Analysis
-
max time kernel
150s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
28/03/2025, 19:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe
-
Size
458KB
-
MD5
784872ea17556eb59718107706d52b98
-
SHA1
626bbdd4366e12b055edcfcb944181a17e35d44c
-
SHA256
4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967
-
SHA512
5369e2b0ae1bbd0476e99e0e2723c1eb20456e137924e3e4bbd56aaf74055381367169398f18e3b2a29d0b895ef04471fedded5a8505a028f7771f6c027a129f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/116-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5256-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5988-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5576-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5532-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5504-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2184-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5704-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5320-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5912-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5528-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5452-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5980-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5936-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5148-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5288-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6072-795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-1004-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4848-1114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 912 9jpjd.exe 5256 pdjdp.exe 4412 vjdpd.exe 4128 fflfffx.exe 3000 5hbhbb.exe 1796 vjpdp.exe 5988 rxrfrlx.exe 1556 jpvjd.exe 5576 1llxrrf.exe 2752 7jpdv.exe 4572 xllfrrl.exe 4588 frlxlfr.exe 4676 ntbhtn.exe 516 tnbbtb.exe 4632 1lxflrx.exe 4740 xffrlxr.exe 5532 rlllfff.exe 4792 xxffxrr.exe 5504 1ppjv.exe 392 xrxxllf.exe 4956 vjpdj.exe 1548 flrlxxl.exe 5244 tnbthb.exe 4992 thttnh.exe 4716 frrlffx.exe 2184 1frlllr.exe 2156 5nnnhn.exe 3508 jvpjd.exe 2264 bhhbtn.exe 3952 lxxrrrr.exe 3604 rrrrxxr.exe 2360 fxxrrrx.exe 4900 3nttnn.exe 1592 1jpvp.exe 5704 frrlfxr.exe 3684 hnnhtn.exe 5104 vjjdv.exe 1004 jjvpj.exe 5320 lxlxllx.exe 5860 nthbtn.exe 1724 vvdjv.exe 5912 xrxfxfr.exe 1056 7flxxff.exe 5528 bnbnbt.exe 3480 jdjvd.exe 2812 lfxxrlx.exe 5036 tnbnbb.exe 4996 3pjvd.exe 1920 lxfrlfx.exe 4032 lxxrrll.exe 740 nhhbtt.exe 3652 5jpjd.exe 3292 xllxlrf.exe 1804 1ffxrll.exe 6056 tbttnn.exe 5452 vdjdp.exe 5052 1lxxrrl.exe 616 5frlffx.exe 5980 hhhbtt.exe 5096 pddpd.exe 4496 5rlrflf.exe 2808 xllfxxf.exe 2648 1hhtnh.exe 3944 vdjvp.exe -
resource yara_rule behavioral2/memory/116-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5256-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5256-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5988-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5576-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5532-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5504-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3508-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5704-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5320-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5912-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5528-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5452-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5980-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5936-323-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4488-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5148-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5288-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5652-600-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrllfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 116 wrote to memory of 912 116 4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe 87 PID 116 wrote to memory of 912 116 4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe 87 PID 116 wrote to memory of 912 116 4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe 87 PID 912 wrote to memory of 5256 912 9jpjd.exe 88 PID 912 wrote to memory of 5256 912 9jpjd.exe 88 PID 912 wrote to memory of 5256 912 9jpjd.exe 88 PID 5256 wrote to memory of 4412 5256 pdjdp.exe 89 PID 5256 wrote to memory of 4412 5256 pdjdp.exe 89 PID 5256 wrote to memory of 4412 5256 pdjdp.exe 89 PID 4412 wrote to memory of 4128 4412 vjdpd.exe 90 PID 4412 wrote to memory of 4128 4412 vjdpd.exe 90 PID 4412 wrote to memory of 4128 4412 vjdpd.exe 90 PID 4128 wrote to memory of 3000 4128 fflfffx.exe 91 PID 4128 wrote to memory of 3000 4128 fflfffx.exe 91 PID 4128 wrote to memory of 3000 4128 fflfffx.exe 91 PID 3000 wrote to memory of 1796 3000 5hbhbb.exe 92 PID 3000 wrote to memory of 1796 3000 5hbhbb.exe 92 PID 3000 wrote to memory of 1796 3000 5hbhbb.exe 92 PID 1796 wrote to memory of 5988 1796 vjpdp.exe 93 PID 1796 wrote to memory of 5988 1796 vjpdp.exe 93 PID 1796 wrote to memory of 5988 1796 vjpdp.exe 93 PID 5988 wrote to memory of 1556 5988 rxrfrlx.exe 95 PID 5988 wrote to memory of 1556 5988 rxrfrlx.exe 95 PID 5988 wrote to memory of 1556 5988 rxrfrlx.exe 95 PID 1556 wrote to memory of 5576 1556 jpvjd.exe 96 PID 1556 wrote to memory of 5576 1556 jpvjd.exe 96 PID 1556 wrote to memory of 5576 1556 jpvjd.exe 96 PID 5576 wrote to memory of 2752 5576 1llxrrf.exe 98 PID 5576 wrote to memory of 2752 5576 1llxrrf.exe 98 PID 5576 wrote to memory of 2752 5576 1llxrrf.exe 98 PID 2752 wrote to memory of 4572 2752 7jpdv.exe 99 PID 2752 wrote to memory of 4572 2752 7jpdv.exe 99 PID 2752 wrote to memory of 4572 2752 7jpdv.exe 99 PID 4572 wrote to memory of 4588 4572 xllfrrl.exe 100 PID 4572 wrote to memory of 4588 4572 
xllfrrl.exe 100 PID 4572 wrote to memory of 4588 4572 xllfrrl.exe 100 PID 4588 wrote to memory of 4676 4588 frlxlfr.exe 101 PID 4588 wrote to memory of 4676 4588 frlxlfr.exe 101 PID 4588 wrote to memory of 4676 4588 frlxlfr.exe 101 PID 4676 wrote to memory of 516 4676 ntbhtn.exe 103 PID 4676 wrote to memory of 516 4676 ntbhtn.exe 103 PID 4676 wrote to memory of 516 4676 ntbhtn.exe 103 PID 516 wrote to memory of 4632 516 tnbbtb.exe 104 PID 516 wrote to memory of 4632 516 tnbbtb.exe 104 PID 516 wrote to memory of 4632 516 tnbbtb.exe 104 PID 4632 wrote to memory of 4740 4632 1lxflrx.exe 105 PID 4632 wrote to memory of 4740 4632 1lxflrx.exe 105 PID 4632 wrote to memory of 4740 4632 1lxflrx.exe 105 PID 4740 wrote to memory of 5532 4740 xffrlxr.exe 106 PID 4740 wrote to memory of 5532 4740 xffrlxr.exe 106 PID 4740 wrote to memory of 5532 4740 xffrlxr.exe 106 PID 5532 wrote to memory of 4792 5532 rlllfff.exe 107 PID 5532 wrote to memory of 4792 5532 rlllfff.exe 107 PID 5532 wrote to memory of 4792 5532 rlllfff.exe 107 PID 4792 wrote to memory of 5504 4792 xxffxrr.exe 108 PID 4792 wrote to memory of 5504 4792 xxffxrr.exe 108 PID 4792 wrote to memory of 5504 4792 xxffxrr.exe 108 PID 5504 wrote to memory of 392 5504 1ppjv.exe 109 PID 5504 wrote to memory of 392 5504 1ppjv.exe 109 PID 5504 wrote to memory of 392 5504 1ppjv.exe 109 PID 392 wrote to memory of 4956 392 xrxxllf.exe 110 PID 392 wrote to memory of 4956 392 xrxxllf.exe 110 PID 392 wrote to memory of 4956 392 xrxxllf.exe 110 PID 4956 wrote to memory of 1548 4956 vjpdj.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe"C:\Users\Admin\AppData\Local\Temp\4802dcc7e09a05cb13c2312de9aeefeeda2e3adb31a64221268d60f4e6f22967.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\9jpjd.exec:\9jpjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
\??\c:\pdjdp.exec:\pdjdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5256 -
\??\c:\vjdpd.exec:\vjdpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\fflfffx.exec:\fflfffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\5hbhbb.exec:\5hbhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\vjpdp.exec:\vjpdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\rxrfrlx.exec:\rxrfrlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5988 -
\??\c:\jpvjd.exec:\jpvjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\1llxrrf.exec:\1llxrrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5576 -
\??\c:\7jpdv.exec:\7jpdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\xllfrrl.exec:\xllfrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\frlxlfr.exec:\frlxlfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\ntbhtn.exec:\ntbhtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\tnbbtb.exec:\tnbbtb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\1lxflrx.exec:\1lxflrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\xffrlxr.exec:\xffrlxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\rlllfff.exec:\rlllfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5532 -
\??\c:\xxffxrr.exec:\xxffxrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\1ppjv.exec:\1ppjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5504 -
\??\c:\xrxxllf.exec:\xrxxllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\vjpdj.exec:\vjpdj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\flrlxxl.exec:\flrlxxl.exe23⤵
- Executes dropped EXE
PID:1548 -
\??\c:\tnbthb.exec:\tnbthb.exe24⤵
- Executes dropped EXE
PID:5244 -
\??\c:\thttnh.exec:\thttnh.exe25⤵
- Executes dropped EXE
PID:4992 -
\??\c:\frrlffx.exec:\frrlffx.exe26⤵
- Executes dropped EXE
PID:4716 -
\??\c:\1frlllr.exec:\1frlllr.exe27⤵
- Executes dropped EXE
PID:2184 -
\??\c:\5nnnhn.exec:\5nnnhn.exe28⤵
- Executes dropped EXE
PID:2156 -
\??\c:\jvpjd.exec:\jvpjd.exe29⤵
- Executes dropped EXE
PID:3508 -
\??\c:\bhhbtn.exec:\bhhbtn.exe30⤵
- Executes dropped EXE
PID:2264 -
\??\c:\lxxrrrr.exec:\lxxrrrr.exe31⤵
- Executes dropped EXE
PID:3952 -
\??\c:\rrrrxxr.exec:\rrrrxxr.exe32⤵
- Executes dropped EXE
PID:3604 -
\??\c:\fxxrrrx.exec:\fxxrrrx.exe33⤵
- Executes dropped EXE
PID:2360 -
\??\c:\3nttnn.exec:\3nttnn.exe34⤵
- Executes dropped EXE
PID:4900 -
\??\c:\1jpvp.exec:\1jpvp.exe35⤵
- Executes dropped EXE
PID:1592 -
\??\c:\frrlfxr.exec:\frrlfxr.exe36⤵
- Executes dropped EXE
PID:5704 -
\??\c:\hnnhtn.exec:\hnnhtn.exe37⤵
- Executes dropped EXE
PID:3684 -
\??\c:\vjjdv.exec:\vjjdv.exe38⤵
- Executes dropped EXE
PID:5104 -
\??\c:\jjvpj.exec:\jjvpj.exe39⤵
- Executes dropped EXE
PID:1004 -
\??\c:\lxlxllx.exec:\lxlxllx.exe40⤵
- Executes dropped EXE
PID:5320 -
\??\c:\nthbtn.exec:\nthbtn.exe41⤵
- Executes dropped EXE
PID:5860 -
\??\c:\vvdjv.exec:\vvdjv.exe42⤵
- Executes dropped EXE
PID:1724 -
\??\c:\xrxfxfr.exec:\xrxfxfr.exe43⤵
- Executes dropped EXE
PID:5912 -
\??\c:\7flxxff.exec:\7flxxff.exe44⤵
- Executes dropped EXE
PID:1056 -
\??\c:\bnbnbt.exec:\bnbnbt.exe45⤵
- Executes dropped EXE
PID:5528 -
\??\c:\jdjvd.exec:\jdjvd.exe46⤵
- Executes dropped EXE
PID:3480 -
\??\c:\lfxxrlx.exec:\lfxxrlx.exe47⤵
- Executes dropped EXE
PID:2812 -
\??\c:\tnbnbb.exec:\tnbnbb.exe48⤵
- Executes dropped EXE
PID:5036 -
\??\c:\3pjvd.exec:\3pjvd.exe49⤵
- Executes dropped EXE
PID:4996 -
\??\c:\lxfrlfx.exec:\lxfrlfx.exe50⤵
- Executes dropped EXE
PID:1920 -
\??\c:\lxxrrll.exec:\lxxrrll.exe51⤵
- Executes dropped EXE
PID:4032 -
\??\c:\nhhbtt.exec:\nhhbtt.exe52⤵
- Executes dropped EXE
PID:740 -
\??\c:\5jpjd.exec:\5jpjd.exe53⤵
- Executes dropped EXE
PID:3652 -
\??\c:\xllxlrf.exec:\xllxlrf.exe54⤵
- Executes dropped EXE
PID:3292 -
\??\c:\1ffxrll.exec:\1ffxrll.exe55⤵
- Executes dropped EXE
PID:1804 -
\??\c:\tbttnn.exec:\tbttnn.exe56⤵
- Executes dropped EXE
PID:6056 -
\??\c:\vdjdp.exec:\vdjdp.exe57⤵
- Executes dropped EXE
PID:5452 -
\??\c:\1lxxrrl.exec:\1lxxrrl.exe58⤵
- Executes dropped EXE
PID:5052 -
\??\c:\5frlffx.exec:\5frlffx.exe59⤵
- Executes dropped EXE
PID:616 -
\??\c:\hhhbtt.exec:\hhhbtt.exe60⤵
- Executes dropped EXE
PID:5980 -
\??\c:\pddpd.exec:\pddpd.exe61⤵
- Executes dropped EXE
PID:5096 -
\??\c:\5rlrflf.exec:\5rlrflf.exe62⤵
- Executes dropped EXE
PID:4496 -
\??\c:\xllfxxf.exec:\xllfxxf.exe63⤵
- Executes dropped EXE
PID:2808 -
\??\c:\1hhtnh.exec:\1hhtnh.exe64⤵
- Executes dropped EXE
PID:2648 -
\??\c:\vdjvp.exec:\vdjvp.exe65⤵
- Executes dropped EXE
PID:3944 -
\??\c:\9pjvp.exec:\9pjvp.exe66⤵PID:3300
-
\??\c:\ffxrxfr.exec:\ffxrxfr.exe67⤵PID:380
-
\??\c:\3tnhbb.exec:\3tnhbb.exe68⤵PID:4076
-
\??\c:\jvvvp.exec:\jvvvp.exe69⤵PID:552
-
\??\c:\3hhtnh.exec:\3hhtnh.exe70⤵PID:5936
-
\??\c:\jdjdd.exec:\jdjdd.exe71⤵PID:4628
-
\??\c:\jvdpp.exec:\jvdpp.exe72⤵
- System Location Discovery: System Language Discovery
PID:2368 -
\??\c:\7xxlfxr.exec:\7xxlfxr.exe73⤵PID:5628
-
\??\c:\htbtnh.exec:\htbtnh.exe74⤵PID:6124
-
\??\c:\lxrlfxr.exec:\lxrlfxr.exe75⤵PID:3516
-
\??\c:\3nhbtb.exec:\3nhbtb.exe76⤵PID:32
-
\??\c:\dpvpj.exec:\dpvpj.exe77⤵PID:2436
-
\??\c:\fxrllfr.exec:\fxrllfr.exe78⤵
- System Location Discovery: System Language Discovery
PID:3844 -
\??\c:\xrxllfl.exec:\xrxllfl.exe79⤵PID:5164
-
\??\c:\hhthth.exec:\hhthth.exe80⤵PID:5220
-
\??\c:\jjpdp.exec:\jjpdp.exe81⤵PID:1964
-
\??\c:\pjdjv.exec:\pjdjv.exe82⤵PID:4004
-
\??\c:\rflfrlf.exec:\rflfrlf.exe83⤵PID:1552
-
\??\c:\nhtntt.exec:\nhtntt.exe84⤵PID:2224
-
\??\c:\vvddj.exec:\vvddj.exe85⤵PID:4528
-
\??\c:\xllxllx.exec:\xllxllx.exe86⤵PID:4652
-
\??\c:\ttbnnh.exec:\ttbnnh.exe87⤵PID:4648
-
\??\c:\bntbbh.exec:\bntbbh.exe88⤵PID:5896
-
\??\c:\jdvvp.exec:\jdvvp.exe89⤵PID:4892
-
\??\c:\rfffxrx.exec:\rfffxrx.exe90⤵PID:1084
-
\??\c:\9lrfrlx.exec:\9lrfrlx.exe91⤵PID:4488
-
\??\c:\bnnnhh.exec:\bnnnhh.exe92⤵PID:4736
-
\??\c:\dvpdp.exec:\dvpdp.exe93⤵PID:4796
-
\??\c:\frrrlrl.exec:\frrrlrl.exe94⤵PID:4964
-
\??\c:\rxfrfrr.exec:\rxfrfrr.exe95⤵PID:4960
-
\??\c:\tnnbnh.exec:\tnnbnh.exe96⤵PID:1912
-
\??\c:\jdjvj.exec:\jdjvj.exe97⤵PID:2428
-
\??\c:\dpvpd.exec:\dpvpd.exe98⤵PID:2960
-
\??\c:\5llxxrf.exec:\5llxxrf.exe99⤵PID:4768
-
\??\c:\7nhhtt.exec:\7nhhtt.exe100⤵PID:4552
-
\??\c:\nbbthb.exec:\nbbthb.exe101⤵PID:2148
-
\??\c:\vpvpp.exec:\vpvpp.exe102⤵PID:880
-
\??\c:\1lxlfxl.exec:\1lxlfxl.exe103⤵PID:4312
-
\??\c:\5lfxlfr.exec:\5lfxlfr.exe104⤵PID:4800
-
\??\c:\nbbbnh.exec:\nbbbnh.exe105⤵PID:5668
-
\??\c:\jvdjj.exec:\jvdjj.exe106⤵PID:4716
-
\??\c:\1pjvj.exec:\1pjvj.exe107⤵PID:5876
-
\??\c:\frfxxrf.exec:\frfxxrf.exe108⤵PID:5700
-
\??\c:\nbtnhb.exec:\nbtnhb.exe109⤵PID:3092
-
\??\c:\hntnhb.exec:\hntnhb.exe110⤵PID:4060
-
\??\c:\ffrlxrf.exec:\ffrlxrf.exe111⤵PID:3504
-
\??\c:\ffrllrr.exec:\ffrllrr.exe112⤵PID:4900
-
\??\c:\tthbnn.exec:\tthbnn.exe113⤵PID:5148
-
\??\c:\ppjdp.exec:\ppjdp.exe114⤵PID:4304
-
\??\c:\vjjvp.exec:\vjjvp.exe115⤵PID:3540
-
\??\c:\xxlfxrl.exec:\xxlfxrl.exe116⤵PID:5104
-
\??\c:\7bbnbt.exec:\7bbnbt.exe117⤵
- System Location Discovery: System Language Discovery
PID:4392 -
\??\c:\djvpj.exec:\djvpj.exe118⤵PID:1520
-
\??\c:\lflffff.exec:\lflffff.exe119⤵PID:4252
-
\??\c:\tbbbnb.exec:\tbbbnb.exe120⤵PID:1492
-
\??\c:\3jpjp.exec:\3jpjp.exe121⤵PID:3068
-
\??\c:\rffxxxx.exec:\rffxxxx.exe122⤵PID:5560