Analysis
-
max time kernel
120s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-12-2024 18:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e9ebfa573fac0249d10e3af589a28ff0e52eb2df4eb1b2669369a2f4b4ad0729N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e9ebfa573fac0249d10e3af589a28ff0e52eb2df4eb1b2669369a2f4b4ad0729N.exe
-
Size
454KB
-
MD5
15b80259b921f6f991deaee3c731a7a0
-
SHA1
3d30eb348acaef645185cdc3e4013e5b6f1f6512
-
SHA256
e9ebfa573fac0249d10e3af589a28ff0e52eb2df4eb1b2669369a2f4b4ad0729
-
SHA512
1dafa72c338af2a360b7c172d93aebdf86664ae05cfdcf1a148cf7daab71d7c3d167b4aeb95b9a3f8190eddae29a264cd67076af84b96b103ddce238b29395f4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (all matches below are against memory dumps of the running processes — every hit is the same 0x400000–0x42A000 region, consistent with each dropped copy being the same unpacked image; the static task on the on-disk file reported only 1 signature, so the family attribution rests on the behavioral run rather than the file as written to disk)
resource yara_rule behavioral2/memory/2976-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/656-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4816-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2028-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-1059-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-1163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the signature listing is capped at 64 entries; the process tree below shows the chain continuing well past the last listed PID 3680, with later entries left untagged. Note also that PIDs are reused during the 120 s run — e.g. 4104 appears for both i682884.exe and later 624860.exe, 2028 for 5djdd.exe and bhnbtn.exe — so correlate on PID plus image name, not PID alone)
pid Process 4320 httttn.exe 2616 22004.exe 1324 ppdpv.exe 3516 xrfrxrr.exe 4104 i682884.exe 2892 lrxrfxr.exe 1660 422822.exe 64 lfxrxxr.exe 2388 lflxrrr.exe 4184 xfxlfrf.exe 3876 djvpd.exe 1100 3dvjj.exe 408 4226420.exe 5084 02420.exe 656 0444422.exe 1188 pdjvv.exe 3688 pdddv.exe 4488 806482.exe 2412 64666.exe 2668 fllfxxr.exe 3124 48444.exe 2180 bhhhbb.exe 2028 5djdd.exe 3716 288824.exe 2292 4444882.exe 3056 nnnhbt.exe 2404 nnnbtt.exe 4080 4486448.exe 4340 88888.exe 4456 242648.exe 1144 vpvdv.exe 4816 nbthbn.exe 1444 ffrffrl.exe 1936 dvvjd.exe 4020 nnnttt.exe 2408 2026204.exe 3780 248642.exe 2280 5vpdv.exe 456 668644.exe 1940 rxxlfxl.exe 4600 dpjvj.exe 4592 vjjjp.exe 1556 082086.exe 1796 880824.exe 100 222426.exe 2232 1jvpd.exe 1320 xrlfrxr.exe 704 644208.exe 3620 w44828.exe 4368 2042486.exe 856 fflxxrf.exe 3572 86608.exe 3656 8882486.exe 772 thbtnh.exe 3660 pdpjj.exe 3668 64208.exe 4036 422648.exe 1792 pjdjv.exe 4984 1dvjd.exe 4104 624860.exe 2024 vjjvp.exe 1200 tbhbnh.exe 3852 5xfxrxr.exe 3680 9ffrfxr.exe -
resource yara_rule behavioral2/memory/2976-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/656-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-187-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2408-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3056-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-805-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. On its own this is a weak indicator (reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is common in benign software); it is notable here mainly because every process in the drop chain performs it. Entries attributed to "Process not Found" are reads the sandbox could not map to a live process — presumably short-lived children that had already exited by the time the event was resolved; confirm against the full event log before treating them as unattributed activity.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6680040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6026224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 486000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q84426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlllrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i048428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (listing capped at 64; every target PID below is the child that the writing process itself spawns in the tree — 2976→4320, 4320→2616, and so on — so the three repeated writes per parent→child pair look like ordinary child-process setup rather than injection into an unrelated process; verify against the full event log)
description pid Process procid_target PID 2976 wrote to memory of 4320 2976 e9ebfa573fac0249d10e3af589a28ff0e52eb2df4eb1b2669369a2f4b4ad0729N.exe 83 PID 2976 wrote to memory of 4320 2976 e9ebfa573fac0249d10e3af589a28ff0e52eb2df4eb1b2669369a2f4b4ad0729N.exe 83 PID 2976 wrote to memory of 4320 2976 e9ebfa573fac0249d10e3af589a28ff0e52eb2df4eb1b2669369a2f4b4ad0729N.exe 83 PID 4320 wrote to memory of 2616 4320 httttn.exe 84 PID 4320 wrote to memory of 2616 4320 httttn.exe 84 PID 4320 wrote to memory of 2616 4320 httttn.exe 84 PID 2616 wrote to memory of 1324 2616 22004.exe 85 PID 2616 wrote to memory of 1324 2616 22004.exe 85 PID 2616 wrote to memory of 1324 2616 22004.exe 85 PID 1324 wrote to memory of 3516 1324 ppdpv.exe 86 PID 1324 wrote to memory of 3516 1324 ppdpv.exe 86 PID 1324 wrote to memory of 3516 1324 ppdpv.exe 86 PID 3516 wrote to memory of 4104 3516 xrfrxrr.exe 87 PID 3516 wrote to memory of 4104 3516 xrfrxrr.exe 87 PID 3516 wrote to memory of 4104 3516 xrfrxrr.exe 87 PID 4104 wrote to memory of 2892 4104 i682884.exe 88 PID 4104 wrote to memory of 2892 4104 i682884.exe 88 PID 4104 wrote to memory of 2892 4104 i682884.exe 88 PID 2892 wrote to memory of 1660 2892 lrxrfxr.exe 89 PID 2892 wrote to memory of 1660 2892 lrxrfxr.exe 89 PID 2892 wrote to memory of 1660 2892 lrxrfxr.exe 89 PID 1660 wrote to memory of 64 1660 422822.exe 90 PID 1660 wrote to memory of 64 1660 422822.exe 90 PID 1660 wrote to memory of 64 1660 422822.exe 90 PID 64 wrote to memory of 2388 64 lfxrxxr.exe 91 PID 64 wrote to memory of 2388 64 lfxrxxr.exe 91 PID 64 wrote to memory of 2388 64 lfxrxxr.exe 91 PID 2388 wrote to memory of 4184 2388 lflxrrr.exe 92 PID 2388 wrote to memory of 4184 2388 lflxrrr.exe 92 PID 2388 wrote to memory of 4184 2388 lflxrrr.exe 92 PID 4184 wrote to memory of 3876 4184 xfxlfrf.exe 93 PID 4184 wrote to memory of 3876 4184 xfxlfrf.exe 93 PID 4184 wrote to memory of 3876 4184 xfxlfrf.exe 93 PID 3876 wrote to memory of 1100 3876 djvpd.exe 94 PID 3876 wrote to 
memory of 1100 3876 djvpd.exe 94 PID 3876 wrote to memory of 1100 3876 djvpd.exe 94 PID 1100 wrote to memory of 408 1100 3dvjj.exe 95 PID 1100 wrote to memory of 408 1100 3dvjj.exe 95 PID 1100 wrote to memory of 408 1100 3dvjj.exe 95 PID 408 wrote to memory of 5084 408 4226420.exe 96 PID 408 wrote to memory of 5084 408 4226420.exe 96 PID 408 wrote to memory of 5084 408 4226420.exe 96 PID 5084 wrote to memory of 656 5084 02420.exe 97 PID 5084 wrote to memory of 656 5084 02420.exe 97 PID 5084 wrote to memory of 656 5084 02420.exe 97 PID 656 wrote to memory of 1188 656 0444422.exe 98 PID 656 wrote to memory of 1188 656 0444422.exe 98 PID 656 wrote to memory of 1188 656 0444422.exe 98 PID 1188 wrote to memory of 3688 1188 pdjvv.exe 99 PID 1188 wrote to memory of 3688 1188 pdjvv.exe 99 PID 1188 wrote to memory of 3688 1188 pdjvv.exe 99 PID 3688 wrote to memory of 4488 3688 pdddv.exe 100 PID 3688 wrote to memory of 4488 3688 pdddv.exe 100 PID 3688 wrote to memory of 4488 3688 pdddv.exe 100 PID 4488 wrote to memory of 2412 4488 806482.exe 101 PID 4488 wrote to memory of 2412 4488 806482.exe 101 PID 4488 wrote to memory of 2412 4488 806482.exe 101 PID 2412 wrote to memory of 2668 2412 64666.exe 102 PID 2412 wrote to memory of 2668 2412 64666.exe 102 PID 2412 wrote to memory of 2668 2412 64666.exe 102 PID 2668 wrote to memory of 3124 2668 fllfxxr.exe 103 PID 2668 wrote to memory of 3124 2668 fllfxxr.exe 103 PID 2668 wrote to memory of 3124 2668 fllfxxr.exe 103 PID 3124 wrote to memory of 2180 3124 48444.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9ebfa573fac0249d10e3af589a28ff0e52eb2df4eb1b2669369a2f4b4ad0729N.exe — command line: "C:\Users\Admin\AppData\Local\Temp\e9ebfa573fac0249d10e3af589a28ff0e52eb2df4eb1b2669369a2f4b4ad0729N.exe" (tree depth 1)
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\httttn.exe — command line: c:\httttn.exe (tree depth 2; the dropped copy is written to the root of C:\ and executed from there — each subsequent entry below follows the same image/command-line/depth pattern)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\22004.exec:\22004.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\ppdpv.exec:\ppdpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\xrfrxrr.exec:\xrfrxrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\i682884.exec:\i682884.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\lrxrfxr.exec:\lrxrfxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\422822.exec:\422822.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\lfxrxxr.exec:\lfxrxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\lflxrrr.exec:\lflxrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\xfxlfrf.exec:\xfxlfrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\djvpd.exec:\djvpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\3dvjj.exec:\3dvjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\4226420.exec:\4226420.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\02420.exec:\02420.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\0444422.exec:\0444422.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:656 -
\??\c:\pdjvv.exec:\pdjvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\pdddv.exec:\pdddv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\806482.exec:\806482.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\64666.exec:\64666.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\fllfxxr.exec:\fllfxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\48444.exec:\48444.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\bhhhbb.exec:\bhhhbb.exe23⤵
- Executes dropped EXE
PID:2180 -
\??\c:\5djdd.exec:\5djdd.exe24⤵
- Executes dropped EXE
PID:2028 -
\??\c:\288824.exec:\288824.exe25⤵
- Executes dropped EXE
PID:3716 -
\??\c:\4444882.exec:\4444882.exe26⤵
- Executes dropped EXE
PID:2292 -
\??\c:\nnnhbt.exec:\nnnhbt.exe27⤵
- Executes dropped EXE
PID:3056 -
\??\c:\nnnbtt.exec:\nnnbtt.exe28⤵
- Executes dropped EXE
PID:2404 -
\??\c:\4486448.exec:\4486448.exe29⤵
- Executes dropped EXE
PID:4080 -
\??\c:\88888.exec:\88888.exe30⤵
- Executes dropped EXE
PID:4340 -
\??\c:\242648.exec:\242648.exe31⤵
- Executes dropped EXE
PID:4456 -
\??\c:\vpvdv.exec:\vpvdv.exe32⤵
- Executes dropped EXE
PID:1144 -
\??\c:\nbthbn.exec:\nbthbn.exe33⤵
- Executes dropped EXE
PID:4816 -
\??\c:\ffrffrl.exec:\ffrffrl.exe34⤵
- Executes dropped EXE
PID:1444 -
\??\c:\dvvjd.exec:\dvvjd.exe35⤵
- Executes dropped EXE
PID:1936 -
\??\c:\nnnttt.exec:\nnnttt.exe36⤵
- Executes dropped EXE
PID:4020 -
\??\c:\2026204.exec:\2026204.exe37⤵
- Executes dropped EXE
PID:2408 -
\??\c:\248642.exec:\248642.exe38⤵
- Executes dropped EXE
PID:3780 -
\??\c:\5vpdv.exec:\5vpdv.exe39⤵
- Executes dropped EXE
PID:2280 -
\??\c:\668644.exec:\668644.exe40⤵
- Executes dropped EXE
PID:456 -
\??\c:\rxxlfxl.exec:\rxxlfxl.exe41⤵
- Executes dropped EXE
PID:1940 -
\??\c:\dpjvj.exec:\dpjvj.exe42⤵
- Executes dropped EXE
PID:4600 -
\??\c:\vjjjp.exec:\vjjjp.exe43⤵
- Executes dropped EXE
PID:4592 -
\??\c:\082086.exec:\082086.exe44⤵
- Executes dropped EXE
PID:1556 -
\??\c:\880824.exec:\880824.exe45⤵
- Executes dropped EXE
PID:1796 -
\??\c:\222426.exec:\222426.exe46⤵
- Executes dropped EXE
PID:100 -
\??\c:\1jvpd.exec:\1jvpd.exe47⤵
- Executes dropped EXE
PID:2232 -
\??\c:\xrlfrxr.exec:\xrlfrxr.exe48⤵
- Executes dropped EXE
PID:1320 -
\??\c:\644208.exec:\644208.exe49⤵
- Executes dropped EXE
PID:704 -
\??\c:\w44828.exec:\w44828.exe50⤵
- Executes dropped EXE
PID:3620 -
\??\c:\2042486.exec:\2042486.exe51⤵
- Executes dropped EXE
PID:4368 -
\??\c:\fflxxrf.exec:\fflxxrf.exe52⤵
- Executes dropped EXE
PID:856 -
\??\c:\86608.exec:\86608.exe53⤵
- Executes dropped EXE
PID:3572 -
\??\c:\8882486.exec:\8882486.exe54⤵
- Executes dropped EXE
PID:3656 -
\??\c:\thbtnh.exec:\thbtnh.exe55⤵
- Executes dropped EXE
PID:772 -
\??\c:\pdpjj.exec:\pdpjj.exe56⤵
- Executes dropped EXE
PID:3660 -
\??\c:\64208.exec:\64208.exe57⤵
- Executes dropped EXE
PID:3668 -
\??\c:\422648.exec:\422648.exe58⤵
- Executes dropped EXE
PID:4036 -
\??\c:\pjdjv.exec:\pjdjv.exe59⤵
- Executes dropped EXE
PID:1792 -
\??\c:\1dvjd.exec:\1dvjd.exe60⤵
- Executes dropped EXE
PID:4984 -
\??\c:\624860.exec:\624860.exe61⤵
- Executes dropped EXE
PID:4104 -
\??\c:\vjjvp.exec:\vjjvp.exe62⤵
- Executes dropped EXE
PID:2024 -
\??\c:\tbhbnh.exec:\tbhbnh.exe63⤵
- Executes dropped EXE
PID:1200 -
\??\c:\5xfxrxr.exec:\5xfxrxr.exe64⤵
- Executes dropped EXE
PID:3852 -
\??\c:\9ffrfxr.exec:\9ffrfxr.exe65⤵
- Executes dropped EXE
PID:3680 -
\??\c:\fllfrfr.exec:\fllfrfr.exe66⤵PID:3104
-
\??\c:\m2826.exec:\m2826.exe67⤵PID:404
-
\??\c:\006044.exec:\006044.exe68⤵PID:4184
-
\??\c:\884204.exec:\884204.exe69⤵PID:3876
-
\??\c:\httntn.exec:\httntn.exe70⤵PID:3584
-
\??\c:\pddvj.exec:\pddvj.exe71⤵PID:1100
-
\??\c:\844488.exec:\844488.exe72⤵PID:1884
-
\??\c:\lflxfxf.exec:\lflxfxf.exe73⤵PID:460
-
\??\c:\jppdp.exec:\jppdp.exe74⤵PID:1192
-
\??\c:\vdpvv.exec:\vdpvv.exe75⤵PID:3832
-
\??\c:\9dvjv.exec:\9dvjv.exe76⤵PID:1188
-
\??\c:\k46000.exec:\k46000.exe77⤵PID:920
-
\??\c:\k88608.exec:\k88608.exe78⤵PID:452
-
\??\c:\bnhtht.exec:\bnhtht.exe79⤵PID:4488
-
\??\c:\q02604.exec:\q02604.exe80⤵PID:5052
-
\??\c:\460868.exec:\460868.exe81⤵PID:1872
-
\??\c:\7frllxr.exec:\7frllxr.exe82⤵PID:2520
-
\??\c:\60486.exec:\60486.exe83⤵PID:2676
-
\??\c:\1hhbbb.exec:\1hhbbb.exe84⤵
- System Location Discovery: System Language Discovery
PID:3792 -
\??\c:\bhnbtn.exec:\bhnbtn.exe85⤵PID:2028
-
\??\c:\5vddp.exec:\5vddp.exe86⤵
- System Location Discovery: System Language Discovery
PID:1572 -
\??\c:\rxfxlll.exec:\rxfxlll.exe87⤵PID:1900
-
\??\c:\nbtnhb.exec:\nbtnhb.exe88⤵PID:5020
-
\??\c:\htbthh.exec:\htbthh.exe89⤵PID:3056
-
\??\c:\8604264.exec:\8604264.exe90⤵PID:4844
-
\??\c:\htthbt.exec:\htthbt.exe91⤵PID:4576
-
\??\c:\vvpdv.exec:\vvpdv.exe92⤵PID:2400
-
\??\c:\nbbnbt.exec:\nbbnbt.exe93⤵PID:4340
-
\??\c:\84086.exec:\84086.exe94⤵PID:4456
-
\??\c:\tttnbt.exec:\tttnbt.exe95⤵PID:2036
-
\??\c:\rrxrfrl.exec:\rrxrfrl.exe96⤵PID:412
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe97⤵PID:2696
-
\??\c:\482044.exec:\482044.exe98⤵PID:3096
-
\??\c:\tbthtb.exec:\tbthtb.exe99⤵PID:2584
-
\??\c:\3fflrlr.exec:\3fflrlr.exe100⤵PID:2408
-
\??\c:\nhnhnn.exec:\nhnhnn.exe101⤵PID:3700
-
\??\c:\5lfxrlf.exec:\5lfxrlf.exe102⤵PID:4312
-
\??\c:\fxllrrx.exec:\fxllrrx.exe103⤵PID:1712
-
\??\c:\1bthbt.exec:\1bthbt.exe104⤵PID:4612
-
\??\c:\444804.exec:\444804.exe105⤵PID:4600
-
\??\c:\084822.exec:\084822.exe106⤵PID:4252
-
\??\c:\2026066.exec:\2026066.exe107⤵PID:4324
-
\??\c:\q28604.exec:\q28604.exe108⤵PID:1556
-
\??\c:\xlxrlrr.exec:\xlxrlrr.exe109⤵PID:3336
-
\??\c:\8480082.exec:\8480082.exe110⤵PID:3560
-
\??\c:\28440.exec:\28440.exe111⤵PID:4280
-
\??\c:\5thtnh.exec:\5thtnh.exe112⤵PID:1488
-
\??\c:\4086004.exec:\4086004.exe113⤵PID:2744
-
\??\c:\tnnnnn.exec:\tnnnnn.exe114⤵PID:4384
-
\??\c:\5rrlfxx.exec:\5rrlfxx.exe115⤵PID:2576
-
\??\c:\9rlxrlf.exec:\9rlxrlf.exe116⤵PID:1312
-
\??\c:\vpppj.exec:\vpppj.exe117⤵PID:4392
-
\??\c:\600866.exec:\600866.exe118⤵PID:5080
-
\??\c:\djpjv.exec:\djpjv.exe119⤵PID:2460
-
\??\c:\60026.exec:\60026.exe120⤵PID:1648
-
\??\c:\hbbttt.exec:\hbbttt.exe121⤵PID:1960
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe122⤵PID:4052