Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:33
Behavioral task
behavioral1
Sample
1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe
-
Size
335KB
-
MD5
2e7868b0c6b122e9524dcc935540edf0
-
SHA1
b7b85b72c6edcaf68936febd06bd438d18c520cf
-
SHA256
1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991
-
SHA512
3f5c04e114228fa9cb8aa1f8629fea4c75c3b7b6a4dd7a30ccebb304e810a91cc0c41a16f84de6e265d5d9344bf12aaf5aeaec29c6910c23bfbe3a280b74d56c
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeR:R4wFHoSHYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1900-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4656-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1172-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3584-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2336-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2960-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1432-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2016-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3276-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2836-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3252-61-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1844-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1992-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2896-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2324-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2768-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3736-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/60-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/444-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3768-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2652-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4900-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5020-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4972-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3012-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3800-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2304-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3432-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1192-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2852-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4848-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3288-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2876-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1928-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2736-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4560-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2708-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-321-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1588-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1852-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3956-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2852-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3584-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2152-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2068-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2896-433-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2592-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-451-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2248-456-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-534-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2092-541-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3296-550-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-643-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4656 0884484.exe 3576 200480.exe 3584 llxrlrx.exe 1172 ntbbbh.exe 2960 xfflllr.exe 2336 xxlflfx.exe 1432 bnntnn.exe 3276 lrrxxrr.exe 2016 40866.exe 2836 5jjdv.exe 3252 bnhttn.exe 1844 42480.exe 1992 xrfflfl.exe 2896 xxrllll.exe 1388 i466684.exe 1840 20048.exe 2324 284226.exe 3736 866006.exe 2768 s2062.exe 4204 64000.exe 2072 600048.exe 4256 lflfxfx.exe 4888 4460260.exe 4992 hntnht.exe 1484 6826482.exe 60 o664260.exe 1620 btnhbb.exe 444 lxfrfxl.exe 3272 4060048.exe 3768 3xffffl.exe 2652 044262.exe 4900 lffllxx.exe 4996 vpdpd.exe 3336 66886.exe 5020 40666.exe 4972 00882.exe 4608 hhnntt.exe 3012 djpjd.exe 2516 802828.exe 3800 3lfxllf.exe 2256 402660.exe 2304 22444.exe 4540 pdvjj.exe 3432 606048.exe 2104 846088.exe 3688 066088.exe 1924 866002.exe 3964 084822.exe 956 444406.exe 4940 0044006.exe 3188 pjdvp.exe 4056 fffrfrl.exe 1192 jddjd.exe 3176 6006022.exe 464 6448226.exe 2264 600822.exe 4432 80220.exe 2852 bttnhh.exe 3028 0004804.exe 4656 1xlfrlf.exe 3008 bhhhbb.exe 3584 82202.exe 2152 xxxrllf.exe 4848 4424248.exe -
resource yara_rule behavioral2/memory/1900-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1900-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b29-4.dat upx behavioral2/files/0x000c000000023b85-8.dat upx behavioral2/memory/4656-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023b96-11.dat upx behavioral2/files/0x0008000000023b9f-19.dat upx behavioral2/memory/1172-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3576-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3584-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023ba4-25.dat upx behavioral2/files/0x0009000000023ba6-29.dat upx behavioral2/memory/2336-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2960-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023baa-35.dat upx behavioral2/memory/1432-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bac-39.dat upx behavioral2/memory/1432-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023baf-44.dat upx behavioral2/memory/2016-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bb0-51.dat upx behavioral2/memory/2836-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3276-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bb1-55.dat upx behavioral2/memory/2836-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3252-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bb2-60.dat upx behavioral2/files/0x000c000000023b86-65.dat upx behavioral2/memory/1844-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023be1-70.dat upx 
behavioral2/memory/2896-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1992-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023be2-76.dat upx behavioral2/memory/2896-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023be3-81.dat upx behavioral2/files/0x0008000000023be5-86.dat upx behavioral2/memory/2324-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023be6-90.dat upx behavioral2/files/0x0008000000023bec-100.dat upx behavioral2/files/0x0008000000023bed-105.dat upx behavioral2/files/0x0008000000023bff-109.dat upx behavioral2/files/0x0008000000023c05-114.dat upx behavioral2/files/0x0008000000023c06-118.dat upx behavioral2/memory/4204-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2768-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3736-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023beb-95.dat upx behavioral2/files/0x0008000000023c07-122.dat upx behavioral2/files/0x0008000000023c08-125.dat upx behavioral2/files/0x0008000000023c09-130.dat upx behavioral2/memory/60-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0a-134.dat upx behavioral2/memory/444-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023c1f-140.dat upx behavioral2/files/0x0016000000023c20-144.dat upx behavioral2/files/0x0008000000023c26-147.dat upx behavioral2/memory/3768-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2652-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c2a-152.dat upx behavioral2/memory/4900-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5020-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4972-167-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral2/memory/4608-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3012-173-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u844842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 602662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6462862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c462266.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2644484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1900 wrote to memory of 4656 1900 1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe 83 PID 1900 wrote to memory of 4656 1900 1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe 83 PID 1900 wrote to memory of 4656 1900 1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe 83 PID 4656 wrote to memory of 3576 4656 0884484.exe 84 PID 4656 wrote to memory of 3576 4656 0884484.exe 84 PID 4656 wrote to memory of 3576 4656 0884484.exe 84 PID 3576 wrote to memory of 3584 3576 200480.exe 85 PID 3576 wrote to memory of 3584 3576 200480.exe 85 PID 3576 wrote to memory of 3584 3576 200480.exe 85 PID 3584 wrote to memory of 1172 3584 llxrlrx.exe 86 PID 3584 wrote to memory of 1172 3584 llxrlrx.exe 86 PID 3584 wrote to memory of 1172 3584 llxrlrx.exe 86 PID 1172 wrote to memory of 2960 1172 ntbbbh.exe 87 PID 1172 wrote to memory of 2960 1172 ntbbbh.exe 87 PID 1172 wrote to memory of 2960 1172 ntbbbh.exe 87 PID 2960 wrote to memory of 2336 2960 xfflllr.exe 88 PID 2960 wrote to memory of 2336 2960 xfflllr.exe 88 PID 2960 wrote to memory of 2336 2960 xfflllr.exe 88 PID 2336 wrote to memory of 1432 2336 xxlflfx.exe 89 PID 2336 wrote to memory of 1432 2336 xxlflfx.exe 89 PID 2336 wrote to memory of 1432 2336 xxlflfx.exe 89 PID 1432 wrote to memory of 3276 1432 bnntnn.exe 90 PID 1432 wrote to memory of 3276 1432 bnntnn.exe 90 PID 1432 wrote to memory of 3276 1432 bnntnn.exe 90 PID 3276 wrote to memory of 2016 3276 lrrxxrr.exe 91 PID 3276 wrote to memory of 2016 3276 lrrxxrr.exe 91 PID 3276 wrote to memory of 2016 3276 lrrxxrr.exe 91 PID 2016 wrote to memory of 2836 2016 40866.exe 92 PID 2016 wrote to memory of 2836 2016 40866.exe 92 PID 2016 wrote to memory of 2836 2016 40866.exe 92 PID 2836 wrote to memory of 3252 2836 5jjdv.exe 93 PID 2836 wrote to memory of 3252 2836 5jjdv.exe 93 PID 2836 wrote to memory of 3252 2836 5jjdv.exe 93 PID 3252 wrote to memory of 1844 3252 bnhttn.exe 94 PID 
3252 wrote to memory of 1844 3252 bnhttn.exe 94 PID 3252 wrote to memory of 1844 3252 bnhttn.exe 94 PID 1844 wrote to memory of 1992 1844 42480.exe 95 PID 1844 wrote to memory of 1992 1844 42480.exe 95 PID 1844 wrote to memory of 1992 1844 42480.exe 95 PID 1992 wrote to memory of 2896 1992 xrfflfl.exe 96 PID 1992 wrote to memory of 2896 1992 xrfflfl.exe 96 PID 1992 wrote to memory of 2896 1992 xrfflfl.exe 96 PID 2896 wrote to memory of 1388 2896 xxrllll.exe 97 PID 2896 wrote to memory of 1388 2896 xxrllll.exe 97 PID 2896 wrote to memory of 1388 2896 xxrllll.exe 97 PID 1388 wrote to memory of 1840 1388 i466684.exe 98 PID 1388 wrote to memory of 1840 1388 i466684.exe 98 PID 1388 wrote to memory of 1840 1388 i466684.exe 98 PID 1840 wrote to memory of 2324 1840 20048.exe 99 PID 1840 wrote to memory of 2324 1840 20048.exe 99 PID 1840 wrote to memory of 2324 1840 20048.exe 99 PID 2324 wrote to memory of 3736 2324 284226.exe 100 PID 2324 wrote to memory of 3736 2324 284226.exe 100 PID 2324 wrote to memory of 3736 2324 284226.exe 100 PID 3736 wrote to memory of 2768 3736 866006.exe 101 PID 3736 wrote to memory of 2768 3736 866006.exe 101 PID 3736 wrote to memory of 2768 3736 866006.exe 101 PID 2768 wrote to memory of 4204 2768 s2062.exe 102 PID 2768 wrote to memory of 4204 2768 s2062.exe 102 PID 2768 wrote to memory of 4204 2768 s2062.exe 102 PID 4204 wrote to memory of 2072 4204 64000.exe 103 PID 4204 wrote to memory of 2072 4204 64000.exe 103 PID 4204 wrote to memory of 2072 4204 64000.exe 103 PID 2072 wrote to memory of 4256 2072 600048.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe"C:\Users\Admin\AppData\Local\Temp\1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\0884484.exec:\0884484.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\200480.exec:\200480.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\llxrlrx.exec:\llxrlrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\ntbbbh.exec:\ntbbbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\xfflllr.exec:\xfflllr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\xxlflfx.exec:\xxlflfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\bnntnn.exec:\bnntnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\lrrxxrr.exec:\lrrxxrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\40866.exec:\40866.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\5jjdv.exec:\5jjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\bnhttn.exec:\bnhttn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\42480.exec:\42480.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\xrfflfl.exec:\xrfflfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\xxrllll.exec:\xxrllll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\i466684.exec:\i466684.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\20048.exec:\20048.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\284226.exec:\284226.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\866006.exec:\866006.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\s2062.exec:\s2062.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\64000.exec:\64000.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\600048.exec:\600048.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\lflfxfx.exec:\lflfxfx.exe23⤵
- Executes dropped EXE
PID:4256 -
\??\c:\4460260.exec:\4460260.exe24⤵
- Executes dropped EXE
PID:4888 -
\??\c:\hntnht.exec:\hntnht.exe25⤵
- Executes dropped EXE
PID:4992 -
\??\c:\6826482.exec:\6826482.exe26⤵
- Executes dropped EXE
PID:1484 -
\??\c:\o664260.exec:\o664260.exe27⤵
- Executes dropped EXE
PID:60 -
\??\c:\btnhbb.exec:\btnhbb.exe28⤵
- Executes dropped EXE
PID:1620 -
\??\c:\lxfrfxl.exec:\lxfrfxl.exe29⤵
- Executes dropped EXE
PID:444 -
\??\c:\4060048.exec:\4060048.exe30⤵
- Executes dropped EXE
PID:3272 -
\??\c:\3xffffl.exec:\3xffffl.exe31⤵
- Executes dropped EXE
PID:3768 -
\??\c:\044262.exec:\044262.exe32⤵
- Executes dropped EXE
PID:2652 -
\??\c:\lffllxx.exec:\lffllxx.exe33⤵
- Executes dropped EXE
PID:4900 -
\??\c:\vpdpd.exec:\vpdpd.exe34⤵
- Executes dropped EXE
PID:4996 -
\??\c:\66886.exec:\66886.exe35⤵
- Executes dropped EXE
PID:3336 -
\??\c:\40666.exec:\40666.exe36⤵
- Executes dropped EXE
PID:5020 -
\??\c:\00882.exec:\00882.exe37⤵
- Executes dropped EXE
PID:4972 -
\??\c:\hhnntt.exec:\hhnntt.exe38⤵
- Executes dropped EXE
PID:4608 -
\??\c:\djpjd.exec:\djpjd.exe39⤵
- Executes dropped EXE
PID:3012 -
\??\c:\802828.exec:\802828.exe40⤵
- Executes dropped EXE
PID:2516 -
\??\c:\3lfxllf.exec:\3lfxllf.exe41⤵
- Executes dropped EXE
PID:3800 -
\??\c:\402660.exec:\402660.exe42⤵
- Executes dropped EXE
PID:2256 -
\??\c:\22444.exec:\22444.exe43⤵
- Executes dropped EXE
PID:2304 -
\??\c:\pdvjj.exec:\pdvjj.exe44⤵
- Executes dropped EXE
PID:4540 -
\??\c:\606048.exec:\606048.exe45⤵
- Executes dropped EXE
PID:3432 -
\??\c:\846088.exec:\846088.exe46⤵
- Executes dropped EXE
PID:2104 -
\??\c:\066088.exec:\066088.exe47⤵
- Executes dropped EXE
PID:3688 -
\??\c:\866002.exec:\866002.exe48⤵
- Executes dropped EXE
PID:1924 -
\??\c:\084822.exec:\084822.exe49⤵
- Executes dropped EXE
PID:3964 -
\??\c:\444406.exec:\444406.exe50⤵
- Executes dropped EXE
PID:956 -
\??\c:\0044006.exec:\0044006.exe51⤵
- Executes dropped EXE
PID:4940 -
\??\c:\pjdvp.exec:\pjdvp.exe52⤵
- Executes dropped EXE
PID:3188 -
\??\c:\fffrfrl.exec:\fffrfrl.exe53⤵
- Executes dropped EXE
PID:4056 -
\??\c:\jddjd.exec:\jddjd.exe54⤵
- Executes dropped EXE
PID:1192 -
\??\c:\6006022.exec:\6006022.exe55⤵
- Executes dropped EXE
PID:3176 -
\??\c:\6448226.exec:\6448226.exe56⤵
- Executes dropped EXE
PID:464 -
\??\c:\600822.exec:\600822.exe57⤵
- Executes dropped EXE
PID:2264 -
\??\c:\80220.exec:\80220.exe58⤵
- Executes dropped EXE
PID:4432 -
\??\c:\bttnhh.exec:\bttnhh.exe59⤵
- Executes dropped EXE
PID:2852 -
\??\c:\0004804.exec:\0004804.exe60⤵
- Executes dropped EXE
PID:3028 -
\??\c:\1xlfrlf.exec:\1xlfrlf.exe61⤵
- Executes dropped EXE
PID:4656 -
\??\c:\bhhhbb.exec:\bhhhbb.exe62⤵
- Executes dropped EXE
PID:3008 -
\??\c:\82202.exec:\82202.exe63⤵
- Executes dropped EXE
PID:3584 -
\??\c:\xxxrllf.exec:\xxxrllf.exe64⤵
- Executes dropped EXE
PID:2152 -
\??\c:\4424248.exec:\4424248.exe65⤵
- Executes dropped EXE
PID:4848 -
\??\c:\lflflxx.exec:\lflflxx.exe66⤵PID:4300
-
\??\c:\862242.exec:\862242.exe67⤵PID:4552
-
\??\c:\666622.exec:\666622.exe68⤵PID:952
-
\??\c:\pddvj.exec:\pddvj.exe69⤵PID:1628
-
\??\c:\u882826.exec:\u882826.exe70⤵PID:1964
-
\??\c:\bbbbtn.exec:\bbbbtn.exe71⤵PID:3276
-
\??\c:\pvdvp.exec:\pvdvp.exe72⤵PID:3288
-
\??\c:\6682086.exec:\6682086.exe73⤵PID:1728
-
\??\c:\48488.exec:\48488.exe74⤵PID:2856
-
\??\c:\84408.exec:\84408.exe75⤵PID:1184
-
\??\c:\622448.exec:\622448.exe76⤵PID:2876
-
\??\c:\nhhbtn.exec:\nhhbtn.exe77⤵PID:1928
-
\??\c:\80464.exec:\80464.exe78⤵PID:4728
-
\??\c:\dvppv.exec:\dvppv.exe79⤵PID:4480
-
\??\c:\1ttnbn.exec:\1ttnbn.exe80⤵PID:4860
-
\??\c:\djjvp.exec:\djjvp.exe81⤵PID:216
-
\??\c:\thhnhh.exec:\thhnhh.exe82⤵PID:2020
-
\??\c:\4066006.exec:\4066006.exe83⤵PID:2188
-
\??\c:\pvjvv.exec:\pvjvv.exe84⤵PID:3220
-
\??\c:\pvjvj.exec:\pvjvj.exe85⤵PID:2324
-
\??\c:\8260260.exec:\8260260.exe86⤵PID:536
-
\??\c:\lxrrfrf.exec:\lxrrfrf.exe87⤵PID:2736
-
\??\c:\ddpjd.exec:\ddpjd.exe88⤵PID:4000
-
\??\c:\frlxlrl.exec:\frlxlrl.exe89⤵PID:3216
-
\??\c:\822042.exec:\822042.exe90⤵PID:4560
-
\??\c:\88486.exec:\88486.exe91⤵PID:2708
-
\??\c:\dddpd.exec:\dddpd.exe92⤵PID:3676
-
\??\c:\rlxrxrf.exec:\rlxrxrf.exe93⤵PID:1104
-
\??\c:\884424.exec:\884424.exe94⤵PID:4220
-
\??\c:\ttthtn.exec:\ttthtn.exe95⤵PID:2636
-
\??\c:\xllxfrl.exec:\xllxfrl.exe96⤵PID:1976
-
\??\c:\tnnhtn.exec:\tnnhtn.exe97⤵PID:964
-
\??\c:\8604204.exec:\8604204.exe98⤵PID:1952
-
\??\c:\44820.exec:\44820.exe99⤵
- System Location Discovery: System Language Discovery
PID:1520 -
\??\c:\dddpj.exec:\dddpj.exe100⤵PID:1812
-
\??\c:\002626.exec:\002626.exe101⤵PID:3332
-
\??\c:\0060820.exec:\0060820.exe102⤵PID:3720
-
\??\c:\64204.exec:\64204.exe103⤵PID:4516
-
\??\c:\bbtbnh.exec:\bbtbnh.exe104⤵PID:2692
-
\??\c:\426086.exec:\426086.exe105⤵PID:4036
-
\??\c:\htbnhb.exec:\htbnhb.exe106⤵PID:4464
-
\??\c:\xrrlxrf.exec:\xrrlxrf.exe107⤵PID:3312
-
\??\c:\0888664.exec:\0888664.exe108⤵PID:1588
-
\??\c:\pddpj.exec:\pddpj.exe109⤵PID:4472
-
\??\c:\tntbtn.exec:\tntbtn.exe110⤵PID:4172
-
\??\c:\828866.exec:\828866.exe111⤵PID:1852
-
\??\c:\400660.exec:\400660.exe112⤵PID:3012
-
\??\c:\jddvj.exec:\jddvj.exe113⤵PID:3140
-
\??\c:\62260.exec:\62260.exe114⤵PID:1764
-
\??\c:\644208.exec:\644208.exe115⤵PID:3580
-
\??\c:\8882286.exec:\8882286.exe116⤵PID:5040
-
\??\c:\nnhbtt.exec:\nnhbtt.exe117⤵PID:1724
-
\??\c:\428608.exec:\428608.exe118⤵PID:5036
-
\??\c:\4244822.exec:\4244822.exe119⤵PID:368
-
\??\c:\s2242.exec:\s2242.exe120⤵PID:2104
-
\??\c:\vppjp.exec:\vppjp.exe121⤵PID:3956
-
\??\c:\0040664.exec:\0040664.exe122⤵PID:1924