Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
14-10-2024 04:52
Static task
static1
Behavioral task
behavioral1
Sample
e03d638ccfe2285a3481de749d7d56fb5469d6bac1a08afe249d36210b62ce44.exe
Resource
win7-20241010-en (note: the platform/resource fields above name the win10v2004-20241007-en image and every IoC section below is tagged behavioral2, so this win7 resource appears to belong to a different task and should not be read as describing the run reported here)
General
-
Target
e03d638ccfe2285a3481de749d7d56fb5469d6bac1a08afe249d36210b62ce44.exe
-
Size
332KB
-
MD5
57976d55a73b7c031f9e165cbfc63932
-
SHA1
455aaf237c1c048962248fd3f44b88f6d94544d1
-
SHA256
e03d638ccfe2285a3481de749d7d56fb5469d6bac1a08afe249d36210b62ce44
-
SHA512
d386da94bd1dba99efdf2c6bb4114ab9b6ccc3e0aca8b435e0ef8fdaa7ef68c211d79cae899dae4c9f153af0c822c21487bd9736340a701557177fc876cd0071
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPh/:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTv
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3576-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1940-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1424-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-810-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-926-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-945-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-1039-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-1834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
(Reviewer note: PIDs are reused within this run — e.g. 3576 is both the submitted sample and hbhtnn.exe, 1520 is both fllxlxr.exe and i668248.exe, 4488 is both vvvjd.exe and 2066448.exe — so memory-dump IoCs keyed on PID alone are ambiguous; correlate on PID plus the numeric suffix after it in the dump name, or on the position in the process tree below.)
pid Process 2216 a0642.exe 4488 vvvjd.exe 1148 004860.exe 3108 8404204.exe 3956 dvdpv.exe 1428 vjdvj.exe 1712 flxfrxx.exe 5044 btnhtn.exe 4552 vjppp.exe 1900 nnthbn.exe 1520 fllxlxr.exe 1244 tnthtt.exe 4260 dpvpp.exe 2860 xrllrlf.exe 2564 5nnbth.exe 2656 200460.exe 1704 nbbntn.exe 4344 86260.exe 4884 222682.exe 4380 28486.exe 4796 84820.exe 644 64206.exe 60 64042.exe 3520 20208.exe 1176 djjvj.exe 1940 bnhthb.exe 3664 88486.exe 4804 vjpdd.exe 4072 xfxxflx.exe 2700 268866.exe 4748 lxxrlrl.exe 1492 xlrlrrx.exe 1980 268844.exe 2892 llxrlrr.exe 4372 jppdv.exe 4476 5fxrlfx.exe 468 86208.exe 4780 0608204.exe 3480 dppjv.exe 1780 w04020.exe 4312 vpdvd.exe 3576 hbhtnn.exe 4588 rflxrlf.exe 3140 nnnhtb.exe 2020 6220448.exe 4800 jppjv.exe 3104 7lrflfl.exe 1104 bnbthh.exe 852 068200.exe 1668 xrlfrxr.exe 4996 pvvpj.exe 2840 3tnnhh.exe 3076 vjpdv.exe 2952 jjvpj.exe 2004 xrrffxr.exe 2496 288826.exe 4484 jpvpv.exe 3896 2086044.exe 2236 rlxxrll.exe 1520 i668248.exe 968 vppdv.exe 3612 20220.exe 3892 2466026.exe 1424 dpvdp.exe -
resource yara_rule behavioral2/memory/3576-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4804-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2908-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-811-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-810-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-926-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-945-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). Reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language are a weak indicator on their own, since benign runtimes also query this key; entries attributed to "Process not Found" are events the sandbox could not tie back to a named process, so they cannot be attributed to a specific dropped executable from this report.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2026448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6440288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 622682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
(Reviewer note: every entry below is a parent writing into the child it has just spawned — the PID pairs match the process tree in the Processes section, e.g. 3576→2216→4488→1148 — rather than a write into an unrelated, pre-existing process, and each pair is logged three times. This is consistent with a self-replicating drop-and-execute chain and is not by itself evidence of code injection into another process.)
description pid Process procid_target PID 3576 wrote to memory of 2216 3576 e03d638ccfe2285a3481de749d7d56fb5469d6bac1a08afe249d36210b62ce44.exe 84 PID 3576 wrote to memory of 2216 3576 e03d638ccfe2285a3481de749d7d56fb5469d6bac1a08afe249d36210b62ce44.exe 84 PID 3576 wrote to memory of 2216 3576 e03d638ccfe2285a3481de749d7d56fb5469d6bac1a08afe249d36210b62ce44.exe 84 PID 2216 wrote to memory of 4488 2216 a0642.exe 85 PID 2216 wrote to memory of 4488 2216 a0642.exe 85 PID 2216 wrote to memory of 4488 2216 a0642.exe 85 PID 4488 wrote to memory of 1148 4488 vvvjd.exe 86 PID 4488 wrote to memory of 1148 4488 vvvjd.exe 86 PID 4488 wrote to memory of 1148 4488 vvvjd.exe 86 PID 1148 wrote to memory of 3108 1148 004860.exe 87 PID 1148 wrote to memory of 3108 1148 004860.exe 87 PID 1148 wrote to memory of 3108 1148 004860.exe 87 PID 3108 wrote to memory of 3956 3108 8404204.exe 90 PID 3108 wrote to memory of 3956 3108 8404204.exe 90 PID 3108 wrote to memory of 3956 3108 8404204.exe 90 PID 3956 wrote to memory of 1428 3956 dvdpv.exe 91 PID 3956 wrote to memory of 1428 3956 dvdpv.exe 91 PID 3956 wrote to memory of 1428 3956 dvdpv.exe 91 PID 1428 wrote to memory of 1712 1428 vjdvj.exe 92 PID 1428 wrote to memory of 1712 1428 vjdvj.exe 92 PID 1428 wrote to memory of 1712 1428 vjdvj.exe 92 PID 1712 wrote to memory of 5044 1712 flxfrxx.exe 93 PID 1712 wrote to memory of 5044 1712 flxfrxx.exe 93 PID 1712 wrote to memory of 5044 1712 flxfrxx.exe 93 PID 5044 wrote to memory of 4552 5044 btnhtn.exe 94 PID 5044 wrote to memory of 4552 5044 btnhtn.exe 94 PID 5044 wrote to memory of 4552 5044 btnhtn.exe 94 PID 4552 wrote to memory of 1900 4552 vjppp.exe 95 PID 4552 wrote to memory of 1900 4552 vjppp.exe 95 PID 4552 wrote to memory of 1900 4552 vjppp.exe 95 PID 1900 wrote to memory of 1520 1900 nnthbn.exe 96 PID 1900 wrote to memory of 1520 1900 nnthbn.exe 96 PID 1900 wrote to memory of 1520 1900 nnthbn.exe 96 PID 1520 wrote to memory of 1244 1520 fllxlxr.exe 97 PID 1520 wrote to memory of 
1244 1520 fllxlxr.exe 97 PID 1520 wrote to memory of 1244 1520 fllxlxr.exe 97 PID 1244 wrote to memory of 4260 1244 tnthtt.exe 98 PID 1244 wrote to memory of 4260 1244 tnthtt.exe 98 PID 1244 wrote to memory of 4260 1244 tnthtt.exe 98 PID 4260 wrote to memory of 2860 4260 dpvpp.exe 99 PID 4260 wrote to memory of 2860 4260 dpvpp.exe 99 PID 4260 wrote to memory of 2860 4260 dpvpp.exe 99 PID 2860 wrote to memory of 2564 2860 xrllrlf.exe 100 PID 2860 wrote to memory of 2564 2860 xrllrlf.exe 100 PID 2860 wrote to memory of 2564 2860 xrllrlf.exe 100 PID 2564 wrote to memory of 2656 2564 5nnbth.exe 101 PID 2564 wrote to memory of 2656 2564 5nnbth.exe 101 PID 2564 wrote to memory of 2656 2564 5nnbth.exe 101 PID 2656 wrote to memory of 1704 2656 200460.exe 102 PID 2656 wrote to memory of 1704 2656 200460.exe 102 PID 2656 wrote to memory of 1704 2656 200460.exe 102 PID 1704 wrote to memory of 4344 1704 nbbntn.exe 103 PID 1704 wrote to memory of 4344 1704 nbbntn.exe 103 PID 1704 wrote to memory of 4344 1704 nbbntn.exe 103 PID 4344 wrote to memory of 4884 4344 86260.exe 104 PID 4344 wrote to memory of 4884 4344 86260.exe 104 PID 4344 wrote to memory of 4884 4344 86260.exe 104 PID 4884 wrote to memory of 4380 4884 222682.exe 105 PID 4884 wrote to memory of 4380 4884 222682.exe 105 PID 4884 wrote to memory of 4380 4884 222682.exe 105 PID 4380 wrote to memory of 4796 4380 28486.exe 106 PID 4380 wrote to memory of 4796 4380 28486.exe 106 PID 4380 wrote to memory of 4796 4380 28486.exe 106 PID 4796 wrote to memory of 644 4796 84820.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\e03d638ccfe2285a3481de749d7d56fb5469d6bac1a08afe249d36210b62ce44.exe"C:\Users\Admin\AppData\Local\Temp\e03d638ccfe2285a3481de749d7d56fb5469d6bac1a08afe249d36210b62ce44.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\a0642.exec:\a0642.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\vvvjd.exec:\vvvjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\004860.exec:\004860.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\8404204.exec:\8404204.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\dvdpv.exec:\dvdpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\vjdvj.exec:\vjdvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\flxfrxx.exec:\flxfrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\btnhtn.exec:\btnhtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\vjppp.exec:\vjppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\nnthbn.exec:\nnthbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\fllxlxr.exec:\fllxlxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\tnthtt.exec:\tnthtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\dpvpp.exec:\dpvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\xrllrlf.exec:\xrllrlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\5nnbth.exec:\5nnbth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\200460.exec:\200460.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\nbbntn.exec:\nbbntn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\86260.exec:\86260.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\222682.exec:\222682.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\28486.exec:\28486.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\84820.exec:\84820.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\64206.exec:\64206.exe23⤵
- Executes dropped EXE
PID:644 -
\??\c:\64042.exec:\64042.exe24⤵
- Executes dropped EXE
PID:60 -
\??\c:\20208.exec:\20208.exe25⤵
- Executes dropped EXE
PID:3520 -
\??\c:\djjvj.exec:\djjvj.exe26⤵
- Executes dropped EXE
PID:1176 -
\??\c:\bnhthb.exec:\bnhthb.exe27⤵
- Executes dropped EXE
PID:1940 -
\??\c:\88486.exec:\88486.exe28⤵
- Executes dropped EXE
PID:3664 -
\??\c:\vjpdd.exec:\vjpdd.exe29⤵
- Executes dropped EXE
PID:4804 -
\??\c:\xfxxflx.exec:\xfxxflx.exe30⤵
- Executes dropped EXE
PID:4072 -
\??\c:\268866.exec:\268866.exe31⤵
- Executes dropped EXE
PID:2700 -
\??\c:\lxxrlrl.exec:\lxxrlrl.exe32⤵
- Executes dropped EXE
PID:4748 -
\??\c:\xlrlrrx.exec:\xlrlrrx.exe33⤵
- Executes dropped EXE
PID:1492 -
\??\c:\268844.exec:\268844.exe34⤵
- Executes dropped EXE
PID:1980 -
\??\c:\llxrlrr.exec:\llxrlrr.exe35⤵
- Executes dropped EXE
PID:2892 -
\??\c:\jppdv.exec:\jppdv.exe36⤵
- Executes dropped EXE
PID:4372 -
\??\c:\5fxrlfx.exec:\5fxrlfx.exe37⤵
- Executes dropped EXE
PID:4476 -
\??\c:\86208.exec:\86208.exe38⤵
- Executes dropped EXE
PID:468 -
\??\c:\0608204.exec:\0608204.exe39⤵
- Executes dropped EXE
PID:4780 -
\??\c:\dppjv.exec:\dppjv.exe40⤵
- Executes dropped EXE
PID:3480 -
\??\c:\w04020.exec:\w04020.exe41⤵
- Executes dropped EXE
PID:1780 -
\??\c:\vpdvd.exec:\vpdvd.exe42⤵
- Executes dropped EXE
PID:4312 -
\??\c:\hbhtnn.exec:\hbhtnn.exe43⤵
- Executes dropped EXE
PID:3576 -
\??\c:\rflxrlf.exec:\rflxrlf.exe44⤵
- Executes dropped EXE
PID:4588 -
\??\c:\nnnhtb.exec:\nnnhtb.exe45⤵
- Executes dropped EXE
PID:3140 -
\??\c:\6220448.exec:\6220448.exe46⤵
- Executes dropped EXE
PID:2020 -
\??\c:\jppjv.exec:\jppjv.exe47⤵
- Executes dropped EXE
PID:4800 -
\??\c:\7lrflfl.exec:\7lrflfl.exe48⤵
- Executes dropped EXE
PID:3104 -
\??\c:\bnbthh.exec:\bnbthh.exe49⤵
- Executes dropped EXE
PID:1104 -
\??\c:\068200.exec:\068200.exe50⤵
- Executes dropped EXE
PID:852 -
\??\c:\xrlfrxr.exec:\xrlfrxr.exe51⤵
- Executes dropped EXE
PID:1668 -
\??\c:\pvvpj.exec:\pvvpj.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4996 -
\??\c:\3tnnhh.exec:\3tnnhh.exe53⤵
- Executes dropped EXE
PID:2840 -
\??\c:\vjpdv.exec:\vjpdv.exe54⤵
- Executes dropped EXE
PID:3076 -
\??\c:\jjvpj.exec:\jjvpj.exe55⤵
- Executes dropped EXE
PID:2952 -
\??\c:\xrrffxr.exec:\xrrffxr.exe56⤵
- Executes dropped EXE
PID:2004 -
\??\c:\288826.exec:\288826.exe57⤵
- Executes dropped EXE
PID:2496 -
\??\c:\jpvpv.exec:\jpvpv.exe58⤵
- Executes dropped EXE
PID:4484 -
\??\c:\2086044.exec:\2086044.exe59⤵
- Executes dropped EXE
PID:3896 -
\??\c:\rlxxrll.exec:\rlxxrll.exe60⤵
- Executes dropped EXE
PID:2236 -
\??\c:\i668248.exec:\i668248.exe61⤵
- Executes dropped EXE
PID:1520 -
\??\c:\vppdv.exec:\vppdv.exe62⤵
- Executes dropped EXE
PID:968 -
\??\c:\20220.exec:\20220.exe63⤵
- Executes dropped EXE
PID:3612 -
\??\c:\2466026.exec:\2466026.exe64⤵
- Executes dropped EXE
PID:3892 -
\??\c:\dpvdp.exec:\dpvdp.exe65⤵
- Executes dropped EXE
PID:1424 -
\??\c:\lrxfrfx.exec:\lrxfrfx.exe66⤵PID:3372
-
\??\c:\8400484.exec:\8400484.exe67⤵PID:452
-
\??\c:\02404.exec:\02404.exe68⤵PID:1184
-
\??\c:\pjjdv.exec:\pjjdv.exe69⤵PID:1500
-
\??\c:\4282004.exec:\4282004.exe70⤵PID:4556
-
\??\c:\28824.exec:\28824.exe71⤵PID:4344
-
\??\c:\1pvpp.exec:\1pvpp.exe72⤵PID:116
-
\??\c:\288604.exec:\288604.exe73⤵PID:4296
-
\??\c:\080488.exec:\080488.exe74⤵PID:3000
-
\??\c:\00020.exec:\00020.exe75⤵PID:1584
-
\??\c:\xflfrrr.exec:\xflfrrr.exe76⤵PID:1924
-
\??\c:\dvpjd.exec:\dvpjd.exe77⤵PID:3900
-
\??\c:\260864.exec:\260864.exe78⤵PID:3060
-
\??\c:\22426.exec:\22426.exe79⤵PID:1776
-
\??\c:\lllxlfr.exec:\lllxlfr.exe80⤵PID:3388
-
\??\c:\vppjj.exec:\vppjj.exe81⤵PID:2452
-
\??\c:\nbbtnn.exec:\nbbtnn.exe82⤵PID:2592
-
\??\c:\vpjpd.exec:\vpjpd.exe83⤵PID:3376
-
\??\c:\4642660.exec:\4642660.exe84⤵PID:836
-
\??\c:\xrlfffx.exec:\xrlfffx.exe85⤵PID:2904
-
\??\c:\hhhtht.exec:\hhhtht.exe86⤵PID:3144
-
\??\c:\084226.exec:\084226.exe87⤵PID:3092
-
\??\c:\hhhnhh.exec:\hhhnhh.exe88⤵PID:2908
-
\??\c:\880404.exec:\880404.exe89⤵PID:1588
-
\??\c:\dpjvj.exec:\dpjvj.exe90⤵PID:1008
-
\??\c:\880604.exec:\880604.exe91⤵PID:5012
-
\??\c:\082044.exec:\082044.exe92⤵PID:3792
-
\??\c:\3vdvj.exec:\3vdvj.exe93⤵PID:1576
-
\??\c:\lflxrrl.exec:\lflxrrl.exe94⤵
- System Location Discovery: System Language Discovery
PID:4264 -
\??\c:\84604.exec:\84604.exe95⤵PID:2680
-
\??\c:\tttnnt.exec:\tttnnt.exe96⤵PID:4584
-
\??\c:\20264.exec:\20264.exe97⤵PID:2744
-
\??\c:\hhbthh.exec:\hhbthh.exe98⤵PID:2028
-
\??\c:\lllflll.exec:\lllflll.exe99⤵PID:4868
-
\??\c:\3xrrffx.exec:\3xrrffx.exe100⤵PID:4340
-
\??\c:\84246.exec:\84246.exe101⤵PID:4008
-
\??\c:\2066448.exec:\2066448.exe102⤵PID:4488
-
\??\c:\0288222.exec:\0288222.exe103⤵PID:3620
-
\??\c:\6004226.exec:\6004226.exe104⤵PID:2020
-
\??\c:\htbtnh.exec:\htbtnh.exe105⤵PID:4800
-
\??\c:\pjjvp.exec:\pjjvp.exe106⤵PID:816
-
\??\c:\pvdjv.exec:\pvdjv.exe107⤵PID:1104
-
\??\c:\tbthbt.exec:\tbthbt.exe108⤵PID:852
-
\??\c:\htnbhb.exec:\htnbhb.exe109⤵PID:2924
-
\??\c:\s4480.exec:\s4480.exe110⤵PID:640
-
\??\c:\tntthb.exec:\tntthb.exe111⤵PID:4460
-
\??\c:\2026448.exec:\2026448.exe112⤵
- System Location Discovery: System Language Discovery
PID:1540 -
\??\c:\22260.exec:\22260.exe113⤵PID:3504
-
\??\c:\vvdpj.exec:\vvdpj.exe114⤵PID:4020
-
\??\c:\tttnnn.exec:\tttnnn.exe115⤵PID:1988
-
\??\c:\pjppp.exec:\pjppp.exe116⤵PID:2480
-
\??\c:\vjdvv.exec:\vjdvv.exe117⤵PID:4572
-
\??\c:\64868.exec:\64868.exe118⤵PID:3928
-
\??\c:\44042.exec:\44042.exe119⤵PID:3404
-
\??\c:\rrrlxxr.exec:\rrrlxxr.exe120⤵PID:1124
-
\??\c:\w20404.exec:\w20404.exe121⤵PID:396
-
\??\c:\jdvjj.exec:\jdvjj.exe122⤵PID:2192