Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 21:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e83616065672424b95d05561cfea7f7065abf653769f5a72e332ce4348592ba5.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
e83616065672424b95d05561cfea7f7065abf653769f5a72e332ce4348592ba5.exe
-
Size
453KB
-
MD5
9c1fecad1cd23ea84cb2db7703cc25d6
-
SHA1
489b3363c7edf4d7873f434238f49f1a6906d5d4
-
SHA256
e83616065672424b95d05561cfea7f7065abf653769f5a72e332ce4348592ba5
-
SHA512
237b8364eed706af30327e7325d0161a77ce08dbecc64055175a20c763d63ea0d48e4a01d2fd9bf3298b90db90cf6acf11dda1186f191b22a7c028767a2b1c75
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/244-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4448-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/520-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3648-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/900-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-914-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-1008-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-1018-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-1214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-1286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2032-1472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1804 xxxxrrr.exe 3340 jdjdd.exe 5080 hnbbbb.exe 1384 thtnht.exe 4848 lxxrlxr.exe 3692 jdppj.exe 1688 nhnhbb.exe 4996 xxfffll.exe 3332 bhhbbb.exe 2036 llrrxxf.exe 768 thhhbb.exe 3992 lfrrrrr.exe 1624 9ttbtt.exe 1572 djvpj.exe 4696 djjdv.exe 4932 xxrrrxr.exe 1628 jpjjd.exe 520 lflrlrl.exe 1944 ddjdd.exe 2644 rrrlllf.exe 4988 ppvpj.exe 4060 7vvpj.exe 2736 bhtbhn.exe 1832 tnnhhh.exe 1316 nbttnt.exe 1556 bbnbhb.exe 4448 pdpjj.exe 4264 rlrlfxr.exe 4864 ddvvj.exe 3752 nbnhhh.exe 1376 lxfxxxr.exe 2808 jdvvd.exe 1636 rfxxffr.exe 3084 vvjvj.exe 2972 ddjdv.exe 676 fxlxffx.exe 3624 7bbttt.exe 3380 jdjdj.exe 472 lxlfxrr.exe 3672 bthhtt.exe 3684 djvpp.exe 1312 frxrlrx.exe 4432 7hthbb.exe 3520 btbtnb.exe 5088 jdjjj.exe 4964 rrfffxr.exe 2212 bnbtnb.exe 2764 pdjdd.exe 4312 xrrxxff.exe 4304 xflrrrl.exe 2604 3nbbnn.exe 4668 dddjd.exe 4956 xxrfxrr.exe 4536 9flxxrr.exe 4780 hnhhtb.exe 996 nthbbb.exe 2744 jjjjd.exe 4564 rxfxlrl.exe 2072 3rxxllr.exe 2360 bbbttt.exe 2116 dvdpj.exe 1716 xflfxff.exe 3452 ntttnn.exe 2936 pjddd.exe -
resource yara_rule behavioral2/memory/1804-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4448-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/520-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/900-377-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1040-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-914-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-1008-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 244 wrote to memory of 1804 244 e83616065672424b95d05561cfea7f7065abf653769f5a72e332ce4348592ba5.exe 83 PID 244 wrote to memory of 1804 244 e83616065672424b95d05561cfea7f7065abf653769f5a72e332ce4348592ba5.exe 83 PID 244 wrote to memory of 1804 244 e83616065672424b95d05561cfea7f7065abf653769f5a72e332ce4348592ba5.exe 83 PID 1804 wrote to memory of 3340 1804 xxxxrrr.exe 84 PID 1804 wrote to memory of 3340 1804 xxxxrrr.exe 84 PID 1804 wrote to memory of 3340 1804 xxxxrrr.exe 84 PID 3340 wrote to memory of 5080 3340 jdjdd.exe 85 PID 3340 wrote to memory of 5080 3340 jdjdd.exe 85 PID 3340 wrote to memory of 5080 3340 jdjdd.exe 85 PID 5080 wrote to memory of 1384 5080 hnbbbb.exe 86 PID 5080 wrote to memory of 1384 5080 hnbbbb.exe 86 PID 5080 wrote to memory of 1384 5080 hnbbbb.exe 86 PID 1384 wrote to memory of 4848 1384 thtnht.exe 87 PID 1384 wrote to memory of 4848 1384 thtnht.exe 87 PID 1384 wrote to memory of 4848 1384 thtnht.exe 87 PID 4848 wrote to memory of 3692 4848 lxxrlxr.exe 88 PID 4848 wrote to memory of 3692 4848 lxxrlxr.exe 88 PID 4848 wrote to memory of 3692 4848 lxxrlxr.exe 88 PID 3692 wrote to memory of 1688 3692 jdppj.exe 89 PID 3692 wrote to memory of 1688 3692 jdppj.exe 89 PID 3692 wrote to memory of 1688 3692 jdppj.exe 89 PID 1688 wrote to memory of 4996 1688 nhnhbb.exe 90 PID 1688 wrote to memory of 4996 1688 nhnhbb.exe 90 PID 1688 wrote to memory of 4996 1688 nhnhbb.exe 90 PID 4996 wrote to memory of 3332 4996 xxfffll.exe 91 PID 4996 wrote to memory of 3332 4996 xxfffll.exe 91 PID 4996 wrote to memory of 3332 4996 xxfffll.exe 91 PID 3332 wrote to memory of 2036 3332 bhhbbb.exe 92 PID 3332 wrote to memory of 2036 3332 bhhbbb.exe 92 PID 3332 wrote to memory of 2036 3332 bhhbbb.exe 92 PID 2036 wrote to memory of 768 2036 llrrxxf.exe 93 PID 2036 wrote to memory of 768 2036 llrrxxf.exe 93 PID 2036 wrote to memory of 768 2036 llrrxxf.exe 93 PID 768 wrote to memory of 3992 768 thhhbb.exe 94 PID 768 wrote to memory 
of 3992 768 thhhbb.exe 94 PID 768 wrote to memory of 3992 768 thhhbb.exe 94 PID 3992 wrote to memory of 1624 3992 lfrrrrr.exe 95 PID 3992 wrote to memory of 1624 3992 lfrrrrr.exe 95 PID 3992 wrote to memory of 1624 3992 lfrrrrr.exe 95 PID 1624 wrote to memory of 1572 1624 9ttbtt.exe 96 PID 1624 wrote to memory of 1572 1624 9ttbtt.exe 96 PID 1624 wrote to memory of 1572 1624 9ttbtt.exe 96 PID 1572 wrote to memory of 4696 1572 djvpj.exe 97 PID 1572 wrote to memory of 4696 1572 djvpj.exe 97 PID 1572 wrote to memory of 4696 1572 djvpj.exe 97 PID 4696 wrote to memory of 4932 4696 djjdv.exe 98 PID 4696 wrote to memory of 4932 4696 djjdv.exe 98 PID 4696 wrote to memory of 4932 4696 djjdv.exe 98 PID 4932 wrote to memory of 1628 4932 xxrrrxr.exe 99 PID 4932 wrote to memory of 1628 4932 xxrrrxr.exe 99 PID 4932 wrote to memory of 1628 4932 xxrrrxr.exe 99 PID 1628 wrote to memory of 520 1628 jpjjd.exe 100 PID 1628 wrote to memory of 520 1628 jpjjd.exe 100 PID 1628 wrote to memory of 520 1628 jpjjd.exe 100 PID 520 wrote to memory of 1944 520 lflrlrl.exe 101 PID 520 wrote to memory of 1944 520 lflrlrl.exe 101 PID 520 wrote to memory of 1944 520 lflrlrl.exe 101 PID 1944 wrote to memory of 2644 1944 ddjdd.exe 102 PID 1944 wrote to memory of 2644 1944 ddjdd.exe 102 PID 1944 wrote to memory of 2644 1944 ddjdd.exe 102 PID 2644 wrote to memory of 4988 2644 rrrlllf.exe 103 PID 2644 wrote to memory of 4988 2644 rrrlllf.exe 103 PID 2644 wrote to memory of 4988 2644 rrrlllf.exe 103 PID 4988 wrote to memory of 4060 4988 ppvpj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e83616065672424b95d05561cfea7f7065abf653769f5a72e332ce4348592ba5.exe"C:\Users\Admin\AppData\Local\Temp\e83616065672424b95d05561cfea7f7065abf653769f5a72e332ce4348592ba5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\xxxxrrr.exec:\xxxxrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\jdjdd.exec:\jdjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\hnbbbb.exec:\hnbbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\thtnht.exec:\thtnht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\lxxrlxr.exec:\lxxrlxr.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\jdppj.exec:\jdppj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\nhnhbb.exec:\nhnhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\xxfffll.exec:\xxfffll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\bhhbbb.exec:\bhhbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\llrrxxf.exec:\llrrxxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\thhhbb.exec:\thhhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\lfrrrrr.exec:\lfrrrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\9ttbtt.exec:\9ttbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\djvpj.exec:\djvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\djjdv.exec:\djjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\xxrrrxr.exec:\xxrrrxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\jpjjd.exec:\jpjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\lflrlrl.exec:\lflrlrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:520 -
\??\c:\ddjdd.exec:\ddjdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\rrrlllf.exec:\rrrlllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\ppvpj.exec:\ppvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\7vvpj.exec:\7vvpj.exe23⤵
- Executes dropped EXE
PID:4060 -
\??\c:\bhtbhn.exec:\bhtbhn.exe24⤵
- Executes dropped EXE
PID:2736 -
\??\c:\tnnhhh.exec:\tnnhhh.exe25⤵
- Executes dropped EXE
PID:1832 -
\??\c:\nbttnt.exec:\nbttnt.exe26⤵
- Executes dropped EXE
PID:1316 -
\??\c:\bbnbhb.exec:\bbnbhb.exe27⤵
- Executes dropped EXE
PID:1556 -
\??\c:\pdpjj.exec:\pdpjj.exe28⤵
- Executes dropped EXE
PID:4448 -
\??\c:\rlrlfxr.exec:\rlrlfxr.exe29⤵
- Executes dropped EXE
PID:4264 -
\??\c:\ddvvj.exec:\ddvvj.exe30⤵
- Executes dropped EXE
PID:4864 -
\??\c:\nbnhhh.exec:\nbnhhh.exe31⤵
- Executes dropped EXE
PID:3752 -
\??\c:\lxfxxxr.exec:\lxfxxxr.exe32⤵
- Executes dropped EXE
PID:1376 -
\??\c:\jdvvd.exec:\jdvvd.exe33⤵
- Executes dropped EXE
PID:2808 -
\??\c:\rfxxffr.exec:\rfxxffr.exe34⤵
- Executes dropped EXE
PID:1636 -
\??\c:\vvjvj.exec:\vvjvj.exe35⤵
- Executes dropped EXE
PID:3084 -
\??\c:\ddjdv.exec:\ddjdv.exe36⤵
- Executes dropped EXE
PID:2972 -
\??\c:\fxlxffx.exec:\fxlxffx.exe37⤵
- Executes dropped EXE
PID:676 -
\??\c:\7bbttt.exec:\7bbttt.exe38⤵
- Executes dropped EXE
PID:3624 -
\??\c:\jdjdj.exec:\jdjdj.exe39⤵
- Executes dropped EXE
PID:3380 -
\??\c:\lxlfxrr.exec:\lxlfxrr.exe40⤵
- Executes dropped EXE
PID:472 -
\??\c:\bthhtt.exec:\bthhtt.exe41⤵
- Executes dropped EXE
PID:3672 -
\??\c:\djvpp.exec:\djvpp.exe42⤵
- Executes dropped EXE
PID:3684 -
\??\c:\frxrlrx.exec:\frxrlrx.exe43⤵
- Executes dropped EXE
PID:1312 -
\??\c:\7hthbb.exec:\7hthbb.exe44⤵
- Executes dropped EXE
PID:4432 -
\??\c:\btbtnb.exec:\btbtnb.exe45⤵
- Executes dropped EXE
PID:3520 -
\??\c:\jdjjj.exec:\jdjjj.exe46⤵
- Executes dropped EXE
PID:5088 -
\??\c:\rrfffxr.exec:\rrfffxr.exe47⤵
- Executes dropped EXE
PID:4964 -
\??\c:\bnbtnb.exec:\bnbtnb.exe48⤵
- Executes dropped EXE
PID:2212 -
\??\c:\pdjdd.exec:\pdjdd.exe49⤵
- Executes dropped EXE
PID:2764 -
\??\c:\xrrxxff.exec:\xrrxxff.exe50⤵
- Executes dropped EXE
PID:4312 -
\??\c:\xflrrrl.exec:\xflrrrl.exe51⤵
- Executes dropped EXE
PID:4304 -
\??\c:\3nbbnn.exec:\3nbbnn.exe52⤵
- Executes dropped EXE
PID:2604 -
\??\c:\dddjd.exec:\dddjd.exe53⤵
- Executes dropped EXE
PID:4668 -
\??\c:\xxrfxrr.exec:\xxrfxrr.exe54⤵
- Executes dropped EXE
PID:4956 -
\??\c:\9flxxrr.exec:\9flxxrr.exe55⤵
- Executes dropped EXE
PID:4536 -
\??\c:\hnhhtb.exec:\hnhhtb.exe56⤵
- Executes dropped EXE
PID:4780 -
\??\c:\nthbbb.exec:\nthbbb.exe57⤵
- Executes dropped EXE
PID:996 -
\??\c:\jjjjd.exec:\jjjjd.exe58⤵
- Executes dropped EXE
PID:2744 -
\??\c:\rxfxlrl.exec:\rxfxlrl.exe59⤵
- Executes dropped EXE
PID:4564 -
\??\c:\3rxxllr.exec:\3rxxllr.exe60⤵
- Executes dropped EXE
PID:2072 -
\??\c:\bbbttt.exec:\bbbttt.exe61⤵
- Executes dropped EXE
PID:2360 -
\??\c:\dvdpj.exec:\dvdpj.exe62⤵
- Executes dropped EXE
PID:2116 -
\??\c:\xflfxff.exec:\xflfxff.exe63⤵
- Executes dropped EXE
PID:1716 -
\??\c:\ntttnn.exec:\ntttnn.exe64⤵
- Executes dropped EXE
PID:3452 -
\??\c:\pjddd.exec:\pjddd.exe65⤵
- Executes dropped EXE
PID:2936 -
\??\c:\flfxrrl.exec:\flfxrrl.exe66⤵PID:1084
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe67⤵PID:4268
-
\??\c:\7hbttn.exec:\7hbttn.exe68⤵PID:2104
-
\??\c:\dvdvv.exec:\dvdvv.exe69⤵PID:2388
-
\??\c:\fflllll.exec:\fflllll.exe70⤵PID:2668
-
\??\c:\tbttht.exec:\tbttht.exe71⤵PID:2348
-
\??\c:\bnthbb.exec:\bnthbb.exe72⤵PID:3648
-
\??\c:\vpjdj.exec:\vpjdj.exe73⤵PID:4696
-
\??\c:\xxxrlll.exec:\xxxrlll.exe74⤵PID:4664
-
\??\c:\bhnhhb.exec:\bhnhhb.exe75⤵PID:4184
-
\??\c:\tbntnn.exec:\tbntnn.exe76⤵PID:4596
-
\??\c:\pdpjd.exec:\pdpjd.exe77⤵PID:520
-
\??\c:\xxllrrr.exec:\xxllrrr.exe78⤵PID:2896
-
\??\c:\nthbtn.exec:\nthbtn.exe79⤵PID:4532
-
\??\c:\9tnnhh.exec:\9tnnhh.exe80⤵PID:1392
-
\??\c:\vjvpj.exec:\vjvpj.exe81⤵PID:1532
-
\??\c:\lxrlffx.exec:\lxrlffx.exe82⤵PID:4876
-
\??\c:\tbnhbb.exec:\tbnhbb.exe83⤵PID:1008
-
\??\c:\ttbtnb.exec:\ttbtnb.exe84⤵PID:2736
-
\??\c:\vvppd.exec:\vvppd.exe85⤵PID:4412
-
\??\c:\9dpjd.exec:\9dpjd.exe86⤵PID:4592
-
\??\c:\frlfxxx.exec:\frlfxxx.exe87⤵PID:4324
-
\??\c:\hnttbh.exec:\hnttbh.exe88⤵PID:3972
-
\??\c:\pdpjj.exec:\pdpjj.exe89⤵PID:900
-
\??\c:\vpvpj.exec:\vpvpj.exe90⤵PID:720
-
\??\c:\rfrfxxx.exec:\rfrfxxx.exe91⤵PID:1040
-
\??\c:\nhtnhh.exec:\nhtnhh.exe92⤵PID:4868
-
\??\c:\jvjdv.exec:\jvjdv.exe93⤵PID:1140
-
\??\c:\lxffxxx.exec:\lxffxxx.exe94⤵PID:4480
-
\??\c:\tttttb.exec:\tttttb.exe95⤵PID:1640
-
\??\c:\btbtnn.exec:\btbtnn.exe96⤵PID:628
-
\??\c:\pjppj.exec:\pjppj.exe97⤵PID:2556
-
\??\c:\xxxffrr.exec:\xxxffrr.exe98⤵PID:1144
-
\??\c:\nntnnh.exec:\nntnnh.exe99⤵PID:796
-
\??\c:\5bbtbb.exec:\5bbtbb.exe100⤵PID:2408
-
\??\c:\dvpjd.exec:\dvpjd.exe101⤵PID:4524
-
\??\c:\fflfxfx.exec:\fflfxfx.exe102⤵PID:3020
-
\??\c:\btnhnn.exec:\btnhnn.exe103⤵PID:804
-
\??\c:\hbhbtb.exec:\hbhbtb.exe104⤵PID:4968
-
\??\c:\vppjj.exec:\vppjj.exe105⤵PID:3104
-
\??\c:\5lllxxx.exec:\5lllxxx.exe106⤵PID:1224
-
\??\c:\ffrrxfl.exec:\ffrrxfl.exe107⤵PID:2032
-
\??\c:\thnhbh.exec:\thnhbh.exe108⤵PID:3136
-
\??\c:\vjvpj.exec:\vjvpj.exe109⤵PID:3968
-
\??\c:\fxlfxxx.exec:\fxlfxxx.exe110⤵PID:2364
-
\??\c:\hnttnb.exec:\hnttnb.exe111⤵PID:2728
-
\??\c:\tntttb.exec:\tntttb.exe112⤵PID:4948
-
\??\c:\3pjjd.exec:\3pjjd.exe113⤵PID:2764
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe114⤵PID:4312
-
\??\c:\lxlffxr.exec:\lxlffxr.exe115⤵PID:3832
-
\??\c:\9bnnnh.exec:\9bnnnh.exe116⤵PID:1736
-
\??\c:\djpdp.exec:\djpdp.exe117⤵PID:4188
-
\??\c:\lxfxrfx.exec:\lxfxrfx.exe118⤵PID:4796
-
\??\c:\3nnhnn.exec:\3nnhnn.exe119⤵PID:4536
-
\??\c:\ddpjp.exec:\ddpjp.exe120⤵PID:4728
-
\??\c:\vpdvj.exec:\vpdvj.exe121⤵PID:3812
-
\??\c:\lxrflll.exec:\lxrflll.exe122⤵
- System Location Discovery: System Language Discovery
PID:2744