Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 19:20
Behavioral task
behavioral1
Sample
e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105.exe
Resource
win7-20241010-en
General
-
Target
e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105.exe
-
Size
50KB
-
MD5
5b8fcc61f01923defa64b4cb5a1e076b
-
SHA1
c230a9f733d13a4a866891abe71c9b1a607d33b1
-
SHA256
e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105
-
SHA512
e137519deaf1b5214d440f7c6e645aef952a3cae18d23c6c5583b3c65502de53d24bd796c6a97dd1cc8f8c0b5e35af0073581fa79ef720b1280fe6f326b14ea0
-
SSDEEP
1536:LvQBeOGtrYS3srx93UBWfwC6Ggnouy8g5Uhub:LhOmTsF93UYfwC6GIoutg5Uha
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/1168-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/844-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3452-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1232-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4576-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/840-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3568-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1496-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3972-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1884-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2800-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/916-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2512-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4516-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3360-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3932-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2988-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1732-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3216-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3176-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4120-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1656-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2620-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4732-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1064-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1584-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4388-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1796-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/812-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3284-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1520-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1300-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1688-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2800-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/768-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2916-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4516-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3992-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3808-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2716-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3744-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2940-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2564-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1976-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3860-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1244-461-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-476-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-481-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4048-484-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-495-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3840-524-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-583-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5008-586-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2372-861-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
2806622.exe082006.exeppddv.exebthhbh.exe0204804.exelxrlffx.exethntnt.exe8288446.exe642608.exe682602.exelllxffl.exe688228.exelrrlxrr.exerffxllx.exe606000.exe24066.exe0862660.exe286008.exenhtntb.exe44642.exerxfxrrx.exejjjjd.exevjpjv.exek48826.exe9bnhbb.exe000600.exehtbbbh.exe60240.exevdjjd.exepjjdd.exerffrlll.exevvvvp.exerrlxxlx.exe0864880.exe1jvpv.exe044822.exe2000444.exevvvvv.exehnbhnb.exe64008.exebttntt.exenttbnb.exetnhbth.exe82626.exebnnhtt.exe02680.exe8088000.exetbnntb.exevjvpv.exexrrllff.exevvdpd.exe022468.exe4644802.exe428280.exew62648.exe3xlffrl.exe662644.exeffrxlrr.exetnhhtt.exe68822.exehbbttt.exe3fxfrxx.exehntnhh.exe224822.exepid Process 3452 2806622.exe 844 082006.exe 1232 ppddv.exe 4576 bthhbh.exe 4000 0204804.exe 2272 lxrlffx.exe 840 thntnt.exe 3580 8288446.exe 3568 642608.exe 1496 682602.exe 3972 lllxffl.exe 4204 688228.exe 3588 lrrlxrr.exe 1884 rffxllx.exe 1580 606000.exe 4092 24066.exe 2800 0862660.exe 640 286008.exe 4032 nhtntb.exe 1920 44642.exe 4852 rxfxrrx.exe 3608 jjjjd.exe 916 vjpjv.exe 2512 k48826.exe 4516 9bnhbb.exe 3360 000600.exe 3688 htbbbh.exe 400 60240.exe 4968 vdjjd.exe 3808 pjjdd.exe 3932 rffrlll.exe 2988 vvvvp.exe 1732 rrlxxlx.exe 3216 0864880.exe 3176 1jvpv.exe 4108 044822.exe 4120 2000444.exe 1008 vvvvv.exe 4828 hnbhnb.exe 1656 64008.exe 4168 bttntt.exe 2620 nttbnb.exe 2556 tnhbth.exe 2120 82626.exe 5044 bnnhtt.exe 4732 02680.exe 4844 8088000.exe 1064 tbnntb.exe 1584 vjvpv.exe 1800 xrrllff.exe 432 vvdpd.exe 2756 022468.exe 1384 4644802.exe 3660 428280.exe 1904 w62648.exe 4388 3xlffrl.exe 4996 662644.exe 1796 ffrxlrr.exe 812 tnhhtt.exe 3252 68822.exe 3284 hbbttt.exe 1520 3fxfrxx.exe 2592 hntnhh.exe 4008 224822.exe -
Processes:
resource yara_rule behavioral2/memory/1168-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0010000000023bc5-3.dat upx behavioral2/memory/1168-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-12.dat upx behavioral2/memory/844-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3452-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c8f-9.dat upx behavioral2/files/0x0007000000023c95-18.dat upx behavioral2/memory/1232-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4576-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c96-24.dat upx behavioral2/files/0x0007000000023c97-28.dat upx behavioral2/files/0x0007000000023c98-32.dat upx behavioral2/files/0x0007000000023c99-36.dat upx behavioral2/memory/840-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-41.dat upx behavioral2/files/0x0007000000023c9b-45.dat upx behavioral2/memory/3568-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-50.dat upx behavioral2/memory/1496-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-55.dat upx behavioral2/memory/3972-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-61.dat upx behavioral2/memory/4204-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3588-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-67.dat upx behavioral2/memory/1884-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-72.dat upx behavioral2/files/0x0007000000023ca1-75.dat upx behavioral2/memory/1580-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-80.dat upx behavioral2/files/0x0007000000023ca3-84.dat upx 
behavioral2/memory/2800-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-90.dat upx behavioral2/memory/640-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-95.dat upx behavioral2/memory/1920-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca6-99.dat upx behavioral2/files/0x0008000000023c90-103.dat upx behavioral2/memory/3608-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-108.dat upx behavioral2/files/0x0007000000023ca8-113.dat upx behavioral2/memory/916-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-118.dat upx behavioral2/memory/2512-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4516-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-123.dat upx behavioral2/memory/3360-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-128.dat upx behavioral2/memory/3688-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-139.dat upx behavioral2/memory/3688-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-134.dat upx behavioral2/files/0x0007000000023cae-142.dat upx behavioral2/files/0x0007000000023caf-146.dat upx behavioral2/memory/3932-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-151.dat upx behavioral2/memory/2988-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1732-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3216-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3176-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4120-168-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1656-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4828-175-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
Processes:
pjjdd.exevpvpp.exedjjdj.exerfxxlfx.exerxfxrlf.exedjppv.exe8866240.exe40684.exe0844444.exebbhnbb.exevdvpv.exe268060.exeppvvv.exea4086.exe6002600.exefllrllr.exe7tthbb.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8866240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0844444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6002600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105.exe2806622.exe082006.exeppddv.exebthhbh.exe0204804.exelxrlffx.exethntnt.exe8288446.exe642608.exe682602.exelllxffl.exe688228.exelrrlxrr.exerffxllx.exe606000.exe24066.exe0862660.exe286008.exenhtntb.exe44642.exerxfxrrx.exedescription pid Process procid_target PID 1168 wrote to memory of 3452 1168 e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105.exe 82 PID 1168 wrote to memory of 3452 1168 e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105.exe 82 PID 1168 wrote to memory of 3452 1168 e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105.exe 82 PID 3452 wrote to memory of 844 3452 2806622.exe 83 PID 3452 wrote to memory of 844 3452 2806622.exe 83 PID 3452 wrote to memory of 844 3452 2806622.exe 83 PID 844 wrote to memory of 1232 844 082006.exe 84 PID 844 wrote to memory of 1232 844 082006.exe 84 PID 844 wrote to memory of 1232 844 082006.exe 84 PID 1232 wrote to memory of 4576 1232 ppddv.exe 85 PID 1232 wrote to memory of 4576 1232 ppddv.exe 85 PID 1232 wrote to memory of 4576 1232 ppddv.exe 85 PID 4576 wrote to memory of 4000 4576 bthhbh.exe 86 PID 4576 wrote to memory of 4000 4576 bthhbh.exe 86 PID 4576 wrote to memory of 4000 4576 bthhbh.exe 86 PID 4000 wrote to memory of 2272 4000 0204804.exe 87 PID 4000 wrote to memory of 2272 4000 0204804.exe 87 PID 4000 wrote to memory of 2272 4000 0204804.exe 87 PID 2272 wrote to memory of 840 2272 lxrlffx.exe 88 PID 2272 wrote to memory of 840 2272 lxrlffx.exe 88 PID 2272 wrote to memory of 840 2272 lxrlffx.exe 88 PID 840 wrote to memory of 3580 840 thntnt.exe 89 PID 840 wrote to memory of 3580 840 thntnt.exe 89 PID 840 wrote to memory of 3580 840 thntnt.exe 89 PID 3580 wrote to memory of 3568 3580 8288446.exe 90 PID 3580 wrote to memory of 3568 3580 8288446.exe 90 PID 3580 wrote to memory of 3568 3580 8288446.exe 90 PID 3568 wrote to memory of 1496 3568 642608.exe 91 PID 3568 wrote to memory of 1496 3568 642608.exe 91 PID 
3568 wrote to memory of 1496 3568 642608.exe 91 PID 1496 wrote to memory of 3972 1496 682602.exe 92 PID 1496 wrote to memory of 3972 1496 682602.exe 92 PID 1496 wrote to memory of 3972 1496 682602.exe 92 PID 3972 wrote to memory of 4204 3972 lllxffl.exe 93 PID 3972 wrote to memory of 4204 3972 lllxffl.exe 93 PID 3972 wrote to memory of 4204 3972 lllxffl.exe 93 PID 4204 wrote to memory of 3588 4204 688228.exe 94 PID 4204 wrote to memory of 3588 4204 688228.exe 94 PID 4204 wrote to memory of 3588 4204 688228.exe 94 PID 3588 wrote to memory of 1884 3588 lrrlxrr.exe 95 PID 3588 wrote to memory of 1884 3588 lrrlxrr.exe 95 PID 3588 wrote to memory of 1884 3588 lrrlxrr.exe 95 PID 1884 wrote to memory of 1580 1884 rffxllx.exe 96 PID 1884 wrote to memory of 1580 1884 rffxllx.exe 96 PID 1884 wrote to memory of 1580 1884 rffxllx.exe 96 PID 1580 wrote to memory of 4092 1580 606000.exe 97 PID 1580 wrote to memory of 4092 1580 606000.exe 97 PID 1580 wrote to memory of 4092 1580 606000.exe 97 PID 4092 wrote to memory of 2800 4092 24066.exe 98 PID 4092 wrote to memory of 2800 4092 24066.exe 98 PID 4092 wrote to memory of 2800 4092 24066.exe 98 PID 2800 wrote to memory of 640 2800 0862660.exe 99 PID 2800 wrote to memory of 640 2800 0862660.exe 99 PID 2800 wrote to memory of 640 2800 0862660.exe 99 PID 640 wrote to memory of 4032 640 286008.exe 100 PID 640 wrote to memory of 4032 640 286008.exe 100 PID 640 wrote to memory of 4032 640 286008.exe 100 PID 4032 wrote to memory of 1920 4032 nhtntb.exe 101 PID 4032 wrote to memory of 1920 4032 nhtntb.exe 101 PID 4032 wrote to memory of 1920 4032 nhtntb.exe 101 PID 1920 wrote to memory of 4852 1920 44642.exe 102 PID 1920 wrote to memory of 4852 1920 44642.exe 102 PID 1920 wrote to memory of 4852 1920 44642.exe 102 PID 4852 wrote to memory of 3608 4852 rxfxrrx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105.exe"C:\Users\Admin\AppData\Local\Temp\e486e9a4f70928a10a6a35fd90f36cfc4880f89d4ec07ca16865a62bf6d56105.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\2806622.exec:\2806622.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\082006.exec:\082006.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\ppddv.exec:\ppddv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\bthhbh.exec:\bthhbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\0204804.exec:\0204804.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\lxrlffx.exec:\lxrlffx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\thntnt.exec:\thntnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\8288446.exec:\8288446.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\642608.exec:\642608.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\682602.exec:\682602.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\lllxffl.exec:\lllxffl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\688228.exec:\688228.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\lrrlxrr.exec:\lrrlxrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\rffxllx.exec:\rffxllx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\606000.exec:\606000.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\24066.exec:\24066.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\0862660.exec:\0862660.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\286008.exec:\286008.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\nhtntb.exec:\nhtntb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\44642.exec:\44642.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\rxfxrrx.exec:\rxfxrrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\jjjjd.exec:\jjjjd.exe23⤵
- Executes dropped EXE
PID:3608 -
\??\c:\vjpjv.exec:\vjpjv.exe24⤵
- Executes dropped EXE
PID:916 -
\??\c:\k48826.exec:\k48826.exe25⤵
- Executes dropped EXE
PID:2512 -
\??\c:\9bnhbb.exec:\9bnhbb.exe26⤵
- Executes dropped EXE
PID:4516 -
\??\c:\000600.exec:\000600.exe27⤵
- Executes dropped EXE
PID:3360 -
\??\c:\htbbbh.exec:\htbbbh.exe28⤵
- Executes dropped EXE
PID:3688 -
\??\c:\60240.exec:\60240.exe29⤵
- Executes dropped EXE
PID:400 -
\??\c:\vdjjd.exec:\vdjjd.exe30⤵
- Executes dropped EXE
PID:4968 -
\??\c:\pjjdd.exec:\pjjdd.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3808 -
\??\c:\rffrlll.exec:\rffrlll.exe32⤵
- Executes dropped EXE
PID:3932 -
\??\c:\vvvvp.exec:\vvvvp.exe33⤵
- Executes dropped EXE
PID:2988 -
\??\c:\rrlxxlx.exec:\rrlxxlx.exe34⤵
- Executes dropped EXE
PID:1732 -
\??\c:\0864880.exec:\0864880.exe35⤵
- Executes dropped EXE
PID:3216 -
\??\c:\1jvpv.exec:\1jvpv.exe36⤵
- Executes dropped EXE
PID:3176 -
\??\c:\044822.exec:\044822.exe37⤵
- Executes dropped EXE
PID:4108 -
\??\c:\2000444.exec:\2000444.exe38⤵
- Executes dropped EXE
PID:4120 -
\??\c:\vvvvv.exec:\vvvvv.exe39⤵
- Executes dropped EXE
PID:1008 -
\??\c:\hnbhnb.exec:\hnbhnb.exe40⤵
- Executes dropped EXE
PID:4828 -
\??\c:\64008.exec:\64008.exe41⤵
- Executes dropped EXE
PID:1656 -
\??\c:\bttntt.exec:\bttntt.exe42⤵
- Executes dropped EXE
PID:4168 -
\??\c:\nttbnb.exec:\nttbnb.exe43⤵
- Executes dropped EXE
PID:2620 -
\??\c:\tnhbth.exec:\tnhbth.exe44⤵
- Executes dropped EXE
PID:2556 -
\??\c:\82626.exec:\82626.exe45⤵
- Executes dropped EXE
PID:2120 -
\??\c:\bnnhtt.exec:\bnnhtt.exe46⤵
- Executes dropped EXE
PID:5044 -
\??\c:\02680.exec:\02680.exe47⤵
- Executes dropped EXE
PID:4732 -
\??\c:\8088000.exec:\8088000.exe48⤵
- Executes dropped EXE
PID:4844 -
\??\c:\tbnntb.exec:\tbnntb.exe49⤵
- Executes dropped EXE
PID:1064 -
\??\c:\vjvpv.exec:\vjvpv.exe50⤵
- Executes dropped EXE
PID:1584 -
\??\c:\xrrllff.exec:\xrrllff.exe51⤵
- Executes dropped EXE
PID:1800 -
\??\c:\vvdpd.exec:\vvdpd.exe52⤵
- Executes dropped EXE
PID:432 -
\??\c:\022468.exec:\022468.exe53⤵
- Executes dropped EXE
PID:2756 -
\??\c:\4644802.exec:\4644802.exe54⤵
- Executes dropped EXE
PID:1384 -
\??\c:\428280.exec:\428280.exe55⤵
- Executes dropped EXE
PID:3660 -
\??\c:\w62648.exec:\w62648.exe56⤵
- Executes dropped EXE
PID:1904 -
\??\c:\3xlffrl.exec:\3xlffrl.exe57⤵
- Executes dropped EXE
PID:4388 -
\??\c:\662644.exec:\662644.exe58⤵
- Executes dropped EXE
PID:4996 -
\??\c:\ffrxlrr.exec:\ffrxlrr.exe59⤵
- Executes dropped EXE
PID:1796 -
\??\c:\tnhhtt.exec:\tnhhtt.exe60⤵
- Executes dropped EXE
PID:812 -
\??\c:\68822.exec:\68822.exe61⤵
- Executes dropped EXE
PID:3252 -
\??\c:\hbbttt.exec:\hbbttt.exe62⤵
- Executes dropped EXE
PID:3284 -
\??\c:\3fxfrxx.exec:\3fxfrxx.exe63⤵
- Executes dropped EXE
PID:1520 -
\??\c:\hntnhh.exec:\hntnhh.exe64⤵
- Executes dropped EXE
PID:2592 -
\??\c:\224822.exec:\224822.exe65⤵
- Executes dropped EXE
PID:4008 -
\??\c:\1xxxrlf.exec:\1xxxrlf.exe66⤵PID:4768
-
\??\c:\rllflfl.exec:\rllflfl.exe67⤵PID:1180
-
\??\c:\20480.exec:\20480.exe68⤵PID:3692
-
\??\c:\llfrlxf.exec:\llfrlxf.exe69⤵PID:3580
-
\??\c:\m4048.exec:\m4048.exe70⤵PID:4140
-
\??\c:\tbbbhh.exec:\tbbbhh.exe71⤵PID:3696
-
\??\c:\xfrrrxx.exec:\xfrrrxx.exe72⤵PID:2040
-
\??\c:\48240.exec:\48240.exe73⤵PID:1300
-
\??\c:\8288220.exec:\8288220.exe74⤵PID:4308
-
\??\c:\8222628.exec:\8222628.exe75⤵PID:1688
-
\??\c:\bthbnn.exec:\bthbnn.exe76⤵PID:4244
-
\??\c:\a0604.exec:\a0604.exe77⤵PID:4892
-
\??\c:\dpvjv.exec:\dpvjv.exe78⤵PID:4944
-
\??\c:\602488.exec:\602488.exe79⤵PID:4084
-
\??\c:\840666.exec:\840666.exe80⤵PID:2404
-
\??\c:\frllfxr.exec:\frllfxr.exe81⤵PID:2160
-
\??\c:\e04264.exec:\e04264.exe82⤵PID:2800
-
\??\c:\dpvvp.exec:\dpvvp.exe83⤵PID:768
-
\??\c:\3nhnbn.exec:\3nhnbn.exe84⤵PID:2916
-
\??\c:\224440.exec:\224440.exe85⤵PID:3572
-
\??\c:\42246.exec:\42246.exe86⤵PID:3052
-
\??\c:\2060466.exec:\2060466.exe87⤵PID:2936
-
\??\c:\lrrlrll.exec:\lrrlrll.exe88⤵PID:3748
-
\??\c:\2060000.exec:\2060000.exe89⤵PID:4632
-
\??\c:\nhnhhh.exec:\nhnhhh.exe90⤵PID:1408
-
\??\c:\646822.exec:\646822.exe91⤵PID:4516
-
\??\c:\48226.exec:\48226.exe92⤵PID:3992
-
\??\c:\4844406.exec:\4844406.exe93⤵PID:1988
-
\??\c:\1dvpj.exec:\1dvpj.exe94⤵PID:2200
-
\??\c:\44266.exec:\44266.exe95⤵PID:4060
-
\??\c:\82484.exec:\82484.exe96⤵PID:2572
-
\??\c:\04660.exec:\04660.exe97⤵PID:912
-
\??\c:\xfxrlfx.exec:\xfxrlfx.exe98⤵PID:3808
-
\??\c:\jpjpj.exec:\jpjpj.exe99⤵PID:3048
-
\??\c:\thnbtt.exec:\thnbtt.exe100⤵PID:3532
-
\??\c:\484428.exec:\484428.exe101⤵PID:4484
-
\??\c:\2064822.exec:\2064822.exe102⤵PID:3268
-
\??\c:\djvpj.exec:\djvpj.exe103⤵PID:2260
-
\??\c:\428204.exec:\428204.exe104⤵PID:2716
-
\??\c:\c840004.exec:\c840004.exe105⤵PID:3736
-
\??\c:\86240.exec:\86240.exe106⤵PID:1228
-
\??\c:\o022660.exec:\o022660.exe107⤵PID:4420
-
\??\c:\jdpdp.exec:\jdpdp.exe108⤵PID:2116
-
\??\c:\244880.exec:\244880.exe109⤵PID:3744
-
\??\c:\80028.exec:\80028.exe110⤵PID:4992
-
\??\c:\pdjjd.exec:\pdjjd.exe111⤵PID:2016
-
\??\c:\3jjdv.exec:\3jjdv.exe112⤵PID:2452
-
\??\c:\7rxrrll.exec:\7rxrrll.exe113⤵PID:3968
-
\??\c:\rrxxxxx.exec:\rrxxxxx.exe114⤵PID:4608
-
\??\c:\s6222.exec:\s6222.exe115⤵PID:4324
-
\??\c:\xrxfffx.exec:\xrxfffx.exe116⤵PID:4492
-
\??\c:\hhdjjv.exec:\hhdjjv.exe117⤵PID:2940
-
\??\c:\80664.exec:\80664.exe118⤵PID:4468
-
\??\c:\666666.exec:\666666.exe119⤵PID:2564
-
\??\c:\dpvvp.exec:\dpvvp.exe120⤵PID:1168
-
\??\c:\1pdvv.exec:\1pdvv.exe121⤵PID:996
-
\??\c:\jdjjj.exec:\jdjjj.exe122⤵PID:3252