Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 14:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e1255d67b60e2c3764f8c837cb297acd89aa17f5d2cd88b3f2e39ce6e53f3d58N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e1255d67b60e2c3764f8c837cb297acd89aa17f5d2cd88b3f2e39ce6e53f3d58N.exe
-
Size
456KB
-
MD5
b49a7e1a5c6d62c3850dd7a103f22b50
-
SHA1
48d0bd412217b4afc65ad70791a0406ad34ea7f1
-
SHA256
e1255d67b60e2c3764f8c837cb297acd89aa17f5d2cd88b3f2e39ce6e53f3d58
-
SHA512
bdb8434640133841779d5185ae733143541641b5d3b751436630d11b26b9b3067dd5e94609f787d16da8c0d04095dac6c3f2ee0ebd4698b7305b4057e43a8586
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRz:q7Tc2NYHUrAwfMp3CDRz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3472-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1976-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1524-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-875-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-897-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-1084-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-1340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-1398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1152 448040.exe 4572 844240.exe 776 hhnnnn.exe 1584 5nhhhh.exe 636 3jpjp.exe 4340 jjvpp.exe 4276 1xlxrrl.exe 1552 rrxrxll.exe 3540 06888.exe 2472 vjpjd.exe 1756 flfxfff.exe 3452 e82060.exe 2384 rxlfrll.exe 4716 tbbbtn.exe 2516 bnthtn.exe 404 jvjvj.exe 2924 1bthtn.exe 5088 88848.exe 5044 bttnhh.exe 2536 044082.exe 4124 60800.exe 2788 pjvjv.exe 4888 jjvpj.exe 1976 084460.exe 4176 u442486.exe 2676 vdvjd.exe 4780 404260.exe 2004 46420.exe 4160 o682426.exe 1636 420420.exe 388 llxlxfr.exe 648 dpvjj.exe 1960 tbbnbt.exe 5048 hnttnt.exe 3064 2008602.exe 2412 pjpdd.exe 5100 vdjjv.exe 4976 pjdjd.exe 3672 4486486.exe 2552 xxxxrlf.exe 756 hbnbnn.exe 2464 pvpjv.exe 4588 frxrxrr.exe 4940 q44426.exe 4072 8600864.exe 224 lxlxrrl.exe 1648 4226486.exe 4428 hbbnhh.exe 4960 46648.exe 3472 w04268.exe 1152 8622284.exe 2908 xlllfff.exe 3172 6208260.exe 696 80206.exe 3616 lfxllfx.exe 2120 rlrllfl.exe 1336 u408204.exe 4340 42822.exe 4276 646240.exe 1524 2068822.exe 4900 8860448.exe 632 pddvp.exe 1608 flxlffx.exe 3904 62826.exe -
resource yara_rule behavioral2/memory/3472-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-131-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2788-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-307-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3452-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-875-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-897-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6082440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8622284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8240422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6480400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2800400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2422282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3472 wrote to memory of 1152 3472 e1255d67b60e2c3764f8c837cb297acd89aa17f5d2cd88b3f2e39ce6e53f3d58N.exe 83 PID 3472 wrote to memory of 1152 3472 e1255d67b60e2c3764f8c837cb297acd89aa17f5d2cd88b3f2e39ce6e53f3d58N.exe 83 PID 3472 wrote to memory of 1152 3472 e1255d67b60e2c3764f8c837cb297acd89aa17f5d2cd88b3f2e39ce6e53f3d58N.exe 83 PID 1152 wrote to memory of 4572 1152 448040.exe 84 PID 1152 wrote to memory of 4572 1152 448040.exe 84 PID 1152 wrote to memory of 4572 1152 448040.exe 84 PID 4572 wrote to memory of 776 4572 844240.exe 85 PID 4572 wrote to memory of 776 4572 844240.exe 85 PID 4572 wrote to memory of 776 4572 844240.exe 85 PID 776 wrote to memory of 1584 776 hhnnnn.exe 86 PID 776 wrote to memory of 1584 776 hhnnnn.exe 86 PID 776 wrote to memory of 1584 776 hhnnnn.exe 86 PID 1584 wrote to memory of 636 1584 5nhhhh.exe 87 PID 1584 wrote to memory of 636 1584 5nhhhh.exe 87 PID 1584 wrote to memory of 636 1584 5nhhhh.exe 87 PID 636 wrote to memory of 4340 636 3jpjp.exe 88 PID 636 wrote to memory of 4340 636 3jpjp.exe 88 PID 636 wrote to memory of 4340 636 3jpjp.exe 88 PID 4340 wrote to memory of 4276 4340 jjvpp.exe 89 PID 4340 wrote to memory of 4276 4340 jjvpp.exe 89 PID 4340 wrote to memory of 4276 4340 jjvpp.exe 89 PID 4276 wrote to memory of 1552 4276 1xlxrrl.exe 90 PID 4276 wrote to memory of 1552 4276 1xlxrrl.exe 90 PID 4276 wrote to memory of 1552 4276 1xlxrrl.exe 90 PID 1552 wrote to memory of 3540 1552 rrxrxll.exe 91 PID 1552 wrote to memory of 3540 1552 rrxrxll.exe 91 PID 1552 wrote to memory of 3540 1552 rrxrxll.exe 91 PID 3540 wrote to memory of 2472 3540 06888.exe 92 PID 3540 wrote to memory of 2472 3540 06888.exe 92 PID 3540 wrote to memory of 2472 3540 06888.exe 92 PID 2472 wrote to memory of 1756 2472 vjpjd.exe 93 PID 2472 wrote to memory of 1756 2472 vjpjd.exe 93 PID 2472 wrote to memory of 1756 2472 vjpjd.exe 93 PID 1756 wrote to memory of 3452 1756 flfxfff.exe 94 PID 1756 wrote to memory of 3452 1756 
flfxfff.exe 94 PID 1756 wrote to memory of 3452 1756 flfxfff.exe 94 PID 3452 wrote to memory of 2384 3452 e82060.exe 95 PID 3452 wrote to memory of 2384 3452 e82060.exe 95 PID 3452 wrote to memory of 2384 3452 e82060.exe 95 PID 2384 wrote to memory of 4716 2384 rxlfrll.exe 96 PID 2384 wrote to memory of 4716 2384 rxlfrll.exe 96 PID 2384 wrote to memory of 4716 2384 rxlfrll.exe 96 PID 4716 wrote to memory of 2516 4716 tbbbtn.exe 97 PID 4716 wrote to memory of 2516 4716 tbbbtn.exe 97 PID 4716 wrote to memory of 2516 4716 tbbbtn.exe 97 PID 2516 wrote to memory of 404 2516 bnthtn.exe 98 PID 2516 wrote to memory of 404 2516 bnthtn.exe 98 PID 2516 wrote to memory of 404 2516 bnthtn.exe 98 PID 404 wrote to memory of 2924 404 jvjvj.exe 99 PID 404 wrote to memory of 2924 404 jvjvj.exe 99 PID 404 wrote to memory of 2924 404 jvjvj.exe 99 PID 2924 wrote to memory of 5088 2924 1bthtn.exe 100 PID 2924 wrote to memory of 5088 2924 1bthtn.exe 100 PID 2924 wrote to memory of 5088 2924 1bthtn.exe 100 PID 5088 wrote to memory of 5044 5088 88848.exe 101 PID 5088 wrote to memory of 5044 5088 88848.exe 101 PID 5088 wrote to memory of 5044 5088 88848.exe 101 PID 5044 wrote to memory of 2536 5044 bttnhh.exe 102 PID 5044 wrote to memory of 2536 5044 bttnhh.exe 102 PID 5044 wrote to memory of 2536 5044 bttnhh.exe 102 PID 2536 wrote to memory of 4124 2536 044082.exe 103 PID 2536 wrote to memory of 4124 2536 044082.exe 103 PID 2536 wrote to memory of 4124 2536 044082.exe 103 PID 4124 wrote to memory of 2788 4124 60800.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1255d67b60e2c3764f8c837cb297acd89aa17f5d2cd88b3f2e39ce6e53f3d58N.exe"C:\Users\Admin\AppData\Local\Temp\e1255d67b60e2c3764f8c837cb297acd89aa17f5d2cd88b3f2e39ce6e53f3d58N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\448040.exec:\448040.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\844240.exec:\844240.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\hhnnnn.exec:\hhnnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\5nhhhh.exec:\5nhhhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\3jpjp.exec:\3jpjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\jjvpp.exec:\jjvpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\1xlxrrl.exec:\1xlxrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\rrxrxll.exec:\rrxrxll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\06888.exec:\06888.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\vjpjd.exec:\vjpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\flfxfff.exec:\flfxfff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\e82060.exec:\e82060.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\rxlfrll.exec:\rxlfrll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\tbbbtn.exec:\tbbbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\bnthtn.exec:\bnthtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\jvjvj.exec:\jvjvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\1bthtn.exec:\1bthtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\88848.exec:\88848.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\bttnhh.exec:\bttnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\044082.exec:\044082.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\60800.exec:\60800.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\pjvjv.exec:\pjvjv.exe23⤵
- Executes dropped EXE
PID:2788 -
\??\c:\jjvpj.exec:\jjvpj.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4888 -
\??\c:\084460.exec:\084460.exe25⤵
- Executes dropped EXE
PID:1976 -
\??\c:\u442486.exec:\u442486.exe26⤵
- Executes dropped EXE
PID:4176 -
\??\c:\vdvjd.exec:\vdvjd.exe27⤵
- Executes dropped EXE
PID:2676 -
\??\c:\404260.exec:\404260.exe28⤵
- Executes dropped EXE
PID:4780 -
\??\c:\46420.exec:\46420.exe29⤵
- Executes dropped EXE
PID:2004 -
\??\c:\o682426.exec:\o682426.exe30⤵
- Executes dropped EXE
PID:4160 -
\??\c:\420420.exec:\420420.exe31⤵
- Executes dropped EXE
PID:1636 -
\??\c:\llxlxfr.exec:\llxlxfr.exe32⤵
- Executes dropped EXE
PID:388 -
\??\c:\dpvjj.exec:\dpvjj.exe33⤵
- Executes dropped EXE
PID:648 -
\??\c:\tbbnbt.exec:\tbbnbt.exe34⤵
- Executes dropped EXE
PID:1960 -
\??\c:\hnttnt.exec:\hnttnt.exe35⤵
- Executes dropped EXE
PID:5048 -
\??\c:\2008602.exec:\2008602.exe36⤵
- Executes dropped EXE
PID:3064 -
\??\c:\pjpdd.exec:\pjpdd.exe37⤵
- Executes dropped EXE
PID:2412 -
\??\c:\vdjjv.exec:\vdjjv.exe38⤵
- Executes dropped EXE
PID:5100 -
\??\c:\pjdjd.exec:\pjdjd.exe39⤵
- Executes dropped EXE
PID:4976 -
\??\c:\4486486.exec:\4486486.exe40⤵
- Executes dropped EXE
PID:3672 -
\??\c:\xxxxrlf.exec:\xxxxrlf.exe41⤵
- Executes dropped EXE
PID:2552 -
\??\c:\hbnbnn.exec:\hbnbnn.exe42⤵
- Executes dropped EXE
PID:756 -
\??\c:\pvpjv.exec:\pvpjv.exe43⤵
- Executes dropped EXE
PID:2464 -
\??\c:\frxrxrr.exec:\frxrxrr.exe44⤵
- Executes dropped EXE
PID:4588 -
\??\c:\q44426.exec:\q44426.exe45⤵
- Executes dropped EXE
PID:4940 -
\??\c:\8600864.exec:\8600864.exe46⤵
- Executes dropped EXE
PID:4072 -
\??\c:\lxlxrrl.exec:\lxlxrrl.exe47⤵
- Executes dropped EXE
PID:224 -
\??\c:\4226486.exec:\4226486.exe48⤵
- Executes dropped EXE
PID:1648 -
\??\c:\hbbnhh.exec:\hbbnhh.exe49⤵
- Executes dropped EXE
PID:4428 -
\??\c:\46648.exec:\46648.exe50⤵
- Executes dropped EXE
PID:4960 -
\??\c:\w04268.exec:\w04268.exe51⤵
- Executes dropped EXE
PID:3472 -
\??\c:\8622284.exec:\8622284.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152 -
\??\c:\xlllfff.exec:\xlllfff.exe53⤵
- Executes dropped EXE
PID:2908 -
\??\c:\6208260.exec:\6208260.exe54⤵
- Executes dropped EXE
PID:3172 -
\??\c:\80206.exec:\80206.exe55⤵
- Executes dropped EXE
PID:696 -
\??\c:\lfxllfx.exec:\lfxllfx.exe56⤵
- Executes dropped EXE
PID:3616 -
\??\c:\rlrllfl.exec:\rlrllfl.exe57⤵
- Executes dropped EXE
PID:2120 -
\??\c:\u408204.exec:\u408204.exe58⤵
- Executes dropped EXE
PID:1336 -
\??\c:\42822.exec:\42822.exe59⤵
- Executes dropped EXE
PID:4340 -
\??\c:\646240.exec:\646240.exe60⤵
- Executes dropped EXE
PID:4276 -
\??\c:\2068822.exec:\2068822.exe61⤵
- Executes dropped EXE
PID:1524 -
\??\c:\8860448.exec:\8860448.exe62⤵
- Executes dropped EXE
PID:4900 -
\??\c:\pddvp.exec:\pddvp.exe63⤵
- Executes dropped EXE
PID:632 -
\??\c:\flxlffx.exec:\flxlffx.exe64⤵
- Executes dropped EXE
PID:1608 -
\??\c:\62826.exec:\62826.exe65⤵
- Executes dropped EXE
PID:3904 -
\??\c:\hbhbnn.exec:\hbhbnn.exe66⤵PID:1756
-
\??\c:\062600.exec:\062600.exe67⤵PID:3452
-
\??\c:\i444888.exec:\i444888.exe68⤵PID:1860
-
\??\c:\880868.exec:\880868.exe69⤵PID:5000
-
\??\c:\3flfffx.exec:\3flfffx.exe70⤵PID:2368
-
\??\c:\6486486.exec:\6486486.exe71⤵PID:4200
-
\??\c:\htbnhb.exec:\htbnhb.exe72⤵PID:2588
-
\??\c:\482644.exec:\482644.exe73⤵PID:3564
-
\??\c:\24420.exec:\24420.exe74⤵PID:3116
-
\??\c:\86808.exec:\86808.exe75⤵PID:5088
-
\??\c:\vpvvp.exec:\vpvvp.exe76⤵PID:3928
-
\??\c:\nhtnbt.exec:\nhtnbt.exe77⤵PID:348
-
\??\c:\nhhtht.exec:\nhhtht.exe78⤵PID:2932
-
\??\c:\pjdvv.exec:\pjdvv.exe79⤵PID:4124
-
\??\c:\k24282.exec:\k24282.exe80⤵PID:2316
-
\??\c:\206062.exec:\206062.exe81⤵PID:872
-
\??\c:\20644.exec:\20644.exe82⤵PID:1356
-
\??\c:\bttnbn.exec:\bttnbn.exe83⤵PID:4724
-
\??\c:\hbtnbt.exec:\hbtnbt.exe84⤵PID:4304
-
\??\c:\48804.exec:\48804.exe85⤵PID:4912
-
\??\c:\hntnbt.exec:\hntnbt.exe86⤵PID:4552
-
\??\c:\lfflrfx.exec:\lfflrfx.exe87⤵PID:2624
-
\??\c:\48264.exec:\48264.exe88⤵PID:3484
-
\??\c:\406042.exec:\406042.exe89⤵PID:4320
-
\??\c:\62282.exec:\62282.exe90⤵PID:60
-
\??\c:\640622.exec:\640622.exe91⤵PID:3168
-
\??\c:\64448.exec:\64448.exe92⤵PID:2432
-
\??\c:\2848444.exec:\2848444.exe93⤵PID:2044
-
\??\c:\8648866.exec:\8648866.exe94⤵PID:4444
-
\??\c:\4222204.exec:\4222204.exe95⤵PID:1148
-
\??\c:\fxxxxxx.exec:\fxxxxxx.exe96⤵PID:5048
-
\??\c:\ddvvv.exec:\ddvvv.exe97⤵PID:4300
-
\??\c:\06226.exec:\06226.exe98⤵PID:552
-
\??\c:\bnnhbb.exec:\bnnhbb.exe99⤵PID:5012
-
\??\c:\ffffrrl.exec:\ffffrrl.exe100⤵PID:1808
-
\??\c:\rfllffx.exec:\rfllffx.exe101⤵
- System Location Discovery: System Language Discovery
PID:3980 -
\??\c:\jdppp.exec:\jdppp.exe102⤵PID:2856
-
\??\c:\xfrlllf.exec:\xfrlllf.exe103⤵PID:1120
-
\??\c:\pjdpp.exec:\pjdpp.exe104⤵PID:4980
-
\??\c:\48882.exec:\48882.exe105⤵PID:4664
-
\??\c:\64240.exec:\64240.exe106⤵PID:1772
-
\??\c:\xllxrlf.exec:\xllxrlf.exe107⤵PID:1376
-
\??\c:\rrfffll.exec:\rrfffll.exe108⤵PID:1640
-
\??\c:\c282004.exec:\c282004.exe109⤵PID:1872
-
\??\c:\22048.exec:\22048.exe110⤵PID:4436
-
\??\c:\rlrlxlf.exec:\rlrlxlf.exe111⤵PID:1516
-
\??\c:\3vdvp.exec:\3vdvp.exe112⤵PID:4920
-
\??\c:\80048.exec:\80048.exe113⤵PID:3032
-
\??\c:\lffxrrf.exec:\lffxrrf.exe114⤵PID:1152
-
\??\c:\6808226.exec:\6808226.exe115⤵PID:2908
-
\??\c:\482222.exec:\482222.exe116⤵PID:3968
-
\??\c:\0808460.exec:\0808460.exe117⤵PID:3788
-
\??\c:\8200488.exec:\8200488.exe118⤵PID:2524
-
\??\c:\a4666.exec:\a4666.exe119⤵PID:636
-
\??\c:\4062824.exec:\4062824.exe120⤵PID:4844
-
\??\c:\rrxrxxf.exec:\rrxrxxf.exe121⤵PID:3004
-
\??\c:\000008.exec:\000008.exe122⤵PID:4276