Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 16:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e978886241331efeea5fd92fcb47848d193bfe06fea507cde1487714092ff757N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e978886241331efeea5fd92fcb47848d193bfe06fea507cde1487714092ff757N.exe
-
Size
454KB
-
MD5
8eb9f195a8662417fe6edcfcaa8ea250
-
SHA1
5fdebc333cfa9cc63444f4eae7c7b9063f79e094
-
SHA256
e978886241331efeea5fd92fcb47848d193bfe06fea507cde1487714092ff757
-
SHA512
f66c8ab79b2fb4599222d2733815b97aad7a5edfb0aefd5ce8c67ce3ce8c5204df4662611510b92acfd15e201cc9b5357441d12437dba820121c6702342c3fd6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5068-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4344-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3044-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-822-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-894-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-1258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5072-1277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4172 9rrfxxr.exe 1184 0668604.exe 1496 xxfrfxf.exe 4876 400608.exe 2896 48226.exe 3908 224260.exe 1172 626868.exe 2124 222042.exe 436 q60422.exe 1896 682080.exe 2924 6488642.exe 4308 e66642.exe 1864 7bbthh.exe 3256 bbthtn.exe 1752 6220486.exe 4004 rfxlxrf.exe 1108 20402.exe 1600 jvdpp.exe 2304 9vpdv.exe 4956 4820048.exe 220 08486.exe 1776 602086.exe 1364 rllfxll.exe 4344 jvddv.exe 1372 hnnhhh.exe 1004 m2488.exe 2728 2844826.exe 1740 04446.exe 3288 m8826.exe 4944 nhnbbt.exe 2140 4282260.exe 2272 28228.exe 1092 6622600.exe 3968 0622000.exe 3364 pdjjd.exe 4216 bnttnn.exe 2584 1flfflf.exe 4856 nhnhbb.exe 652 w68822.exe 720 rxlfxxx.exe 3068 662640.exe 3128 662268.exe 4060 rfrxflr.exe 3892 26860.exe 2308 rxffxll.exe 3572 rfffxfx.exe 928 a8806.exe 4300 ddvpv.exe 3556 646000.exe 432 880488.exe 224 frrllff.exe 4608 xrxfxrl.exe 2612 26682.exe 1984 jvvjd.exe 5060 2882666.exe 1480 08640.exe 1824 vvjdp.exe 1472 862262.exe 3832 64820.exe 700 8664208.exe 1864 64466.exe 816 6606888.exe 2352 tbhbbt.exe 1752 xxrrlll.exe -
resource yara_rule behavioral2/memory/5068-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1372-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-322-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1516-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-755-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8842648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0822082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8244000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
2622004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrlxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
hnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o220242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8466000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6426820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5068 wrote to memory of 4172 5068 e978886241331efeea5fd92fcb47848d193bfe06fea507cde1487714092ff757N.exe 83 PID 5068 wrote to memory of 4172 5068 e978886241331efeea5fd92fcb47848d193bfe06fea507cde1487714092ff757N.exe 83 PID 5068 wrote to memory of 4172 5068 e978886241331efeea5fd92fcb47848d193bfe06fea507cde1487714092ff757N.exe 83 PID 4172 wrote to memory of 1184 4172 9rrfxxr.exe 84 PID 4172 wrote to memory of 1184 4172 9rrfxxr.exe 84 PID 4172 wrote to memory of 1184 4172 9rrfxxr.exe 84 PID 1184 wrote to memory of 1496 1184 0668604.exe 85 PID 1184 wrote to memory of 1496 1184 0668604.exe 85 PID 1184 wrote to memory of 1496 1184 0668604.exe 85 PID 1496 wrote to memory of 4876 1496 xxfrfxf.exe 86 PID 1496 wrote to memory of 4876 1496 xxfrfxf.exe 86 PID 1496 wrote to memory of 4876 1496 xxfrfxf.exe 86 PID 4876 wrote to memory of 2896 4876 400608.exe 87 PID 4876 wrote to memory of 2896 4876 400608.exe 87 PID 4876 wrote to memory of 2896 4876 400608.exe 87 PID 2896 wrote to memory of 3908 2896 48226.exe 88 PID 2896 wrote to memory of 3908 2896 48226.exe 88 PID 2896 wrote to memory of 3908 2896 48226.exe 88 PID 3908 wrote to memory of 1172 3908 224260.exe 89 PID 3908 wrote to memory of 1172 3908 224260.exe 89 PID 3908 wrote to memory of 1172 3908 224260.exe 89 PID 1172 wrote to memory of 2124 1172 626868.exe 90 PID 1172 wrote to memory of 2124 1172 626868.exe 90 PID 1172 wrote to memory of 2124 1172 626868.exe 90 PID 2124 wrote to memory of 436 2124 222042.exe 91 PID 2124 wrote to memory of 436 2124 222042.exe 91 PID 2124 wrote to memory of 436 2124 222042.exe 91 PID 436 wrote to memory of 1896 436 q60422.exe 92 PID 436 wrote to memory of 1896 436 q60422.exe 92 PID 436 wrote to memory of 1896 436 q60422.exe 92 PID 1896 wrote to memory of 2924 1896 682080.exe 93 PID 1896 wrote to memory of 2924 1896 682080.exe 93 PID 1896 wrote to memory of 2924 1896 682080.exe 93 PID 2924 wrote to memory of 4308 2924 6488642.exe 94 PID 2924 wrote to 
memory of 4308 2924 6488642.exe 94 PID 2924 wrote to memory of 4308 2924 6488642.exe 94 PID 4308 wrote to memory of 1864 4308 e66642.exe 95 PID 4308 wrote to memory of 1864 4308 e66642.exe 95 PID 4308 wrote to memory of 1864 4308 e66642.exe 95 PID 1864 wrote to memory of 3256 1864 7bbthh.exe 96 PID 1864 wrote to memory of 3256 1864 7bbthh.exe 96 PID 1864 wrote to memory of 3256 1864 7bbthh.exe 96 PID 3256 wrote to memory of 1752 3256 bbthtn.exe 97 PID 3256 wrote to memory of 1752 3256 bbthtn.exe 97 PID 3256 wrote to memory of 1752 3256 bbthtn.exe 97 PID 1752 wrote to memory of 4004 1752 6220486.exe 98 PID 1752 wrote to memory of 4004 1752 6220486.exe 98 PID 1752 wrote to memory of 4004 1752 6220486.exe 98 PID 4004 wrote to memory of 1108 4004 rfxlxrf.exe 99 PID 4004 wrote to memory of 1108 4004 rfxlxrf.exe 99 PID 4004 wrote to memory of 1108 4004 rfxlxrf.exe 99 PID 1108 wrote to memory of 1600 1108 20402.exe 100 PID 1108 wrote to memory of 1600 1108 20402.exe 100 PID 1108 wrote to memory of 1600 1108 20402.exe 100 PID 1600 wrote to memory of 2304 1600 jvdpp.exe 101 PID 1600 wrote to memory of 2304 1600 jvdpp.exe 101 PID 1600 wrote to memory of 2304 1600 jvdpp.exe 101 PID 2304 wrote to memory of 4956 2304 9vpdv.exe 102 PID 2304 wrote to memory of 4956 2304 9vpdv.exe 102 PID 2304 wrote to memory of 4956 2304 9vpdv.exe 102 PID 4956 wrote to memory of 220 4956 4820048.exe 103 PID 4956 wrote to memory of 220 4956 4820048.exe 103 PID 4956 wrote to memory of 220 4956 4820048.exe 103 PID 220 wrote to memory of 1776 220 08486.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e978886241331efeea5fd92fcb47848d193bfe06fea507cde1487714092ff757N.exe"C:\Users\Admin\AppData\Local\Temp\e978886241331efeea5fd92fcb47848d193bfe06fea507cde1487714092ff757N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\9rrfxxr.exec:\9rrfxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\0668604.exec:\0668604.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\xxfrfxf.exec:\xxfrfxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\400608.exec:\400608.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\48226.exec:\48226.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\224260.exec:\224260.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3908 -
\??\c:\626868.exec:\626868.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\222042.exec:\222042.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\q60422.exec:\q60422.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\682080.exec:\682080.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\6488642.exec:\6488642.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\e66642.exec:\e66642.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\7bbthh.exec:\7bbthh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\bbthtn.exec:\bbthtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\6220486.exec:\6220486.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\rfxlxrf.exec:\rfxlxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\20402.exec:\20402.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\jvdpp.exec:\jvdpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\9vpdv.exec:\9vpdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\4820048.exec:\4820048.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\08486.exec:\08486.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\602086.exec:\602086.exe23⤵
- Executes dropped EXE
PID:1776 -
\??\c:\rllfxll.exec:\rllfxll.exe24⤵
- Executes dropped EXE
PID:1364 -
\??\c:\jvddv.exec:\jvddv.exe25⤵
- Executes dropped EXE
PID:4344 -
\??\c:\hnnhhh.exec:\hnnhhh.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1372 -
\??\c:\m2488.exec:\m2488.exe27⤵
- Executes dropped EXE
PID:1004 -
\??\c:\2844826.exec:\2844826.exe28⤵
- Executes dropped EXE
PID:2728 -
\??\c:\04446.exec:\04446.exe29⤵
- Executes dropped EXE
PID:1740 -
\??\c:\m8826.exec:\m8826.exe30⤵
- Executes dropped EXE
PID:3288 -
\??\c:\nhnbbt.exec:\nhnbbt.exe31⤵
- Executes dropped EXE
PID:4944 -
\??\c:\4282260.exec:\4282260.exe32⤵
- Executes dropped EXE
PID:2140 -
\??\c:\28228.exec:\28228.exe33⤵
- Executes dropped EXE
PID:2272 -
\??\c:\6622600.exec:\6622600.exe34⤵
- Executes dropped EXE
PID:1092 -
\??\c:\0622000.exec:\0622000.exe35⤵
- Executes dropped EXE
PID:3968 -
\??\c:\pdjjd.exec:\pdjjd.exe36⤵
- Executes dropped EXE
PID:3364 -
\??\c:\bnttnn.exec:\bnttnn.exe37⤵
- Executes dropped EXE
PID:4216 -
\??\c:\1flfflf.exec:\1flfflf.exe38⤵
- Executes dropped EXE
PID:2584 -
\??\c:\nhnhbb.exec:\nhnhbb.exe39⤵
- Executes dropped EXE
PID:4856 -
\??\c:\w68822.exec:\w68822.exe40⤵
- Executes dropped EXE
PID:652 -
\??\c:\rxlfxxx.exec:\rxlfxxx.exe41⤵
- Executes dropped EXE
PID:720 -
\??\c:\662640.exec:\662640.exe42⤵
- Executes dropped EXE
PID:3068 -
\??\c:\662268.exec:\662268.exe43⤵
- Executes dropped EXE
PID:3128 -
\??\c:\rfrxflr.exec:\rfrxflr.exe44⤵
- Executes dropped EXE
PID:4060 -
\??\c:\26860.exec:\26860.exe45⤵
- Executes dropped EXE
PID:3892 -
\??\c:\rxffxll.exec:\rxffxll.exe46⤵
- Executes dropped EXE
PID:2308 -
\??\c:\rfffxfx.exec:\rfffxfx.exe47⤵
- Executes dropped EXE
PID:3572 -
\??\c:\a8806.exec:\a8806.exe48⤵
- Executes dropped EXE
PID:928 -
\??\c:\ddvpv.exec:\ddvpv.exe49⤵
- Executes dropped EXE
PID:4300 -
\??\c:\646000.exec:\646000.exe50⤵
- Executes dropped EXE
PID:3556 -
\??\c:\880488.exec:\880488.exe51⤵
- Executes dropped EXE
PID:432 -
\??\c:\frrllff.exec:\frrllff.exe52⤵
- Executes dropped EXE
PID:224 -
\??\c:\xrxfxrl.exec:\xrxfxrl.exe53⤵
- Executes dropped EXE
PID:4608 -
\??\c:\26682.exec:\26682.exe54⤵
- Executes dropped EXE
PID:2612 -
\??\c:\jvvjd.exec:\jvvjd.exe55⤵
- Executes dropped EXE
PID:1984 -
\??\c:\2882666.exec:\2882666.exe56⤵
- Executes dropped EXE
PID:5060 -
\??\c:\08640.exec:\08640.exe57⤵
- Executes dropped EXE
PID:1480 -
\??\c:\vvjdp.exec:\vvjdp.exe58⤵
- Executes dropped EXE
PID:1824 -
\??\c:\862262.exec:\862262.exe59⤵
- Executes dropped EXE
PID:1472 -
\??\c:\64820.exec:\64820.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3832 -
\??\c:\8664208.exec:\8664208.exe61⤵
- Executes dropped EXE
PID:700 -
\??\c:\64466.exec:\64466.exe62⤵
- Executes dropped EXE
PID:1864 -
\??\c:\6606888.exec:\6606888.exe63⤵
- Executes dropped EXE
PID:816 -
\??\c:\tbhbbt.exec:\tbhbbt.exe64⤵
- Executes dropped EXE
PID:2352 -
\??\c:\xxrrlll.exec:\xxrrlll.exe65⤵
- Executes dropped EXE
PID:1752 -
\??\c:\8848260.exec:\8848260.exe66⤵PID:1840
-
\??\c:\4804448.exec:\4804448.exe67⤵PID:3044
-
\??\c:\jddvp.exec:\jddvp.exe68⤵PID:428
-
\??\c:\48008.exec:\48008.exe69⤵PID:2408
-
\??\c:\82440.exec:\82440.exe70⤵PID:3392
-
\??\c:\hbnnnn.exec:\hbnnnn.exe71⤵PID:5116
-
\??\c:\q24222.exec:\q24222.exe72⤵PID:1516
-
\??\c:\046044.exec:\046044.exe73⤵PID:2400
-
\??\c:\a4604.exec:\a4604.exe74⤵PID:4456
-
\??\c:\640048.exec:\640048.exe75⤵PID:4252
-
\??\c:\866420.exec:\866420.exe76⤵PID:2756
-
\??\c:\rlrlllf.exec:\rlrlllf.exe77⤵PID:4444
-
\??\c:\42264.exec:\42264.exe78⤵PID:4012
-
\??\c:\4280480.exec:\4280480.exe79⤵PID:4452
-
\??\c:\g0200.exec:\g0200.exe80⤵PID:2660
-
\??\c:\hbhbnb.exec:\hbhbnb.exe81⤵PID:3852
-
\??\c:\htbnhn.exec:\htbnhn.exe82⤵PID:4344
-
\??\c:\1hbnbt.exec:\1hbnbt.exe83⤵PID:3756
-
\??\c:\5bbbnn.exec:\5bbbnn.exe84⤵PID:1372
-
\??\c:\xxfrrlf.exec:\xxfrrlf.exe85⤵PID:2960
-
\??\c:\3llxxxr.exec:\3llxxxr.exe86⤵PID:2252
-
\??\c:\60880.exec:\60880.exe87⤵PID:3380
-
\??\c:\7djvj.exec:\7djvj.exe88⤵PID:3408
-
\??\c:\nbhthb.exec:\nbhthb.exe89⤵PID:2152
-
\??\c:\2664208.exec:\2664208.exe90⤵PID:4656
-
\??\c:\nttnbb.exec:\nttnbb.exe91⤵PID:3992
-
\??\c:\fllxlll.exec:\fllxlll.exe92⤵PID:5044
-
\??\c:\208644.exec:\208644.exe93⤵PID:1784
-
\??\c:\httthn.exec:\httthn.exe94⤵PID:788
-
\??\c:\fxffxlf.exec:\fxffxlf.exe95⤵PID:2272
-
\??\c:\5ffxrrr.exec:\5ffxrrr.exe96⤵PID:1092
-
\??\c:\ppppv.exec:\ppppv.exe97⤵PID:4528
-
\??\c:\dvppj.exec:\dvppj.exe98⤵PID:1352
-
\??\c:\vjddd.exec:\vjddd.exe99⤵PID:3444
-
\??\c:\rllfrlf.exec:\rllfrlf.exe100⤵PID:4636
-
\??\c:\c248404.exec:\c248404.exe101⤵PID:1936
-
\??\c:\vpvpj.exec:\vpvpj.exe102⤵PID:4368
-
\??\c:\828822.exec:\828822.exe103⤵PID:544
-
\??\c:\3jpjj.exec:\3jpjj.exe104⤵PID:5068
-
\??\c:\nthnbn.exec:\nthnbn.exe105⤵PID:3820
-
\??\c:\frrrlll.exec:\frrrlll.exe106⤵PID:3128
-
\??\c:\dvjdd.exec:\dvjdd.exe107⤵PID:1496
-
\??\c:\464448.exec:\464448.exe108⤵PID:3892
-
\??\c:\ffxrxlf.exec:\ffxrxlf.exe109⤵PID:4864
-
\??\c:\pddjd.exec:\pddjd.exe110⤵
- System Location Discovery: System Language Discovery
PID:4872 -
\??\c:\5lllfll.exec:\5lllfll.exe111⤵PID:2516
-
\??\c:\006040.exec:\006040.exe112⤵PID:4784
-
\??\c:\tttbbh.exec:\tttbbh.exe113⤵PID:1432
-
\??\c:\vjdvj.exec:\vjdvj.exe114⤵PID:1172
-
\??\c:\i400482.exec:\i400482.exe115⤵PID:2656
-
\??\c:\028484.exec:\028484.exe116⤵PID:3916
-
\??\c:\hntnhh.exec:\hntnhh.exe117⤵PID:2112
-
\??\c:\7jvvv.exec:\7jvvv.exe118⤵PID:3480
-
\??\c:\9fxfxff.exec:\9fxfxff.exe119⤵PID:1360
-
\??\c:\o688822.exec:\o688822.exe120⤵PID:3812
-
\??\c:\fffxrll.exec:\fffxrll.exe121⤵PID:3108
-
\??\c:\g8006.exec:\g8006.exe122⤵PID:3432