Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 03:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe
-
Size
454KB
-
MD5
e9a35cfdd7204ed6a64f13f710d18c7a
-
SHA1
d5c166db6c72a5bc04bbb60c2f4e220badffc973
-
SHA256
e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d
-
SHA512
ed17ab6f4eb52524a0a0e6e95d158ca13804a71842ca9960ad0b7f12e094809055456e0488d1674f733b206d5bc66a62403a87b232e16f16c0d16bf7965cb9dd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3384-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1924-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3740-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-757-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-770-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-807-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-1059-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-1301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1104 llrrxrf.exe 4744 44004.exe 3368 862266.exe 4820 0244444.exe 2148 vvdvp.exe 2144 rfxfxxr.exe 4220 3hhbtt.exe 3476 886244.exe 1968 0682604.exe 2780 ddjdd.exe 2500 g6260.exe 2576 pdpdv.exe 2072 nhbthh.exe 3784 62004.exe 2744 nbhbtt.exe 3408 240088.exe 1452 frxrlrl.exe 1764 6640404.exe 3548 6088822.exe 3448 628822.exe 4292 88808.exe 3220 dpjdd.exe 1892 rrlxxlf.exe 2128 vjpdd.exe 228 46648.exe 1596 662082.exe 5100 jddpd.exe 1432 7frfrxl.exe 3304 q40860.exe 3544 4222686.exe 2268 thbnbn.exe 1144 5rrfxrf.exe 5008 rfxlxrf.exe 548 5ffrfxl.exe 3588 4886086.exe 4992 6260886.exe 1908 rxrfrlx.exe 1796 btnbnh.exe 3060 xrxllxr.exe 2152 jppjv.exe 2428 3rrllff.exe 1924 424404.exe 3920 nhbhtn.exe 4520 pdvvj.exe 2596 406082.exe 1084 bhthnb.exe 4788 u686886.exe 3064 s4426.exe 748 frxlrll.exe 2656 btnbtt.exe 2664 nbbthh.exe 2496 3ddpp.exe 1816 4682266.exe 2876 9xrlfxr.exe 3948 068648.exe 4472 rfxlxrf.exe 1976 tnhbbh.exe 2948 bbtntb.exe 112 nnnnhb.exe 2544 bnbnnh.exe 3904 rlrlxrf.exe 3096 i262682.exe 4936 3tnhtn.exe 4156 0404260.exe -
resource yara_rule behavioral2/memory/3384-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-262-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2656-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-382-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4092-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-770-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e06082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8204486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i262682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e62488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3384 wrote to memory of 1104 3384 e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe 83 PID 3384 wrote to memory of 1104 3384 e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe 83 PID 3384 wrote to memory of 1104 3384 e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe 83 PID 1104 wrote to memory of 4744 1104 llrrxrf.exe 84 PID 1104 wrote to memory of 4744 1104 llrrxrf.exe 84 PID 1104 wrote to memory of 4744 1104 llrrxrf.exe 84 PID 4744 wrote to memory of 3368 4744 44004.exe 85 PID 4744 wrote to memory of 3368 4744 44004.exe 85 PID 4744 wrote to memory of 3368 4744 44004.exe 85 PID 3368 wrote to memory of 4820 3368 862266.exe 86 PID 3368 wrote to memory of 4820 3368 862266.exe 86 PID 3368 wrote to memory of 4820 3368 862266.exe 86 PID 4820 wrote to memory of 2148 4820 0244444.exe 87 PID 4820 wrote to memory of 2148 4820 0244444.exe 87 PID 4820 wrote to memory of 2148 4820 0244444.exe 87 PID 2148 wrote to memory of 2144 2148 vvdvp.exe 88 PID 2148 wrote to memory of 2144 2148 vvdvp.exe 88 PID 2148 wrote to memory of 2144 2148 vvdvp.exe 88 PID 2144 wrote to memory of 4220 2144 rfxfxxr.exe 89 PID 2144 wrote to memory of 4220 2144 rfxfxxr.exe 89 PID 2144 wrote to memory of 4220 2144 rfxfxxr.exe 89 PID 4220 wrote to memory of 3476 4220 3hhbtt.exe 90 PID 4220 wrote to memory of 3476 4220 3hhbtt.exe 90 PID 4220 wrote to memory of 3476 4220 3hhbtt.exe 90 PID 3476 wrote to memory of 1968 3476 886244.exe 91 PID 3476 wrote to memory of 1968 3476 886244.exe 91 PID 3476 wrote to memory of 1968 3476 886244.exe 91 PID 1968 wrote to memory of 2780 1968 0682604.exe 92 PID 1968 wrote to memory of 2780 1968 0682604.exe 92 PID 1968 wrote to memory of 2780 1968 0682604.exe 92 PID 2780 wrote to memory of 2500 2780 ddjdd.exe 93 PID 2780 wrote to memory of 2500 2780 ddjdd.exe 93 PID 2780 wrote to memory of 2500 2780 ddjdd.exe 93 PID 2500 wrote to memory of 2576 2500 g6260.exe 94 PID 2500 wrote to 
memory of 2576 2500 g6260.exe 94 PID 2500 wrote to memory of 2576 2500 g6260.exe 94 PID 2576 wrote to memory of 2072 2576 pdpdv.exe 95 PID 2576 wrote to memory of 2072 2576 pdpdv.exe 95 PID 2576 wrote to memory of 2072 2576 pdpdv.exe 95 PID 2072 wrote to memory of 3784 2072 nhbthh.exe 96 PID 2072 wrote to memory of 3784 2072 nhbthh.exe 96 PID 2072 wrote to memory of 3784 2072 nhbthh.exe 96 PID 3784 wrote to memory of 2744 3784 62004.exe 97 PID 3784 wrote to memory of 2744 3784 62004.exe 97 PID 3784 wrote to memory of 2744 3784 62004.exe 97 PID 2744 wrote to memory of 3408 2744 nbhbtt.exe 98 PID 2744 wrote to memory of 3408 2744 nbhbtt.exe 98 PID 2744 wrote to memory of 3408 2744 nbhbtt.exe 98 PID 3408 wrote to memory of 1452 3408 240088.exe 99 PID 3408 wrote to memory of 1452 3408 240088.exe 99 PID 3408 wrote to memory of 1452 3408 240088.exe 99 PID 1452 wrote to memory of 1764 1452 frxrlrl.exe 100 PID 1452 wrote to memory of 1764 1452 frxrlrl.exe 100 PID 1452 wrote to memory of 1764 1452 frxrlrl.exe 100 PID 1764 wrote to memory of 3548 1764 6640404.exe 101 PID 1764 wrote to memory of 3548 1764 6640404.exe 101 PID 1764 wrote to memory of 3548 1764 6640404.exe 101 PID 3548 wrote to memory of 3448 3548 6088822.exe 102 PID 3548 wrote to memory of 3448 3548 6088822.exe 102 PID 3548 wrote to memory of 3448 3548 6088822.exe 102 PID 3448 wrote to memory of 4292 3448 628822.exe 103 PID 3448 wrote to memory of 4292 3448 628822.exe 103 PID 3448 wrote to memory of 4292 3448 628822.exe 103 PID 4292 wrote to memory of 3220 4292 88808.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe"C:\Users\Admin\AppData\Local\Temp\e080a287c130ffa1fd75a4c72de0d14e142335b0c8672a351f216bff79dad84d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\llrrxrf.exec:\llrrxrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\44004.exec:\44004.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\862266.exec:\862266.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\0244444.exec:\0244444.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\vvdvp.exec:\vvdvp.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\rfxfxxr.exec:\rfxfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\3hhbtt.exec:\3hhbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\886244.exec:\886244.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\0682604.exec:\0682604.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\ddjdd.exec:\ddjdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\g6260.exec:\g6260.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\pdpdv.exec:\pdpdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\nhbthh.exec:\nhbthh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\62004.exec:\62004.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\nbhbtt.exec:\nbhbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\240088.exec:\240088.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\frxrlrl.exec:\frxrlrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\6640404.exec:\6640404.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\6088822.exec:\6088822.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\628822.exec:\628822.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\88808.exec:\88808.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\dpjdd.exec:\dpjdd.exe23⤵
- Executes dropped EXE
PID:3220 -
\??\c:\rrlxxlf.exec:\rrlxxlf.exe24⤵
- Executes dropped EXE
PID:1892 -
\??\c:\vjpdd.exec:\vjpdd.exe25⤵
- Executes dropped EXE
PID:2128 -
\??\c:\46648.exec:\46648.exe26⤵
- Executes dropped EXE
PID:228 -
\??\c:\662082.exec:\662082.exe27⤵
- Executes dropped EXE
PID:1596 -
\??\c:\jddpd.exec:\jddpd.exe28⤵
- Executes dropped EXE
PID:5100 -
\??\c:\7frfrxl.exec:\7frfrxl.exe29⤵
- Executes dropped EXE
PID:1432 -
\??\c:\q40860.exec:\q40860.exe30⤵
- Executes dropped EXE
PID:3304 -
\??\c:\4222686.exec:\4222686.exe31⤵
- Executes dropped EXE
PID:3544 -
\??\c:\thbnbn.exec:\thbnbn.exe32⤵
- Executes dropped EXE
PID:2268 -
\??\c:\5rrfxrf.exec:\5rrfxrf.exe33⤵
- Executes dropped EXE
PID:1144 -
\??\c:\rfxlxrf.exec:\rfxlxrf.exe34⤵
- Executes dropped EXE
PID:5008 -
\??\c:\5ffrfxl.exec:\5ffrfxl.exe35⤵
- Executes dropped EXE
PID:548 -
\??\c:\4886086.exec:\4886086.exe36⤵
- Executes dropped EXE
PID:3588 -
\??\c:\6260886.exec:\6260886.exe37⤵
- Executes dropped EXE
PID:4992 -
\??\c:\rxrfrlx.exec:\rxrfrlx.exe38⤵
- Executes dropped EXE
PID:1908 -
\??\c:\btnbnh.exec:\btnbnh.exe39⤵
- Executes dropped EXE
PID:1796 -
\??\c:\xrxllxr.exec:\xrxllxr.exe40⤵
- Executes dropped EXE
PID:3060 -
\??\c:\jppjv.exec:\jppjv.exe41⤵
- Executes dropped EXE
PID:2152 -
\??\c:\3rrllff.exec:\3rrllff.exe42⤵
- Executes dropped EXE
PID:2428 -
\??\c:\424404.exec:\424404.exe43⤵
- Executes dropped EXE
PID:1924 -
\??\c:\nhbhtn.exec:\nhbhtn.exe44⤵
- Executes dropped EXE
PID:3920 -
\??\c:\pdvvj.exec:\pdvvj.exe45⤵
- Executes dropped EXE
PID:4520 -
\??\c:\406082.exec:\406082.exe46⤵
- Executes dropped EXE
PID:2596 -
\??\c:\bhthnb.exec:\bhthnb.exe47⤵
- Executes dropped EXE
PID:1084 -
\??\c:\u686886.exec:\u686886.exe48⤵
- Executes dropped EXE
PID:4788 -
\??\c:\s4426.exec:\s4426.exe49⤵
- Executes dropped EXE
PID:3064 -
\??\c:\frxlrll.exec:\frxlrll.exe50⤵
- Executes dropped EXE
PID:748 -
\??\c:\btnbtt.exec:\btnbtt.exe51⤵
- Executes dropped EXE
PID:2656 -
\??\c:\nbbthh.exec:\nbbthh.exe52⤵
- Executes dropped EXE
PID:2664 -
\??\c:\3ddpp.exec:\3ddpp.exe53⤵
- Executes dropped EXE
PID:2496 -
\??\c:\4682266.exec:\4682266.exe54⤵
- Executes dropped EXE
PID:1816 -
\??\c:\9xrlfxr.exec:\9xrlfxr.exe55⤵
- Executes dropped EXE
PID:2876 -
\??\c:\068648.exec:\068648.exe56⤵
- Executes dropped EXE
PID:3948 -
\??\c:\rfxlxrf.exec:\rfxlxrf.exe57⤵
- Executes dropped EXE
PID:4472 -
\??\c:\tnhbbh.exec:\tnhbbh.exe58⤵
- Executes dropped EXE
PID:1976 -
\??\c:\bbtntb.exec:\bbtntb.exe59⤵
- Executes dropped EXE
PID:2948 -
\??\c:\nnnnhb.exec:\nnnnhb.exe60⤵
- Executes dropped EXE
PID:112 -
\??\c:\bnbnnh.exec:\bnbnnh.exe61⤵
- Executes dropped EXE
PID:2544 -
\??\c:\rlrlxrf.exec:\rlrlxrf.exe62⤵
- Executes dropped EXE
PID:3904 -
\??\c:\i262682.exec:\i262682.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3096 -
\??\c:\3tnhtn.exec:\3tnhtn.exe64⤵
- Executes dropped EXE
PID:4936 -
\??\c:\0404260.exec:\0404260.exe65⤵
- Executes dropped EXE
PID:4156 -
\??\c:\dppdp.exec:\dppdp.exe66⤵PID:3052
-
\??\c:\o060482.exec:\o060482.exe67⤵PID:2144
-
\??\c:\w00860.exec:\w00860.exe68⤵PID:2556
-
\??\c:\22642.exec:\22642.exe69⤵PID:4220
-
\??\c:\66260.exec:\66260.exe70⤵PID:3432
-
\??\c:\0886408.exec:\0886408.exe71⤵PID:2364
-
\??\c:\bnhbnt.exec:\bnhbnt.exe72⤵PID:2380
-
\??\c:\86608.exec:\86608.exe73⤵PID:2208
-
\??\c:\rrrfrlf.exec:\rrrfrlf.exe74⤵PID:1632
-
\??\c:\6064268.exec:\6064268.exe75⤵PID:2228
-
\??\c:\8468864.exec:\8468864.exe76⤵PID:928
-
\??\c:\7frlxrf.exec:\7frlxrf.exe77⤵PID:4300
-
\??\c:\2820824.exec:\2820824.exe78⤵PID:2308
-
\??\c:\662204.exec:\662204.exe79⤵PID:1208
-
\??\c:\20648.exec:\20648.exe80⤵PID:2512
-
\??\c:\864688.exec:\864688.exe81⤵PID:1932
-
\??\c:\284860.exec:\284860.exe82⤵PID:3012
-
\??\c:\400648.exec:\400648.exe83⤵PID:1332
-
\??\c:\rrffxff.exec:\rrffxff.exe84⤵PID:2004
-
\??\c:\vddpd.exec:\vddpd.exe85⤵
- System Location Discovery: System Language Discovery
PID:3604 -
\??\c:\080860.exec:\080860.exe86⤵
- System Location Discovery: System Language Discovery
PID:1460 -
\??\c:\nnnbtn.exec:\nnnbtn.exe87⤵PID:1792
-
\??\c:\pdjvp.exec:\pdjvp.exe88⤵PID:3488
-
\??\c:\24864.exec:\24864.exe89⤵PID:2588
-
\??\c:\xxrfrlx.exec:\xxrfrlx.exe90⤵PID:3740
-
\??\c:\lrrfxlx.exec:\lrrfxlx.exe91⤵PID:1432
-
\??\c:\86260.exec:\86260.exe92⤵PID:3304
-
\??\c:\c004608.exec:\c004608.exe93⤵PID:1980
-
\??\c:\bbbnth.exec:\bbbnth.exe94⤵PID:4092
-
\??\c:\48426.exec:\48426.exe95⤵PID:60
-
\??\c:\288208.exec:\288208.exe96⤵PID:2976
-
\??\c:\9bhbbb.exec:\9bhbbb.exe97⤵PID:4604
-
\??\c:\w48044.exec:\w48044.exe98⤵PID:5060
-
\??\c:\u460448.exec:\u460448.exe99⤵PID:3036
-
\??\c:\9vvjv.exec:\9vvjv.exe100⤵PID:1056
-
\??\c:\5jddp.exec:\5jddp.exe101⤵PID:4560
-
\??\c:\068266.exec:\068266.exe102⤵PID:376
-
\??\c:\044866.exec:\044866.exe103⤵PID:3920
-
\??\c:\dpjvd.exec:\dpjvd.exe104⤵PID:4520
-
\??\c:\bhtnbn.exec:\bhtnbn.exe105⤵PID:3624
-
\??\c:\frxllfr.exec:\frxllfr.exe106⤵PID:2272
-
\??\c:\9rrlrlr.exec:\9rrlrlr.exe107⤵PID:3168
-
\??\c:\02086.exec:\02086.exe108⤵PID:2276
-
\??\c:\tnbhbt.exec:\tnbhbt.exe109⤵PID:748
-
\??\c:\rfrfxll.exec:\rfrfxll.exe110⤵PID:3560
-
\??\c:\hhnntb.exec:\hhnntb.exe111⤵PID:4784
-
\??\c:\djjvp.exec:\djjvp.exe112⤵PID:1588
-
\??\c:\pjjjd.exec:\pjjjd.exe113⤵PID:5000
-
\??\c:\fxflrlx.exec:\fxflrlx.exe114⤵PID:2880
-
\??\c:\djdpd.exec:\djdpd.exe115⤵PID:4452
-
\??\c:\a6642.exec:\a6642.exe116⤵PID:4928
-
\??\c:\w62604.exec:\w62604.exe117⤵PID:4536
-
\??\c:\2668600.exec:\2668600.exe118⤵PID:5036
-
\??\c:\42420.exec:\42420.exe119⤵PID:3568
-
\??\c:\dpvpj.exec:\dpvpj.exe120⤵PID:4988
-
\??\c:\nnhbnb.exec:\nnhbnb.exe121⤵PID:2948
-
\??\c:\1flfxrl.exec:\1flfxrl.exe122⤵PID:112