Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 05:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e788f1750cf762c2c773ee02dfd77b5d569c6733d64f0b0103b544d749d7204d.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
e788f1750cf762c2c773ee02dfd77b5d569c6733d64f0b0103b544d749d7204d.exe
-
Size
454KB
-
MD5
e549e6f1d593b962096cac83bd4aef2e
-
SHA1
222d6be561d86b14232c857431be620ebb73dd28
-
SHA256
e788f1750cf762c2c773ee02dfd77b5d569c6733d64f0b0103b544d749d7204d
-
SHA512
ececf486ee74e7d4dcd8263c739da2acf39de88003f6741976c80fe5d5a95c7ac9c33011bb7d47548bb7ed69ffb3bd033f6315340f66872ad2138976a927b3de
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3000-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4556-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1164-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-937-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-1812-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-1891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2380 dvvjd.exe 3652 vpdvv.exe 4592 02060.exe 4728 lxxxrll.exe 1836 jjjvd.exe 628 44222.exe 5032 hbhhht.exe 2428 448440.exe 1704 btbnbb.exe 2472 82848.exe 1380 fxlrllf.exe 3872 24662.exe 4692 xlrllxx.exe 4760 2220426.exe 4688 jppjv.exe 3644 022426.exe 3680 428204.exe 3972 jjvjv.exe 4916 fxlfrfr.exe 1824 422606.exe 2156 q44286.exe 3120 w02860.exe 860 620828.exe 3740 xxrlffx.exe 4556 246288.exe 4520 2488660.exe 732 pjdjd.exe 1056 1hnnhn.exe 4864 266048.exe 4284 4646426.exe 3152 024860.exe 1372 42648.exe 1780 1vjdj.exe 1344 bbhnbb.exe 1892 xfxrfxl.exe 2580 484404.exe 4932 5fxlllx.exe 4644 u248446.exe 1016 rfxlfrl.exe 116 ppdvd.exe 3400 fffxrxl.exe 1208 4242604.exe 3608 42686.exe 4420 7hnhbb.exe 1628 3bbbnn.exe 1568 886404.exe 2888 rfrrlll.exe 2100 800048.exe 4744 dvjjv.exe 4652 1rrxfrr.exe 2696 thntht.exe 1332 22426.exe 3012 4248084.exe 4424 844826.exe 4172 c468822.exe 1540 2462666.exe 1068 0204260.exe 5032 682866.exe 4240 2080888.exe 5012 4604444.exe 1444 ddppv.exe 380 c406662.exe 4248 hntbhh.exe 3960 rxxlxrx.exe -
resource yara_rule behavioral2/memory/3000-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1056-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-395-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4648-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-879-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8226604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 448440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s8864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2026682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6022428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xffxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 288840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i866226.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3000 wrote to memory of 2380 3000 e788f1750cf762c2c773ee02dfd77b5d569c6733d64f0b0103b544d749d7204d.exe 83 PID 3000 wrote to memory of 2380 3000 e788f1750cf762c2c773ee02dfd77b5d569c6733d64f0b0103b544d749d7204d.exe 83 PID 3000 wrote to memory of 2380 3000 e788f1750cf762c2c773ee02dfd77b5d569c6733d64f0b0103b544d749d7204d.exe 83 PID 2380 wrote to memory of 3652 2380 dvvjd.exe 84 PID 2380 wrote to memory of 3652 2380 dvvjd.exe 84 PID 2380 wrote to memory of 3652 2380 dvvjd.exe 84 PID 3652 wrote to memory of 4592 3652 vpdvv.exe 85 PID 3652 wrote to memory of 4592 3652 vpdvv.exe 85 PID 3652 wrote to memory of 4592 3652 vpdvv.exe 85 PID 4592 wrote to memory of 4728 4592 02060.exe 86 PID 4592 wrote to memory of 4728 4592 02060.exe 86 PID 4592 wrote to memory of 4728 4592 02060.exe 86 PID 4728 wrote to memory of 1836 4728 lxxxrll.exe 87 PID 4728 wrote to memory of 1836 4728 lxxxrll.exe 87 PID 4728 wrote to memory of 1836 4728 lxxxrll.exe 87 PID 1836 wrote to memory of 628 1836 jjjvd.exe 88 PID 1836 wrote to memory of 628 1836 jjjvd.exe 88 PID 1836 wrote to memory of 628 1836 jjjvd.exe 88 PID 628 wrote to memory of 5032 628 44222.exe 89 PID 628 wrote to memory of 5032 628 44222.exe 89 PID 628 wrote to memory of 5032 628 44222.exe 89 PID 5032 wrote to memory of 2428 5032 hbhhht.exe 90 PID 5032 wrote to memory of 2428 5032 hbhhht.exe 90 PID 5032 wrote to memory of 2428 5032 hbhhht.exe 90 PID 2428 wrote to memory of 1704 2428 448440.exe 91 PID 2428 wrote to memory of 1704 2428 448440.exe 91 PID 2428 wrote to memory of 1704 2428 448440.exe 91 PID 1704 wrote to memory of 2472 1704 btbnbb.exe 92 PID 1704 wrote to memory of 2472 1704 btbnbb.exe 92 PID 1704 wrote to memory of 2472 1704 btbnbb.exe 92 PID 2472 wrote to memory of 1380 2472 82848.exe 93 PID 2472 wrote to memory of 1380 2472 82848.exe 93 PID 2472 wrote to memory of 1380 2472 82848.exe 93 PID 1380 wrote to memory of 3872 1380 fxlrllf.exe 94 PID 1380 wrote to memory of 3872 1380 
fxlrllf.exe 94 PID 1380 wrote to memory of 3872 1380 fxlrllf.exe 94 PID 3872 wrote to memory of 4692 3872 24662.exe 95 PID 3872 wrote to memory of 4692 3872 24662.exe 95 PID 3872 wrote to memory of 4692 3872 24662.exe 95 PID 4692 wrote to memory of 4760 4692 xlrllxx.exe 96 PID 4692 wrote to memory of 4760 4692 xlrllxx.exe 96 PID 4692 wrote to memory of 4760 4692 xlrllxx.exe 96 PID 4760 wrote to memory of 4688 4760 2220426.exe 97 PID 4760 wrote to memory of 4688 4760 2220426.exe 97 PID 4760 wrote to memory of 4688 4760 2220426.exe 97 PID 4688 wrote to memory of 3644 4688 jppjv.exe 98 PID 4688 wrote to memory of 3644 4688 jppjv.exe 98 PID 4688 wrote to memory of 3644 4688 jppjv.exe 98 PID 3644 wrote to memory of 3680 3644 022426.exe 99 PID 3644 wrote to memory of 3680 3644 022426.exe 99 PID 3644 wrote to memory of 3680 3644 022426.exe 99 PID 3680 wrote to memory of 3972 3680 428204.exe 100 PID 3680 wrote to memory of 3972 3680 428204.exe 100 PID 3680 wrote to memory of 3972 3680 428204.exe 100 PID 3972 wrote to memory of 4916 3972 jjvjv.exe 101 PID 3972 wrote to memory of 4916 3972 jjvjv.exe 101 PID 3972 wrote to memory of 4916 3972 jjvjv.exe 101 PID 4916 wrote to memory of 1824 4916 fxlfrfr.exe 102 PID 4916 wrote to memory of 1824 4916 fxlfrfr.exe 102 PID 4916 wrote to memory of 1824 4916 fxlfrfr.exe 102 PID 1824 wrote to memory of 2156 1824 422606.exe 103 PID 1824 wrote to memory of 2156 1824 422606.exe 103 PID 1824 wrote to memory of 2156 1824 422606.exe 103 PID 2156 wrote to memory of 3120 2156 q44286.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e788f1750cf762c2c773ee02dfd77b5d569c6733d64f0b0103b544d749d7204d.exe"C:\Users\Admin\AppData\Local\Temp\e788f1750cf762c2c773ee02dfd77b5d569c6733d64f0b0103b544d749d7204d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\dvvjd.exec:\dvvjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\vpdvv.exec:\vpdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\02060.exec:\02060.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\lxxxrll.exec:\lxxxrll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\jjjvd.exec:\jjjvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\44222.exec:\44222.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\hbhhht.exec:\hbhhht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\448440.exec:\448440.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\btbnbb.exec:\btbnbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\82848.exec:\82848.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\fxlrllf.exec:\fxlrllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\24662.exec:\24662.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\xlrllxx.exec:\xlrllxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\2220426.exec:\2220426.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\jppjv.exec:\jppjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\022426.exec:\022426.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\428204.exec:\428204.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\jjvjv.exec:\jjvjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\fxlfrfr.exec:\fxlfrfr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\422606.exec:\422606.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\q44286.exec:\q44286.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\w02860.exec:\w02860.exe23⤵
- Executes dropped EXE
PID:3120 -
\??\c:\620828.exec:\620828.exe24⤵
- Executes dropped EXE
PID:860 -
\??\c:\xxrlffx.exec:\xxrlffx.exe25⤵
- Executes dropped EXE
PID:3740 -
\??\c:\246288.exec:\246288.exe26⤵
- Executes dropped EXE
PID:4556 -
\??\c:\2488660.exec:\2488660.exe27⤵
- Executes dropped EXE
PID:4520 -
\??\c:\pjdjd.exec:\pjdjd.exe28⤵
- Executes dropped EXE
PID:732 -
\??\c:\1hnnhn.exec:\1hnnhn.exe29⤵
- Executes dropped EXE
PID:1056 -
\??\c:\266048.exec:\266048.exe30⤵
- Executes dropped EXE
PID:4864 -
\??\c:\4646426.exec:\4646426.exe31⤵
- Executes dropped EXE
PID:4284 -
\??\c:\024860.exec:\024860.exe32⤵
- Executes dropped EXE
PID:3152 -
\??\c:\42648.exec:\42648.exe33⤵
- Executes dropped EXE
PID:1372 -
\??\c:\1vjdj.exec:\1vjdj.exe34⤵
- Executes dropped EXE
PID:1780 -
\??\c:\bbhnbb.exec:\bbhnbb.exe35⤵
- Executes dropped EXE
PID:1344 -
\??\c:\xfxrfxl.exec:\xfxrfxl.exe36⤵
- Executes dropped EXE
PID:1892 -
\??\c:\484404.exec:\484404.exe37⤵
- Executes dropped EXE
PID:2580 -
\??\c:\5fxlllx.exec:\5fxlllx.exe38⤵
- Executes dropped EXE
PID:4932 -
\??\c:\u248446.exec:\u248446.exe39⤵
- Executes dropped EXE
PID:4644 -
\??\c:\rfxlfrl.exec:\rfxlfrl.exe40⤵
- Executes dropped EXE
PID:1016 -
\??\c:\ppdvd.exec:\ppdvd.exe41⤵
- Executes dropped EXE
PID:116 -
\??\c:\fffxrxl.exec:\fffxrxl.exe42⤵
- Executes dropped EXE
PID:3400 -
\??\c:\4242604.exec:\4242604.exe43⤵
- Executes dropped EXE
PID:1208 -
\??\c:\42686.exec:\42686.exe44⤵
- Executes dropped EXE
PID:3608 -
\??\c:\7hnhbb.exec:\7hnhbb.exe45⤵
- Executes dropped EXE
PID:4420 -
\??\c:\3bbbnn.exec:\3bbbnn.exe46⤵
- Executes dropped EXE
PID:1628 -
\??\c:\886404.exec:\886404.exe47⤵
- Executes dropped EXE
PID:1568 -
\??\c:\rfrrlll.exec:\rfrrlll.exe48⤵
- Executes dropped EXE
PID:2888 -
\??\c:\800048.exec:\800048.exe49⤵
- Executes dropped EXE
PID:2100 -
\??\c:\dvjjv.exec:\dvjjv.exe50⤵
- Executes dropped EXE
PID:4744 -
\??\c:\1rrxfrr.exec:\1rrxfrr.exe51⤵
- Executes dropped EXE
PID:4652 -
\??\c:\thntht.exec:\thntht.exe52⤵
- Executes dropped EXE
PID:2696 -
\??\c:\22426.exec:\22426.exe53⤵
- Executes dropped EXE
PID:1332 -
\??\c:\4248084.exec:\4248084.exe54⤵
- Executes dropped EXE
PID:3012 -
\??\c:\844826.exec:\844826.exe55⤵
- Executes dropped EXE
PID:4424 -
\??\c:\c468822.exec:\c468822.exe56⤵
- Executes dropped EXE
PID:4172 -
\??\c:\2462666.exec:\2462666.exe57⤵
- Executes dropped EXE
PID:1540 -
\??\c:\0204260.exec:\0204260.exe58⤵
- Executes dropped EXE
PID:1068 -
\??\c:\682866.exec:\682866.exe59⤵
- Executes dropped EXE
PID:5032 -
\??\c:\2080888.exec:\2080888.exe60⤵
- Executes dropped EXE
PID:4240 -
\??\c:\4604444.exec:\4604444.exe61⤵
- Executes dropped EXE
PID:5012 -
\??\c:\ddppv.exec:\ddppv.exe62⤵
- Executes dropped EXE
PID:1444 -
\??\c:\c406662.exec:\c406662.exe63⤵
- Executes dropped EXE
PID:380 -
\??\c:\hntbhh.exec:\hntbhh.exe64⤵
- Executes dropped EXE
PID:4248 -
\??\c:\rxxlxrx.exec:\rxxlxrx.exe65⤵
- Executes dropped EXE
PID:3960 -
\??\c:\rflffxx.exec:\rflffxx.exe66⤵PID:4532
-
\??\c:\bbbtnn.exec:\bbbtnn.exe67⤵PID:3996
-
\??\c:\6668282.exec:\6668282.exe68⤵PID:2684
-
\??\c:\9bhbbb.exec:\9bhbbb.exe69⤵PID:1044
-
\??\c:\9fxxrxr.exec:\9fxxrxr.exe70⤵PID:4692
-
\??\c:\8888888.exec:\8888888.exe71⤵PID:404
-
\??\c:\tntnnn.exec:\tntnnn.exe72⤵PID:408
-
\??\c:\vpjdp.exec:\vpjdp.exe73⤵PID:1164
-
\??\c:\0444888.exec:\0444888.exe74⤵PID:3172
-
\??\c:\pddvv.exec:\pddvv.exe75⤵PID:3416
-
\??\c:\0268404.exec:\0268404.exe76⤵PID:5008
-
\??\c:\tbbnnn.exec:\tbbnnn.exe77⤵PID:2940
-
\??\c:\q88468.exec:\q88468.exe78⤵PID:804
-
\??\c:\bttnhh.exec:\bttnhh.exe79⤵PID:1920
-
\??\c:\88488.exec:\88488.exe80⤵PID:2584
-
\??\c:\484882.exec:\484882.exe81⤵
- System Location Discovery: System Language Discovery
PID:3868 -
\??\c:\ddvdj.exec:\ddvdj.exe82⤵PID:2412
-
\??\c:\86248.exec:\86248.exe83⤵PID:5028
-
\??\c:\rrrrllf.exec:\rrrrllf.exe84⤵PID:3788
-
\??\c:\hhtbbt.exec:\hhtbbt.exe85⤵PID:4808
-
\??\c:\04660.exec:\04660.exe86⤵PID:3572
-
\??\c:\vvddv.exec:\vvddv.exe87⤵PID:2800
-
\??\c:\rrxrxxx.exec:\rrxrxxx.exe88⤵PID:3448
-
\??\c:\46226.exec:\46226.exe89⤵PID:696
-
\??\c:\nbhbbb.exec:\nbhbbb.exe90⤵PID:732
-
\??\c:\0482644.exec:\0482644.exe91⤵PID:1056
-
\??\c:\2480848.exec:\2480848.exe92⤵PID:1732
-
\??\c:\lffxrrr.exec:\lffxrrr.exe93⤵PID:4864
-
\??\c:\1hbtnn.exec:\1hbtnn.exe94⤵PID:4284
-
\??\c:\hbthtn.exec:\hbthtn.exe95⤵PID:748
-
\??\c:\2048264.exec:\2048264.exe96⤵PID:4648
-
\??\c:\e24826.exec:\e24826.exe97⤵PID:1160
-
\??\c:\vvdvp.exec:\vvdvp.exe98⤵PID:1652
-
\??\c:\44888.exec:\44888.exe99⤵
- System Location Discovery: System Language Discovery
PID:2492 -
\??\c:\22082.exec:\22082.exe100⤵PID:2964
-
\??\c:\c086600.exec:\c086600.exe101⤵PID:2388
-
\??\c:\xffxxxx.exec:\xffxxxx.exe102⤵
- System Location Discovery: System Language Discovery
PID:4036 -
\??\c:\9hhhbh.exec:\9hhhbh.exe103⤵PID:2596
-
\??\c:\vppvv.exec:\vppvv.exe104⤵PID:1848
-
\??\c:\fflxxxl.exec:\fflxxxl.exe105⤵PID:116
-
\??\c:\640444.exec:\640444.exe106⤵PID:1600
-
\??\c:\68022.exec:\68022.exe107⤵PID:1208
-
\??\c:\660448.exec:\660448.exe108⤵PID:336
-
\??\c:\jpppp.exec:\jpppp.exe109⤵PID:2984
-
\??\c:\022044.exec:\022044.exe110⤵PID:3636
-
\??\c:\68888.exec:\68888.exe111⤵PID:1036
-
\??\c:\6466066.exec:\6466066.exe112⤵PID:2888
-
\??\c:\nhhhnn.exec:\nhhhnn.exe113⤵PID:2100
-
\??\c:\u626448.exec:\u626448.exe114⤵PID:4100
-
\??\c:\jddvv.exec:\jddvv.exe115⤵PID:4732
-
\??\c:\1ttnhh.exec:\1ttnhh.exe116⤵PID:3260
-
\??\c:\jpppj.exec:\jpppj.exe117⤵PID:2904
-
\??\c:\jpvpj.exec:\jpvpj.exe118⤵PID:832
-
\??\c:\2606462.exec:\2606462.exe119⤵PID:628
-
\??\c:\820844.exec:\820844.exe120⤵PID:3676
-
\??\c:\jpvjd.exec:\jpvjd.exe121⤵PID:2536
-
\??\c:\802222.exec:\802222.exe122⤵PID:3548