Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/11/2024, 05:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e2a48936ca2a34f1fc7f2b907d2a3124d67df90d072d770a5e79bb0565d3a87f.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
e2a48936ca2a34f1fc7f2b907d2a3124d67df90d072d770a5e79bb0565d3a87f.exe
-
Size
452KB
-
MD5
8ebc281dda8e4158edff94fab78ebbb1
-
SHA1
c63499f6cde14cdf00a5d6bb1cb483e9de18e664
-
SHA256
e2a48936ca2a34f1fc7f2b907d2a3124d67df90d072d770a5e79bb0565d3a87f
-
SHA512
7802bd3a2f84bfc8bb177ec4656f98346b8565dc65e1ef103e537abfb703e39f8a61b9134329f460c992def21f57ac058836657d941feac694135d405e0f1da1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1272-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/488-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4408-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3596-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/492-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-871-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-1517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 488 66260.exe 5016 3jpjd.exe 1764 ppvpj.exe 5012 hbttnn.exe 2804 rfxllxl.exe 2396 ddjpj.exe 3956 5hnhbb.exe 3988 08646.exe 948 bntnhh.exe 1280 828486.exe 1440 806006.exe 3764 9djdd.exe 4072 httnhh.exe 1056 4682266.exe 4692 64882.exe 2268 26406.exe 1716 4246804.exe 492 202644.exe 3596 662600.exe 656 dpvdj.exe 2836 3djjj.exe 224 vvjjv.exe 3528 nbtbhn.exe 1636 48620.exe 4008 24082.exe 5084 802222.exe 2216 rxxxllf.exe 3584 htbttt.exe 1212 3thbbb.exe 4012 0260044.exe 3996 462044.exe 1932 xfrlffx.exe 4536 vpjdv.exe 2212 q46020.exe 1092 jdvpj.exe 3408 482282.exe 3616 o066004.exe 3416 846686.exe 3164 w88880.exe 1148 64260.exe 1392 hbtntt.exe 1640 tnbttb.exe 2596 6428888.exe 2236 vpjjd.exe 3092 268284.exe 3972 66222.exe 3172 3lrlffx.exe 3496 400460.exe 3636 dpddd.exe 4612 jjdvj.exe 3564 40606.exe 4116 48624.exe 1184 e24822.exe 2280 lxfxxrl.exe 4356 3pvdj.exe 4408 lfrrrrr.exe 4320 lrfrlrr.exe 2896 q44826.exe 780 xrrrlll.exe 4876 04828.exe 888 xffllff.exe 2364 2626004.exe 384 jjjdd.exe 4700 jddvp.exe -
resource yara_rule behavioral2/memory/1272-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/488-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-269-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4612-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/656-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/492-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-352-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1364-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-839-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i648268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0408626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1272 wrote to memory of 488 1272 e2a48936ca2a34f1fc7f2b907d2a3124d67df90d072d770a5e79bb0565d3a87f.exe 82 PID 1272 wrote to memory of 488 1272 e2a48936ca2a34f1fc7f2b907d2a3124d67df90d072d770a5e79bb0565d3a87f.exe 82 PID 1272 wrote to memory of 488 1272 e2a48936ca2a34f1fc7f2b907d2a3124d67df90d072d770a5e79bb0565d3a87f.exe 82 PID 488 wrote to memory of 5016 488 66260.exe 83 PID 488 wrote to memory of 5016 488 66260.exe 83 PID 488 wrote to memory of 5016 488 66260.exe 83 PID 5016 wrote to memory of 1764 5016 3jpjd.exe 84 PID 5016 wrote to memory of 1764 5016 3jpjd.exe 84 PID 5016 wrote to memory of 1764 5016 3jpjd.exe 84 PID 1764 wrote to memory of 5012 1764 ppvpj.exe 85 PID 1764 wrote to memory of 5012 1764 ppvpj.exe 85 PID 1764 wrote to memory of 5012 1764 ppvpj.exe 85 PID 5012 wrote to memory of 2804 5012 hbttnn.exe 86 PID 5012 wrote to memory of 2804 5012 hbttnn.exe 86 PID 5012 wrote to memory of 2804 5012 hbttnn.exe 86 PID 2804 wrote to memory of 2396 2804 rfxllxl.exe 87 PID 2804 wrote to memory of 2396 2804 rfxllxl.exe 87 PID 2804 wrote to memory of 2396 2804 rfxllxl.exe 87 PID 2396 wrote to memory of 3956 2396 ddjpj.exe 88 PID 2396 wrote to memory of 3956 2396 ddjpj.exe 88 PID 2396 wrote to memory of 3956 2396 ddjpj.exe 88 PID 3956 wrote to memory of 3988 3956 5hnhbb.exe 89 PID 3956 wrote to memory of 3988 3956 5hnhbb.exe 89 PID 3956 wrote to memory of 3988 3956 5hnhbb.exe 89 PID 3988 wrote to memory of 948 3988 08646.exe 90 PID 3988 wrote to memory of 948 3988 08646.exe 90 PID 3988 wrote to memory of 948 3988 08646.exe 90 PID 948 wrote to memory of 1280 948 bntnhh.exe 91 PID 948 wrote to memory of 1280 948 bntnhh.exe 91 PID 948 wrote to memory of 1280 948 bntnhh.exe 91 PID 1280 wrote to memory of 1440 1280 828486.exe 92 PID 1280 wrote to memory of 1440 1280 828486.exe 92 PID 1280 wrote to memory of 1440 1280 828486.exe 92 PID 1440 wrote to memory of 3764 1440 806006.exe 93 PID 1440 wrote to memory of 3764 1440 806006.exe 
93 PID 1440 wrote to memory of 3764 1440 806006.exe 93 PID 3764 wrote to memory of 4072 3764 9djdd.exe 94 PID 3764 wrote to memory of 4072 3764 9djdd.exe 94 PID 3764 wrote to memory of 4072 3764 9djdd.exe 94 PID 4072 wrote to memory of 1056 4072 httnhh.exe 95 PID 4072 wrote to memory of 1056 4072 httnhh.exe 95 PID 4072 wrote to memory of 1056 4072 httnhh.exe 95 PID 1056 wrote to memory of 4692 1056 4682266.exe 96 PID 1056 wrote to memory of 4692 1056 4682266.exe 96 PID 1056 wrote to memory of 4692 1056 4682266.exe 96 PID 4692 wrote to memory of 2268 4692 64882.exe 166 PID 4692 wrote to memory of 2268 4692 64882.exe 166 PID 4692 wrote to memory of 2268 4692 64882.exe 166 PID 2268 wrote to memory of 1716 2268 26406.exe 98 PID 2268 wrote to memory of 1716 2268 26406.exe 98 PID 2268 wrote to memory of 1716 2268 26406.exe 98 PID 1716 wrote to memory of 492 1716 4246804.exe 167 PID 1716 wrote to memory of 492 1716 4246804.exe 167 PID 1716 wrote to memory of 492 1716 4246804.exe 167 PID 492 wrote to memory of 3596 492 202644.exe 100 PID 492 wrote to memory of 3596 492 202644.exe 100 PID 492 wrote to memory of 3596 492 202644.exe 100 PID 3596 wrote to memory of 656 3596 662600.exe 101 PID 3596 wrote to memory of 656 3596 662600.exe 101 PID 3596 wrote to memory of 656 3596 662600.exe 101 PID 656 wrote to memory of 2836 656 dpvdj.exe 102 PID 656 wrote to memory of 2836 656 dpvdj.exe 102 PID 656 wrote to memory of 2836 656 dpvdj.exe 102 PID 2836 wrote to memory of 224 2836 3djjj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2a48936ca2a34f1fc7f2b907d2a3124d67df90d072d770a5e79bb0565d3a87f.exe"C:\Users\Admin\AppData\Local\Temp\e2a48936ca2a34f1fc7f2b907d2a3124d67df90d072d770a5e79bb0565d3a87f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\66260.exec:\66260.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:488 -
\??\c:\3jpjd.exec:\3jpjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\ppvpj.exec:\ppvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\hbttnn.exec:\hbttnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\rfxllxl.exec:\rfxllxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\ddjpj.exec:\ddjpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\5hnhbb.exec:\5hnhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\08646.exec:\08646.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\bntnhh.exec:\bntnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\828486.exec:\828486.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\806006.exec:\806006.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\9djdd.exec:\9djdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\httnhh.exec:\httnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\4682266.exec:\4682266.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\64882.exec:\64882.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\26406.exec:\26406.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\4246804.exec:\4246804.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\202644.exec:\202644.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:492 -
\??\c:\662600.exec:\662600.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\dpvdj.exec:\dpvdj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:656 -
\??\c:\3djjj.exec:\3djjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\vvjjv.exec:\vvjjv.exe23⤵
- Executes dropped EXE
PID:224 -
\??\c:\nbtbhn.exec:\nbtbhn.exe24⤵
- Executes dropped EXE
PID:3528 -
\??\c:\48620.exec:\48620.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636 -
\??\c:\24082.exec:\24082.exe26⤵
- Executes dropped EXE
PID:4008 -
\??\c:\802222.exec:\802222.exe27⤵
- Executes dropped EXE
PID:5084 -
\??\c:\rxxxllf.exec:\rxxxllf.exe28⤵
- Executes dropped EXE
PID:2216 -
\??\c:\htbttt.exec:\htbttt.exe29⤵
- Executes dropped EXE
PID:3584 -
\??\c:\3thbbb.exec:\3thbbb.exe30⤵
- Executes dropped EXE
PID:1212 -
\??\c:\0260044.exec:\0260044.exe31⤵
- Executes dropped EXE
PID:4012 -
\??\c:\462044.exec:\462044.exe32⤵
- Executes dropped EXE
PID:3996 -
\??\c:\xfrlffx.exec:\xfrlffx.exe33⤵
- Executes dropped EXE
PID:1932 -
\??\c:\vpjdv.exec:\vpjdv.exe34⤵
- Executes dropped EXE
PID:4536 -
\??\c:\q46020.exec:\q46020.exe35⤵
- Executes dropped EXE
PID:2212 -
\??\c:\jdvpj.exec:\jdvpj.exe36⤵
- Executes dropped EXE
PID:1092 -
\??\c:\482282.exec:\482282.exe37⤵
- Executes dropped EXE
PID:3408 -
\??\c:\o066004.exec:\o066004.exe38⤵
- Executes dropped EXE
PID:3616 -
\??\c:\846686.exec:\846686.exe39⤵
- Executes dropped EXE
PID:3416 -
\??\c:\w88880.exec:\w88880.exe40⤵
- Executes dropped EXE
PID:3164 -
\??\c:\64260.exec:\64260.exe41⤵
- Executes dropped EXE
PID:1148 -
\??\c:\hbtntt.exec:\hbtntt.exe42⤵
- Executes dropped EXE
PID:1392 -
\??\c:\tnbttb.exec:\tnbttb.exe43⤵
- Executes dropped EXE
PID:1640 -
\??\c:\6428888.exec:\6428888.exe44⤵
- Executes dropped EXE
PID:2596 -
\??\c:\vpjjd.exec:\vpjjd.exe45⤵
- Executes dropped EXE
PID:2236 -
\??\c:\268284.exec:\268284.exe46⤵
- Executes dropped EXE
PID:3092 -
\??\c:\66222.exec:\66222.exe47⤵
- Executes dropped EXE
PID:3972 -
\??\c:\3lrlffx.exec:\3lrlffx.exe48⤵
- Executes dropped EXE
PID:3172 -
\??\c:\400460.exec:\400460.exe49⤵
- Executes dropped EXE
PID:3496 -
\??\c:\dpddd.exec:\dpddd.exe50⤵
- Executes dropped EXE
PID:3636 -
\??\c:\jjdvj.exec:\jjdvj.exe51⤵
- Executes dropped EXE
PID:4612 -
\??\c:\40606.exec:\40606.exe52⤵
- Executes dropped EXE
PID:3564 -
\??\c:\48624.exec:\48624.exe53⤵
- Executes dropped EXE
PID:4116 -
\??\c:\e24822.exec:\e24822.exe54⤵
- Executes dropped EXE
PID:1184 -
\??\c:\lxfxxrl.exec:\lxfxxrl.exe55⤵
- Executes dropped EXE
PID:2280 -
\??\c:\3pvdj.exec:\3pvdj.exe56⤵
- Executes dropped EXE
PID:4356 -
\??\c:\lfrrrrr.exec:\lfrrrrr.exe57⤵
- Executes dropped EXE
PID:4408 -
\??\c:\lrfrlrr.exec:\lrfrlrr.exe58⤵
- Executes dropped EXE
PID:4320 -
\??\c:\q44826.exec:\q44826.exe59⤵
- Executes dropped EXE
PID:2896 -
\??\c:\xrrrlll.exec:\xrrrlll.exe60⤵
- Executes dropped EXE
PID:780 -
\??\c:\04828.exec:\04828.exe61⤵
- Executes dropped EXE
PID:4876 -
\??\c:\xffllff.exec:\xffllff.exe62⤵
- Executes dropped EXE
PID:888 -
\??\c:\2626004.exec:\2626004.exe63⤵
- Executes dropped EXE
PID:2364 -
\??\c:\jjjdd.exec:\jjjdd.exe64⤵
- Executes dropped EXE
PID:384 -
\??\c:\jddvp.exec:\jddvp.exe65⤵
- Executes dropped EXE
PID:4700 -
\??\c:\q06042.exec:\q06042.exe66⤵PID:4580
-
\??\c:\tbnttb.exec:\tbnttb.exe67⤵PID:2272
-
\??\c:\8682228.exec:\8682228.exe68⤵PID:708
-
\??\c:\bnbtbb.exec:\bnbtbb.exe69⤵PID:4004
-
\??\c:\tbnhbt.exec:\tbnhbt.exe70⤵PID:496
-
\??\c:\4286600.exec:\4286600.exe71⤵PID:648
-
\??\c:\46848.exec:\46848.exe72⤵PID:3296
-
\??\c:\xrllxrx.exec:\xrllxrx.exe73⤵PID:1480
-
\??\c:\002600.exec:\002600.exe74⤵PID:760
-
\??\c:\btbttn.exec:\btbttn.exe75⤵PID:1744
-
\??\c:\624882.exec:\624882.exe76⤵PID:1228
-
\??\c:\864204.exec:\864204.exe77⤵PID:396
-
\??\c:\tttnnn.exec:\tttnnn.exe78⤵PID:3076
-
\??\c:\0806688.exec:\0806688.exe79⤵PID:2452
-
\??\c:\1bbttt.exec:\1bbttt.exe80⤵PID:4020
-
\??\c:\vvppd.exec:\vvppd.exe81⤵PID:264
-
\??\c:\nbnbtb.exec:\nbnbtb.exe82⤵PID:4872
-
\??\c:\rrlffxx.exec:\rrlffxx.exe83⤵PID:332
-
\??\c:\jvpjd.exec:\jvpjd.exe84⤵PID:4800
-
\??\c:\40848.exec:\40848.exe85⤵PID:2860
-
\??\c:\fxfxflf.exec:\fxfxflf.exe86⤵PID:2268
-
\??\c:\c826466.exec:\c826466.exe87⤵PID:492
-
\??\c:\044882.exec:\044882.exe88⤵PID:3656
-
\??\c:\hhhbtn.exec:\hhhbtn.exe89⤵PID:4812
-
\??\c:\244080.exec:\244080.exe90⤵PID:1892
-
\??\c:\i426022.exec:\i426022.exe91⤵PID:3528
-
\??\c:\9ffxrxx.exec:\9ffxrxx.exe92⤵PID:1988
-
\??\c:\vpvvj.exec:\vpvvj.exe93⤵PID:4268
-
\??\c:\446606.exec:\446606.exe94⤵PID:1364
-
\??\c:\48660.exec:\48660.exe95⤵PID:3428
-
\??\c:\a4622.exec:\a4622.exe96⤵PID:1348
-
\??\c:\jjddd.exec:\jjddd.exe97⤵PID:3996
-
\??\c:\bbbbtt.exec:\bbbbtt.exe98⤵PID:1672
-
\??\c:\48866.exec:\48866.exe99⤵PID:1816
-
\??\c:\66600.exec:\66600.exe100⤵PID:2420
-
\??\c:\lflfffx.exec:\lflfffx.exe101⤵PID:548
-
\??\c:\624060.exec:\624060.exe102⤵PID:3000
-
\??\c:\82864.exec:\82864.exe103⤵PID:1704
-
\??\c:\ffxrrfx.exec:\ffxrrfx.exe104⤵PID:464
-
\??\c:\vpdvj.exec:\vpdvj.exe105⤵PID:3960
-
\??\c:\5bnhbb.exec:\5bnhbb.exe106⤵PID:1296
-
\??\c:\88804.exec:\88804.exe107⤵
- System Location Discovery: System Language Discovery
PID:1656 -
\??\c:\4426048.exec:\4426048.exe108⤵PID:3636
-
\??\c:\i648268.exec:\i648268.exe109⤵
- System Location Discovery: System Language Discovery
PID:1952 -
\??\c:\8404204.exec:\8404204.exe110⤵PID:3632
-
\??\c:\4282660.exec:\4282660.exe111⤵PID:4400
-
\??\c:\vppjd.exec:\vppjd.exe112⤵PID:4372
-
\??\c:\nbbbnh.exec:\nbbbnh.exe113⤵PID:4976
-
\??\c:\nnnhhh.exec:\nnnhhh.exe114⤵PID:1272
-
\??\c:\bbntht.exec:\bbntht.exe115⤵PID:2172
-
\??\c:\9lfrrxf.exec:\9lfrrxf.exe116⤵PID:2424
-
\??\c:\86046.exec:\86046.exe117⤵PID:2364
-
\??\c:\m6828.exec:\m6828.exe118⤵PID:5064
-
\??\c:\02408.exec:\02408.exe119⤵PID:4572
-
\??\c:\pjpdv.exec:\pjpdv.exe120⤵PID:4504
-
\??\c:\frfxrlf.exec:\frfxrlf.exe121⤵PID:4924
-
\??\c:\hbnhnh.exec:\hbnhnh.exe122⤵PID:4172