Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe
-
Size
456KB
-
MD5
3e2819656660c84060062ded37a52d90
-
SHA1
c240e1e671d02bd821f2b8d50245d05d3fa16eb2
-
SHA256
1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811
-
SHA512
9c6a262b97ac454b954ff5a2c6abc21a506b52ca4a012c38668bf5163a0f6515fc3483e55cfa6ddfbc455d8a2a2de13aae5569713948207ef237acc2824aa47c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRl8Z:q7Tc2NYHUrAwfMp3CDRY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 60 IoCs
resource yara_rule behavioral2/memory/3916-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2684-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2012-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-802-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-887-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-1186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1748 o282666.exe 1948 846606.exe 1376 c026066.exe 2168 0448260.exe 4656 6628222.exe 1356 dvpjj.exe 64 6060044.exe 5076 1vpjp.exe 1028 q06286.exe 2532 628866.exe 2572 frrrlll.exe 3604 2066262.exe 1676 xlfflxf.exe 4132 64860.exe 2160 jjjdp.exe 2792 2668448.exe 4300 llfxlfx.exe 3692 9hnnbn.exe 5116 68000.exe 1184 fllflff.exe 4076 hththt.exe 1012 6848820.exe 1952 jvjvp.exe 2684 rrxrrlx.exe 512 pjdpj.exe 2040 thnbbt.exe 4108 ttbtbb.exe 2012 bnnbtn.exe 5100 28680.exe 1604 802648.exe 212 vvvjv.exe 3032 1thnbn.exe 4776 dpjvj.exe 3144 64420.exe 1784 g2664.exe 4892 60086.exe 3412 w00864.exe 2020 6820208.exe 1132 7frxlxl.exe 3912 46028.exe 2424 9frxfrr.exe 3600 xfxlxrr.exe 2828 46200.exe 1596 24240.exe 2544 hthtbt.exe 4420 e40086.exe 2876 60042.exe 8 bhhnbb.exe 1748 8002086.exe 1168 hhbhth.exe 2208 8820860.exe 456 02062.exe 1144 624044.exe 3068 dpdpd.exe 372 c886408.exe 1392 u264260.exe 3824 6886082.exe 4480 60464.exe 4928 02860.exe 1804 bnnbtn.exe 1576 4800480.exe 2668 pjjpd.exe 752 hnnnhh.exe 4352 q22020.exe -
resource yara_rule behavioral2/memory/3916-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2040-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-385-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2696-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-802-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-887-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8888226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbth.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3916 wrote to memory of 1748 3916 1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe 83 PID 3916 wrote to memory of 1748 3916 1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe 83 PID 3916 wrote to memory of 1748 3916 1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe 83 PID 1748 wrote to memory of 1948 1748 o282666.exe 84 PID 1748 wrote to memory of 1948 1748 o282666.exe 84 PID 1748 wrote to memory of 1948 1748 o282666.exe 84 PID 1948 wrote to memory of 1376 1948 846606.exe 85 PID 1948 wrote to memory of 1376 1948 846606.exe 85 PID 1948 wrote to memory of 1376 1948 846606.exe 85 PID 1376 wrote to memory of 2168 1376 c026066.exe 86 PID 1376 wrote to memory of 2168 1376 c026066.exe 86 PID 1376 wrote to memory of 2168 1376 c026066.exe 86 PID 2168 wrote to memory of 4656 2168 0448260.exe 87 PID 2168 wrote to memory of 4656 2168 0448260.exe 87 PID 2168 wrote to memory of 4656 2168 0448260.exe 87 PID 4656 wrote to memory of 1356 4656 6628222.exe 88 PID 4656 wrote to memory of 1356 4656 6628222.exe 88 PID 4656 wrote to memory of 1356 4656 6628222.exe 88 PID 1356 wrote to memory of 64 1356 dvpjj.exe 89 PID 1356 wrote to memory of 64 1356 dvpjj.exe 89 PID 1356 wrote to memory of 64 1356 dvpjj.exe 89 PID 64 wrote to memory of 5076 64 6060044.exe 90 PID 64 wrote to memory of 5076 64 6060044.exe 90 PID 64 wrote to memory of 5076 64 6060044.exe 90 PID 5076 wrote to memory of 1028 5076 1vpjp.exe 91 PID 5076 wrote to memory of 1028 5076 1vpjp.exe 91 PID 5076 wrote to memory of 1028 5076 1vpjp.exe 91 PID 1028 wrote to memory of 2532 1028 q06286.exe 92 PID 1028 wrote to memory of 2532 1028 q06286.exe 92 PID 1028 wrote to memory of 2532 1028 q06286.exe 92 PID 2532 wrote to memory of 2572 2532 628866.exe 93 PID 2532 wrote to memory of 2572 2532 628866.exe 93 PID 2532 wrote to memory of 2572 2532 628866.exe 93 PID 2572 wrote to memory of 3604 2572 frrrlll.exe 94 PID 2572 wrote to memory 
of 3604 2572 frrrlll.exe 94 PID 2572 wrote to memory of 3604 2572 frrrlll.exe 94 PID 3604 wrote to memory of 1676 3604 2066262.exe 95 PID 3604 wrote to memory of 1676 3604 2066262.exe 95 PID 3604 wrote to memory of 1676 3604 2066262.exe 95 PID 1676 wrote to memory of 4132 1676 xlfflxf.exe 96 PID 1676 wrote to memory of 4132 1676 xlfflxf.exe 96 PID 1676 wrote to memory of 4132 1676 xlfflxf.exe 96 PID 4132 wrote to memory of 2160 4132 64860.exe 97 PID 4132 wrote to memory of 2160 4132 64860.exe 97 PID 4132 wrote to memory of 2160 4132 64860.exe 97 PID 2160 wrote to memory of 2792 2160 jjjdp.exe 98 PID 2160 wrote to memory of 2792 2160 jjjdp.exe 98 PID 2160 wrote to memory of 2792 2160 jjjdp.exe 98 PID 2792 wrote to memory of 4300 2792 2668448.exe 99 PID 2792 wrote to memory of 4300 2792 2668448.exe 99 PID 2792 wrote to memory of 4300 2792 2668448.exe 99 PID 4300 wrote to memory of 3692 4300 llfxlfx.exe 100 PID 4300 wrote to memory of 3692 4300 llfxlfx.exe 100 PID 4300 wrote to memory of 3692 4300 llfxlfx.exe 100 PID 3692 wrote to memory of 5116 3692 9hnnbn.exe 101 PID 3692 wrote to memory of 5116 3692 9hnnbn.exe 101 PID 3692 wrote to memory of 5116 3692 9hnnbn.exe 101 PID 5116 wrote to memory of 1184 5116 68000.exe 102 PID 5116 wrote to memory of 1184 5116 68000.exe 102 PID 5116 wrote to memory of 1184 5116 68000.exe 102 PID 1184 wrote to memory of 4076 1184 fllflff.exe 103 PID 1184 wrote to memory of 4076 1184 fllflff.exe 103 PID 1184 wrote to memory of 4076 1184 fllflff.exe 103 PID 4076 wrote to memory of 1012 4076 hththt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe"C:\Users\Admin\AppData\Local\Temp\1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\o282666.exec:\o282666.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\846606.exec:\846606.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\c026066.exec:\c026066.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\0448260.exec:\0448260.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\6628222.exec:\6628222.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\dvpjj.exec:\dvpjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\6060044.exec:\6060044.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\1vpjp.exec:\1vpjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\q06286.exec:\q06286.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\628866.exec:\628866.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\frrrlll.exec:\frrrlll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\2066262.exec:\2066262.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\xlfflxf.exec:\xlfflxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\64860.exec:\64860.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\jjjdp.exec:\jjjdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\2668448.exec:\2668448.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\llfxlfx.exec:\llfxlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\9hnnbn.exec:\9hnnbn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\68000.exec:\68000.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\fllflff.exec:\fllflff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\hththt.exec:\hththt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\6848820.exec:\6848820.exe23⤵
- Executes dropped EXE
PID:1012 -
\??\c:\jvjvp.exec:\jvjvp.exe24⤵
- Executes dropped EXE
PID:1952 -
\??\c:\rrxrrlx.exec:\rrxrrlx.exe25⤵
- Executes dropped EXE
PID:2684 -
\??\c:\pjdpj.exec:\pjdpj.exe26⤵
- Executes dropped EXE
PID:512 -
\??\c:\thnbbt.exec:\thnbbt.exe27⤵
- Executes dropped EXE
PID:2040 -
\??\c:\ttbtbb.exec:\ttbtbb.exe28⤵
- Executes dropped EXE
PID:4108 -
\??\c:\bnnbtn.exec:\bnnbtn.exe29⤵
- Executes dropped EXE
PID:2012 -
\??\c:\28680.exec:\28680.exe30⤵
- Executes dropped EXE
PID:5100 -
\??\c:\802648.exec:\802648.exe31⤵
- Executes dropped EXE
PID:1604 -
\??\c:\vvvjv.exec:\vvvjv.exe32⤵
- Executes dropped EXE
PID:212 -
\??\c:\1thnbn.exec:\1thnbn.exe33⤵
- Executes dropped EXE
PID:3032 -
\??\c:\dpjvj.exec:\dpjvj.exe34⤵
- Executes dropped EXE
PID:4776 -
\??\c:\64420.exec:\64420.exe35⤵
- Executes dropped EXE
PID:3144 -
\??\c:\g2664.exec:\g2664.exe36⤵
- Executes dropped EXE
PID:1784 -
\??\c:\60086.exec:\60086.exe37⤵
- Executes dropped EXE
PID:4892 -
\??\c:\w00864.exec:\w00864.exe38⤵
- Executes dropped EXE
PID:3412 -
\??\c:\6820208.exec:\6820208.exe39⤵
- Executes dropped EXE
PID:2020 -
\??\c:\7frxlxl.exec:\7frxlxl.exe40⤵
- Executes dropped EXE
PID:1132 -
\??\c:\46028.exec:\46028.exe41⤵
- Executes dropped EXE
PID:3912 -
\??\c:\9frxfrr.exec:\9frxfrr.exe42⤵
- Executes dropped EXE
PID:2424 -
\??\c:\xfxlxrr.exec:\xfxlxrr.exe43⤵
- Executes dropped EXE
PID:3600 -
\??\c:\46200.exec:\46200.exe44⤵
- Executes dropped EXE
PID:2828 -
\??\c:\24240.exec:\24240.exe45⤵
- Executes dropped EXE
PID:1596 -
\??\c:\hthtbt.exec:\hthtbt.exe46⤵
- Executes dropped EXE
PID:2544 -
\??\c:\e40086.exec:\e40086.exe47⤵
- Executes dropped EXE
PID:4420 -
\??\c:\60042.exec:\60042.exe48⤵
- Executes dropped EXE
PID:2876 -
\??\c:\bhhnbb.exec:\bhhnbb.exe49⤵
- Executes dropped EXE
PID:8 -
\??\c:\8002086.exec:\8002086.exe50⤵
- Executes dropped EXE
PID:1748 -
\??\c:\hhbhth.exec:\hhbhth.exe51⤵
- Executes dropped EXE
PID:1168 -
\??\c:\8820860.exec:\8820860.exe52⤵
- Executes dropped EXE
PID:2208 -
\??\c:\02062.exec:\02062.exe53⤵
- Executes dropped EXE
PID:456 -
\??\c:\624044.exec:\624044.exe54⤵
- Executes dropped EXE
PID:1144 -
\??\c:\dpdpd.exec:\dpdpd.exe55⤵
- Executes dropped EXE
PID:3068 -
\??\c:\c886408.exec:\c886408.exe56⤵
- Executes dropped EXE
PID:372 -
\??\c:\u264260.exec:\u264260.exe57⤵
- Executes dropped EXE
PID:1392 -
\??\c:\6886082.exec:\6886082.exe58⤵
- Executes dropped EXE
PID:3824 -
\??\c:\60464.exec:\60464.exe59⤵
- Executes dropped EXE
PID:4480 -
\??\c:\02860.exec:\02860.exe60⤵
- Executes dropped EXE
PID:4928 -
\??\c:\bnnbtn.exec:\bnnbtn.exe61⤵
- Executes dropped EXE
PID:1804 -
\??\c:\4800480.exec:\4800480.exe62⤵
- Executes dropped EXE
PID:1576 -
\??\c:\pjjpd.exec:\pjjpd.exe63⤵
- Executes dropped EXE
PID:2668 -
\??\c:\hnnnhh.exec:\hnnnhh.exe64⤵
- Executes dropped EXE
PID:752 -
\??\c:\q22020.exec:\q22020.exe65⤵
- Executes dropped EXE
PID:4352 -
\??\c:\rrxxxrx.exec:\rrxxxrx.exe66⤵PID:3112
-
\??\c:\8846200.exec:\8846200.exe67⤵PID:2904
-
\??\c:\868664.exec:\868664.exe68⤵PID:2640
-
\??\c:\g8202.exec:\g8202.exe69⤵PID:4832
-
\??\c:\tbbntn.exec:\tbbntn.exe70⤵PID:3316
-
\??\c:\w40226.exec:\w40226.exe71⤵PID:2832
-
\??\c:\0848046.exec:\0848046.exe72⤵PID:4888
-
\??\c:\ntthbt.exec:\ntthbt.exe73⤵
- System Location Discovery: System Language Discovery
PID:4540 -
\??\c:\a0242.exec:\a0242.exe74⤵PID:1488
-
\??\c:\040860.exec:\040860.exe75⤵PID:3516
-
\??\c:\9pjvd.exec:\9pjvd.exe76⤵PID:2836
-
\??\c:\9ppdp.exec:\9ppdp.exe77⤵PID:2556
-
\??\c:\frfrxxl.exec:\frfrxxl.exe78⤵PID:3768
-
\??\c:\04420.exec:\04420.exe79⤵PID:3956
-
\??\c:\flffxlx.exec:\flffxlx.exe80⤵PID:1952
-
\??\c:\1pjvj.exec:\1pjvj.exe81⤵PID:1728
-
\??\c:\22220.exec:\22220.exe82⤵PID:1236
-
\??\c:\tttbnh.exec:\tttbnh.exe83⤵PID:208
-
\??\c:\1jvjv.exec:\1jvjv.exe84⤵PID:2040
-
\??\c:\08482.exec:\08482.exe85⤵PID:5016
-
\??\c:\pvvdp.exec:\pvvdp.exe86⤵PID:804
-
\??\c:\pdvjp.exec:\pdvjp.exe87⤵PID:2012
-
\??\c:\jvvjp.exec:\jvvjp.exe88⤵PID:4316
-
\??\c:\088668.exec:\088668.exe89⤵PID:1280
-
\??\c:\lrlxrfx.exec:\lrlxrfx.exe90⤵PID:1768
-
\??\c:\jvppd.exec:\jvppd.exe91⤵PID:212
-
\??\c:\08286.exec:\08286.exe92⤵PID:3032
-
\??\c:\1vdpv.exec:\1vdpv.exe93⤵PID:2032
-
\??\c:\22086.exec:\22086.exe94⤵PID:2696
-
\??\c:\08204.exec:\08204.exe95⤵PID:4960
-
\??\c:\i208642.exec:\i208642.exe96⤵PID:2804
-
\??\c:\rxfxfrf.exec:\rxfxfrf.exe97⤵PID:1096
-
\??\c:\8064866.exec:\8064866.exe98⤵PID:2596
-
\??\c:\xrrlrlr.exec:\xrrlrlr.exe99⤵PID:4796
-
\??\c:\5ttbnb.exec:\5ttbnb.exe100⤵PID:3628
-
\??\c:\a2466.exec:\a2466.exe101⤵PID:3028
-
\??\c:\3dvjv.exec:\3dvjv.exe102⤵PID:3196
-
\??\c:\662022.exec:\662022.exe103⤵PID:1472
-
\??\c:\64420.exec:\64420.exe104⤵PID:2148
-
\??\c:\httnht.exec:\httnht.exe105⤵PID:4344
-
\??\c:\lllxfrf.exec:\lllxfrf.exe106⤵PID:1276
-
\??\c:\7pjvv.exec:\7pjvv.exe107⤵PID:1460
-
\??\c:\2280426.exec:\2280426.exe108⤵PID:2848
-
\??\c:\3rffrfr.exec:\3rffrfr.exe109⤵PID:1036
-
\??\c:\k82082.exec:\k82082.exe110⤵PID:4168
-
\??\c:\bbnhtn.exec:\bbnhtn.exe111⤵PID:3908
-
\??\c:\lrrffxl.exec:\lrrffxl.exe112⤵PID:2168
-
\??\c:\rllxxll.exec:\rllxxll.exe113⤵PID:3068
-
\??\c:\1rxlfrr.exec:\1rxlfrr.exe114⤵PID:1356
-
\??\c:\rrrflfl.exec:\rrrflfl.exe115⤵PID:3504
-
\??\c:\1nnhbb.exec:\1nnhbb.exe116⤵PID:3224
-
\??\c:\llrlxrf.exec:\llrlxrf.exe117⤵PID:4864
-
\??\c:\68886.exec:\68886.exe118⤵PID:1840
-
\??\c:\lffrxxl.exec:\lffrxxl.exe119⤵PID:2152
-
\??\c:\fxrrfrf.exec:\fxrrfrf.exe120⤵PID:4204
-
\??\c:\9hhthb.exec:\9hhthb.exe121⤵PID:1780
-
\??\c:\0008642.exec:\0008642.exe122⤵PID:3572