Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
29/12/2024, 05:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe
Resource
win7-20240708-en
7 signatures
150 seconds
(Note: this task summary names behavioral1 on the win7-20240708-en image, but every memory-dump IoC reported below is tagged behavioral2 and the Analysis header above gives the win10v2004-20241007-en x64 image. Read the signatures and process tree below as results of the Windows 10 x64 run; the Windows 7 run's own results are not shown on this page.)
General
-
Target
e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe
-
Size
456KB
-
MD5
b7fefaf787ba7ac0a484e5f89c794725
-
SHA1
44f2812f6d337f5d3d7b78e9d687dbea15345eee
-
SHA256
e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5
-
SHA512
4fe56d7c9c227ca28451d82e8052a8efee78cf41e93dd82f938ee45b77387d0fa667140e1a2c2b15b5a667cc8c75bc8764407b3f6b7d499199c0cd82c024a4e5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRH:q7Tc2NYHUrAwfMp3CDRH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (memory-only YARA hits: every match is the same 0x00400000-0x0042A000 image range in each dropped process, and the same regions also match the upx rule below, which suggests each dropped executable is the same packed payload re-dropped under a new name; confirm by hashing the dropped files rather than relying on the memory matches alone)
resource yara_rule behavioral2/memory/3660-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/944-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2508-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-758-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-772-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-839-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-843-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-981-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-1042-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-1434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (PIDs are recycled during the run - 3896, 3956, 4336 and 4856 each appear twice for different images - so memory-dump and WriteProcessMemory entries must be correlated by PID together with dump offset or timestamp, not by PID alone)
pid Process 732 6440040.exe 3896 tbnnhn.exe 3568 08864.exe 2996 2020046.exe 3404 2844664.exe 3956 lfrrxff.exe 1236 o242026.exe 4336 64486.exe 4596 jvvjv.exe 4856 o842048.exe 4844 862026.exe 3156 a6602.exe 620 4040246.exe 1940 4282044.exe 3456 04608.exe 2180 1llxfxp.exe 4560 88824.exe 1132 flrfxxl.exe 3620 6606464.exe 2036 0840886.exe 3232 448602.exe 1720 86080.exe 704 pjdpj.exe 3116 86868.exe 1192 240082.exe 5100 8820824.exe 1040 00246.exe 3760 0084242.exe 944 dvvjj.exe 3524 g4486.exe 4268 9jvjv.exe 180 pvvpp.exe 868 86062.exe 1688 3lfxlfx.exe 3564 5nhtht.exe 1828 5ppdp.exe 4352 8846048.exe 2476 thhtht.exe 2556 djpdv.exe 1900 3pjvp.exe 1340 88068.exe 4740 64842.exe 2696 thbnbt.exe 1592 o282048.exe 1292 llflxll.exe 836 q68082.exe 4600 e84204.exe 632 9lxrlll.exe 3748 dpjjv.exe 2272 rxflxxl.exe 1400 nttthh.exe 3452 5nbhnh.exe 3896 ttntth.exe 2792 ffffxfr.exe 2140 nhnnnb.exe 232 60688.exe 3104 fxfxrrl.exe 840 ppvvp.exe 3956 ffllffx.exe 2088 q80844.exe 1440 ppvpp.exe 4336 640060.exe 4756 i086662.exe 4856 468226.exe -
resource yara_rule behavioral2/memory/3660-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5100-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-330-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2508-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-772-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The IoC here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; entries attributed to "Process not Found" are reads the sandbox could not tie to a live process (presumably because the short-lived dropped executable had already exited when the event was resolved), so the count of distinct processes performing the check is lower than the IoC count suggests.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 066482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0660664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6406004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (every entry is a parent writing into the child it has just spawned - a strictly linear chain with one child per process - and each parent/child pair is logged three times; this pattern is consistent with writes into a freshly created child process rather than injection into an unrelated process, but the write target and size cannot be confirmed from this list)
description pid Process procid_target PID 3660 wrote to memory of 732 3660 e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe 83 PID 3660 wrote to memory of 732 3660 e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe 83 PID 3660 wrote to memory of 732 3660 e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe 83 PID 732 wrote to memory of 3896 732 6440040.exe 84 PID 732 wrote to memory of 3896 732 6440040.exe 84 PID 732 wrote to memory of 3896 732 6440040.exe 84 PID 3896 wrote to memory of 3568 3896 tbnnhn.exe 85 PID 3896 wrote to memory of 3568 3896 tbnnhn.exe 85 PID 3896 wrote to memory of 3568 3896 tbnnhn.exe 85 PID 3568 wrote to memory of 2996 3568 08864.exe 86 PID 3568 wrote to memory of 2996 3568 08864.exe 86 PID 3568 wrote to memory of 2996 3568 08864.exe 86 PID 2996 wrote to memory of 3404 2996 2020046.exe 87 PID 2996 wrote to memory of 3404 2996 2020046.exe 87 PID 2996 wrote to memory of 3404 2996 2020046.exe 87 PID 3404 wrote to memory of 3956 3404 2844664.exe 88 PID 3404 wrote to memory of 3956 3404 2844664.exe 88 PID 3404 wrote to memory of 3956 3404 2844664.exe 88 PID 3956 wrote to memory of 1236 3956 lfrrxff.exe 89 PID 3956 wrote to memory of 1236 3956 lfrrxff.exe 89 PID 3956 wrote to memory of 1236 3956 lfrrxff.exe 89 PID 1236 wrote to memory of 4336 1236 o242026.exe 90 PID 1236 wrote to memory of 4336 1236 o242026.exe 90 PID 1236 wrote to memory of 4336 1236 o242026.exe 90 PID 4336 wrote to memory of 4596 4336 64486.exe 91 PID 4336 wrote to memory of 4596 4336 64486.exe 91 PID 4336 wrote to memory of 4596 4336 64486.exe 91 PID 4596 wrote to memory of 4856 4596 jvvjv.exe 92 PID 4596 wrote to memory of 4856 4596 jvvjv.exe 92 PID 4596 wrote to memory of 4856 4596 jvvjv.exe 92 PID 4856 wrote to memory of 4844 4856 o842048.exe 93 PID 4856 wrote to memory of 4844 4856 o842048.exe 93 PID 4856 wrote to memory of 4844 4856 o842048.exe 93 PID 4844 wrote to memory of 3156 4844 862026.exe 94 PID 4844 wrote to 
memory of 3156 4844 862026.exe 94 PID 4844 wrote to memory of 3156 4844 862026.exe 94 PID 3156 wrote to memory of 620 3156 a6602.exe 95 PID 3156 wrote to memory of 620 3156 a6602.exe 95 PID 3156 wrote to memory of 620 3156 a6602.exe 95 PID 620 wrote to memory of 1940 620 4040246.exe 96 PID 620 wrote to memory of 1940 620 4040246.exe 96 PID 620 wrote to memory of 1940 620 4040246.exe 96 PID 1940 wrote to memory of 3456 1940 4282044.exe 97 PID 1940 wrote to memory of 3456 1940 4282044.exe 97 PID 1940 wrote to memory of 3456 1940 4282044.exe 97 PID 3456 wrote to memory of 2180 3456 04608.exe 98 PID 3456 wrote to memory of 2180 3456 04608.exe 98 PID 3456 wrote to memory of 2180 3456 04608.exe 98 PID 2180 wrote to memory of 4560 2180 1llxfxp.exe 99 PID 2180 wrote to memory of 4560 2180 1llxfxp.exe 99 PID 2180 wrote to memory of 4560 2180 1llxfxp.exe 99 PID 4560 wrote to memory of 1132 4560 88824.exe 100 PID 4560 wrote to memory of 1132 4560 88824.exe 100 PID 4560 wrote to memory of 1132 4560 88824.exe 100 PID 1132 wrote to memory of 3620 1132 flrfxxl.exe 101 PID 1132 wrote to memory of 3620 1132 flrfxxl.exe 101 PID 1132 wrote to memory of 3620 1132 flrfxxl.exe 101 PID 3620 wrote to memory of 2036 3620 6606464.exe 102 PID 3620 wrote to memory of 2036 3620 6606464.exe 102 PID 3620 wrote to memory of 2036 3620 6606464.exe 102 PID 2036 wrote to memory of 3232 2036 0840886.exe 103 PID 2036 wrote to memory of 3232 2036 0840886.exe 103 PID 2036 wrote to memory of 3232 2036 0840886.exe 103 PID 3232 wrote to memory of 1720 3232 448602.exe 104
Processes (process tree; each entry shows the NT device path, the command line, and the depth in the chain, e.g. `\??\c:\6440040.exe` run as `c:\6440040.exe` at depth 2. Every dropped executable is written to the root of C:\ under a short pseudo-random name and immediately drops and launches the next one, producing a chain more than 120 processes deep; executables created and run from the drive root, plus a parent/child chain of this depth, are themselves usable detection signals independent of the YARA matches.)
-
C:\Users\Admin\AppData\Local\Temp\e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe"C:\Users\Admin\AppData\Local\Temp\e49fc89357dfd9d60a03c8a343b900cb93d1a882e2b8affc90bcbcf92aa7a4e5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\6440040.exec:\6440040.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\tbnnhn.exec:\tbnnhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\08864.exec:\08864.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\2020046.exec:\2020046.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\2844664.exec:\2844664.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\lfrrxff.exec:\lfrrxff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\o242026.exec:\o242026.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\64486.exec:\64486.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\jvvjv.exec:\jvvjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\o842048.exec:\o842048.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\862026.exec:\862026.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\a6602.exec:\a6602.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\4040246.exec:\4040246.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\4282044.exec:\4282044.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\04608.exec:\04608.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\1llxfxp.exec:\1llxfxp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\88824.exec:\88824.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\flrfxxl.exec:\flrfxxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\6606464.exec:\6606464.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\0840886.exec:\0840886.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\448602.exec:\448602.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\86080.exec:\86080.exe23⤵
- Executes dropped EXE
PID:1720 -
\??\c:\pjdpj.exec:\pjdpj.exe24⤵
- Executes dropped EXE
PID:704 -
\??\c:\86868.exec:\86868.exe25⤵
- Executes dropped EXE
PID:3116 -
\??\c:\240082.exec:\240082.exe26⤵
- Executes dropped EXE
PID:1192 -
\??\c:\8820824.exec:\8820824.exe27⤵
- Executes dropped EXE
PID:5100 -
\??\c:\00246.exec:\00246.exe28⤵
- Executes dropped EXE
PID:1040 -
\??\c:\0084242.exec:\0084242.exe29⤵
- Executes dropped EXE
PID:3760 -
\??\c:\dvvjj.exec:\dvvjj.exe30⤵
- Executes dropped EXE
PID:944 -
\??\c:\g4486.exec:\g4486.exe31⤵
- Executes dropped EXE
PID:3524 -
\??\c:\9jvjv.exec:\9jvjv.exe32⤵
- Executes dropped EXE
PID:4268 -
\??\c:\pvvpp.exec:\pvvpp.exe33⤵
- Executes dropped EXE
PID:180 -
\??\c:\86062.exec:\86062.exe34⤵
- Executes dropped EXE
PID:868 -
\??\c:\3lfxlfx.exec:\3lfxlfx.exe35⤵
- Executes dropped EXE
PID:1688 -
\??\c:\5nhtht.exec:\5nhtht.exe36⤵
- Executes dropped EXE
PID:3564 -
\??\c:\5ppdp.exec:\5ppdp.exe37⤵
- Executes dropped EXE
PID:1828 -
\??\c:\8846048.exec:\8846048.exe38⤵
- Executes dropped EXE
PID:4352 -
\??\c:\thhtht.exec:\thhtht.exe39⤵
- Executes dropped EXE
PID:2476 -
\??\c:\djpdv.exec:\djpdv.exe40⤵
- Executes dropped EXE
PID:2556 -
\??\c:\3pjvp.exec:\3pjvp.exe41⤵
- Executes dropped EXE
PID:1900 -
\??\c:\88068.exec:\88068.exe42⤵
- Executes dropped EXE
PID:1340 -
\??\c:\64842.exec:\64842.exe43⤵
- Executes dropped EXE
PID:4740 -
\??\c:\thbnbt.exec:\thbnbt.exe44⤵
- Executes dropped EXE
PID:2696 -
\??\c:\o282048.exec:\o282048.exe45⤵
- Executes dropped EXE
PID:1592 -
\??\c:\llflxll.exec:\llflxll.exe46⤵
- Executes dropped EXE
PID:1292 -
\??\c:\q68082.exec:\q68082.exe47⤵
- Executes dropped EXE
PID:836 -
\??\c:\e84204.exec:\e84204.exe48⤵
- Executes dropped EXE
PID:4600 -
\??\c:\9lxrlll.exec:\9lxrlll.exe49⤵
- Executes dropped EXE
PID:632 -
\??\c:\dpjjv.exec:\dpjjv.exe50⤵
- Executes dropped EXE
PID:3748 -
\??\c:\rxflxxl.exec:\rxflxxl.exe51⤵
- Executes dropped EXE
PID:2272 -
\??\c:\nttthh.exec:\nttthh.exe52⤵
- Executes dropped EXE
PID:1400 -
\??\c:\5nbhnh.exec:\5nbhnh.exe53⤵
- Executes dropped EXE
PID:3452 -
\??\c:\ttntth.exec:\ttntth.exe54⤵
- Executes dropped EXE
PID:3896 -
\??\c:\ffffxfr.exec:\ffffxfr.exe55⤵
- Executes dropped EXE
PID:2792 -
\??\c:\nhnnnb.exec:\nhnnnb.exe56⤵
- Executes dropped EXE
PID:2140 -
\??\c:\60688.exec:\60688.exe57⤵
- Executes dropped EXE
PID:232 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe58⤵
- Executes dropped EXE
PID:3104 -
\??\c:\ppvvp.exec:\ppvvp.exe59⤵
- Executes dropped EXE
PID:840 -
\??\c:\ffllffx.exec:\ffllffx.exe60⤵
- Executes dropped EXE
PID:3956 -
\??\c:\q80844.exec:\q80844.exe61⤵
- Executes dropped EXE
PID:2088 -
\??\c:\ppvpp.exec:\ppvpp.exe62⤵
- Executes dropped EXE
PID:1440 -
\??\c:\640060.exec:\640060.exe63⤵
- Executes dropped EXE
PID:4336 -
\??\c:\i086662.exec:\i086662.exe64⤵
- Executes dropped EXE
PID:4756 -
\??\c:\468226.exec:\468226.exe65⤵
- Executes dropped EXE
PID:4856 -
\??\c:\64284.exec:\64284.exe66⤵PID:4808
-
\??\c:\vpjdj.exec:\vpjdj.exe67⤵PID:4844
-
\??\c:\2026608.exec:\2026608.exe68⤵PID:4784
-
\??\c:\xlrrrrf.exec:\xlrrrrf.exe69⤵PID:1744
-
\??\c:\1xllrll.exec:\1xllrll.exe70⤵PID:1644
-
\??\c:\frxxrrl.exec:\frxxrrl.exe71⤵PID:1636
-
\??\c:\frxrrrl.exec:\frxrrrl.exe72⤵PID:2944
-
\??\c:\084866.exec:\084866.exe73⤵PID:2440
-
\??\c:\frlfrlx.exec:\frlfrlx.exe74⤵PID:2508
-
\??\c:\5hhtnh.exec:\5hhtnh.exe75⤵PID:3296
-
\??\c:\nhbttt.exec:\nhbttt.exe76⤵PID:2848
-
\??\c:\7pddv.exec:\7pddv.exe77⤵PID:3936
-
\??\c:\22264.exec:\22264.exe78⤵PID:3932
-
\??\c:\ddjpv.exec:\ddjpv.exe79⤵PID:2712
-
\??\c:\xxrrlll.exec:\xxrrlll.exe80⤵PID:4284
-
\??\c:\8444466.exec:\8444466.exe81⤵PID:4764
-
\??\c:\lfrlfxr.exec:\lfrlfxr.exe82⤵PID:3556
-
\??\c:\u460448.exec:\u460448.exe83⤵PID:3792
-
\??\c:\2064282.exec:\2064282.exe84⤵PID:2252
-
\??\c:\tttnnn.exec:\tttnnn.exe85⤵PID:1028
-
\??\c:\w80666.exec:\w80666.exe86⤵PID:408
-
\??\c:\6804448.exec:\6804448.exe87⤵PID:4880
-
\??\c:\826426.exec:\826426.exe88⤵PID:1568
-
\??\c:\64046.exec:\64046.exe89⤵PID:2596
-
\??\c:\hnhnbt.exec:\hnhnbt.exe90⤵PID:1040
-
\??\c:\6044rf.exec:\6044rf.exe91⤵PID:1944
-
\??\c:\868288.exec:\868288.exe92⤵PID:3488
-
\??\c:\04604.exec:\04604.exe93⤵PID:944
-
\??\c:\846460.exec:\846460.exe94⤵PID:900
-
\??\c:\0286266.exec:\0286266.exe95⤵PID:4976
-
\??\c:\rlllfxr.exec:\rlllfxr.exe96⤵PID:668
-
\??\c:\htnhbt.exec:\htnhbt.exe97⤵PID:2864
-
\??\c:\hntntt.exec:\hntntt.exe98⤵PID:1300
-
\??\c:\bntnbb.exec:\bntnbb.exe99⤵PID:2448
-
\??\c:\6200884.exec:\6200884.exe100⤵PID:2176
-
\??\c:\llffxxx.exec:\llffxxx.exe101⤵PID:3564
-
\??\c:\4004860.exec:\4004860.exe102⤵PID:1828
-
\??\c:\bbhnhn.exec:\bbhnhn.exe103⤵PID:4836
-
\??\c:\tnnhtn.exec:\tnnhtn.exe104⤵PID:4260
-
\??\c:\6844488.exec:\6844488.exe105⤵PID:4320
-
\??\c:\42226.exec:\42226.exe106⤵PID:5044
-
\??\c:\0288604.exec:\0288604.exe107⤵PID:1012
-
\??\c:\q66642.exec:\q66642.exe108⤵PID:4760
-
\??\c:\jdjdd.exec:\jdjdd.exe109⤵PID:4548
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe110⤵PID:2452
-
\??\c:\rrlxrlr.exec:\rrlxrlr.exe111⤵PID:1592
-
\??\c:\4888844.exec:\4888844.exe112⤵PID:4312
-
\??\c:\xlrlllf.exec:\xlrlllf.exe113⤵PID:1876
-
\??\c:\htttnn.exec:\htttnn.exe114⤵PID:2672
-
\??\c:\402600.exec:\402600.exe115⤵PID:1524
-
\??\c:\868840.exec:\868840.exe116⤵PID:3748
-
\??\c:\m2882.exec:\m2882.exe117⤵PID:1628
-
\??\c:\hhhhbt.exec:\hhhhbt.exe118⤵PID:3212
-
\??\c:\nntbtb.exec:\nntbtb.exe119⤵PID:3496
-
\??\c:\btbtnn.exec:\btbtnn.exe120⤵PID:4892
-
\??\c:\q02866.exec:\q02866.exe121⤵PID:424
-
\??\c:\xllfffr.exec:\xllfffr.exe122⤵PID:3304