Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 10:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
793272852f504b6248acb6de136ca46f7bb729d14e67a27259c6e8b15f0014d3N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
793272852f504b6248acb6de136ca46f7bb729d14e67a27259c6e8b15f0014d3N.exe
-
Size
456KB
-
MD5
c8dba65a9ff1939406cae452018ac9a0
-
SHA1
71fb17fb6ba6c1c19f17ac4262d4faa8bc5a347f
-
SHA256
793272852f504b6248acb6de136ca46f7bb729d14e67a27259c6e8b15f0014d3
-
SHA512
2cd1e3d3ada80d953231e71cb366fbebc4d0069eb6f5d63cdba0ae70de19af3e5282bdbb09d0ed8346e1ce76247462aed4c8334402886f5599e7651528e99e31
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRs:q7Tc2NYHUrAwfMp3CDRs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
Note: every hit below is the same 0x0000000000400000–0x000000000042A000 main-image range, matched once per dropped process in the chain; the same memory ranges are flagged by the UPX rule further down, so the family tag comes from the unpacked in-memory image rather than from the file on disk.
resource yara_rule behavioral2/memory/1756-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1288-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1144-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-1931-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4052 28864.exe 4904 604264.exe 1588 jpddd.exe 2376 vvpjd.exe 2892 4468826.exe 5016 rlfrrlx.exe 668 664488.exe 2388 880448.exe 3992 btnhbb.exe 972 800424.exe 536 084844.exe 4980 frfxxxx.exe 2156 5pvpj.exe 4112 3lxrxrl.exe 4448 nbhbbt.exe 1048 frrlxrl.exe 3588 0060882.exe 2412 jpjvj.exe 4092 lxlxrrl.exe 2796 htbthb.exe 4988 rxrrflx.exe 4936 64608.exe 4596 06042.exe 2444 0268204.exe 1056 fffrfrx.exe 1316 jvvpj.exe 8 rfxrlfx.exe 2188 08204.exe 2364 82000.exe 4932 xrlrllx.exe 1536 lxlxrlf.exe 1936 nbbnnn.exe 1288 642622.exe 3180 thbnbt.exe 3700 nhbnbb.exe 3080 vpdjj.exe 4912 6026864.exe 5048 44646.exe 3344 thbnbt.exe 316 20420.exe 3328 btthhb.exe 1796 lfxxrrl.exe 1860 lffxrrf.exe 1608 4604860.exe 5012 hbtnbb.exe 2928 jjjdj.exe 3888 jdpjd.exe 2432 m6600.exe 3620 868222.exe 540 1ddvp.exe 3572 btthtn.exe 2616 htbttb.exe 4052 m6264.exe 1324 0488444.exe 804 06482.exe 4984 xrxrlxr.exe 1032 02822.exe 800 vdvpv.exe 4628 1xllllr.exe 2904 8620886.exe 2908 5rlxlfr.exe 668 ttnhhh.exe 4140 a4486.exe 4644 5pdpj.exe -
resource yara_rule behavioral2/memory/1756-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-189-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3080-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-405-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1436-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-835-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The evidence here is limited to reads of the \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language key; on its own this is a low-fidelity indicator, since legitimate software queries the same key. Most of the entries below are attributed to "Process not Found" (the sandbox could not resolve the reading process, presumably because it had already exited), so attribution to specific dropped executables is only partial.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 622406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8048660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4404608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2284622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1756 wrote to memory of 4052 1756 793272852f504b6248acb6de136ca46f7bb729d14e67a27259c6e8b15f0014d3N.exe 83 PID 1756 wrote to memory of 4052 1756 793272852f504b6248acb6de136ca46f7bb729d14e67a27259c6e8b15f0014d3N.exe 83 PID 1756 wrote to memory of 4052 1756 793272852f504b6248acb6de136ca46f7bb729d14e67a27259c6e8b15f0014d3N.exe 83 PID 4052 wrote to memory of 4904 4052 28864.exe 84 PID 4052 wrote to memory of 4904 4052 28864.exe 84 PID 4052 wrote to memory of 4904 4052 28864.exe 84 PID 4904 wrote to memory of 1588 4904 604264.exe 85 PID 4904 wrote to memory of 1588 4904 604264.exe 85 PID 4904 wrote to memory of 1588 4904 604264.exe 85 PID 1588 wrote to memory of 2376 1588 jpddd.exe 86 PID 1588 wrote to memory of 2376 1588 jpddd.exe 86 PID 1588 wrote to memory of 2376 1588 jpddd.exe 86 PID 2376 wrote to memory of 2892 2376 vvpjd.exe 87 PID 2376 wrote to memory of 2892 2376 vvpjd.exe 87 PID 2376 wrote to memory of 2892 2376 vvpjd.exe 87 PID 2892 wrote to memory of 5016 2892 4468826.exe 88 PID 2892 wrote to memory of 5016 2892 4468826.exe 88 PID 2892 wrote to memory of 5016 2892 4468826.exe 88 PID 5016 wrote to memory of 668 5016 rlfrrlx.exe 89 PID 5016 wrote to memory of 668 5016 rlfrrlx.exe 89 PID 5016 wrote to memory of 668 5016 rlfrrlx.exe 89 PID 668 wrote to memory of 2388 668 664488.exe 90 PID 668 wrote to memory of 2388 668 664488.exe 90 PID 668 wrote to memory of 2388 668 664488.exe 90 PID 2388 wrote to memory of 3992 2388 880448.exe 91 PID 2388 wrote to memory of 3992 2388 880448.exe 91 PID 2388 wrote to memory of 3992 2388 880448.exe 91 PID 3992 wrote to memory of 972 3992 btnhbb.exe 92 PID 3992 wrote to memory of 972 3992 btnhbb.exe 92 PID 3992 wrote to memory of 972 3992 btnhbb.exe 92 PID 972 wrote to memory of 536 972 800424.exe 93 PID 972 wrote to memory of 536 972 800424.exe 93 PID 972 wrote to memory of 536 972 800424.exe 93 PID 536 wrote to memory of 4980 536 084844.exe 94 PID 536 wrote to memory of 4980 536 
084844.exe 94 PID 536 wrote to memory of 4980 536 084844.exe 94 PID 4980 wrote to memory of 2156 4980 frfxxxx.exe 95 PID 4980 wrote to memory of 2156 4980 frfxxxx.exe 95 PID 4980 wrote to memory of 2156 4980 frfxxxx.exe 95 PID 2156 wrote to memory of 4112 2156 5pvpj.exe 96 PID 2156 wrote to memory of 4112 2156 5pvpj.exe 96 PID 2156 wrote to memory of 4112 2156 5pvpj.exe 96 PID 4112 wrote to memory of 4448 4112 3lxrxrl.exe 97 PID 4112 wrote to memory of 4448 4112 3lxrxrl.exe 97 PID 4112 wrote to memory of 4448 4112 3lxrxrl.exe 97 PID 4448 wrote to memory of 1048 4448 nbhbbt.exe 98 PID 4448 wrote to memory of 1048 4448 nbhbbt.exe 98 PID 4448 wrote to memory of 1048 4448 nbhbbt.exe 98 PID 1048 wrote to memory of 3588 1048 frrlxrl.exe 99 PID 1048 wrote to memory of 3588 1048 frrlxrl.exe 99 PID 1048 wrote to memory of 3588 1048 frrlxrl.exe 99 PID 3588 wrote to memory of 2412 3588 0060882.exe 100 PID 3588 wrote to memory of 2412 3588 0060882.exe 100 PID 3588 wrote to memory of 2412 3588 0060882.exe 100 PID 2412 wrote to memory of 4092 2412 jpjvj.exe 101 PID 2412 wrote to memory of 4092 2412 jpjvj.exe 101 PID 2412 wrote to memory of 4092 2412 jpjvj.exe 101 PID 4092 wrote to memory of 2796 4092 lxlxrrl.exe 102 PID 4092 wrote to memory of 2796 4092 lxlxrrl.exe 102 PID 4092 wrote to memory of 2796 4092 lxlxrrl.exe 102 PID 2796 wrote to memory of 4988 2796 htbthb.exe 103 PID 2796 wrote to memory of 4988 2796 htbthb.exe 103 PID 2796 wrote to memory of 4988 2796 htbthb.exe 103 PID 4988 wrote to memory of 4936 4988 rxrrflx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\793272852f504b6248acb6de136ca46f7bb729d14e67a27259c6e8b15f0014d3N.exe"C:\Users\Admin\AppData\Local\Temp\793272852f504b6248acb6de136ca46f7bb729d14e67a27259c6e8b15f0014d3N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\28864.exec:\28864.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\604264.exec:\604264.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\jpddd.exec:\jpddd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\vvpjd.exec:\vvpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\4468826.exec:\4468826.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\rlfrrlx.exec:\rlfrrlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\664488.exec:\664488.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\880448.exec:\880448.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\btnhbb.exec:\btnhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\800424.exec:\800424.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\084844.exec:\084844.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\frfxxxx.exec:\frfxxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\5pvpj.exec:\5pvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\3lxrxrl.exec:\3lxrxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\nbhbbt.exec:\nbhbbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\frrlxrl.exec:\frrlxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\0060882.exec:\0060882.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\jpjvj.exec:\jpjvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\lxlxrrl.exec:\lxlxrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\htbthb.exec:\htbthb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\rxrrflx.exec:\rxrrflx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\64608.exec:\64608.exe23⤵
- Executes dropped EXE
PID:4936 -
\??\c:\06042.exec:\06042.exe24⤵
- Executes dropped EXE
PID:4596 -
\??\c:\0268204.exec:\0268204.exe25⤵
- Executes dropped EXE
PID:2444 -
\??\c:\fffrfrx.exec:\fffrfrx.exe26⤵
- Executes dropped EXE
PID:1056 -
\??\c:\jvvpj.exec:\jvvpj.exe27⤵
- Executes dropped EXE
PID:1316 -
\??\c:\rfxrlfx.exec:\rfxrlfx.exe28⤵
- Executes dropped EXE
PID:8 -
\??\c:\08204.exec:\08204.exe29⤵
- Executes dropped EXE
PID:2188 -
\??\c:\82000.exec:\82000.exe30⤵
- Executes dropped EXE
PID:2364 -
\??\c:\xrlrllx.exec:\xrlrllx.exe31⤵
- Executes dropped EXE
PID:4932 -
\??\c:\lxlxrlf.exec:\lxlxrlf.exe32⤵
- Executes dropped EXE
PID:1536 -
\??\c:\nbbnnn.exec:\nbbnnn.exe33⤵
- Executes dropped EXE
PID:1936 -
\??\c:\642622.exec:\642622.exe34⤵
- Executes dropped EXE
PID:1288 -
\??\c:\thbnbt.exec:\thbnbt.exe35⤵
- Executes dropped EXE
PID:3180 -
\??\c:\nhbnbb.exec:\nhbnbb.exe36⤵
- Executes dropped EXE
PID:3700 -
\??\c:\vpdjj.exec:\vpdjj.exe37⤵
- Executes dropped EXE
PID:3080 -
\??\c:\6026864.exec:\6026864.exe38⤵
- Executes dropped EXE
PID:4912 -
\??\c:\44646.exec:\44646.exe39⤵
- Executes dropped EXE
PID:5048 -
\??\c:\thbnbt.exec:\thbnbt.exe40⤵
- Executes dropped EXE
PID:3344 -
\??\c:\20420.exec:\20420.exe41⤵
- Executes dropped EXE
PID:316 -
\??\c:\btthhb.exec:\btthhb.exe42⤵
- Executes dropped EXE
PID:3328 -
\??\c:\lfxxrrl.exec:\lfxxrrl.exe43⤵
- Executes dropped EXE
PID:1796 -
\??\c:\lffxrrf.exec:\lffxrrf.exe44⤵
- Executes dropped EXE
PID:1860 -
\??\c:\4604860.exec:\4604860.exe45⤵
- Executes dropped EXE
PID:1608 -
\??\c:\hbtnbb.exec:\hbtnbb.exe46⤵
- Executes dropped EXE
PID:5012 -
\??\c:\jjjdj.exec:\jjjdj.exe47⤵
- Executes dropped EXE
PID:2928 -
\??\c:\jdpjd.exec:\jdpjd.exe48⤵
- Executes dropped EXE
PID:3888 -
\??\c:\m6600.exec:\m6600.exe49⤵
- Executes dropped EXE
PID:2432 -
\??\c:\868222.exec:\868222.exe50⤵
- Executes dropped EXE
PID:3620 -
\??\c:\1ddvp.exec:\1ddvp.exe51⤵
- Executes dropped EXE
PID:540 -
\??\c:\btthtn.exec:\btthtn.exe52⤵
- Executes dropped EXE
PID:3572 -
\??\c:\htbttb.exec:\htbttb.exe53⤵
- Executes dropped EXE
PID:2616 -
\??\c:\m6264.exec:\m6264.exe54⤵
- Executes dropped EXE
PID:4052 -
\??\c:\0488444.exec:\0488444.exe55⤵
- Executes dropped EXE
PID:1324 -
\??\c:\06482.exec:\06482.exe56⤵
- Executes dropped EXE
PID:804 -
\??\c:\xrxrlxr.exec:\xrxrlxr.exe57⤵
- Executes dropped EXE
PID:4984 -
\??\c:\02822.exec:\02822.exe58⤵
- Executes dropped EXE
PID:1032 -
\??\c:\vdvpv.exec:\vdvpv.exe59⤵
- Executes dropped EXE
PID:800 -
\??\c:\1xllllr.exec:\1xllllr.exe60⤵
- Executes dropped EXE
PID:4628 -
\??\c:\8620886.exec:\8620886.exe61⤵
- Executes dropped EXE
PID:2904 -
\??\c:\5rlxlfr.exec:\5rlxlfr.exe62⤵
- Executes dropped EXE
PID:2908 -
\??\c:\ttnhhh.exec:\ttnhhh.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:668 -
\??\c:\a4486.exec:\a4486.exe64⤵
- Executes dropped EXE
PID:4140 -
\??\c:\5pdpj.exec:\5pdpj.exe65⤵
- Executes dropped EXE
PID:4644 -
\??\c:\jddvp.exec:\jddvp.exe66⤵PID:1972
-
\??\c:\9vvpj.exec:\9vvpj.exe67⤵PID:3496
-
\??\c:\86844.exec:\86844.exe68⤵PID:4408
-
\??\c:\482040.exec:\482040.exe69⤵PID:1336
-
\??\c:\208208.exec:\208208.exe70⤵PID:5044
-
\??\c:\5ffrfxl.exec:\5ffrfxl.exe71⤵PID:2652
-
\??\c:\4842608.exec:\4842608.exe72⤵PID:3688
-
\??\c:\jjpjd.exec:\jjpjd.exe73⤵PID:4464
-
\??\c:\1hbbtb.exec:\1hbbtb.exe74⤵PID:1192
-
\??\c:\062082.exec:\062082.exe75⤵PID:2000
-
\??\c:\2222666.exec:\2222666.exe76⤵PID:1048
-
\??\c:\82882.exec:\82882.exe77⤵
- System Location Discovery: System Language Discovery
PID:4544 -
\??\c:\84884.exec:\84884.exe78⤵PID:4504
-
\??\c:\bnhtnh.exec:\bnhtnh.exe79⤵PID:2180
-
\??\c:\6464628.exec:\6464628.exe80⤵PID:2068
-
\??\c:\frrlxrl.exec:\frrlxrl.exe81⤵PID:1476
-
\??\c:\dpvpp.exec:\dpvpp.exe82⤵PID:1472
-
\??\c:\622222.exec:\622222.exe83⤵PID:3792
-
\??\c:\jdpdv.exec:\jdpdv.exe84⤵PID:4596
-
\??\c:\04448.exec:\04448.exe85⤵PID:3416
-
\??\c:\thnhhb.exec:\thnhhb.exe86⤵PID:2092
-
\??\c:\3ddpj.exec:\3ddpj.exe87⤵PID:1056
-
\??\c:\0200826.exec:\0200826.exe88⤵PID:4604
-
\??\c:\684204.exec:\684204.exe89⤵PID:4580
-
\??\c:\006444.exec:\006444.exe90⤵PID:4276
-
\??\c:\422486.exec:\422486.exe91⤵PID:1144
-
\??\c:\g4644.exec:\g4644.exe92⤵PID:916
-
\??\c:\88486.exec:\88486.exe93⤵PID:4868
-
\??\c:\484260.exec:\484260.exe94⤵PID:4624
-
\??\c:\00280.exec:\00280.exe95⤵PID:3956
-
\??\c:\6660426.exec:\6660426.exe96⤵PID:1508
-
\??\c:\bhbthn.exec:\bhbthn.exe97⤵PID:2408
-
\??\c:\bnttbb.exec:\bnttbb.exe98⤵PID:1804
-
\??\c:\xrrflxl.exec:\xrrflxl.exe99⤵PID:1436
-
\??\c:\pvjpd.exec:\pvjpd.exe100⤵PID:1940
-
\??\c:\m8820.exec:\m8820.exe101⤵PID:2564
-
\??\c:\088260.exec:\088260.exe102⤵PID:5048
-
\??\c:\062088.exec:\062088.exe103⤵PID:3344
-
\??\c:\2882404.exec:\2882404.exe104⤵PID:316
-
\??\c:\400404.exec:\400404.exe105⤵PID:2920
-
\??\c:\q48260.exec:\q48260.exe106⤵PID:4920
-
\??\c:\xlxrfxl.exec:\xlxrfxl.exe107⤵PID:2004
-
\??\c:\46486.exec:\46486.exe108⤵PID:1608
-
\??\c:\bntnhh.exec:\bntnhh.exe109⤵PID:5012
-
\??\c:\642086.exec:\642086.exe110⤵PID:4168
-
\??\c:\062268.exec:\062268.exe111⤵PID:1320
-
\??\c:\jjppv.exec:\jjppv.exe112⤵PID:1468
-
\??\c:\66260.exec:\66260.exe113⤵PID:4388
-
\??\c:\2628404.exec:\2628404.exe114⤵PID:4212
-
\??\c:\i460604.exec:\i460604.exe115⤵PID:772
-
\??\c:\s6608.exec:\s6608.exe116⤵PID:4420
-
\??\c:\vjjvj.exec:\vjjvj.exe117⤵PID:4808
-
\??\c:\4202408.exec:\4202408.exe118⤵PID:4324
-
\??\c:\842440.exec:\842440.exe119⤵PID:1324
-
\??\c:\64082.exec:\64082.exe120⤵PID:4104
-
\??\c:\8880482.exec:\8880482.exe121⤵PID:3076
-
\??\c:\48860.exec:\48860.exe122⤵PID:4984