Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe
-
Size
454KB
-
MD5
81e3959b60b73d25ac79e22ed38b4b5f
-
SHA1
0735eddf4305b979e8fcd934005d62c22ac41ab6
-
SHA256
e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad
-
SHA512
db79ae6c4af41ae884f90c079702b3680b0ba600752471531255e95f6ee780e680a82d3c1d7f25202f097ef23578297533c139392869f66ec4a98da390ad6e29
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/2880-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/296-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/612-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/892-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2644-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-434-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1732-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-544-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2492-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-592-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1032-618-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2056-638-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2112-931-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2220-938-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2904-963-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1340-1044-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2512-1090-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/2380-1127-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/836-1175-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/836-1173-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2756 28224.exe 2864 3btbnn.exe 2868 0228406.exe 2640 86840.exe 892 vdjjp.exe 1616 nnbnbh.exe 296 4806884.exe 2956 08624.exe 2144 7ththn.exe 2124 642806.exe 2912 xlfxffl.exe 2000 ntnbnt.exe 2960 lxrfxfr.exe 2728 dddpj.exe 1856 s8628.exe 3000 264428.exe 1436 jdpjv.exe 2456 jdvdj.exe 2428 lfllxff.exe 1756 642240.exe 2388 4606844.exe 2068 042406.exe 1548 i866828.exe 2080 tthnnb.exe 1352 5jpvd.exe 1736 20228.exe 904 222844.exe 1748 220480.exe 2540 thnhhh.exe 2484 xflflfr.exe 880 jjvpp.exe 612 pjvvv.exe 3048 1pdvv.exe 2860 7nbttt.exe 2752 428844.exe 2916 20222.exe 2812 6044062.exe 2644 7tbbhh.exe 2288 20222.exe 2424 djvjp.exe 1048 c828488.exe 1852 frllrlr.exe 2144 0866206.exe 2176 464844.exe 484 k80060.exe 2940 86066.exe 2000 bhbnbb.exe 2920 i640224.exe 2904 40224.exe 2536 rrlxllf.exe 3024 lrfrxrr.exe 3000 ppvpv.exe 1424 226240.exe 2156 bhbhbn.exe 2188 9vjjj.exe 1224 q46668.exe 2948 080666.exe 2212 nbtbnn.exe 1828 btnthb.exe 1772 28602.exe 696 200066.exe 1340 lxfrlxr.exe 2052 nnhtth.exe 1732 824068.exe -
resource yara_rule behavioral1/memory/2880-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/612-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-30-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2756-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-336-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1852-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-638-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2332-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/300-818-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-832-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2344-905-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-918-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-931-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2308-1006-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-1019-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-1107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-1148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-1161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-1224-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2066268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lxxxxx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2880 wrote to memory of 2756 2880 e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe 30 PID 2880 wrote to memory of 2756 2880 e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe 30 PID 2880 wrote to memory of 2756 2880 e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe 30 PID 2880 wrote to memory of 2756 2880 e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe 30 PID 2756 wrote to memory of 2864 2756 28224.exe 31 PID 2756 wrote to memory of 2864 2756 28224.exe 31 PID 2756 wrote to memory of 2864 2756 28224.exe 31 PID 2756 wrote to memory of 2864 2756 28224.exe 31 PID 2864 wrote to memory of 2868 2864 3btbnn.exe 32 PID 2864 wrote to memory of 2868 2864 3btbnn.exe 32 PID 2864 wrote to memory of 2868 2864 3btbnn.exe 32 PID 2864 wrote to memory of 2868 2864 3btbnn.exe 32 PID 2868 wrote to memory of 2640 2868 0228406.exe 33 PID 2868 wrote to memory of 2640 2868 0228406.exe 33 PID 2868 wrote to memory of 2640 2868 0228406.exe 33 PID 2868 wrote to memory of 2640 2868 0228406.exe 33 PID 2640 wrote to memory of 892 2640 86840.exe 34 PID 2640 wrote to memory of 892 2640 86840.exe 34 PID 2640 wrote to memory of 892 2640 86840.exe 34 PID 2640 wrote to memory of 892 2640 86840.exe 34 PID 892 wrote to memory of 1616 892 vdjjp.exe 35 PID 892 wrote to memory of 1616 892 vdjjp.exe 35 PID 892 wrote to memory of 1616 892 vdjjp.exe 35 PID 892 wrote to memory of 1616 892 vdjjp.exe 35 PID 1616 wrote to memory of 296 1616 nnbnbh.exe 36 PID 1616 wrote to memory of 296 1616 nnbnbh.exe 36 PID 1616 wrote to memory of 296 1616 nnbnbh.exe 36 PID 1616 wrote to memory of 296 1616 nnbnbh.exe 36 PID 296 wrote to memory of 2956 296 4806884.exe 37 PID 296 wrote to memory of 2956 296 4806884.exe 37 PID 296 wrote to memory of 2956 296 4806884.exe 37 PID 296 wrote to memory of 2956 296 4806884.exe 37 PID 2956 wrote to memory of 2144 2956 08624.exe 38 PID 2956 wrote to memory of 2144 2956 
08624.exe 38 PID 2956 wrote to memory of 2144 2956 08624.exe 38 PID 2956 wrote to memory of 2144 2956 08624.exe 38 PID 2144 wrote to memory of 2124 2144 7ththn.exe 39 PID 2144 wrote to memory of 2124 2144 7ththn.exe 39 PID 2144 wrote to memory of 2124 2144 7ththn.exe 39 PID 2144 wrote to memory of 2124 2144 7ththn.exe 39 PID 2124 wrote to memory of 2912 2124 642806.exe 40 PID 2124 wrote to memory of 2912 2124 642806.exe 40 PID 2124 wrote to memory of 2912 2124 642806.exe 40 PID 2124 wrote to memory of 2912 2124 642806.exe 40 PID 2912 wrote to memory of 2000 2912 xlfxffl.exe 41 PID 2912 wrote to memory of 2000 2912 xlfxffl.exe 41 PID 2912 wrote to memory of 2000 2912 xlfxffl.exe 41 PID 2912 wrote to memory of 2000 2912 xlfxffl.exe 41 PID 2000 wrote to memory of 2960 2000 ntnbnt.exe 42 PID 2000 wrote to memory of 2960 2000 ntnbnt.exe 42 PID 2000 wrote to memory of 2960 2000 ntnbnt.exe 42 PID 2000 wrote to memory of 2960 2000 ntnbnt.exe 42 PID 2960 wrote to memory of 2728 2960 lxrfxfr.exe 43 PID 2960 wrote to memory of 2728 2960 lxrfxfr.exe 43 PID 2960 wrote to memory of 2728 2960 lxrfxfr.exe 43 PID 2960 wrote to memory of 2728 2960 lxrfxfr.exe 43 PID 2728 wrote to memory of 1856 2728 dddpj.exe 44 PID 2728 wrote to memory of 1856 2728 dddpj.exe 44 PID 2728 wrote to memory of 1856 2728 dddpj.exe 44 PID 2728 wrote to memory of 1856 2728 dddpj.exe 44 PID 1856 wrote to memory of 3000 1856 s8628.exe 45 PID 1856 wrote to memory of 3000 1856 s8628.exe 45 PID 1856 wrote to memory of 3000 1856 s8628.exe 45 PID 1856 wrote to memory of 3000 1856 s8628.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe"C:\Users\Admin\AppData\Local\Temp\e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\28224.exec:\28224.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\3btbnn.exec:\3btbnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\0228406.exec:\0228406.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\86840.exec:\86840.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\vdjjp.exec:\vdjjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
\??\c:\nnbnbh.exec:\nnbnbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\4806884.exec:\4806884.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:296 -
\??\c:\08624.exec:\08624.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\7ththn.exec:\7ththn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\642806.exec:\642806.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\xlfxffl.exec:\xlfxffl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\ntnbnt.exec:\ntnbnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\lxrfxfr.exec:\lxrfxfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\dddpj.exec:\dddpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\s8628.exec:\s8628.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\264428.exec:\264428.exe17⤵
- Executes dropped EXE
PID:3000 -
\??\c:\jdpjv.exec:\jdpjv.exe18⤵
- Executes dropped EXE
PID:1436 -
\??\c:\jdvdj.exec:\jdvdj.exe19⤵
- Executes dropped EXE
PID:2456 -
\??\c:\lfllxff.exec:\lfllxff.exe20⤵
- Executes dropped EXE
PID:2428 -
\??\c:\642240.exec:\642240.exe21⤵
- Executes dropped EXE
PID:1756 -
\??\c:\4606844.exec:\4606844.exe22⤵
- Executes dropped EXE
PID:2388 -
\??\c:\042406.exec:\042406.exe23⤵
- Executes dropped EXE
PID:2068 -
\??\c:\i866828.exec:\i866828.exe24⤵
- Executes dropped EXE
PID:1548 -
\??\c:\tthnnb.exec:\tthnnb.exe25⤵
- Executes dropped EXE
PID:2080 -
\??\c:\5jpvd.exec:\5jpvd.exe26⤵
- Executes dropped EXE
PID:1352 -
\??\c:\20228.exec:\20228.exe27⤵
- Executes dropped EXE
PID:1736 -
\??\c:\222844.exec:\222844.exe28⤵
- Executes dropped EXE
PID:904 -
\??\c:\220480.exec:\220480.exe29⤵
- Executes dropped EXE
PID:1748 -
\??\c:\thnhhh.exec:\thnhhh.exe30⤵
- Executes dropped EXE
PID:2540 -
\??\c:\xflflfr.exec:\xflflfr.exe31⤵
- Executes dropped EXE
PID:2484 -
\??\c:\jjvpp.exec:\jjvpp.exe32⤵
- Executes dropped EXE
PID:880 -
\??\c:\pjvvv.exec:\pjvvv.exe33⤵
- Executes dropped EXE
PID:612 -
\??\c:\1pdvv.exec:\1pdvv.exe34⤵
- Executes dropped EXE
PID:3048 -
\??\c:\7nbttt.exec:\7nbttt.exe35⤵
- Executes dropped EXE
PID:2860 -
\??\c:\428844.exec:\428844.exe36⤵
- Executes dropped EXE
PID:2752 -
\??\c:\20222.exec:\20222.exe37⤵
- Executes dropped EXE
PID:2916 -
\??\c:\6044062.exec:\6044062.exe38⤵
- Executes dropped EXE
PID:2812 -
\??\c:\7tbbhh.exec:\7tbbhh.exe39⤵
- Executes dropped EXE
PID:2644 -
\??\c:\20222.exec:\20222.exe40⤵
- Executes dropped EXE
PID:2288 -
\??\c:\djvjp.exec:\djvjp.exe41⤵
- Executes dropped EXE
PID:2424 -
\??\c:\c828488.exec:\c828488.exe42⤵
- Executes dropped EXE
PID:1048 -
\??\c:\frllrlr.exec:\frllrlr.exe43⤵
- Executes dropped EXE
PID:1852 -
\??\c:\0866206.exec:\0866206.exe44⤵
- Executes dropped EXE
PID:2144 -
\??\c:\464844.exec:\464844.exe45⤵
- Executes dropped EXE
PID:2176 -
\??\c:\k80060.exec:\k80060.exe46⤵
- Executes dropped EXE
PID:484 -
\??\c:\86066.exec:\86066.exe47⤵
- Executes dropped EXE
PID:2940 -
\??\c:\bhbnbb.exec:\bhbnbb.exe48⤵
- Executes dropped EXE
PID:2000 -
\??\c:\i640224.exec:\i640224.exe49⤵
- Executes dropped EXE
PID:2920 -
\??\c:\40224.exec:\40224.exe50⤵
- Executes dropped EXE
PID:2904 -
\??\c:\rrlxllf.exec:\rrlxllf.exe51⤵
- Executes dropped EXE
PID:2536 -
\??\c:\lrfrxrr.exec:\lrfrxrr.exe52⤵
- Executes dropped EXE
PID:3024 -
\??\c:\ppvpv.exec:\ppvpv.exe53⤵
- Executes dropped EXE
PID:3000 -
\??\c:\226240.exec:\226240.exe54⤵
- Executes dropped EXE
PID:1424 -
\??\c:\bhbhbn.exec:\bhbhbn.exe55⤵
- Executes dropped EXE
PID:2156 -
\??\c:\9vjjj.exec:\9vjjj.exe56⤵
- Executes dropped EXE
PID:2188 -
\??\c:\q46668.exec:\q46668.exe57⤵
- Executes dropped EXE
PID:1224 -
\??\c:\080666.exec:\080666.exe58⤵
- Executes dropped EXE
PID:2948 -
\??\c:\nbtbnn.exec:\nbtbnn.exe59⤵
- Executes dropped EXE
PID:2212 -
\??\c:\btnthb.exec:\btnthb.exe60⤵
- Executes dropped EXE
PID:1828 -
\??\c:\28602.exec:\28602.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1772 -
\??\c:\200066.exec:\200066.exe62⤵
- Executes dropped EXE
PID:696 -
\??\c:\lxfrlxr.exec:\lxfrlxr.exe63⤵
- Executes dropped EXE
PID:1340 -
\??\c:\nnhtth.exec:\nnhtth.exe64⤵
- Executes dropped EXE
PID:2052 -
\??\c:\824068.exec:\824068.exe65⤵
- Executes dropped EXE
PID:1732 -
\??\c:\e80066.exec:\e80066.exe66⤵PID:1648
-
\??\c:\7jvdj.exec:\7jvdj.exe67⤵PID:2448
-
\??\c:\frflllx.exec:\frflllx.exe68⤵PID:1860
-
\??\c:\5rllflf.exec:\5rllflf.exe69⤵PID:576
-
\??\c:\9hbbhh.exec:\9hbbhh.exe70⤵PID:2100
-
\??\c:\flfflll.exec:\flfflll.exe71⤵PID:2512
-
\??\c:\lfxrxxf.exec:\lfxrxxf.exe72⤵PID:2832
-
\??\c:\208466.exec:\208466.exe73⤵PID:1808
-
\??\c:\444042.exec:\444042.exe74⤵PID:2492
-
\??\c:\68006.exec:\68006.exe75⤵PID:1608
-
\??\c:\086640.exec:\086640.exe76⤵PID:1716
-
\??\c:\2040602.exec:\2040602.exe77⤵PID:2752
-
\??\c:\u266224.exec:\u266224.exe78⤵PID:1700
-
\??\c:\42888.exec:\42888.exe79⤵PID:2648
-
\??\c:\42664.exec:\42664.exe80⤵PID:2680
-
\??\c:\4866880.exec:\4866880.exe81⤵PID:3004
-
\??\c:\4288422.exec:\4288422.exe82⤵PID:892
-
\??\c:\ttnntt.exec:\ttnntt.exe83⤵PID:1032
-
\??\c:\082444.exec:\082444.exe84⤵PID:2748
-
\??\c:\c248866.exec:\c248866.exe85⤵PID:2956
-
\??\c:\20828.exec:\20828.exe86⤵PID:2056
-
\??\c:\k24066.exec:\k24066.exe87⤵PID:2332
-
\??\c:\2028028.exec:\2028028.exe88⤵PID:3012
-
\??\c:\hbhbbh.exec:\hbhbbh.exe89⤵PID:2220
-
\??\c:\fxxxfxf.exec:\fxxxfxf.exe90⤵PID:2104
-
\??\c:\vdvdp.exec:\vdvdp.exe91⤵PID:2000
-
\??\c:\k64066.exec:\k64066.exe92⤵PID:2728
-
\??\c:\3jvpd.exec:\3jvpd.exe93⤵PID:2904
-
\??\c:\20002.exec:\20002.exe94⤵PID:2088
-
\??\c:\lllrflx.exec:\lllrflx.exe95⤵
- System Location Discovery: System Language Discovery
PID:3024 -
\??\c:\5rflxfx.exec:\5rflxfx.exe96⤵PID:1152
-
\??\c:\rlflrrf.exec:\rlflrrf.exe97⤵PID:1816
-
\??\c:\08628.exec:\08628.exe98⤵PID:2156
-
\??\c:\22202.exec:\22202.exe99⤵PID:2252
-
\??\c:\jvjdv.exec:\jvjdv.exe100⤵PID:2356
-
\??\c:\0426880.exec:\0426880.exe101⤵PID:2164
-
\??\c:\vpjpv.exec:\vpjpv.exe102⤵PID:2212
-
\??\c:\468268.exec:\468268.exe103⤵PID:3052
-
\??\c:\4866228.exec:\4866228.exe104⤵PID:1772
-
\??\c:\nthnhn.exec:\nthnhn.exe105⤵PID:992
-
\??\c:\w20066.exec:\w20066.exe106⤵PID:2008
-
\??\c:\1hnthh.exec:\1hnthh.exe107⤵PID:1964
-
\??\c:\pvjpv.exec:\pvjpv.exe108⤵PID:920
-
\??\c:\9rfxxxx.exec:\9rfxxxx.exe109⤵PID:1736
-
\??\c:\6022268.exec:\6022268.exe110⤵PID:1648
-
\??\c:\0462002.exec:\0462002.exe111⤵PID:2412
-
\??\c:\6606840.exec:\6606840.exe112⤵PID:1860
-
\??\c:\o600228.exec:\o600228.exe113⤵PID:576
-
\??\c:\g8002.exec:\g8002.exe114⤵PID:888
-
\??\c:\1pddp.exec:\1pddp.exe115⤵PID:300
-
\??\c:\tnhntt.exec:\tnhntt.exe116⤵PID:2832
-
\??\c:\fxrxflx.exec:\fxrxflx.exe117⤵PID:2140
-
\??\c:\frlrxfr.exec:\frlrxfr.exe118⤵PID:1600
-
\??\c:\3dpjj.exec:\3dpjj.exe119⤵PID:2732
-
\??\c:\o600268.exec:\o600268.exe120⤵PID:2300
-
\??\c:\nhbhth.exec:\nhbhth.exe121⤵PID:2580
-
\??\c:\60846.exec:\60846.exe122⤵PID:2324