Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system -
submitted
18-02-2025 07:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe
-
Size
454KB
-
MD5
e8ac4fe267ecfde930016dc7fbbd77e6
-
SHA1
d6a2c62afb1dfef5ff211421e6ad4b771dea16b2
-
SHA256
e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac
-
SHA512
bd3075ff5b6cbb156c848971fe659412b0310876d107648cb1d48dc63c943c3844282e026c79f7ba70511295fe42fca1a44091e74fbcf1ac657974328e06e168
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3512-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2088-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1820-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-807-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-817-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-872-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-953-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-1195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-1674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3212 4408642.exe 312 808686.exe 4040 068222.exe 1028 20800.exe 676 ppjpd.exe 620 42642.exe 4036 284864.exe 4788 fxfrfxl.exe 2728 vpjvd.exe 4460 xllxrfx.exe 3540 4886082.exe 3372 002082.exe 1820 406420.exe 1076 ppddj.exe 1988 xffxrxx.exe 3940 ntthtn.exe 4196 88446.exe 2696 866008.exe 5092 0842222.exe 2584 826042.exe 4284 jjjvj.exe 1112 68208.exe 1384 bbtbtn.exe 4680 2222686.exe 3496 42048.exe 2088 2886820.exe 1164 nbbnbh.exe 4964 ffrfrlr.exe 376 84048.exe 4452 64866.exe 2268 2088248.exe 5088 jddpp.exe 2152 ddvdv.exe 4512 408642.exe 1928 nthbnb.exe 724 88426.exe 928 htnbnb.exe 2228 6008602.exe 1920 088608.exe 3604 jvpdj.exe 5096 64088.exe 4236 vjdpj.exe 780 thbtht.exe 4944 42204.exe 2536 lxfrrlf.exe 4516 vddpd.exe 3720 bbhttn.exe 2896 xlrllfx.exe 1572 64220.exe 2412 xrlffxf.exe 2304 8820048.exe 3948 htbnth.exe 1788 640204.exe 3428 rrxllrf.exe 2580 40042.exe 2144 800808.exe 4132 26086.exe 2728 fllfxrf.exe 3916 00082.exe 4460 480260.exe 2316 682086.exe 3204 422082.exe 392 lfflrlf.exe 1820 xlfxlfr.exe -
resource yara_rule behavioral2/memory/3512-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/376-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-402-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4756-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-872-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-953-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-1196-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 620440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrllxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 624882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 446044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4204484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8604820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8464888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3512 wrote to memory of 3212 3512 e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe 81 PID 3512 wrote to memory of 3212 3512 e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe 81 PID 3512 wrote to memory of 3212 3512 e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe 81 PID 3212 wrote to memory of 312 3212 4408642.exe 82 PID 3212 wrote to memory of 312 3212 4408642.exe 82 PID 3212 wrote to memory of 312 3212 4408642.exe 82 PID 312 wrote to memory of 4040 312 808686.exe 83 PID 312 wrote to memory of 4040 312 808686.exe 83 PID 312 wrote to memory of 4040 312 808686.exe 83 PID 4040 wrote to memory of 1028 4040 068222.exe 85 PID 4040 wrote to memory of 1028 4040 068222.exe 85 PID 4040 wrote to memory of 1028 4040 068222.exe 85 PID 1028 wrote to memory of 676 1028 20800.exe 86 PID 1028 wrote to memory of 676 1028 20800.exe 86 PID 1028 wrote to memory of 676 1028 20800.exe 86 PID 676 wrote to memory of 620 676 ppjpd.exe 87 PID 676 wrote to memory of 620 676 ppjpd.exe 87 PID 676 wrote to memory of 620 676 ppjpd.exe 87 PID 620 wrote to memory of 4036 620 42642.exe 88 PID 620 wrote to memory of 4036 620 42642.exe 88 PID 620 wrote to memory of 4036 620 42642.exe 88 PID 4036 wrote to memory of 4788 4036 284864.exe 90 PID 4036 wrote to memory of 4788 4036 284864.exe 90 PID 4036 wrote to memory of 4788 4036 284864.exe 90 PID 4788 wrote to memory of 2728 4788 fxfrfxl.exe 92 PID 4788 wrote to memory of 2728 4788 fxfrfxl.exe 92 PID 4788 wrote to memory of 2728 4788 fxfrfxl.exe 92 PID 2728 wrote to memory of 4460 2728 vpjvd.exe 93 PID 2728 wrote to memory of 4460 2728 vpjvd.exe 93 PID 2728 wrote to memory of 4460 2728 vpjvd.exe 93 PID 4460 wrote to memory of 3540 4460 xllxrfx.exe 94 PID 4460 wrote to memory of 3540 4460 xllxrfx.exe 94 PID 4460 wrote to memory of 3540 4460 xllxrfx.exe 94 PID 3540 wrote to memory of 3372 3540 4886082.exe 95 PID 3540 wrote to memory of 3372 3540 
4886082.exe 95 PID 3540 wrote to memory of 3372 3540 4886082.exe 95 PID 3372 wrote to memory of 1820 3372 002082.exe 96 PID 3372 wrote to memory of 1820 3372 002082.exe 96 PID 3372 wrote to memory of 1820 3372 002082.exe 96 PID 1820 wrote to memory of 1076 1820 406420.exe 97 PID 1820 wrote to memory of 1076 1820 406420.exe 97 PID 1820 wrote to memory of 1076 1820 406420.exe 97 PID 1076 wrote to memory of 1988 1076 ppddj.exe 98 PID 1076 wrote to memory of 1988 1076 ppddj.exe 98 PID 1076 wrote to memory of 1988 1076 ppddj.exe 98 PID 1988 wrote to memory of 3940 1988 xffxrxx.exe 99 PID 1988 wrote to memory of 3940 1988 xffxrxx.exe 99 PID 1988 wrote to memory of 3940 1988 xffxrxx.exe 99 PID 3940 wrote to memory of 4196 3940 ntthtn.exe 100 PID 3940 wrote to memory of 4196 3940 ntthtn.exe 100 PID 3940 wrote to memory of 4196 3940 ntthtn.exe 100 PID 4196 wrote to memory of 2696 4196 88446.exe 101 PID 4196 wrote to memory of 2696 4196 88446.exe 101 PID 4196 wrote to memory of 2696 4196 88446.exe 101 PID 2696 wrote to memory of 5092 2696 866008.exe 102 PID 2696 wrote to memory of 5092 2696 866008.exe 102 PID 2696 wrote to memory of 5092 2696 866008.exe 102 PID 5092 wrote to memory of 2584 5092 0842222.exe 103 PID 5092 wrote to memory of 2584 5092 0842222.exe 103 PID 5092 wrote to memory of 2584 5092 0842222.exe 103 PID 2584 wrote to memory of 4284 2584 826042.exe 104 PID 2584 wrote to memory of 4284 2584 826042.exe 104 PID 2584 wrote to memory of 4284 2584 826042.exe 104 PID 4284 wrote to memory of 1112 4284 jjjvj.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe"C:\Users\Admin\AppData\Local\Temp\e66ba4f9a7a5aaaf9dacbc81c893dc9391ee5abde92b1cce1a76e611253cfbac.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\4408642.exec:\4408642.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\808686.exec:\808686.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
\??\c:\068222.exec:\068222.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\20800.exec:\20800.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\ppjpd.exec:\ppjpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\42642.exec:\42642.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\284864.exec:\284864.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\fxfrfxl.exec:\fxfrfxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\vpjvd.exec:\vpjvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\xllxrfx.exec:\xllxrfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\4886082.exec:\4886082.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\002082.exec:\002082.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\406420.exec:\406420.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\ppddj.exec:\ppddj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\xffxrxx.exec:\xffxrxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\ntthtn.exec:\ntthtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\88446.exec:\88446.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\866008.exec:\866008.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\0842222.exec:\0842222.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\826042.exec:\826042.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\jjjvj.exec:\jjjvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\68208.exec:\68208.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1112 -
\??\c:\bbtbtn.exec:\bbtbtn.exe24⤵
- Executes dropped EXE
PID:1384 -
\??\c:\2222686.exec:\2222686.exe25⤵
- Executes dropped EXE
PID:4680 -
\??\c:\42048.exec:\42048.exe26⤵
- Executes dropped EXE
PID:3496 -
\??\c:\2886820.exec:\2886820.exe27⤵
- Executes dropped EXE
PID:2088 -
\??\c:\nbbnbh.exec:\nbbnbh.exe28⤵
- Executes dropped EXE
PID:1164 -
\??\c:\ffrfrlr.exec:\ffrfrlr.exe29⤵
- Executes dropped EXE
PID:4964 -
\??\c:\84048.exec:\84048.exe30⤵
- Executes dropped EXE
PID:376 -
\??\c:\64866.exec:\64866.exe31⤵
- Executes dropped EXE
PID:4452 -
\??\c:\2088248.exec:\2088248.exe32⤵
- Executes dropped EXE
PID:2268 -
\??\c:\jddpp.exec:\jddpp.exe33⤵
- Executes dropped EXE
PID:5088 -
\??\c:\ddvdv.exec:\ddvdv.exe34⤵
- Executes dropped EXE
PID:2152 -
\??\c:\408642.exec:\408642.exe35⤵
- Executes dropped EXE
PID:4512 -
\??\c:\nthbnb.exec:\nthbnb.exe36⤵
- Executes dropped EXE
PID:1928 -
\??\c:\88426.exec:\88426.exe37⤵
- Executes dropped EXE
PID:724 -
\??\c:\htnbnb.exec:\htnbnb.exe38⤵
- Executes dropped EXE
PID:928 -
\??\c:\6008602.exec:\6008602.exe39⤵
- Executes dropped EXE
PID:2228 -
\??\c:\088608.exec:\088608.exe40⤵
- Executes dropped EXE
PID:1920 -
\??\c:\jvpdj.exec:\jvpdj.exe41⤵
- Executes dropped EXE
PID:3604 -
\??\c:\64088.exec:\64088.exe42⤵
- Executes dropped EXE
PID:5096 -
\??\c:\vjdpj.exec:\vjdpj.exe43⤵
- Executes dropped EXE
PID:4236 -
\??\c:\thbtht.exec:\thbtht.exe44⤵
- Executes dropped EXE
PID:780 -
\??\c:\42204.exec:\42204.exe45⤵
- Executes dropped EXE
PID:4944 -
\??\c:\lxfrrlf.exec:\lxfrrlf.exe46⤵
- Executes dropped EXE
PID:2536 -
\??\c:\vddpd.exec:\vddpd.exe47⤵
- Executes dropped EXE
PID:4516 -
\??\c:\bbhttn.exec:\bbhttn.exe48⤵
- Executes dropped EXE
PID:3720 -
\??\c:\xlrllfx.exec:\xlrllfx.exe49⤵
- Executes dropped EXE
PID:2896 -
\??\c:\64220.exec:\64220.exe50⤵
- Executes dropped EXE
PID:1572 -
\??\c:\xrlffxf.exec:\xrlffxf.exe51⤵
- Executes dropped EXE
PID:2412 -
\??\c:\8820048.exec:\8820048.exe52⤵
- Executes dropped EXE
PID:2304 -
\??\c:\htbnth.exec:\htbnth.exe53⤵
- Executes dropped EXE
PID:3948 -
\??\c:\640204.exec:\640204.exe54⤵
- Executes dropped EXE
PID:1788 -
\??\c:\rrxllrf.exec:\rrxllrf.exe55⤵
- Executes dropped EXE
PID:3428 -
\??\c:\40042.exec:\40042.exe56⤵
- Executes dropped EXE
PID:2580 -
\??\c:\800808.exec:\800808.exe57⤵
- Executes dropped EXE
PID:2144 -
\??\c:\26086.exec:\26086.exe58⤵
- Executes dropped EXE
PID:4132 -
\??\c:\fllfxrf.exec:\fllfxrf.exe59⤵
- Executes dropped EXE
PID:2728 -
\??\c:\00082.exec:\00082.exe60⤵
- Executes dropped EXE
PID:3916 -
\??\c:\480260.exec:\480260.exe61⤵
- Executes dropped EXE
PID:4460 -
\??\c:\682086.exec:\682086.exe62⤵
- Executes dropped EXE
PID:2316 -
\??\c:\422082.exec:\422082.exe63⤵
- Executes dropped EXE
PID:3204 -
\??\c:\lfflrlf.exec:\lfflrlf.exe64⤵
- Executes dropped EXE
PID:392 -
\??\c:\xlfxlfr.exec:\xlfxlfr.exe65⤵
- Executes dropped EXE
PID:1820 -
\??\c:\hhhbnh.exec:\hhhbnh.exe66⤵PID:4484
-
\??\c:\088004.exec:\088004.exe67⤵PID:672
-
\??\c:\xflxlfr.exec:\xflxlfr.exe68⤵PID:1608
-
\??\c:\08488.exec:\08488.exe69⤵PID:3216
-
\??\c:\fllxlrf.exec:\fllxlrf.exe70⤵PID:4196
-
\??\c:\6860048.exec:\6860048.exe71⤵PID:4968
-
\??\c:\046448.exec:\046448.exe72⤵PID:2596
-
\??\c:\8660264.exec:\8660264.exe73⤵PID:2336
-
\??\c:\082086.exec:\082086.exe74⤵
- System Location Discovery: System Language Discovery
PID:4952 -
\??\c:\6020842.exec:\6020842.exe75⤵PID:1564
-
\??\c:\nbbttn.exec:\nbbttn.exe76⤵
- System Location Discovery: System Language Discovery
PID:1956 -
\??\c:\60208.exec:\60208.exe77⤵PID:2204
-
\??\c:\bhhthh.exec:\bhhthh.exe78⤵PID:1384
-
\??\c:\02086.exec:\02086.exe79⤵PID:3036
-
\??\c:\6668604.exec:\6668604.exe80⤵PID:3176
-
\??\c:\pdjvv.exec:\pdjvv.exe81⤵PID:2016
-
\??\c:\62420.exec:\62420.exe82⤵PID:2124
-
\??\c:\ppjvj.exec:\ppjvj.exe83⤵PID:4768
-
\??\c:\0804826.exec:\0804826.exe84⤵PID:708
-
\??\c:\440866.exec:\440866.exe85⤵PID:2964
-
\??\c:\pppdp.exec:\pppdp.exe86⤵PID:4824
-
\??\c:\jjpvj.exec:\jjpvj.exe87⤵PID:400
-
\??\c:\tbthnh.exec:\tbthnh.exe88⤵PID:4544
-
\??\c:\htbnbn.exec:\htbnbn.exe89⤵PID:5116
-
\??\c:\088604.exec:\088604.exe90⤵PID:1036
-
\??\c:\rxfllxl.exec:\rxfllxl.exe91⤵PID:1500
-
\??\c:\xlfrfrf.exec:\xlfrfrf.exe92⤵PID:1216
-
\??\c:\6844882.exec:\6844882.exe93⤵PID:3904
-
\??\c:\dpppj.exec:\dpppj.exe94⤵PID:4564
-
\??\c:\0824266.exec:\0824266.exe95⤵PID:3052
-
\??\c:\bntnhh.exec:\bntnhh.exe96⤵PID:2228
-
\??\c:\202208.exec:\202208.exe97⤵PID:3628
-
\??\c:\thnhtt.exec:\thnhtt.exe98⤵PID:4492
-
\??\c:\tnthbt.exec:\tnthbt.exe99⤵PID:4252
-
\??\c:\4264820.exec:\4264820.exe100⤵PID:4312
-
\??\c:\62420.exec:\62420.exe101⤵PID:1848
-
\??\c:\rrrrrlf.exec:\rrrrrlf.exe102⤵PID:460
-
\??\c:\288204.exec:\288204.exe103⤵PID:2644
-
\??\c:\48268.exec:\48268.exe104⤵PID:4140
-
\??\c:\rxxlrlx.exec:\rxxlrlx.exe105⤵PID:4916
-
\??\c:\6064208.exec:\6064208.exe106⤵PID:5060
-
\??\c:\lrfxxxr.exec:\lrfxxxr.exe107⤵PID:676
-
\??\c:\nbhnhn.exec:\nbhnhn.exe108⤵PID:4528
-
\??\c:\hnhthb.exec:\hnhthb.exe109⤵PID:3968
-
\??\c:\xflxlfx.exec:\xflxlfx.exe110⤵PID:4856
-
\??\c:\3btnnn.exec:\3btnnn.exe111⤵PID:3708
-
\??\c:\64488.exec:\64488.exe112⤵PID:3592
-
\??\c:\8222482.exec:\8222482.exe113⤵PID:4756
-
\??\c:\0882666.exec:\0882666.exe114⤵PID:3828
-
\??\c:\840482.exec:\840482.exe115⤵PID:2012
-
\??\c:\84048.exec:\84048.exe116⤵PID:1000
-
\??\c:\vpvvj.exec:\vpvvj.exe117⤵PID:4912
-
\??\c:\xrxxxrr.exec:\xrxxxrr.exe118⤵PID:3916
-
\??\c:\6008608.exec:\6008608.exe119⤵PID:4460
-
\??\c:\xxlffxr.exec:\xxlffxr.exe120⤵PID:3296
-
\??\c:\httnhh.exec:\httnhh.exe121⤵PID:3204
-
\??\c:\pjddp.exec:\pjddp.exe122⤵PID:392