Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 20:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e5b4502eb3ef3424e3e205fdc20ad42933b104a53073da1767981c84d11ad5a2N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
e5b4502eb3ef3424e3e205fdc20ad42933b104a53073da1767981c84d11ad5a2N.exe
-
Size
454KB
-
MD5
1aabde183d6414432cb8c0cb4b271ce0
-
SHA1
7084df84d5faa5194d8edf460dea8f2040deeb37
-
SHA256
e5b4502eb3ef3424e3e205fdc20ad42933b104a53073da1767981c84d11ad5a2
-
SHA512
6ee2c5c40f4f841615a7c14a6b328129cc883b5bb33c54d150666e0798ad7816a33f2bcdb33c579e4f06ff95878121647d69db92fd1f932e32f26788311ce424
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/552-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/736-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2216-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-752-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-800-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-852-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-1338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1580-1743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3344 4062008.exe 2964 tttnhb.exe 4984 vjvpj.exe 400 e62644.exe 5100 006604.exe 3488 nnhtnh.exe 1048 828282.exe 2916 1pjdd.exe 112 bbbtnn.exe 3836 bbbthh.exe 4880 4048260.exe 4336 xrfxrlf.exe 2880 lrxrllf.exe 1116 3hhhbt.exe 4436 dvvpv.exe 2960 422600.exe 1584 1jdvp.exe 1312 a4642.exe 3172 u804048.exe 4452 820400.exe 5084 2804444.exe 4480 060486.exe 1864 62082.exe 4980 2646082.exe 836 9tthhb.exe 736 1rfxrrl.exe 1132 4826482.exe 3604 hbbttt.exe 5104 m6604.exe 2420 flrfxxr.exe 4088 884482.exe 4100 nbbtth.exe 3224 i626004.exe 336 fxffxxr.exe 2260 0860668.exe 3168 llfrxlf.exe 3936 o826448.exe 1396 86048.exe 4584 vpdvp.exe 4656 4062660.exe 4588 86260.exe 4304 66840.exe 3340 684822.exe 4808 vdjpp.exe 2736 680662.exe 2024 8266004.exe 3840 044488.exe 776 02062.exe 3500 pdjdv.exe 4548 ffrlfll.exe 696 2042042.exe 5100 8260886.exe 2096 86042.exe 3088 4228600.exe 5064 thbthh.exe 2444 464644.exe 1684 g8482.exe 2724 xffrlfx.exe 4568 s0648.exe 4880 400860.exe 3636 jvdvp.exe 4336 0862840.exe 964 640044.exe 1116 frffxlf.exe -
resource yara_rule behavioral2/memory/552-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1132-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-383-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4304-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-752-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-800-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4826482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2628660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8248484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8282660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 552 wrote to memory of 3344 552 e5b4502eb3ef3424e3e205fdc20ad42933b104a53073da1767981c84d11ad5a2N.exe 83 PID 552 wrote to memory of 3344 552 e5b4502eb3ef3424e3e205fdc20ad42933b104a53073da1767981c84d11ad5a2N.exe 83 PID 552 wrote to memory of 3344 552 e5b4502eb3ef3424e3e205fdc20ad42933b104a53073da1767981c84d11ad5a2N.exe 83 PID 3344 wrote to memory of 2964 3344 4062008.exe 84 PID 3344 wrote to memory of 2964 3344 4062008.exe 84 PID 3344 wrote to memory of 2964 3344 4062008.exe 84 PID 2964 wrote to memory of 4984 2964 tttnhb.exe 85 PID 2964 wrote to memory of 4984 2964 tttnhb.exe 85 PID 2964 wrote to memory of 4984 2964 tttnhb.exe 85 PID 4984 wrote to memory of 400 4984 vjvpj.exe 86 PID 4984 wrote to memory of 400 4984 vjvpj.exe 86 PID 4984 wrote to memory of 400 4984 vjvpj.exe 86 PID 400 wrote to memory of 5100 400 e62644.exe 87 PID 400 wrote to memory of 5100 400 e62644.exe 87 PID 400 wrote to memory of 5100 400 e62644.exe 87 PID 5100 wrote to memory of 3488 5100 006604.exe 88 PID 5100 wrote to memory of 3488 5100 006604.exe 88 PID 5100 wrote to memory of 3488 5100 006604.exe 88 PID 3488 wrote to memory of 1048 3488 nnhtnh.exe 89 PID 3488 wrote to memory of 1048 3488 nnhtnh.exe 89 PID 3488 wrote to memory of 1048 3488 nnhtnh.exe 89 PID 1048 wrote to memory of 2916 1048 828282.exe 90 PID 1048 wrote to memory of 2916 1048 828282.exe 90 PID 1048 wrote to memory of 2916 1048 828282.exe 90 PID 2916 wrote to memory of 112 2916 1pjdd.exe 91 PID 2916 wrote to memory of 112 2916 1pjdd.exe 91 PID 2916 wrote to memory of 112 2916 1pjdd.exe 91 PID 112 wrote to memory of 3836 112 bbbtnn.exe 92 PID 112 wrote to memory of 3836 112 bbbtnn.exe 92 PID 112 wrote to memory of 3836 112 bbbtnn.exe 92 PID 3836 wrote to memory of 4880 3836 bbbthh.exe 93 PID 3836 wrote to memory of 4880 3836 bbbthh.exe 93 PID 3836 wrote to memory of 4880 3836 bbbthh.exe 93 PID 4880 wrote to memory of 4336 4880 4048260.exe 94 PID 4880 wrote to memory of 4336 4880 
4048260.exe 94 PID 4880 wrote to memory of 4336 4880 4048260.exe 94 PID 4336 wrote to memory of 2880 4336 xrfxrlf.exe 95 PID 4336 wrote to memory of 2880 4336 xrfxrlf.exe 95 PID 4336 wrote to memory of 2880 4336 xrfxrlf.exe 95 PID 2880 wrote to memory of 1116 2880 lrxrllf.exe 96 PID 2880 wrote to memory of 1116 2880 lrxrllf.exe 96 PID 2880 wrote to memory of 1116 2880 lrxrllf.exe 96 PID 1116 wrote to memory of 4436 1116 3hhhbt.exe 97 PID 1116 wrote to memory of 4436 1116 3hhhbt.exe 97 PID 1116 wrote to memory of 4436 1116 3hhhbt.exe 97 PID 4436 wrote to memory of 2960 4436 dvvpv.exe 98 PID 4436 wrote to memory of 2960 4436 dvvpv.exe 98 PID 4436 wrote to memory of 2960 4436 dvvpv.exe 98 PID 2960 wrote to memory of 1584 2960 422600.exe 99 PID 2960 wrote to memory of 1584 2960 422600.exe 99 PID 2960 wrote to memory of 1584 2960 422600.exe 99 PID 1584 wrote to memory of 1312 1584 1jdvp.exe 100 PID 1584 wrote to memory of 1312 1584 1jdvp.exe 100 PID 1584 wrote to memory of 1312 1584 1jdvp.exe 100 PID 1312 wrote to memory of 3172 1312 a4642.exe 101 PID 1312 wrote to memory of 3172 1312 a4642.exe 101 PID 1312 wrote to memory of 3172 1312 a4642.exe 101 PID 3172 wrote to memory of 4452 3172 u804048.exe 102 PID 3172 wrote to memory of 4452 3172 u804048.exe 102 PID 3172 wrote to memory of 4452 3172 u804048.exe 102 PID 4452 wrote to memory of 5084 4452 820400.exe 103 PID 4452 wrote to memory of 5084 4452 820400.exe 103 PID 4452 wrote to memory of 5084 4452 820400.exe 103 PID 5084 wrote to memory of 4480 5084 2804444.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5b4502eb3ef3424e3e205fdc20ad42933b104a53073da1767981c84d11ad5a2N.exe"C:\Users\Admin\AppData\Local\Temp\e5b4502eb3ef3424e3e205fdc20ad42933b104a53073da1767981c84d11ad5a2N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\4062008.exec:\4062008.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\tttnhb.exec:\tttnhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\vjvpj.exec:\vjvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\e62644.exec:\e62644.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\006604.exec:\006604.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\nnhtnh.exec:\nnhtnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\828282.exec:\828282.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\1pjdd.exec:\1pjdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\bbbtnn.exec:\bbbtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\bbbthh.exec:\bbbthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\4048260.exec:\4048260.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\xrfxrlf.exec:\xrfxrlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\lrxrllf.exec:\lrxrllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\3hhhbt.exec:\3hhhbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\dvvpv.exec:\dvvpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\422600.exec:\422600.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\1jdvp.exec:\1jdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\a4642.exec:\a4642.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\u804048.exec:\u804048.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\820400.exec:\820400.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\2804444.exec:\2804444.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\060486.exec:\060486.exe23⤵
- Executes dropped EXE
PID:4480 -
\??\c:\62082.exec:\62082.exe24⤵
- Executes dropped EXE
PID:1864 -
\??\c:\2646082.exec:\2646082.exe25⤵
- Executes dropped EXE
PID:4980 -
\??\c:\9tthhb.exec:\9tthhb.exe26⤵
- Executes dropped EXE
PID:836 -
\??\c:\1rfxrrl.exec:\1rfxrrl.exe27⤵
- Executes dropped EXE
PID:736 -
\??\c:\4826482.exec:\4826482.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1132 -
\??\c:\hbbttt.exec:\hbbttt.exe29⤵
- Executes dropped EXE
PID:3604 -
\??\c:\m6604.exec:\m6604.exe30⤵
- Executes dropped EXE
PID:5104 -
\??\c:\flrfxxr.exec:\flrfxxr.exe31⤵
- Executes dropped EXE
PID:2420 -
\??\c:\884482.exec:\884482.exe32⤵
- Executes dropped EXE
PID:4088 -
\??\c:\nbbtth.exec:\nbbtth.exe33⤵
- Executes dropped EXE
PID:4100 -
\??\c:\i626004.exec:\i626004.exe34⤵
- Executes dropped EXE
PID:3224 -
\??\c:\fxffxxr.exec:\fxffxxr.exe35⤵
- Executes dropped EXE
PID:336 -
\??\c:\0860668.exec:\0860668.exe36⤵
- Executes dropped EXE
PID:2260 -
\??\c:\llfrxlf.exec:\llfrxlf.exe37⤵
- Executes dropped EXE
PID:3168 -
\??\c:\o826448.exec:\o826448.exe38⤵
- Executes dropped EXE
PID:3936 -
\??\c:\86048.exec:\86048.exe39⤵
- Executes dropped EXE
PID:1396 -
\??\c:\vpdvp.exec:\vpdvp.exe40⤵
- Executes dropped EXE
PID:4584 -
\??\c:\4062660.exec:\4062660.exe41⤵
- Executes dropped EXE
PID:4656 -
\??\c:\86260.exec:\86260.exe42⤵
- Executes dropped EXE
PID:4588 -
\??\c:\66840.exec:\66840.exe43⤵
- Executes dropped EXE
PID:4304 -
\??\c:\684822.exec:\684822.exe44⤵
- Executes dropped EXE
PID:3340 -
\??\c:\vdjpp.exec:\vdjpp.exe45⤵
- Executes dropped EXE
PID:4808 -
\??\c:\680662.exec:\680662.exe46⤵
- Executes dropped EXE
PID:2736 -
\??\c:\8266004.exec:\8266004.exe47⤵
- Executes dropped EXE
PID:2024 -
\??\c:\044488.exec:\044488.exe48⤵
- Executes dropped EXE
PID:3840 -
\??\c:\02062.exec:\02062.exe49⤵
- Executes dropped EXE
PID:776 -
\??\c:\pdjdv.exec:\pdjdv.exe50⤵
- Executes dropped EXE
PID:3500 -
\??\c:\ffrlfll.exec:\ffrlfll.exe51⤵
- Executes dropped EXE
PID:4548 -
\??\c:\2042042.exec:\2042042.exe52⤵
- Executes dropped EXE
PID:696 -
\??\c:\8260886.exec:\8260886.exe53⤵
- Executes dropped EXE
PID:5100 -
\??\c:\86042.exec:\86042.exe54⤵
- Executes dropped EXE
PID:2096 -
\??\c:\4228600.exec:\4228600.exe55⤵
- Executes dropped EXE
PID:3088 -
\??\c:\thbthh.exec:\thbthh.exe56⤵
- Executes dropped EXE
PID:5064 -
\??\c:\464644.exec:\464644.exe57⤵
- Executes dropped EXE
PID:2444 -
\??\c:\g8482.exec:\g8482.exe58⤵
- Executes dropped EXE
PID:1684 -
\??\c:\xffrlfx.exec:\xffrlfx.exe59⤵
- Executes dropped EXE
PID:2724 -
\??\c:\s0648.exec:\s0648.exe60⤵
- Executes dropped EXE
PID:4568 -
\??\c:\400860.exec:\400860.exe61⤵
- Executes dropped EXE
PID:4880 -
\??\c:\jvdvp.exec:\jvdvp.exe62⤵
- Executes dropped EXE
PID:3636 -
\??\c:\0862840.exec:\0862840.exe63⤵
- Executes dropped EXE
PID:4336 -
\??\c:\640044.exec:\640044.exe64⤵
- Executes dropped EXE
PID:964 -
\??\c:\frffxlf.exec:\frffxlf.exe65⤵
- Executes dropped EXE
PID:1116 -
\??\c:\vjppd.exec:\vjppd.exe66⤵PID:4092
-
\??\c:\48044.exec:\48044.exe67⤵PID:1288
-
\??\c:\jvdvj.exec:\jvdvj.exe68⤵PID:3440
-
\??\c:\a0200.exec:\a0200.exe69⤵PID:1584
-
\??\c:\lxxllfl.exec:\lxxllfl.exe70⤵PID:3360
-
\??\c:\httnnh.exec:\httnnh.exe71⤵PID:3292
-
\??\c:\i448268.exec:\i448268.exe72⤵PID:2140
-
\??\c:\1pjvp.exec:\1pjvp.exe73⤵PID:4864
-
\??\c:\66200.exec:\66200.exe74⤵PID:1488
-
\??\c:\i888226.exec:\i888226.exe75⤵PID:4276
-
\??\c:\6862262.exec:\6862262.exe76⤵PID:4240
-
\??\c:\666604.exec:\666604.exe77⤵PID:1864
-
\??\c:\bttbht.exec:\bttbht.exe78⤵PID:3496
-
\??\c:\jjdpv.exec:\jjdpv.exe79⤵PID:3352
-
\??\c:\1vdpd.exec:\1vdpd.exe80⤵PID:836
-
\??\c:\6604062.exec:\6604062.exe81⤵PID:2216
-
\??\c:\8404888.exec:\8404888.exe82⤵PID:1480
-
\??\c:\pvjdv.exec:\pvjdv.exe83⤵PID:2948
-
\??\c:\1fxrllr.exec:\1fxrllr.exe84⤵PID:3604
-
\??\c:\626004.exec:\626004.exe85⤵PID:4268
-
\??\c:\hnbbtt.exec:\hnbbtt.exe86⤵PID:5104
-
\??\c:\40404.exec:\40404.exe87⤵PID:3472
-
\??\c:\064264.exec:\064264.exe88⤵PID:740
-
\??\c:\rxxxllf.exec:\rxxxllf.exe89⤵PID:3944
-
\??\c:\hhthnn.exec:\hhthnn.exe90⤵PID:4100
-
\??\c:\9ddjv.exec:\9ddjv.exe91⤵PID:428
-
\??\c:\4226080.exec:\4226080.exe92⤵PID:4204
-
\??\c:\284264.exec:\284264.exe93⤵PID:4844
-
\??\c:\bhhbnn.exec:\bhhbnn.exe94⤵PID:4196
-
\??\c:\tbbtnh.exec:\tbbtnh.exe95⤵PID:3844
-
\??\c:\08044.exec:\08044.exe96⤵PID:1188
-
\??\c:\6064226.exec:\6064226.exe97⤵PID:4856
-
\??\c:\dppjd.exec:\dppjd.exe98⤵PID:536
-
\??\c:\xxfrlfx.exec:\xxfrlfx.exe99⤵PID:4300
-
\??\c:\hbhhnn.exec:\hbhhnn.exe100⤵PID:4304
-
\??\c:\2460448.exec:\2460448.exe101⤵PID:3340
-
\??\c:\dvpjd.exec:\dvpjd.exe102⤵PID:4808
-
\??\c:\llrlxlx.exec:\llrlxlx.exe103⤵PID:2648
-
\??\c:\lxrlffx.exec:\lxrlffx.exe104⤵PID:2800
-
\??\c:\60082.exec:\60082.exe105⤵PID:3860
-
\??\c:\g6208.exec:\g6208.exe106⤵PID:1352
-
\??\c:\6408040.exec:\6408040.exe107⤵PID:3500
-
\??\c:\624848.exec:\624848.exe108⤵PID:4740
-
\??\c:\llrlffx.exec:\llrlffx.exe109⤵PID:3032
-
\??\c:\xxxxlfx.exec:\xxxxlfx.exe110⤵PID:2008
-
\??\c:\vdjvj.exec:\vdjvj.exe111⤵PID:4904
-
\??\c:\06826.exec:\06826.exe112⤵PID:372
-
\??\c:\pddpd.exec:\pddpd.exe113⤵PID:2968
-
\??\c:\04642.exec:\04642.exe114⤵PID:1932
-
\??\c:\846482.exec:\846482.exe115⤵PID:2268
-
\??\c:\vjjvp.exec:\vjjvp.exe116⤵PID:1652
-
\??\c:\8204488.exec:\8204488.exe117⤵PID:2576
-
\??\c:\g0264.exec:\g0264.exe118⤵PID:952
-
\??\c:\bttnbb.exec:\bttnbb.exe119⤵PID:640
-
\??\c:\4804444.exec:\4804444.exe120⤵PID:4644
-
\??\c:\vvdvj.exec:\vvdvj.exe121⤵PID:2840
-
\??\c:\nbhbbb.exec:\nbhbbb.exe122⤵PID:3064