Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
20-01-2025 09:13
Behavioral task
behavioral1
Sample
5a2167e8684d1275919ab85e411ef4a80a7d5c800022a1e6a7113f7811db9a1dN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5a2167e8684d1275919ab85e411ef4a80a7d5c800022a1e6a7113f7811db9a1dN.exe
-
Size
335KB
-
MD5
8683e87330813c165d02f97299dc7480
-
SHA1
b102ae817d516feb9e5d776fbad4e911c97d6fa4
-
SHA256
5a2167e8684d1275919ab85e411ef4a80a7d5c800022a1e6a7113f7811db9a1d
-
SHA512
1e3f947e673874e84bf29e95b9c8c601f05dd0a786236abf648ff4f65f433a643321b21eee5ee876a7fea38227583306e424f6abce0a6aa543b28e3bac0ba691
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbe4GE:R4wFHoSHYHUrAwfMp3CD4GE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2896-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4908-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3204-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1176-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4700-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5032-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4104-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4912-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3536-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1404-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2624-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3048-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1552-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2608-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1732-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3464-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4940-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1996-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2680-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3352-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1184-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2104-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1528-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1816-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1532-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4624-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1708-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3224-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3212-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4188-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/756-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1128-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1552-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4296-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2600-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2412-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3352-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1448-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4260-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1280-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3484-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-427-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3312-463-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-480-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3148-489-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/900-554-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-569-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1856-663-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4760-731-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/404-784-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1972 6004882.exe 4908 bbtnnh.exe 3204 9xffffx.exe 1176 o642602.exe 4700 644426.exe 5032 9btnbb.exe 4104 fxxrfxx.exe 1840 84064.exe 4912 btthtn.exe 3536 046644.exe 1404 rxlxlxr.exe 2624 m4648.exe 2160 xffrlfx.exe 1988 000860.exe 3048 hnnhtt.exe 2656 000260.exe 4300 xlxrxrf.exe 2884 888000.exe 4408 266840.exe 1828 jdddd.exe 1552 flrlfxr.exe 552 jvdvv.exe 2608 vpdjp.exe 4116 vpvjd.exe 1732 bthbbb.exe 4208 pdvvp.exe 3464 202266.exe 1996 pdvvv.exe 4080 nbhbtn.exe 4940 nntnbb.exe 4616 1rrllrr.exe 2680 24422.exe 3352 pdjpp.exe 4664 vvjjj.exe 3060 640482.exe 1184 ffrlxxr.exe 1896 bhhnhb.exe 2104 nnnhnt.exe 1528 hnttbb.exe 2372 00282.exe 4992 668888.exe 3472 9flfflr.exe 4552 3lxrxrx.exe 1816 860426.exe 1532 hnthbn.exe 4084 5xlrxll.exe 436 068604.exe 1152 vdjdp.exe 3216 3pvpj.exe 1400 hhhbnn.exe 4624 bthbbb.exe 4140 480226.exe 1708 u800822.exe 2920 04404.exe 4868 hhnhhh.exe 868 xllfrlx.exe 1780 408624.exe 3212 4866668.exe 900 lrfxrrl.exe 4020 rrxlxxx.exe 3600 fxffllr.exe 5052 864842.exe 1308 82666.exe 1248 06826.exe -
resource yara_rule behavioral2/memory/2896-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b29-3.dat upx behavioral2/memory/2896-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1972-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b8f-9.dat upx behavioral2/files/0x0009000000023ba5-11.dat upx behavioral2/memory/4908-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023ba6-18.dat upx behavioral2/memory/3204-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bac-23.dat upx behavioral2/memory/1176-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023baf-28.dat upx behavioral2/memory/4700-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5032-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bb0-33.dat upx behavioral2/files/0x0008000000023bb1-38.dat upx behavioral2/memory/4104-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bb2-43.dat upx behavioral2/memory/1840-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023be1-48.dat upx behavioral2/memory/4912-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000f000000023b96-53.dat upx behavioral2/memory/3536-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023be2-58.dat upx behavioral2/memory/1404-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023be3-64.dat upx behavioral2/memory/2624-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023be4-69.dat upx behavioral2/memory/1988-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023be6-73.dat upx 
behavioral2/memory/3048-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023beb-78.dat upx behavioral2/files/0x0008000000023bec-83.dat upx behavioral2/memory/4300-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bed-88.dat upx behavioral2/memory/4300-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bff-93.dat upx behavioral2/files/0x0008000000023c05-97.dat upx behavioral2/memory/1552-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c06-101.dat upx behavioral2/files/0x0008000000023c07-105.dat upx behavioral2/files/0x0008000000023c08-109.dat upx behavioral2/memory/2608-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c09-114.dat upx behavioral2/memory/2608-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0a-119.dat upx behavioral2/memory/4116-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023c1f-124.dat upx behavioral2/memory/1732-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4208-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0016000000023c20-130.dat upx behavioral2/files/0x0008000000023c26-133.dat upx behavioral2/memory/3464-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c2a-139.dat upx behavioral2/files/0x0008000000023c36-145.dat upx behavioral2/memory/4940-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1996-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c37-149.dat upx behavioral2/memory/4616-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c38-154.dat upx behavioral2/memory/2680-158-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3352-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3060-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1184-169-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htnht.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0404486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o004882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2896 wrote to memory of 1972 2896 5a2167e8684d1275919ab85e411ef4a80a7d5c800022a1e6a7113f7811db9a1dN.exe 83 PID 2896 wrote to memory of 1972 2896 5a2167e8684d1275919ab85e411ef4a80a7d5c800022a1e6a7113f7811db9a1dN.exe 83 PID 2896 wrote to memory of 1972 2896 5a2167e8684d1275919ab85e411ef4a80a7d5c800022a1e6a7113f7811db9a1dN.exe 83 PID 1972 wrote to memory of 4908 1972 6004882.exe 84 PID 1972 wrote to memory of 4908 1972 6004882.exe 84 PID 1972 wrote to memory of 4908 1972 6004882.exe 84 PID 4908 wrote to memory of 3204 4908 bbtnnh.exe 85 PID 4908 wrote to memory of 3204 4908 bbtnnh.exe 85 PID 4908 wrote to memory of 3204 4908 bbtnnh.exe 85 PID 3204 wrote to memory of 1176 3204 9xffffx.exe 86 PID 3204 wrote to memory of 1176 3204 9xffffx.exe 86 PID 3204 wrote to memory of 1176 3204 9xffffx.exe 86 PID 1176 wrote to memory of 4700 1176 o642602.exe 87 PID 1176 wrote to memory of 4700 1176 o642602.exe 87 PID 1176 wrote to memory of 4700 1176 o642602.exe 87 PID 4700 wrote to memory of 5032 4700 644426.exe 88 PID 4700 wrote to memory of 5032 4700 644426.exe 88 PID 4700 wrote to memory of 5032 4700 644426.exe 88 PID 5032 wrote to memory of 4104 5032 9btnbb.exe 89 PID 5032 wrote to memory of 4104 5032 9btnbb.exe 89 PID 5032 wrote to memory of 4104 5032 9btnbb.exe 89 PID 4104 wrote to memory of 1840 4104 fxxrfxx.exe 90 PID 4104 wrote to memory of 1840 4104 fxxrfxx.exe 90 PID 4104 wrote to memory of 1840 4104 fxxrfxx.exe 90 PID 1840 wrote to memory of 4912 1840 84064.exe 91 PID 1840 wrote to memory of 4912 1840 84064.exe 91 PID 1840 wrote to memory of 4912 1840 84064.exe 91 PID 4912 wrote to memory of 3536 4912 btthtn.exe 92 PID 4912 wrote to memory of 3536 4912 btthtn.exe 92 PID 4912 wrote to memory of 3536 4912 btthtn.exe 92 PID 3536 wrote to memory of 1404 3536 046644.exe 93 PID 3536 wrote to memory of 1404 3536 046644.exe 93 PID 3536 wrote to memory of 1404 3536 046644.exe 93 PID 1404 wrote to memory of 2624 1404 rxlxlxr.exe 94 PID 
1404 wrote to memory of 2624 1404 rxlxlxr.exe 94 PID 1404 wrote to memory of 2624 1404 rxlxlxr.exe 94 PID 2624 wrote to memory of 2160 2624 m4648.exe 95 PID 2624 wrote to memory of 2160 2624 m4648.exe 95 PID 2624 wrote to memory of 2160 2624 m4648.exe 95 PID 2160 wrote to memory of 1988 2160 xffrlfx.exe 96 PID 2160 wrote to memory of 1988 2160 xffrlfx.exe 96 PID 2160 wrote to memory of 1988 2160 xffrlfx.exe 96 PID 1988 wrote to memory of 3048 1988 000860.exe 97 PID 1988 wrote to memory of 3048 1988 000860.exe 97 PID 1988 wrote to memory of 3048 1988 000860.exe 97 PID 3048 wrote to memory of 2656 3048 hnnhtt.exe 98 PID 3048 wrote to memory of 2656 3048 hnnhtt.exe 98 PID 3048 wrote to memory of 2656 3048 hnnhtt.exe 98 PID 2656 wrote to memory of 4300 2656 000260.exe 99 PID 2656 wrote to memory of 4300 2656 000260.exe 99 PID 2656 wrote to memory of 4300 2656 000260.exe 99 PID 4300 wrote to memory of 2884 4300 xlxrxrf.exe 100 PID 4300 wrote to memory of 2884 4300 xlxrxrf.exe 100 PID 4300 wrote to memory of 2884 4300 xlxrxrf.exe 100 PID 2884 wrote to memory of 4408 2884 888000.exe 101 PID 2884 wrote to memory of 4408 2884 888000.exe 101 PID 2884 wrote to memory of 4408 2884 888000.exe 101 PID 4408 wrote to memory of 1828 4408 266840.exe 102 PID 4408 wrote to memory of 1828 4408 266840.exe 102 PID 4408 wrote to memory of 1828 4408 266840.exe 102 PID 1828 wrote to memory of 1552 1828 jdddd.exe 103 PID 1828 wrote to memory of 1552 1828 jdddd.exe 103 PID 1828 wrote to memory of 1552 1828 jdddd.exe 103 PID 1552 wrote to memory of 552 1552 flrlfxr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a2167e8684d1275919ab85e411ef4a80a7d5c800022a1e6a7113f7811db9a1dN.exe"C:\Users\Admin\AppData\Local\Temp\5a2167e8684d1275919ab85e411ef4a80a7d5c800022a1e6a7113f7811db9a1dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\6004882.exec:\6004882.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\bbtnnh.exec:\bbtnnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\9xffffx.exec:\9xffffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\o642602.exec:\o642602.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\644426.exec:\644426.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\9btnbb.exec:\9btnbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\fxxrfxx.exec:\fxxrfxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\84064.exec:\84064.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\btthtn.exec:\btthtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\046644.exec:\046644.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\rxlxlxr.exec:\rxlxlxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\m4648.exec:\m4648.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\xffrlfx.exec:\xffrlfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\000860.exec:\000860.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\hnnhtt.exec:\hnnhtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\000260.exec:\000260.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\xlxrxrf.exec:\xlxrxrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\888000.exec:\888000.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\266840.exec:\266840.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\jdddd.exec:\jdddd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\flrlfxr.exec:\flrlfxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\jvdvv.exec:\jvdvv.exe23⤵
- Executes dropped EXE
PID:552 -
\??\c:\vpdjp.exec:\vpdjp.exe24⤵
- Executes dropped EXE
PID:2608 -
\??\c:\vpvjd.exec:\vpvjd.exe25⤵
- Executes dropped EXE
PID:4116 -
\??\c:\bthbbb.exec:\bthbbb.exe26⤵
- Executes dropped EXE
PID:1732 -
\??\c:\pdvvp.exec:\pdvvp.exe27⤵
- Executes dropped EXE
PID:4208 -
\??\c:\202266.exec:\202266.exe28⤵
- Executes dropped EXE
PID:3464 -
\??\c:\pdvvv.exec:\pdvvv.exe29⤵
- Executes dropped EXE
PID:1996 -
\??\c:\nbhbtn.exec:\nbhbtn.exe30⤵
- Executes dropped EXE
PID:4080 -
\??\c:\nntnbb.exec:\nntnbb.exe31⤵
- Executes dropped EXE
PID:4940 -
\??\c:\1rrllrr.exec:\1rrllrr.exe32⤵
- Executes dropped EXE
PID:4616 -
\??\c:\24422.exec:\24422.exe33⤵
- Executes dropped EXE
PID:2680 -
\??\c:\pdjpp.exec:\pdjpp.exe34⤵
- Executes dropped EXE
PID:3352 -
\??\c:\vvjjj.exec:\vvjjj.exe35⤵
- Executes dropped EXE
PID:4664 -
\??\c:\640482.exec:\640482.exe36⤵
- Executes dropped EXE
PID:3060 -
\??\c:\ffrlxxr.exec:\ffrlxxr.exe37⤵
- Executes dropped EXE
PID:1184 -
\??\c:\bhhnhb.exec:\bhhnhb.exe38⤵
- Executes dropped EXE
PID:1896 -
\??\c:\nnnhnt.exec:\nnnhnt.exe39⤵
- Executes dropped EXE
PID:2104 -
\??\c:\hnttbb.exec:\hnttbb.exe40⤵
- Executes dropped EXE
PID:1528 -
\??\c:\00282.exec:\00282.exe41⤵
- Executes dropped EXE
PID:2372 -
\??\c:\668888.exec:\668888.exe42⤵
- Executes dropped EXE
PID:4992 -
\??\c:\9flfflr.exec:\9flfflr.exe43⤵
- Executes dropped EXE
PID:3472 -
\??\c:\3lxrxrx.exec:\3lxrxrx.exe44⤵
- Executes dropped EXE
PID:4552 -
\??\c:\860426.exec:\860426.exe45⤵
- Executes dropped EXE
PID:1816 -
\??\c:\hnthbn.exec:\hnthbn.exe46⤵
- Executes dropped EXE
PID:1532 -
\??\c:\5xlrxll.exec:\5xlrxll.exe47⤵
- Executes dropped EXE
PID:4084 -
\??\c:\068604.exec:\068604.exe48⤵
- Executes dropped EXE
PID:436 -
\??\c:\vdjdp.exec:\vdjdp.exe49⤵
- Executes dropped EXE
PID:1152 -
\??\c:\3pvpj.exec:\3pvpj.exe50⤵
- Executes dropped EXE
PID:3216 -
\??\c:\hhhbnn.exec:\hhhbnn.exe51⤵
- Executes dropped EXE
PID:1400 -
\??\c:\bthbbb.exec:\bthbbb.exe52⤵
- Executes dropped EXE
PID:4624 -
\??\c:\480226.exec:\480226.exe53⤵
- Executes dropped EXE
PID:4140 -
\??\c:\u800822.exec:\u800822.exe54⤵
- Executes dropped EXE
PID:1708 -
\??\c:\04404.exec:\04404.exe55⤵
- Executes dropped EXE
PID:2920 -
\??\c:\hhnhhh.exec:\hhnhhh.exe56⤵
- Executes dropped EXE
PID:4868 -
\??\c:\pjvpj.exec:\pjvpj.exe57⤵PID:3224
-
\??\c:\xllfrlx.exec:\xllfrlx.exe58⤵
- Executes dropped EXE
PID:868 -
\??\c:\408624.exec:\408624.exe59⤵
- Executes dropped EXE
PID:1780 -
\??\c:\4866668.exec:\4866668.exe60⤵
- Executes dropped EXE
PID:3212 -
\??\c:\lrfxrrl.exec:\lrfxrrl.exe61⤵
- Executes dropped EXE
PID:900 -
\??\c:\rrxlxxx.exec:\rrxlxxx.exe62⤵
- Executes dropped EXE
PID:4020 -
\??\c:\fxffllr.exec:\fxffllr.exe63⤵
- Executes dropped EXE
PID:3600 -
\??\c:\864842.exec:\864842.exe64⤵
- Executes dropped EXE
PID:5052 -
\??\c:\82666.exec:\82666.exe65⤵
- Executes dropped EXE
PID:1308 -
\??\c:\06826.exec:\06826.exe66⤵
- Executes dropped EXE
PID:1248 -
\??\c:\c888660.exec:\c888660.exe67⤵PID:2432
-
\??\c:\6448044.exec:\6448044.exe68⤵PID:2364
-
\??\c:\0662804.exec:\0662804.exe69⤵PID:4916
-
\??\c:\tntnhb.exec:\tntnhb.exe70⤵PID:1840
-
\??\c:\g2426.exec:\g2426.exe71⤵PID:4188
-
\??\c:\44660.exec:\44660.exe72⤵PID:4088
-
\??\c:\008860.exec:\008860.exe73⤵PID:712
-
\??\c:\rxfrlfx.exec:\rxfrlfx.exe74⤵PID:216
-
\??\c:\2644002.exec:\2644002.exe75⤵PID:2184
-
\??\c:\dvdvp.exec:\dvdvp.exe76⤵PID:1600
-
\??\c:\pvddp.exec:\pvddp.exe77⤵PID:3676
-
\??\c:\42666.exec:\42666.exe78⤵PID:2724
-
\??\c:\thnntb.exec:\thnntb.exe79⤵PID:756
-
\??\c:\u882600.exec:\u882600.exe80⤵PID:1988
-
\??\c:\402644.exec:\402644.exe81⤵PID:4228
-
\??\c:\9jjdd.exec:\9jjdd.exe82⤵PID:4864
-
\??\c:\flxrrrl.exec:\flxrrrl.exe83⤵PID:1128
-
\??\c:\22044.exec:\22044.exe84⤵PID:4300
-
\??\c:\2660480.exec:\2660480.exe85⤵PID:3528
-
\??\c:\222884.exec:\222884.exe86⤵PID:1168
-
\??\c:\rfxrrrl.exec:\rfxrrrl.exe87⤵PID:1156
-
\??\c:\rllrllf.exec:\rllrllf.exe88⤵PID:3124
-
\??\c:\462688.exec:\462688.exe89⤵PID:3884
-
\??\c:\480622.exec:\480622.exe90⤵PID:1552
-
\??\c:\826040.exec:\826040.exe91⤵PID:2328
-
\??\c:\btbttt.exec:\btbttt.exe92⤵PID:1048
-
\??\c:\jvdvp.exec:\jvdvp.exe93⤵PID:3312
-
\??\c:\u404226.exec:\u404226.exe94⤵PID:4296
-
\??\c:\2622266.exec:\2622266.exe95⤵PID:2600
-
\??\c:\7rrrlll.exec:\7rrrlll.exe96⤵PID:1824
-
\??\c:\4444842.exec:\4444842.exe97⤵PID:4556
-
\??\c:\bbhhhh.exec:\bbhhhh.exe98⤵PID:2908
-
\??\c:\686044.exec:\686044.exe99⤵PID:3800
-
\??\c:\260064.exec:\260064.exe100⤵PID:1768
-
\??\c:\080666.exec:\080666.exe101⤵PID:760
-
\??\c:\xrrrffx.exec:\xrrrffx.exe102⤵PID:3496
-
\??\c:\lffxrrr.exec:\lffxrrr.exe103⤵PID:2868
-
\??\c:\7jvpv.exec:\7jvpv.exe104⤵PID:4632
-
\??\c:\tbbnbb.exec:\tbbnbb.exe105⤵PID:2276
-
\??\c:\pjdvp.exec:\pjdvp.exe106⤵PID:2412
-
\??\c:\m0042.exec:\m0042.exe107⤵PID:3352
-
\??\c:\62820.exec:\62820.exe108⤵PID:1448
-
\??\c:\266666.exec:\266666.exe109⤵PID:1984
-
\??\c:\826666.exec:\826666.exe110⤵PID:1804
-
\??\c:\i288666.exec:\i288666.exe111⤵PID:4260
-
\??\c:\80084.exec:\80084.exe112⤵PID:4284
-
\??\c:\jjdvd.exec:\jjdvd.exe113⤵PID:2340
-
\??\c:\64826.exec:\64826.exe114⤵PID:1276
-
\??\c:\dvvpd.exec:\dvvpd.exe115⤵PID:460
-
\??\c:\6406686.exec:\6406686.exe116⤵PID:3428
-
\??\c:\flrfflx.exec:\flrfflx.exe117⤵PID:3472
-
\??\c:\086688.exec:\086688.exe118⤵PID:4552
-
\??\c:\220444.exec:\220444.exe119⤵PID:2916
-
\??\c:\hntbnn.exec:\hntbnn.exe120⤵PID:4584
-
\??\c:\vpppd.exec:\vpppd.exe121⤵PID:1280
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe122⤵PID:4800