Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 19:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7fec050a290195cbf196bc875f9b6dd618e1d232d20d4d956bad262fec8a3d9bN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7fec050a290195cbf196bc875f9b6dd618e1d232d20d4d956bad262fec8a3d9bN.exe
-
Size
453KB
-
MD5
4355f0fd7e30d13bdc88167bcf586e70
-
SHA1
75b4d927b179b8da1a80cf9c95cc941438075467
-
SHA256
7fec050a290195cbf196bc875f9b6dd618e1d232d20d4d956bad262fec8a3d9b
-
SHA512
83df090fee1444c28cafdaa6654919f7bdb4f6010e8529d7f35fe77d069c70dc584fd418e35519710e881e01766644621a7feec9804e37cad2314c07a5326aed
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeC:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3052-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2280-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4232-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-758-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-904-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-911-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-1011-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-1436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2308-1618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4916 ffrlfxx.exe 4328 5djvp.exe 1032 8886044.exe 3832 o624826.exe 4488 66648.exe 464 htnbtn.exe 4132 9rlfrfr.exe 3880 4042648.exe 4608 248648.exe 3192 jpppd.exe 4960 jjjvp.exe 2224 2042020.exe 5080 pdjdv.exe 4836 64004.exe 3568 7rrfrrx.exe 5012 288262.exe 2108 08444.exe 2124 dpdpd.exe 1400 20640.exe 3988 fllfrlx.exe 2648 0882004.exe 1872 1jdjd.exe 4456 9ttnbt.exe 4724 vjpdd.exe 348 xrlfxrl.exe 3144 66862.exe 3292 42208.exe 5100 jjjvp.exe 1496 426482.exe 3632 dvpdd.exe 3012 a0004.exe 1392 62260.exe 4476 862882.exe 860 9nhthb.exe 1680 bnbnbb.exe 2280 284882.exe 4572 084020.exe 3712 vvpjj.exe 4164 rrfxrrr.exe 2176 c804888.exe 2596 4662266.exe 1140 0882820.exe 4860 nbbbhb.exe 3708 242044.exe 5032 vpvpp.exe 3080 i222660.exe 3876 tbbnnh.exe 1460 xrxrrxr.exe 1148 bbtnnn.exe 3684 5thnhh.exe 4916 286488.exe 4852 xlrxlrr.exe 960 s8264.exe 428 880822.exe 2372 rfxlfxl.exe 544 6800448.exe 2164 0820048.exe 4400 9nnttb.exe 1056 bhttnt.exe 2932 0000468.exe 3880 pvjjj.exe 2964 044822.exe 4980 nhttbb.exe 4960 lrxxxxf.exe -
resource yara_rule behavioral2/memory/3052-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-201-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2596-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-348-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3584-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-879-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-904-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 880822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u004660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2048648.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m6264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 084020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8048228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3052 wrote to memory of 4916 3052 7fec050a290195cbf196bc875f9b6dd618e1d232d20d4d956bad262fec8a3d9bN.exe 83 PID 3052 wrote to memory of 4916 3052 7fec050a290195cbf196bc875f9b6dd618e1d232d20d4d956bad262fec8a3d9bN.exe 83 PID 3052 wrote to memory of 4916 3052 7fec050a290195cbf196bc875f9b6dd618e1d232d20d4d956bad262fec8a3d9bN.exe 83 PID 4916 wrote to memory of 4328 4916 ffrlfxx.exe 84 PID 4916 wrote to memory of 4328 4916 ffrlfxx.exe 84 PID 4916 wrote to memory of 4328 4916 ffrlfxx.exe 84 PID 4328 wrote to memory of 1032 4328 5djvp.exe 85 PID 4328 wrote to memory of 1032 4328 5djvp.exe 85 PID 4328 wrote to memory of 1032 4328 5djvp.exe 85 PID 1032 wrote to memory of 3832 1032 8886044.exe 86 PID 1032 wrote to memory of 3832 1032 8886044.exe 86 PID 1032 wrote to memory of 3832 1032 8886044.exe 86 PID 3832 wrote to memory of 4488 3832 o624826.exe 87 PID 3832 wrote to memory of 4488 3832 o624826.exe 87 PID 3832 wrote to memory of 4488 3832 o624826.exe 87 PID 4488 wrote to memory of 464 4488 66648.exe 88 PID 4488 wrote to memory of 464 4488 66648.exe 88 PID 4488 wrote to memory of 464 4488 66648.exe 88 PID 464 wrote to memory of 4132 464 htnbtn.exe 89 PID 464 wrote to memory of 4132 464 htnbtn.exe 89 PID 464 wrote to memory of 4132 464 htnbtn.exe 89 PID 4132 wrote to memory of 3880 4132 9rlfrfr.exe 143 PID 4132 wrote to memory of 3880 4132 9rlfrfr.exe 143 PID 4132 wrote to memory of 3880 4132 9rlfrfr.exe 143 PID 3880 wrote to memory of 4608 3880 4042648.exe 91 PID 3880 wrote to memory of 4608 3880 4042648.exe 91 PID 3880 wrote to memory of 4608 3880 4042648.exe 91 PID 4608 wrote to memory of 3192 4608 248648.exe 92 PID 4608 wrote to memory of 3192 4608 248648.exe 92 PID 4608 wrote to memory of 3192 4608 248648.exe 92 PID 3192 wrote to memory of 4960 3192 jpppd.exe 146 PID 3192 wrote to memory of 4960 3192 jpppd.exe 146 PID 3192 wrote to memory of 4960 3192 jpppd.exe 146 PID 4960 wrote to memory of 2224 4960 jjjvp.exe 94 PID 4960 wrote 
to memory of 2224 4960 jjjvp.exe 94 PID 4960 wrote to memory of 2224 4960 jjjvp.exe 94 PID 2224 wrote to memory of 5080 2224 2042020.exe 95 PID 2224 wrote to memory of 5080 2224 2042020.exe 95 PID 2224 wrote to memory of 5080 2224 2042020.exe 95 PID 5080 wrote to memory of 4836 5080 pdjdv.exe 96 PID 5080 wrote to memory of 4836 5080 pdjdv.exe 96 PID 5080 wrote to memory of 4836 5080 pdjdv.exe 96 PID 4836 wrote to memory of 3568 4836 64004.exe 97 PID 4836 wrote to memory of 3568 4836 64004.exe 97 PID 4836 wrote to memory of 3568 4836 64004.exe 97 PID 3568 wrote to memory of 5012 3568 7rrfrrx.exe 98 PID 3568 wrote to memory of 5012 3568 7rrfrrx.exe 98 PID 3568 wrote to memory of 5012 3568 7rrfrrx.exe 98 PID 5012 wrote to memory of 2108 5012 288262.exe 99 PID 5012 wrote to memory of 2108 5012 288262.exe 99 PID 5012 wrote to memory of 2108 5012 288262.exe 99 PID 2108 wrote to memory of 2124 2108 08444.exe 100 PID 2108 wrote to memory of 2124 2108 08444.exe 100 PID 2108 wrote to memory of 2124 2108 08444.exe 100 PID 2124 wrote to memory of 1400 2124 dpdpd.exe 101 PID 2124 wrote to memory of 1400 2124 dpdpd.exe 101 PID 2124 wrote to memory of 1400 2124 dpdpd.exe 101 PID 1400 wrote to memory of 3988 1400 20640.exe 102 PID 1400 wrote to memory of 3988 1400 20640.exe 102 PID 1400 wrote to memory of 3988 1400 20640.exe 102 PID 3988 wrote to memory of 2648 3988 fllfrlx.exe 103 PID 3988 wrote to memory of 2648 3988 fllfrlx.exe 103 PID 3988 wrote to memory of 2648 3988 fllfrlx.exe 103 PID 2648 wrote to memory of 1872 2648 0882004.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7fec050a290195cbf196bc875f9b6dd618e1d232d20d4d956bad262fec8a3d9bN.exe"C:\Users\Admin\AppData\Local\Temp\7fec050a290195cbf196bc875f9b6dd618e1d232d20d4d956bad262fec8a3d9bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\ffrlfxx.exec:\ffrlfxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\5djvp.exec:\5djvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\8886044.exec:\8886044.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\o624826.exec:\o624826.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\66648.exec:\66648.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\htnbtn.exec:\htnbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\9rlfrfr.exec:\9rlfrfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\4042648.exec:\4042648.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\248648.exec:\248648.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\jpppd.exec:\jpppd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\jjjvp.exec:\jjjvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\2042020.exec:\2042020.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\pdjdv.exec:\pdjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\64004.exec:\64004.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\7rrfrrx.exec:\7rrfrrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\288262.exec:\288262.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\08444.exec:\08444.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\dpdpd.exec:\dpdpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\20640.exec:\20640.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\fllfrlx.exec:\fllfrlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\0882004.exec:\0882004.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\1jdjd.exec:\1jdjd.exe23⤵
- Executes dropped EXE
PID:1872 -
\??\c:\9ttnbt.exec:\9ttnbt.exe24⤵
- Executes dropped EXE
PID:4456 -
\??\c:\vjpdd.exec:\vjpdd.exe25⤵
- Executes dropped EXE
PID:4724 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe26⤵
- Executes dropped EXE
PID:348 -
\??\c:\66862.exec:\66862.exe27⤵
- Executes dropped EXE
PID:3144 -
\??\c:\42208.exec:\42208.exe28⤵
- Executes dropped EXE
PID:3292 -
\??\c:\jjjvp.exec:\jjjvp.exe29⤵
- Executes dropped EXE
PID:5100 -
\??\c:\426482.exec:\426482.exe30⤵
- Executes dropped EXE
PID:1496 -
\??\c:\dvpdd.exec:\dvpdd.exe31⤵
- Executes dropped EXE
PID:3632 -
\??\c:\a0004.exec:\a0004.exe32⤵
- Executes dropped EXE
PID:3012 -
\??\c:\62260.exec:\62260.exe33⤵
- Executes dropped EXE
PID:1392 -
\??\c:\862882.exec:\862882.exe34⤵
- Executes dropped EXE
PID:4476 -
\??\c:\9nhthb.exec:\9nhthb.exe35⤵
- Executes dropped EXE
PID:860 -
\??\c:\bnbnbb.exec:\bnbnbb.exe36⤵
- Executes dropped EXE
PID:1680 -
\??\c:\284882.exec:\284882.exe37⤵
- Executes dropped EXE
PID:2280 -
\??\c:\084020.exec:\084020.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4572 -
\??\c:\vvpjj.exec:\vvpjj.exe39⤵
- Executes dropped EXE
PID:3712 -
\??\c:\rrfxrrr.exec:\rrfxrrr.exe40⤵
- Executes dropped EXE
PID:4164 -
\??\c:\c804888.exec:\c804888.exe41⤵
- Executes dropped EXE
PID:2176 -
\??\c:\4662266.exec:\4662266.exe42⤵
- Executes dropped EXE
PID:2596 -
\??\c:\0882820.exec:\0882820.exe43⤵
- Executes dropped EXE
PID:1140 -
\??\c:\nbbbhb.exec:\nbbbhb.exe44⤵
- Executes dropped EXE
PID:4860 -
\??\c:\242044.exec:\242044.exe45⤵
- Executes dropped EXE
PID:3708 -
\??\c:\vpvpp.exec:\vpvpp.exe46⤵
- Executes dropped EXE
PID:5032 -
\??\c:\i222660.exec:\i222660.exe47⤵
- Executes dropped EXE
PID:3080 -
\??\c:\tbbnnh.exec:\tbbnnh.exe48⤵
- Executes dropped EXE
PID:3876 -
\??\c:\xrxrrxr.exec:\xrxrrxr.exe49⤵
- Executes dropped EXE
PID:1460 -
\??\c:\bbtnnn.exec:\bbtnnn.exe50⤵
- Executes dropped EXE
PID:1148 -
\??\c:\5thnhh.exec:\5thnhh.exe51⤵
- Executes dropped EXE
PID:3684 -
\??\c:\286488.exec:\286488.exe52⤵
- Executes dropped EXE
PID:4916 -
\??\c:\xlrxlrr.exec:\xlrxlrr.exe53⤵
- Executes dropped EXE
PID:4852 -
\??\c:\s8264.exec:\s8264.exe54⤵
- Executes dropped EXE
PID:960 -
\??\c:\880822.exec:\880822.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:428 -
\??\c:\rfxlfxl.exec:\rfxlfxl.exe56⤵
- Executes dropped EXE
PID:2372 -
\??\c:\6800448.exec:\6800448.exe57⤵
- Executes dropped EXE
PID:544 -
\??\c:\0820048.exec:\0820048.exe58⤵
- Executes dropped EXE
PID:2164 -
\??\c:\9nnttb.exec:\9nnttb.exe59⤵
- Executes dropped EXE
PID:4400 -
\??\c:\bhttnt.exec:\bhttnt.exe60⤵
- Executes dropped EXE
PID:1056 -
\??\c:\0000468.exec:\0000468.exe61⤵
- Executes dropped EXE
PID:2932 -
\??\c:\pvjjj.exec:\pvjjj.exe62⤵
- Executes dropped EXE
PID:3880 -
\??\c:\044822.exec:\044822.exe63⤵
- Executes dropped EXE
PID:2964 -
\??\c:\nhttbb.exec:\nhttbb.exe64⤵
- Executes dropped EXE
PID:4980 -
\??\c:\lrxxxxf.exec:\lrxxxxf.exe65⤵
- Executes dropped EXE
PID:4960 -
\??\c:\tnhhbh.exec:\tnhhbh.exe66⤵PID:2156
-
\??\c:\600062.exec:\600062.exe67⤵PID:4844
-
\??\c:\0644446.exec:\0644446.exe68⤵PID:3524
-
\??\c:\88044.exec:\88044.exe69⤵PID:4396
-
\??\c:\082822.exec:\082822.exe70⤵PID:4644
-
\??\c:\o224606.exec:\o224606.exe71⤵PID:2064
-
\??\c:\0800606.exec:\0800606.exe72⤵PID:2308
-
\??\c:\84060.exec:\84060.exe73⤵PID:4232
-
\??\c:\llfffff.exec:\llfffff.exe74⤵PID:4464
-
\??\c:\nhnhht.exec:\nhnhht.exe75⤵PID:3924
-
\??\c:\lffrrrr.exec:\lffrrrr.exe76⤵PID:1400
-
\??\c:\44822.exec:\44822.exe77⤵PID:3680
-
\??\c:\pddvp.exec:\pddvp.exe78⤵PID:684
-
\??\c:\dvvvp.exec:\dvvvp.exe79⤵PID:3520
-
\??\c:\xrllfff.exec:\xrllfff.exe80⤵PID:3584
-
\??\c:\8468260.exec:\8468260.exe81⤵PID:228
-
\??\c:\hbbbbb.exec:\hbbbbb.exe82⤵PID:220
-
\??\c:\88640.exec:\88640.exe83⤵PID:4764
-
\??\c:\6882222.exec:\6882222.exe84⤵PID:3552
-
\??\c:\7djdd.exec:\7djdd.exe85⤵PID:4956
-
\??\c:\64044.exec:\64044.exe86⤵PID:3624
-
\??\c:\jpjjp.exec:\jpjjp.exe87⤵PID:1012
-
\??\c:\dvjpd.exec:\dvjpd.exe88⤵PID:772
-
\??\c:\bbtnhn.exec:\bbtnhn.exe89⤵PID:4436
-
\??\c:\66226.exec:\66226.exe90⤵PID:2404
-
\??\c:\jpjpj.exec:\jpjpj.exe91⤵PID:3412
-
\??\c:\3btnhb.exec:\3btnhb.exe92⤵PID:2000
-
\??\c:\26000.exec:\26000.exe93⤵PID:5008
-
\??\c:\62420.exec:\62420.exe94⤵PID:644
-
\??\c:\lxflffr.exec:\lxflffr.exe95⤵PID:728
-
\??\c:\tnbtbh.exec:\tnbtbh.exe96⤵PID:3396
-
\??\c:\4626600.exec:\4626600.exe97⤵PID:2972
-
\??\c:\rrfffrl.exec:\rrfffrl.exe98⤵PID:3188
-
\??\c:\vddvp.exec:\vddvp.exe99⤵PID:3984
-
\??\c:\u626482.exec:\u626482.exe100⤵PID:4040
-
\??\c:\260482.exec:\260482.exe101⤵PID:2088
-
\??\c:\7hhbnn.exec:\7hhbnn.exe102⤵PID:3992
-
\??\c:\6448888.exec:\6448888.exe103⤵PID:4936
-
\??\c:\pddvj.exec:\pddvj.exe104⤵PID:2172
-
\??\c:\djjdp.exec:\djjdp.exe105⤵PID:4172
-
\??\c:\rlrfxrl.exec:\rlrfxrl.exe106⤵PID:1664
-
\??\c:\0666660.exec:\0666660.exe107⤵PID:2804
-
\??\c:\5jvvp.exec:\5jvvp.exe108⤵PID:2320
-
\??\c:\o004264.exec:\o004264.exe109⤵PID:3464
-
\??\c:\djddd.exec:\djddd.exe110⤵PID:3084
-
\??\c:\u866600.exec:\u866600.exe111⤵PID:1020
-
\??\c:\nhthbt.exec:\nhthbt.exe112⤵PID:1160
-
\??\c:\880486.exec:\880486.exe113⤵PID:2328
-
\??\c:\ddvpd.exec:\ddvpd.exe114⤵PID:1508
-
\??\c:\m6264.exec:\m6264.exe115⤵
- System Location Discovery: System Language Discovery
PID:1812 -
\??\c:\jppjd.exec:\jppjd.exe116⤵PID:1124
-
\??\c:\hbhttn.exec:\hbhttn.exe117⤵PID:3192
-
\??\c:\5nbnhh.exec:\5nbnhh.exe118⤵PID:3644
-
\??\c:\28420.exec:\28420.exe119⤵PID:5000
-
\??\c:\dpjvp.exec:\dpjvp.exe120⤵PID:2420
-
\??\c:\bhntbb.exec:\bhntbb.exe121⤵PID:2232
-
\??\c:\rflfxrr.exec:\rflfxrr.exe122⤵PID:4836