Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
08/01/2025, 07:38
Behavioral task
behavioral1
Sample
ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
Note: every IoC and process-tree entry reproduced below is tagged behavioral2 and matches the windows10-2004_x64 / win10v2004-20241007-en platform listed in the header above, not the win7-20241010-en resource named for behavioral1. Treat the PIDs and handles below as belonging to the Windows 10 run.
General
-
Target
ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe
-
Size
333KB
-
MD5
7ec1576f6914fa8334a8cf0dc86d6570
-
SHA1
3673ba21878e5c2ef9ac9895f99cd18b24feaf21
-
SHA256
ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1b
-
SHA512
3e2d772dafda5673f3cdeae8a919fe7424db3428efdc9db5d9eff2bb8b26fdd66ea36d185c4b301695a10c44217a6d5527f6c6f5023d2eae713af993b321a146
-
SSDEEP (fuzzy hash; because this sample and each dropped stage match the `upx` YARA rule below, SSDEEP similarity is likely dominated by the packer stub — cluster on the unpacked payload rather than on this value)
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAber:R4wFHoSHYHUrAwfMp3CDr
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 64 IoCs shown (the list stops at 64 entries). The family_blackmoon rule matches the same 0x00400000–0x00427000 image range in every stage, and the `upx` YARA hits on the same memory regions and on the dropped .dat resources indicate each stage is UPX-packed; the in-memory match is the more reliable indicator since the on-disk file is packed.
resource yara_rule behavioral2/memory/5072-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2440-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1836-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/736-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4224-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1904-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3380-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1400-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2424-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/676-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2416-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/540-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3048-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1848-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3244-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2588-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/860-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/720-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1272-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1176-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2820-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1888-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1888-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1124-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/952-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1752-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2908-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4136-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1912-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4296-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3804-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3852-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1088-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1648-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2860-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3428-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2768-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3812-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3696-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4136-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2496-413-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1408-440-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4052-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3836-472-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1900-495-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2120-502-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2676-517-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1836-524-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/8-627-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs shown, but the process tree below runs to 122 stages, so this list is truncated. Each dropped executable is written to the volume root (c:\<name>.exe) and launches the next one, forming a single linear parent→child chain; an executable created in the drive root and a chain of this depth are both usable detection signals.
pid Process 736 40822.exe 2440 dvddd.exe 1836 xrrrllf.exe 4224 60828.exe 3380 224644.exe 1904 ffrxxrx.exe 4876 204064.exe 3144 0226666.exe 4860 0240444.exe 1400 02402.exe 2424 nnhbnn.exe 676 240044.exe 2416 4082060.exe 2552 1bhbtn.exe 3048 444824.exe 3280 6404484.exe 540 6088002.exe 2020 646622.exe 4468 lxffxff.exe 5016 262288.exe 1848 lxlxxxf.exe 4548 7jjdd.exe 4800 8248664.exe 3244 9pvjd.exe 4980 tttnhh.exe 2468 24622.exe 2588 jdvpj.exe 2948 i860022.exe 5044 28404.exe 3800 xlrrllf.exe 860 28826.exe 4992 7frlfll.exe 1384 lllfxff.exe 720 btnntt.exe 928 4640268.exe 1272 u628222.exe 1176 0488446.exe 2820 88048.exe 1888 684444.exe 2932 lxfflll.exe 3152 e06604.exe 1100 g0004.exe 1728 xxxfflf.exe 3612 nhnntt.exe 660 thhbbt.exe 1124 xlfrlfx.exe 2612 dpdvp.exe 2404 hntnth.exe 1544 hhhthb.exe 3588 u664826.exe 952 204208.exe 3656 846482.exe 3856 1ffxlfl.exe 3776 4286666.exe 3288 5hnhhb.exe 4968 4480400.exe 3620 ddjpj.exe 4940 002648.exe 2164 xxxlxrf.exe 1752 224860.exe 2908 ffxxffl.exe 4136 42648.exe 4564 vvjdp.exe 3276 5bbthb.exe -
resource yara_rule behavioral2/memory/5072-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c52-3.dat upx behavioral2/memory/5072-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-8.dat upx behavioral2/memory/2440-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-11.dat upx behavioral2/memory/1836-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-19.dat upx behavioral2/memory/736-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-23.dat upx behavioral2/memory/4224-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-29.dat upx behavioral2/files/0x0007000000023cb6-33.dat upx behavioral2/memory/1904-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-38.dat upx behavioral2/memory/4876-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3144-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3380-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-44.dat upx behavioral2/files/0x0007000000023cb9-48.dat upx behavioral2/memory/4860-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-53.dat upx behavioral2/memory/1400-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2424-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-59.dat upx behavioral2/memory/676-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cae-63.dat upx behavioral2/files/0x0007000000023cbc-68.dat upx behavioral2/memory/2416-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2552-75-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cbe-74.dat upx behavioral2/files/0x0007000000023cbf-79.dat upx behavioral2/files/0x0007000000023cc0-84.dat upx behavioral2/files/0x0007000000023cc1-88.dat upx behavioral2/memory/540-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/540-85-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-94.dat upx behavioral2/memory/3048-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2020-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-98.dat upx behavioral2/memory/4468-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-103.dat upx behavioral2/memory/1848-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-108.dat upx behavioral2/files/0x0007000000023cc6-112.dat upx behavioral2/memory/4548-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-117.dat upx behavioral2/files/0x0007000000023cc8-121.dat upx behavioral2/files/0x0007000000023cc9-127.dat upx behavioral2/memory/3244-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2468-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-130.dat upx behavioral2/files/0x0007000000023ccb-135.dat upx behavioral2/files/0x0007000000023ccc-141.dat upx behavioral2/files/0x0007000000023ccd-145.dat upx behavioral2/memory/2588-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cce-148.dat upx behavioral2/memory/860-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccf-153.dat upx behavioral2/memory/4992-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1384-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/720-163-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral2/memory/1272-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1176-171-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat: reads of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language are also made by ordinary runtime and locale initialisation, so on its own this TTP is weak evidence of targeting. The "Process not Found" entries are registry events the sandbox could not attribute to a running process, most likely because the short-lived stage had already exited when the event was recorded.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 808480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 000482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs shown (truncated after the stage with PID 1848). In the portion shown every parent→child pair is recorded three times and the target is always the freshly spawned next stage of the chain; no writes into unrelated or system processes appear here, so this reflects the stage-to-stage handoff rather than injection into a foreign process — though only the first 22 stages are covered.
description pid Process procid_target PID 5072 wrote to memory of 736 5072 ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe 83 PID 5072 wrote to memory of 736 5072 ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe 83 PID 5072 wrote to memory of 736 5072 ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe 83 PID 736 wrote to memory of 2440 736 40822.exe 84 PID 736 wrote to memory of 2440 736 40822.exe 84 PID 736 wrote to memory of 2440 736 40822.exe 84 PID 2440 wrote to memory of 1836 2440 dvddd.exe 85 PID 2440 wrote to memory of 1836 2440 dvddd.exe 85 PID 2440 wrote to memory of 1836 2440 dvddd.exe 85 PID 1836 wrote to memory of 4224 1836 xrrrllf.exe 86 PID 1836 wrote to memory of 4224 1836 xrrrllf.exe 86 PID 1836 wrote to memory of 4224 1836 xrrrllf.exe 86 PID 4224 wrote to memory of 3380 4224 60828.exe 87 PID 4224 wrote to memory of 3380 4224 60828.exe 87 PID 4224 wrote to memory of 3380 4224 60828.exe 87 PID 3380 wrote to memory of 1904 3380 224644.exe 88 PID 3380 wrote to memory of 1904 3380 224644.exe 88 PID 3380 wrote to memory of 1904 3380 224644.exe 88 PID 1904 wrote to memory of 4876 1904 ffrxxrx.exe 89 PID 1904 wrote to memory of 4876 1904 ffrxxrx.exe 89 PID 1904 wrote to memory of 4876 1904 ffrxxrx.exe 89 PID 4876 wrote to memory of 3144 4876 204064.exe 90 PID 4876 wrote to memory of 3144 4876 204064.exe 90 PID 4876 wrote to memory of 3144 4876 204064.exe 90 PID 3144 wrote to memory of 4860 3144 0226666.exe 91 PID 3144 wrote to memory of 4860 3144 0226666.exe 91 PID 3144 wrote to memory of 4860 3144 0226666.exe 91 PID 4860 wrote to memory of 1400 4860 0240444.exe 92 PID 4860 wrote to memory of 1400 4860 0240444.exe 92 PID 4860 wrote to memory of 1400 4860 0240444.exe 92 PID 1400 wrote to memory of 2424 1400 02402.exe 93 PID 1400 wrote to memory of 2424 1400 02402.exe 93 PID 1400 wrote to memory of 2424 1400 02402.exe 93 PID 2424 wrote to memory of 676 2424 nnhbnn.exe 94 PID 2424 wrote to memory 
of 676 2424 nnhbnn.exe 94 PID 2424 wrote to memory of 676 2424 nnhbnn.exe 94 PID 676 wrote to memory of 2416 676 240044.exe 95 PID 676 wrote to memory of 2416 676 240044.exe 95 PID 676 wrote to memory of 2416 676 240044.exe 95 PID 2416 wrote to memory of 2552 2416 4082060.exe 96 PID 2416 wrote to memory of 2552 2416 4082060.exe 96 PID 2416 wrote to memory of 2552 2416 4082060.exe 96 PID 2552 wrote to memory of 3048 2552 1bhbtn.exe 97 PID 2552 wrote to memory of 3048 2552 1bhbtn.exe 97 PID 2552 wrote to memory of 3048 2552 1bhbtn.exe 97 PID 3048 wrote to memory of 3280 3048 444824.exe 98 PID 3048 wrote to memory of 3280 3048 444824.exe 98 PID 3048 wrote to memory of 3280 3048 444824.exe 98 PID 3280 wrote to memory of 540 3280 6404484.exe 99 PID 3280 wrote to memory of 540 3280 6404484.exe 99 PID 3280 wrote to memory of 540 3280 6404484.exe 99 PID 540 wrote to memory of 2020 540 6088002.exe 100 PID 540 wrote to memory of 2020 540 6088002.exe 100 PID 540 wrote to memory of 2020 540 6088002.exe 100 PID 2020 wrote to memory of 4468 2020 646622.exe 101 PID 2020 wrote to memory of 4468 2020 646622.exe 101 PID 2020 wrote to memory of 4468 2020 646622.exe 101 PID 4468 wrote to memory of 5016 4468 lxffxff.exe 102 PID 4468 wrote to memory of 5016 4468 lxffxff.exe 102 PID 4468 wrote to memory of 5016 4468 lxffxff.exe 102 PID 5016 wrote to memory of 1848 5016 262288.exe 103 PID 5016 wrote to memory of 1848 5016 262288.exe 103 PID 5016 wrote to memory of 1848 5016 262288.exe 103 PID 1848 wrote to memory of 4548 1848 lxlxxxf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe"C:\Users\Admin\AppData\Local\Temp\ea66a835b94123afe2221074fecebf8269b7c4afe401f5fb3ad67cb3f726ae1bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\40822.exec:\40822.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\dvddd.exec:\dvddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\xrrrllf.exec:\xrrrllf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\60828.exec:\60828.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\224644.exec:\224644.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\ffrxxrx.exec:\ffrxxrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\204064.exec:\204064.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\0226666.exec:\0226666.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\0240444.exec:\0240444.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\02402.exec:\02402.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\nnhbnn.exec:\nnhbnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\240044.exec:\240044.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\4082060.exec:\4082060.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\1bhbtn.exec:\1bhbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\444824.exec:\444824.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\6404484.exec:\6404484.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\6088002.exec:\6088002.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\646622.exec:\646622.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\lxffxff.exec:\lxffxff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\262288.exec:\262288.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\lxlxxxf.exec:\lxlxxxf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\7jjdd.exec:\7jjdd.exe23⤵
- Executes dropped EXE
PID:4548 -
\??\c:\8248664.exec:\8248664.exe24⤵
- Executes dropped EXE
PID:4800 -
\??\c:\9pvjd.exec:\9pvjd.exe25⤵
- Executes dropped EXE
PID:3244 -
\??\c:\tttnhh.exec:\tttnhh.exe26⤵
- Executes dropped EXE
PID:4980 -
\??\c:\24622.exec:\24622.exe27⤵
- Executes dropped EXE
PID:2468 -
\??\c:\jdvpj.exec:\jdvpj.exe28⤵
- Executes dropped EXE
PID:2588 -
\??\c:\i860022.exec:\i860022.exe29⤵
- Executes dropped EXE
PID:2948 -
\??\c:\28404.exec:\28404.exe30⤵
- Executes dropped EXE
PID:5044 -
\??\c:\xlrrllf.exec:\xlrrllf.exe31⤵
- Executes dropped EXE
PID:3800 -
\??\c:\28826.exec:\28826.exe32⤵
- Executes dropped EXE
PID:860 -
\??\c:\7frlfll.exec:\7frlfll.exe33⤵
- Executes dropped EXE
PID:4992 -
\??\c:\lllfxff.exec:\lllfxff.exe34⤵
- Executes dropped EXE
PID:1384 -
\??\c:\btnntt.exec:\btnntt.exe35⤵
- Executes dropped EXE
PID:720 -
\??\c:\4640268.exec:\4640268.exe36⤵
- Executes dropped EXE
PID:928 -
\??\c:\u628222.exec:\u628222.exe37⤵
- Executes dropped EXE
PID:1272 -
\??\c:\0488446.exec:\0488446.exe38⤵
- Executes dropped EXE
PID:1176 -
\??\c:\88048.exec:\88048.exe39⤵
- Executes dropped EXE
PID:2820 -
\??\c:\684444.exec:\684444.exe40⤵
- Executes dropped EXE
PID:1888 -
\??\c:\lxfflll.exec:\lxfflll.exe41⤵
- Executes dropped EXE
PID:2932 -
\??\c:\e06604.exec:\e06604.exe42⤵
- Executes dropped EXE
PID:3152 -
\??\c:\g0004.exec:\g0004.exe43⤵
- Executes dropped EXE
PID:1100 -
\??\c:\xxxfflf.exec:\xxxfflf.exe44⤵
- Executes dropped EXE
PID:1728 -
\??\c:\nhnntt.exec:\nhnntt.exe45⤵
- Executes dropped EXE
PID:3612 -
\??\c:\thhbbt.exec:\thhbbt.exe46⤵
- Executes dropped EXE
PID:660 -
\??\c:\xlfrlfx.exec:\xlfrlfx.exe47⤵
- Executes dropped EXE
PID:1124 -
\??\c:\dpdvp.exec:\dpdvp.exe48⤵
- Executes dropped EXE
PID:2612 -
\??\c:\hntnth.exec:\hntnth.exe49⤵
- Executes dropped EXE
PID:2404 -
\??\c:\hhhthb.exec:\hhhthb.exe50⤵
- Executes dropped EXE
PID:1544 -
\??\c:\u664826.exec:\u664826.exe51⤵
- Executes dropped EXE
PID:3588 -
\??\c:\204208.exec:\204208.exe52⤵
- Executes dropped EXE
PID:952 -
\??\c:\846482.exec:\846482.exe53⤵
- Executes dropped EXE
PID:3656 -
\??\c:\1ffxlfl.exec:\1ffxlfl.exe54⤵
- Executes dropped EXE
PID:3856 -
\??\c:\4286666.exec:\4286666.exe55⤵
- Executes dropped EXE
PID:3776 -
\??\c:\5hnhhb.exec:\5hnhhb.exe56⤵
- Executes dropped EXE
PID:3288 -
\??\c:\4480400.exec:\4480400.exe57⤵
- Executes dropped EXE
PID:4968 -
\??\c:\ddjpj.exec:\ddjpj.exe58⤵
- Executes dropped EXE
PID:3620 -
\??\c:\002648.exec:\002648.exe59⤵
- Executes dropped EXE
PID:4940 -
\??\c:\xxxlxrf.exec:\xxxlxrf.exe60⤵
- Executes dropped EXE
PID:2164 -
\??\c:\224860.exec:\224860.exe61⤵
- Executes dropped EXE
PID:1752 -
\??\c:\ffxxffl.exec:\ffxxffl.exe62⤵
- Executes dropped EXE
PID:2908 -
\??\c:\42648.exec:\42648.exe63⤵
- Executes dropped EXE
PID:4136 -
\??\c:\vvjdp.exec:\vvjdp.exe64⤵
- Executes dropped EXE
PID:4564 -
\??\c:\5bbthb.exec:\5bbthb.exe65⤵
- Executes dropped EXE
PID:3276 -
\??\c:\84244.exec:\84244.exe66⤵PID:3864
-
\??\c:\8260886.exec:\8260886.exe67⤵PID:320
-
\??\c:\a2220.exec:\a2220.exe68⤵PID:1912
-
\??\c:\20026.exec:\20026.exe69⤵PID:1688
-
\??\c:\84626.exec:\84626.exe70⤵PID:524
-
\??\c:\648826.exec:\648826.exe71⤵PID:2540
-
\??\c:\9hhbnh.exec:\9hhbnh.exe72⤵PID:2004
-
\??\c:\xfflfxr.exec:\xfflfxr.exe73⤵PID:4860
-
\??\c:\46428.exec:\46428.exe74⤵PID:4032
-
\??\c:\446644.exec:\446644.exe75⤵PID:2692
-
\??\c:\840048.exec:\840048.exe76⤵PID:1696
-
\??\c:\7vvpp.exec:\7vvpp.exe77⤵PID:3808
-
\??\c:\426644.exec:\426644.exe78⤵
- System Location Discovery: System Language Discovery
PID:4296 -
\??\c:\k24260.exec:\k24260.exe79⤵PID:2416
-
\??\c:\rrfxrll.exec:\rrfxrll.exe80⤵PID:3804
-
\??\c:\024044.exec:\024044.exe81⤵PID:4304
-
\??\c:\48480.exec:\48480.exe82⤵PID:3156
-
\??\c:\frrrlrr.exec:\frrrlrr.exe83⤵PID:3852
-
\??\c:\7lllffx.exec:\7lllffx.exe84⤵PID:4616
-
\??\c:\26682.exec:\26682.exe85⤵PID:4496
-
\??\c:\dvddv.exec:\dvddv.exe86⤵PID:2020
-
\??\c:\06860.exec:\06860.exe87⤵PID:1440
-
\??\c:\606088.exec:\606088.exe88⤵PID:388
-
\??\c:\9xrlfrl.exec:\9xrlfrl.exe89⤵PID:5104
-
\??\c:\s8440.exec:\s8440.exe90⤵PID:1088
-
\??\c:\2066044.exec:\2066044.exe91⤵PID:2796
-
\??\c:\lrffxxx.exec:\lrffxxx.exe92⤵PID:4548
-
\??\c:\828622.exec:\828622.exe93⤵PID:3124
-
\??\c:\6864888.exec:\6864888.exe94⤵PID:1648
-
\??\c:\440488.exec:\440488.exe95⤵PID:2232
-
\??\c:\xrxxfxf.exec:\xrxxfxf.exe96⤵
- System Location Discovery: System Language Discovery
PID:1560 -
\??\c:\vvdjd.exec:\vvdjd.exe97⤵PID:1624
-
\??\c:\o466040.exec:\o466040.exe98⤵PID:4948
-
\??\c:\6084444.exec:\6084444.exe99⤵PID:5024
-
\??\c:\62888.exec:\62888.exe100⤵PID:976
-
\??\c:\6206626.exec:\6206626.exe101⤵PID:2860
-
\??\c:\4664462.exec:\4664462.exe102⤵PID:632
-
\??\c:\hhttnn.exec:\hhttnn.exe103⤵PID:4716
-
\??\c:\a8000.exec:\a8000.exe104⤵PID:4784
-
\??\c:\bhbhbh.exec:\bhbhbh.exe105⤵PID:916
-
\??\c:\rxxrrxf.exec:\rxxrrxf.exe106⤵PID:3428
-
\??\c:\0604268.exec:\0604268.exe107⤵PID:4952
-
\??\c:\thtnbt.exec:\thtnbt.exe108⤵PID:2572
-
\??\c:\ddvpv.exec:\ddvpv.exe109⤵PID:5004
-
\??\c:\djjjj.exec:\djjjj.exe110⤵PID:4024
-
\??\c:\e86666.exec:\e86666.exe111⤵PID:1120
-
\??\c:\llxrlll.exec:\llxrlll.exe112⤵PID:3956
-
\??\c:\4048648.exec:\4048648.exe113⤵PID:1676
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe114⤵PID:2768
-
\??\c:\g4048.exec:\g4048.exe115⤵PID:1680
-
\??\c:\c244488.exec:\c244488.exe116⤵PID:1100
-
\??\c:\60862.exec:\60862.exe117⤵PID:2816
-
\??\c:\62060.exec:\62060.exe118⤵PID:2488
-
\??\c:\vpdvv.exec:\vpdvv.exe119⤵PID:660
-
\??\c:\6240066.exec:\6240066.exe120⤵PID:3812
-
\??\c:\xrxxlll.exec:\xrxxlll.exe121⤵PID:4488
-
\??\c:\60642.exec:\60642.exe122⤵PID:2404