Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 15:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe
-
Size
453KB
-
MD5
7b13c325b4816296c67343bead78647f
-
SHA1
36edad457e248e5f90af82b53f9d604dcf027eef
-
SHA256
e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f
-
SHA512
c1673e203329c17c9d19a942126538ce1e3d2d78eca523ea54596099337eaaf12912a251a785db966f862c28b2849302fb7717f4c0b82e45286b39c29ee5e647
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1224-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4536-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4588-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-940-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-1666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-1715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/412-1923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1320 0026266.exe 1224 g6448.exe 2624 840044.exe 4000 4660000.exe 4564 6400488.exe 2220 k88828.exe 4476 vdvvv.exe 5040 6282228.exe 4588 6844444.exe 4188 rrfxxxf.exe 3068 26666.exe 5032 5ttnbb.exe 1660 000444.exe 1712 rxrrlll.exe 3028 1lrlrrr.exe 1432 u808006.exe 3024 rxffxxx.exe 4172 ddjjj.exe 2444 3rrlxxr.exe 4952 0602666.exe 4852 pjpjj.exe 1588 q28266.exe 3036 8244000.exe 4156 llxxrff.exe 3108 u688226.exe 1152 0248822.exe 3360 840488.exe 1892 rlxflfl.exe 1736 46222.exe 3676 22884.exe 4888 jddjd.exe 2056 600044.exe 4968 hbhnbb.exe 3340 844448.exe 1020 tthhnh.exe 2388 46666.exe 2368 rrxxxfx.exe 3396 k40440.exe 3928 68600.exe 3668 6064448.exe 4536 04404.exe 2748 djvjj.exe 3420 9jjdv.exe 3524 626066.exe 2180 068826.exe 224 402226.exe 3572 6802262.exe 1752 822200.exe 3520 6226604.exe 4940 62260.exe 4736 pdddv.exe 228 284828.exe 2528 480666.exe 1532 0828260.exe 1944 ttbtht.exe 1760 g2866.exe 3612 bnttnn.exe 4420 hhnnnn.exe 528 2620448.exe 3116 46264.exe 3664 0288222.exe 3712 84448.exe 2852 rrxrlll.exe 3804 rxfxrrr.exe -
resource yara_rule behavioral2/memory/1224-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-206-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2388-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-8-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/844-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-896-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-909-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2660044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o062682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 668648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6226048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u844888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k88644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8644000.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 844 wrote to memory of 1320 844 e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe 85 PID 844 wrote to memory of 1320 844 e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe 85 PID 844 wrote to memory of 1320 844 e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe 85 PID 1320 wrote to memory of 1224 1320 0026266.exe 86 PID 1320 wrote to memory of 1224 1320 0026266.exe 86 PID 1320 wrote to memory of 1224 1320 0026266.exe 86 PID 1224 wrote to memory of 2624 1224 g6448.exe 87 PID 1224 wrote to memory of 2624 1224 g6448.exe 87 PID 1224 wrote to memory of 2624 1224 g6448.exe 87 PID 2624 wrote to memory of 4000 2624 840044.exe 88 PID 2624 wrote to memory of 4000 2624 840044.exe 88 PID 2624 wrote to memory of 4000 2624 840044.exe 88 PID 4000 wrote to memory of 4564 4000 4660000.exe 89 PID 4000 wrote to memory of 4564 4000 4660000.exe 89 PID 4000 wrote to memory of 4564 4000 4660000.exe 89 PID 4564 wrote to memory of 2220 4564 6400488.exe 90 PID 4564 wrote to memory of 2220 4564 6400488.exe 90 PID 4564 wrote to memory of 2220 4564 6400488.exe 90 PID 2220 wrote to memory of 4476 2220 k88828.exe 91 PID 2220 wrote to memory of 4476 2220 k88828.exe 91 PID 2220 wrote to memory of 4476 2220 k88828.exe 91 PID 4476 wrote to memory of 5040 4476 vdvvv.exe 92 PID 4476 wrote to memory of 5040 4476 vdvvv.exe 92 PID 4476 wrote to memory of 5040 4476 vdvvv.exe 92 PID 5040 wrote to memory of 4588 5040 6282228.exe 93 PID 5040 wrote to memory of 4588 5040 6282228.exe 93 PID 5040 wrote to memory of 4588 5040 6282228.exe 93 PID 4588 wrote to memory of 4188 4588 6844444.exe 94 PID 4588 wrote to memory of 4188 4588 6844444.exe 94 PID 4588 wrote to memory of 4188 4588 6844444.exe 94 PID 4188 wrote to memory of 3068 4188 rrfxxxf.exe 95 PID 4188 wrote to memory of 3068 4188 rrfxxxf.exe 95 PID 4188 wrote to memory of 3068 4188 rrfxxxf.exe 95 PID 3068 wrote to memory of 5032 3068 26666.exe 96 PID 3068 wrote 
to memory of 5032 3068 26666.exe 96 PID 3068 wrote to memory of 5032 3068 26666.exe 96 PID 5032 wrote to memory of 1660 5032 5ttnbb.exe 97 PID 5032 wrote to memory of 1660 5032 5ttnbb.exe 97 PID 5032 wrote to memory of 1660 5032 5ttnbb.exe 97 PID 1660 wrote to memory of 1712 1660 000444.exe 98 PID 1660 wrote to memory of 1712 1660 000444.exe 98 PID 1660 wrote to memory of 1712 1660 000444.exe 98 PID 1712 wrote to memory of 3028 1712 rxrrlll.exe 99 PID 1712 wrote to memory of 3028 1712 rxrrlll.exe 99 PID 1712 wrote to memory of 3028 1712 rxrrlll.exe 99 PID 3028 wrote to memory of 1432 3028 1lrlrrr.exe 100 PID 3028 wrote to memory of 1432 3028 1lrlrrr.exe 100 PID 3028 wrote to memory of 1432 3028 1lrlrrr.exe 100 PID 1432 wrote to memory of 3024 1432 u808006.exe 101 PID 1432 wrote to memory of 3024 1432 u808006.exe 101 PID 1432 wrote to memory of 3024 1432 u808006.exe 101 PID 3024 wrote to memory of 4172 3024 rxffxxx.exe 102 PID 3024 wrote to memory of 4172 3024 rxffxxx.exe 102 PID 3024 wrote to memory of 4172 3024 rxffxxx.exe 102 PID 4172 wrote to memory of 2444 4172 ddjjj.exe 103 PID 4172 wrote to memory of 2444 4172 ddjjj.exe 103 PID 4172 wrote to memory of 2444 4172 ddjjj.exe 103 PID 2444 wrote to memory of 4952 2444 3rrlxxr.exe 104 PID 2444 wrote to memory of 4952 2444 3rrlxxr.exe 104 PID 2444 wrote to memory of 4952 2444 3rrlxxr.exe 104 PID 4952 wrote to memory of 4852 4952 0602666.exe 105 PID 4952 wrote to memory of 4852 4952 0602666.exe 105 PID 4952 wrote to memory of 4852 4952 0602666.exe 105 PID 4852 wrote to memory of 1588 4852 pjpjj.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe"C:\Users\Admin\AppData\Local\Temp\e03aa0e3f145fde5f069d8bcf7815924a9c508ce6ed7adecc4f5ef3ca804212f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\0026266.exec:\0026266.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\g6448.exec:\g6448.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\840044.exec:\840044.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\4660000.exec:\4660000.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\6400488.exec:\6400488.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\k88828.exec:\k88828.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\vdvvv.exec:\vdvvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\6282228.exec:\6282228.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\6844444.exec:\6844444.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\rrfxxxf.exec:\rrfxxxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\26666.exec:\26666.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\5ttnbb.exec:\5ttnbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\000444.exec:\000444.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\rxrrlll.exec:\rxrrlll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\1lrlrrr.exec:\1lrlrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\u808006.exec:\u808006.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\rxffxxx.exec:\rxffxxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\ddjjj.exec:\ddjjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\3rrlxxr.exec:\3rrlxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\0602666.exec:\0602666.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\pjpjj.exec:\pjpjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\q28266.exec:\q28266.exe23⤵
- Executes dropped EXE
PID:1588 -
\??\c:\8244000.exec:\8244000.exe24⤵
- Executes dropped EXE
PID:3036 -
\??\c:\llxxrff.exec:\llxxrff.exe25⤵
- Executes dropped EXE
PID:4156 -
\??\c:\u688226.exec:\u688226.exe26⤵
- Executes dropped EXE
PID:3108 -
\??\c:\0248822.exec:\0248822.exe27⤵
- Executes dropped EXE
PID:1152 -
\??\c:\840488.exec:\840488.exe28⤵
- Executes dropped EXE
PID:3360 -
\??\c:\rlxflfl.exec:\rlxflfl.exe29⤵
- Executes dropped EXE
PID:1892 -
\??\c:\46222.exec:\46222.exe30⤵
- Executes dropped EXE
PID:1736 -
\??\c:\22884.exec:\22884.exe31⤵
- Executes dropped EXE
PID:3676 -
\??\c:\jddjd.exec:\jddjd.exe32⤵
- Executes dropped EXE
PID:4888 -
\??\c:\600044.exec:\600044.exe33⤵
- Executes dropped EXE
PID:2056 -
\??\c:\hbhnbb.exec:\hbhnbb.exe34⤵
- Executes dropped EXE
PID:4968 -
\??\c:\844448.exec:\844448.exe35⤵
- Executes dropped EXE
PID:3340 -
\??\c:\tthhnh.exec:\tthhnh.exe36⤵
- Executes dropped EXE
PID:1020 -
\??\c:\46666.exec:\46666.exe37⤵
- Executes dropped EXE
PID:2388 -
\??\c:\rrxxxfx.exec:\rrxxxfx.exe38⤵
- Executes dropped EXE
PID:2368 -
\??\c:\k40440.exec:\k40440.exe39⤵
- Executes dropped EXE
PID:3396 -
\??\c:\68600.exec:\68600.exe40⤵
- Executes dropped EXE
PID:3928 -
\??\c:\6064448.exec:\6064448.exe41⤵
- Executes dropped EXE
PID:3668 -
\??\c:\04404.exec:\04404.exe42⤵
- Executes dropped EXE
PID:4536 -
\??\c:\djvjj.exec:\djvjj.exe43⤵
- Executes dropped EXE
PID:2748 -
\??\c:\9jjdv.exec:\9jjdv.exe44⤵
- Executes dropped EXE
PID:3420 -
\??\c:\626066.exec:\626066.exe45⤵
- Executes dropped EXE
PID:3524 -
\??\c:\068826.exec:\068826.exe46⤵
- Executes dropped EXE
PID:2180 -
\??\c:\402226.exec:\402226.exe47⤵
- Executes dropped EXE
PID:224 -
\??\c:\6802262.exec:\6802262.exe48⤵
- Executes dropped EXE
PID:3572 -
\??\c:\822200.exec:\822200.exe49⤵
- Executes dropped EXE
PID:1752 -
\??\c:\6226604.exec:\6226604.exe50⤵
- Executes dropped EXE
PID:3520 -
\??\c:\62260.exec:\62260.exe51⤵
- Executes dropped EXE
PID:4940 -
\??\c:\pdddv.exec:\pdddv.exe52⤵
- Executes dropped EXE
PID:4736 -
\??\c:\284828.exec:\284828.exe53⤵
- Executes dropped EXE
PID:228 -
\??\c:\480666.exec:\480666.exe54⤵
- Executes dropped EXE
PID:2528 -
\??\c:\0828260.exec:\0828260.exe55⤵
- Executes dropped EXE
PID:1532 -
\??\c:\ttbtht.exec:\ttbtht.exe56⤵
- Executes dropped EXE
PID:1944 -
\??\c:\lllllll.exec:\lllllll.exe57⤵PID:4576
-
\??\c:\g2866.exec:\g2866.exe58⤵
- Executes dropped EXE
PID:1760 -
\??\c:\bnttnn.exec:\bnttnn.exe59⤵
- Executes dropped EXE
PID:3612 -
\??\c:\hhnnnn.exec:\hhnnnn.exe60⤵
- Executes dropped EXE
PID:4420 -
\??\c:\2620448.exec:\2620448.exe61⤵
- Executes dropped EXE
PID:528 -
\??\c:\46264.exec:\46264.exe62⤵
- Executes dropped EXE
PID:3116 -
\??\c:\0288222.exec:\0288222.exe63⤵
- Executes dropped EXE
PID:3664 -
\??\c:\84448.exec:\84448.exe64⤵
- Executes dropped EXE
PID:3712 -
\??\c:\rrxrlll.exec:\rrxrlll.exe65⤵
- Executes dropped EXE
PID:2852 -
\??\c:\rxfxrrr.exec:\rxfxrrr.exe66⤵
- Executes dropped EXE
PID:3804 -
\??\c:\rxlfffx.exec:\rxlfffx.exe67⤵PID:840
-
\??\c:\rxlfrrr.exec:\rxlfrrr.exe68⤵PID:464
-
\??\c:\nhhbtt.exec:\nhhbtt.exe69⤵PID:5084
-
\??\c:\jdvvv.exec:\jdvvv.exe70⤵PID:3068
-
\??\c:\a2606.exec:\a2606.exe71⤵PID:3092
-
\??\c:\tthtnb.exec:\tthtnb.exe72⤵PID:872
-
\??\c:\pdddv.exec:\pdddv.exe73⤵PID:3516
-
\??\c:\822622.exec:\822622.exe74⤵PID:3544
-
\??\c:\bhtnnh.exec:\bhtnnh.exe75⤵PID:2100
-
\??\c:\40604.exec:\40604.exe76⤵PID:4996
-
\??\c:\jjvdj.exec:\jjvdj.exe77⤵PID:1844
-
\??\c:\6660826.exec:\6660826.exe78⤵PID:2356
-
\??\c:\vpdvj.exec:\vpdvj.exe79⤵PID:4952
-
\??\c:\dvvdj.exec:\dvvdj.exe80⤵PID:4852
-
\??\c:\802284.exec:\802284.exe81⤵PID:2064
-
\??\c:\o226004.exec:\o226004.exe82⤵PID:4156
-
\??\c:\xxfrlfx.exec:\xxfrlfx.exe83⤵PID:2272
-
\??\c:\60640.exec:\60640.exe84⤵PID:3732
-
\??\c:\vpjdp.exec:\vpjdp.exe85⤵PID:2404
-
\??\c:\lrxxxxf.exec:\lrxxxxf.exe86⤵PID:2596
-
\??\c:\2022042.exec:\2022042.exe87⤵PID:1968
-
\??\c:\9rffxxr.exec:\9rffxxr.exe88⤵PID:3336
-
\??\c:\bhnhhn.exec:\bhnhhn.exe89⤵PID:2056
-
\??\c:\604448.exec:\604448.exe90⤵PID:964
-
\??\c:\hntnnn.exec:\hntnnn.exe91⤵PID:3340
-
\??\c:\8808826.exec:\8808826.exe92⤵PID:4896
-
\??\c:\vvvpp.exec:\vvvpp.exe93⤵PID:1168
-
\??\c:\tttttn.exec:\tttttn.exe94⤵PID:2308
-
\??\c:\lxrrllx.exec:\lxrrllx.exe95⤵PID:2856
-
\??\c:\4022666.exec:\4022666.exe96⤵PID:4252
-
\??\c:\0466884.exec:\0466884.exe97⤵PID:2268
-
\??\c:\pddvv.exec:\pddvv.exe98⤵PID:3648
-
\??\c:\pdjdv.exec:\pdjdv.exe99⤵PID:3428
-
\??\c:\5fxxlfx.exec:\5fxxlfx.exe100⤵PID:224
-
\??\c:\a8406.exec:\a8406.exe101⤵PID:3572
-
\??\c:\2448882.exec:\2448882.exe102⤵PID:4356
-
\??\c:\5rrlrfl.exec:\5rrlrfl.exe103⤵PID:2928
-
\??\c:\4686666.exec:\4686666.exe104⤵PID:4484
-
\??\c:\dvdvj.exec:\dvdvj.exe105⤵PID:4396
-
\??\c:\444466.exec:\444466.exe106⤵PID:2528
-
\??\c:\lfrlrrx.exec:\lfrlrrx.exe107⤵PID:4504
-
\??\c:\frlrlfx.exec:\frlrlfx.exe108⤵PID:4508
-
\??\c:\dvjvv.exec:\dvjvv.exe109⤵PID:2612
-
\??\c:\0208000.exec:\0208000.exe110⤵PID:396
-
\??\c:\xrxxrxr.exec:\xrxxrxr.exe111⤵PID:4652
-
\??\c:\66884.exec:\66884.exe112⤵PID:4660
-
\??\c:\068884.exec:\068884.exe113⤵PID:3712
-
\??\c:\dvdvp.exec:\dvdvp.exe114⤵PID:3252
-
\??\c:\04004.exec:\04004.exe115⤵PID:2476
-
\??\c:\frrrrfl.exec:\frrrrfl.exe116⤵PID:3652
-
\??\c:\20800.exec:\20800.exe117⤵PID:1960
-
\??\c:\44868.exec:\44868.exe118⤵PID:4864
-
\??\c:\1hbtnn.exec:\1hbtnn.exe119⤵PID:2208
-
\??\c:\600000.exec:\600000.exe120⤵PID:1660
-
\??\c:\flxrlll.exec:\flxrlll.exe121⤵PID:4440
-
\??\c:\7jvvv.exec:\7jvvv.exe122⤵PID:3912