Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
21-11-2024 09:00
Behavioral task
behavioral1
Sample
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe
Resource
win7-20240903-en
General
-
Target
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe
-
Size
335KB
-
MD5
7a0f333a155797167d0c5c56254cc806
-
SHA1
a2b255e1eb252ef27942c16ee3031bf6d5f63d5e
-
SHA256
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f
-
SHA512
7d1e40cafc3463f84b2610ef06f5644e9f5bab008da42a78d8d270a17d2110830377b4668643b74000d5ab296659dc930f710c647e80869b837a74c90a4cc82d
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRp:R4wFHoSHYHUrAwfMp3CDRp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/5116-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4056-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2396-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1268-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3228-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2380-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/780-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/516-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3036-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5100-279-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1444-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1864-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2432-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4204-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/404-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4672-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4264-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1952-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1828-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2328-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4328-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3104-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1128-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4776-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/780-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3704-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2816-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4084-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/432-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3508-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3904-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3096-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5024-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/448-433-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1416-450-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-459-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1188-496-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-512-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5024-527-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-531-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/840-614-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3332-637-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
224488.exek46682.exettbbbh.exe2062682.exethhbnh.exe8420882.exehbnhtn.exe2626044.exe406600.exe60600.exe7xxlxfx.exe4066660.exe9hhhtn.exe6000826.exe884228.exe00664.exe424488.exerrrfxrl.exeo088882.exerfxlfxr.exe9xlfrrl.exe20882.exe40286.exebnhbnn.exes4004.exefffxrrf.exe7vvpd.exejddvp.exe240486.exe4060482.exe04668.exedjpjd.exe802482.exe00286.exe646622.exe442084.exe5ttnhb.exevpvpj.exe26248.exeq60482.exe86200.exe28486.exe68486.exerlfxrlr.exe24664.exenhtthh.exe64064.exe208426.exe6688260.exerlxlllf.exe8466604.exepvpjv.exefxxrllf.exellxrxxf.exe40842.exejdjvp.exelffrllf.exeq06666.exe22448.exe48824.exe84660.exeg6822.exetbhbtn.exejppjd.exepid Process 4056 224488.exe 5036 k46682.exe 4084 ttbbbh.exe 4208 2062682.exe 2396 thhbnh.exe 2816 8420882.exe 1616 hbnhtn.exe 3704 2626044.exe 780 406600.exe 4136 60600.exe 4008 7xxlxfx.exe 1268 4066660.exe 4776 9hhhtn.exe 380 6000826.exe 3036 884228.exe 2552 00664.exe 3184 424488.exe 1928 rrrfxrl.exe 1128 o088882.exe 3588 rfxlfxr.exe 3104 9xlfrrl.exe 4328 20882.exe 3228 40286.exe 4680 bnhbnn.exe 1476 s4004.exe 2328 fffxrrf.exe 1828 7vvpd.exe 2564 jddvp.exe 1952 240486.exe 928 4060482.exe 3948 04668.exe 2880 djpjd.exe 2688 802482.exe 4700 00286.exe 2380 646622.exe 4764 442084.exe 4264 5ttnhb.exe 3868 vpvpj.exe 4672 26248.exe 1384 q60482.exe 3668 86200.exe 4488 28486.exe 404 68486.exe 1664 rlfxrlr.exe 4992 24664.exe 4756 nhtthh.exe 4512 64064.exe 536 208426.exe 3208 6688260.exe 4204 rlxlllf.exe 4280 8466604.exe 2432 pvpjv.exe 1864 fxxrllf.exe 400 llxrxxf.exe 3188 40842.exe 3000 jdjvp.exe 3616 lffrllf.exe 4712 q06666.exe 1036 22448.exe 1444 48824.exe 4624 84660.exe 2304 g6822.exe 3252 tbhbtn.exe 1608 jppjd.exe -
Processes:
resource yara_rule behavioral2/memory/5116-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b8f-4.dat upx behavioral2/memory/5116-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4056-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-9.dat upx behavioral2/files/0x000a000000023b97-12.dat upx behavioral2/memory/4056-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-20.dat upx behavioral2/memory/2396-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1616-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9d-46.dat upx behavioral2/memory/1268-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023ba3-74.dat upx behavioral2/files/0x000b000000023ba5-83.dat upx behavioral2/files/0x0009000000023bc2-100.dat upx behavioral2/memory/3228-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c00-148.dat upx behavioral2/memory/2380-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/780-274-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/516-282-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3036-288-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5100-279-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4532-264-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2468-240-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1608-235-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1444-225-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4712-221-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3616-218-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/400-211-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1864-208-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2432-205-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4280-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4204-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4512-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/404-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4488-180-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3668-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1384-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4672-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4264-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c01-152.dat upx behavioral2/files/0x0008000000023bff-144.dat upx behavioral2/memory/1952-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd0-139.dat upx behavioral2/files/0x0008000000023bcf-135.dat upx behavioral2/memory/1828-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bce-130.dat upx behavioral2/memory/2328-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bcd-125.dat upx behavioral2/memory/1476-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bca-120.dat upx behavioral2/memory/4680-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bc8-115.dat upx behavioral2/files/0x0009000000023bc4-110.dat upx behavioral2/memory/4328-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bc3-105.dat upx 
behavioral2/memory/3104-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bbd-96.dat upx behavioral2/memory/1128-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bb4-91.dat upx behavioral2/files/0x000a000000023bad-87.dat upx behavioral2/memory/2552-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023ba4-78.dat upx behavioral2/files/0x000a000000023ba2-70.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
7fllfxl.exe042488.exevvdpd.exe0860828.exe288822.exe64064.exe02006.exedppjd.exetttnhb.exe46266.exeu226048.exe4060882.exe8486400.exerxrfrrl.exe3lrlfll.exee04860.exeddjdd.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fllfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 042488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0860828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 288822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u226048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4060882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8486400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrfrrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lrlfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e04860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe224488.exek46682.exettbbbh.exe2062682.exethhbnh.exe8420882.exehbnhtn.exe2626044.exe406600.exe60600.exe7xxlxfx.exe4066660.exe9hhhtn.exe6000826.exe884228.exe00664.exe424488.exerrrfxrl.exeo088882.exerfxlfxr.exe9xlfrrl.exedescription pid Process procid_target PID 5116 wrote to memory of 4056 5116 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 84 PID 5116 wrote to memory of 4056 5116 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 84 PID 5116 wrote to memory of 4056 5116 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 84 PID 4056 wrote to memory of 5036 4056 224488.exe 85 PID 4056 wrote to memory of 5036 4056 224488.exe 85 PID 4056 wrote to memory of 5036 4056 224488.exe 85 PID 5036 wrote to memory of 4084 5036 k46682.exe 86 PID 5036 wrote to memory of 4084 5036 k46682.exe 86 PID 5036 wrote to memory of 4084 5036 k46682.exe 86 PID 4084 wrote to memory of 4208 4084 ttbbbh.exe 87 PID 4084 wrote to memory of 4208 4084 ttbbbh.exe 87 PID 4084 wrote to memory of 4208 4084 ttbbbh.exe 87 PID 4208 wrote to memory of 2396 4208 2062682.exe 88 PID 4208 wrote to memory of 2396 4208 2062682.exe 88 PID 4208 wrote to memory of 2396 4208 2062682.exe 88 PID 2396 wrote to memory of 2816 2396 thhbnh.exe 89 PID 2396 wrote to memory of 2816 2396 thhbnh.exe 89 PID 2396 wrote to memory of 2816 2396 thhbnh.exe 89 PID 2816 wrote to memory of 1616 2816 8420882.exe 90 PID 2816 wrote to memory of 1616 2816 8420882.exe 90 PID 2816 wrote to memory of 1616 2816 8420882.exe 90 PID 1616 wrote to memory of 3704 1616 hbnhtn.exe 91 PID 1616 wrote to memory of 3704 1616 hbnhtn.exe 91 PID 1616 wrote to memory of 3704 1616 hbnhtn.exe 91 PID 3704 wrote to memory of 780 3704 2626044.exe 92 PID 3704 wrote to memory of 780 3704 2626044.exe 92 PID 3704 wrote to memory of 780 3704 2626044.exe 92 PID 780 wrote to memory of 4136 780 406600.exe 93 PID 780 wrote to memory of 4136 780 
406600.exe 93 PID 780 wrote to memory of 4136 780 406600.exe 93 PID 4136 wrote to memory of 4008 4136 60600.exe 94 PID 4136 wrote to memory of 4008 4136 60600.exe 94 PID 4136 wrote to memory of 4008 4136 60600.exe 94 PID 4008 wrote to memory of 1268 4008 7xxlxfx.exe 95 PID 4008 wrote to memory of 1268 4008 7xxlxfx.exe 95 PID 4008 wrote to memory of 1268 4008 7xxlxfx.exe 95 PID 1268 wrote to memory of 4776 1268 4066660.exe 96 PID 1268 wrote to memory of 4776 1268 4066660.exe 96 PID 1268 wrote to memory of 4776 1268 4066660.exe 96 PID 4776 wrote to memory of 380 4776 9hhhtn.exe 97 PID 4776 wrote to memory of 380 4776 9hhhtn.exe 97 PID 4776 wrote to memory of 380 4776 9hhhtn.exe 97 PID 380 wrote to memory of 3036 380 6000826.exe 98 PID 380 wrote to memory of 3036 380 6000826.exe 98 PID 380 wrote to memory of 3036 380 6000826.exe 98 PID 3036 wrote to memory of 2552 3036 884228.exe 99 PID 3036 wrote to memory of 2552 3036 884228.exe 99 PID 3036 wrote to memory of 2552 3036 884228.exe 99 PID 2552 wrote to memory of 3184 2552 00664.exe 100 PID 2552 wrote to memory of 3184 2552 00664.exe 100 PID 2552 wrote to memory of 3184 2552 00664.exe 100 PID 3184 wrote to memory of 1928 3184 424488.exe 101 PID 3184 wrote to memory of 1928 3184 424488.exe 101 PID 3184 wrote to memory of 1928 3184 424488.exe 101 PID 1928 wrote to memory of 1128 1928 rrrfxrl.exe 102 PID 1928 wrote to memory of 1128 1928 rrrfxrl.exe 102 PID 1928 wrote to memory of 1128 1928 rrrfxrl.exe 102 PID 1128 wrote to memory of 3588 1128 o088882.exe 103 PID 1128 wrote to memory of 3588 1128 o088882.exe 103 PID 1128 wrote to memory of 3588 1128 o088882.exe 103 PID 3588 wrote to memory of 3104 3588 rfxlfxr.exe 104 PID 3588 wrote to memory of 3104 3588 rfxlfxr.exe 104 PID 3588 wrote to memory of 3104 3588 rfxlfxr.exe 104 PID 3104 wrote to memory of 4328 3104 9xlfrrl.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe"C:\Users\Admin\AppData\Local\Temp\d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\224488.exec:\224488.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\k46682.exec:\k46682.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\ttbbbh.exec:\ttbbbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\2062682.exec:\2062682.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\thhbnh.exec:\thhbnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\8420882.exec:\8420882.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\hbnhtn.exec:\hbnhtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\2626044.exec:\2626044.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\406600.exec:\406600.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\60600.exec:\60600.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\7xxlxfx.exec:\7xxlxfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\4066660.exec:\4066660.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\9hhhtn.exec:\9hhhtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\6000826.exec:\6000826.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\884228.exec:\884228.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\00664.exec:\00664.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\424488.exec:\424488.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\rrrfxrl.exec:\rrrfxrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\o088882.exec:\o088882.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\rfxlfxr.exec:\rfxlfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\9xlfrrl.exec:\9xlfrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\20882.exec:\20882.exe23⤵
- Executes dropped EXE
PID:4328 -
\??\c:\40286.exec:\40286.exe24⤵
- Executes dropped EXE
PID:3228 -
\??\c:\bnhbnn.exec:\bnhbnn.exe25⤵
- Executes dropped EXE
PID:4680 -
\??\c:\s4004.exec:\s4004.exe26⤵
- Executes dropped EXE
PID:1476 -
\??\c:\fffxrrf.exec:\fffxrrf.exe27⤵
- Executes dropped EXE
PID:2328 -
\??\c:\7vvpd.exec:\7vvpd.exe28⤵
- Executes dropped EXE
PID:1828 -
\??\c:\jddvp.exec:\jddvp.exe29⤵
- Executes dropped EXE
PID:2564 -
\??\c:\240486.exec:\240486.exe30⤵
- Executes dropped EXE
PID:1952 -
\??\c:\4060482.exec:\4060482.exe31⤵
- Executes dropped EXE
PID:928 -
\??\c:\04668.exec:\04668.exe32⤵
- Executes dropped EXE
PID:3948 -
\??\c:\djpjd.exec:\djpjd.exe33⤵
- Executes dropped EXE
PID:2880 -
\??\c:\802482.exec:\802482.exe34⤵
- Executes dropped EXE
PID:2688 -
\??\c:\00286.exec:\00286.exe35⤵
- Executes dropped EXE
PID:4700 -
\??\c:\646622.exec:\646622.exe36⤵
- Executes dropped EXE
PID:2380 -
\??\c:\442084.exec:\442084.exe37⤵
- Executes dropped EXE
PID:4764 -
\??\c:\5ttnhb.exec:\5ttnhb.exe38⤵
- Executes dropped EXE
PID:4264 -
\??\c:\vpvpj.exec:\vpvpj.exe39⤵
- Executes dropped EXE
PID:3868 -
\??\c:\26248.exec:\26248.exe40⤵
- Executes dropped EXE
PID:4672 -
\??\c:\q60482.exec:\q60482.exe41⤵
- Executes dropped EXE
PID:1384 -
\??\c:\86200.exec:\86200.exe42⤵
- Executes dropped EXE
PID:3668 -
\??\c:\28486.exec:\28486.exe43⤵
- Executes dropped EXE
PID:4488 -
\??\c:\68486.exec:\68486.exe44⤵
- Executes dropped EXE
PID:404 -
\??\c:\rlfxrlr.exec:\rlfxrlr.exe45⤵
- Executes dropped EXE
PID:1664 -
\??\c:\24664.exec:\24664.exe46⤵
- Executes dropped EXE
PID:4992 -
\??\c:\nhtthh.exec:\nhtthh.exe47⤵
- Executes dropped EXE
PID:4756 -
\??\c:\64064.exec:\64064.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4512 -
\??\c:\208426.exec:\208426.exe49⤵
- Executes dropped EXE
PID:536 -
\??\c:\6688260.exec:\6688260.exe50⤵
- Executes dropped EXE
PID:3208 -
\??\c:\rlxlllf.exec:\rlxlllf.exe51⤵
- Executes dropped EXE
PID:4204 -
\??\c:\8466604.exec:\8466604.exe52⤵
- Executes dropped EXE
PID:4280 -
\??\c:\pvpjv.exec:\pvpjv.exe53⤵
- Executes dropped EXE
PID:2432 -
\??\c:\fxxrllf.exec:\fxxrllf.exe54⤵
- Executes dropped EXE
PID:1864 -
\??\c:\llxrxxf.exec:\llxrxxf.exe55⤵
- Executes dropped EXE
PID:400 -
\??\c:\40842.exec:\40842.exe56⤵
- Executes dropped EXE
PID:3188 -
\??\c:\jdjvp.exec:\jdjvp.exe57⤵
- Executes dropped EXE
PID:3000 -
\??\c:\lffrllf.exec:\lffrllf.exe58⤵
- Executes dropped EXE
PID:3616 -
\??\c:\q06666.exec:\q06666.exe59⤵
- Executes dropped EXE
PID:4712 -
\??\c:\22448.exec:\22448.exe60⤵
- Executes dropped EXE
PID:1036 -
\??\c:\48824.exec:\48824.exe61⤵
- Executes dropped EXE
PID:1444 -
\??\c:\84660.exec:\84660.exe62⤵
- Executes dropped EXE
PID:4624 -
\??\c:\g6822.exec:\g6822.exe63⤵
- Executes dropped EXE
PID:2304 -
\??\c:\tbhbtn.exec:\tbhbtn.exe64⤵
- Executes dropped EXE
PID:3252 -
\??\c:\jppjd.exec:\jppjd.exe65⤵
- Executes dropped EXE
PID:1608 -
\??\c:\tnhbtn.exec:\tnhbtn.exe66⤵PID:3640
-
\??\c:\a0806.exec:\a0806.exe67⤵PID:2468
-
\??\c:\846628.exec:\846628.exe68⤵PID:3136
-
\??\c:\llfxrrl.exec:\llfxrrl.exe69⤵PID:736
-
\??\c:\6244000.exec:\6244000.exe70⤵PID:1424
-
\??\c:\48448.exec:\48448.exe71⤵PID:2300
-
\??\c:\fffxrlf.exec:\fffxrlf.exe72⤵PID:2420
-
\??\c:\flrrllf.exec:\flrrllf.exe73⤵PID:4056
-
\??\c:\s6220.exec:\s6220.exe74⤵PID:3636
-
\??\c:\o648602.exec:\o648602.exe75⤵PID:3212
-
\??\c:\1fxlfrl.exec:\1fxlfrl.exe76⤵PID:1448
-
\??\c:\jpdvp.exec:\jpdvp.exe77⤵PID:2308
-
\??\c:\k48600.exec:\k48600.exe78⤵PID:1512
-
\??\c:\00286.exec:\00286.exe79⤵PID:4532
-
\??\c:\5jjdp.exec:\5jjdp.exe80⤵PID:4476
-
\??\c:\648264.exec:\648264.exe81⤵PID:3944
-
\??\c:\pjjdp.exec:\pjjdp.exe82⤵PID:4748
-
\??\c:\rxrfrrl.exec:\rxrfrrl.exe83⤵
- System Location Discovery: System Language Discovery
PID:780 -
\??\c:\bhbtnh.exec:\bhbtnh.exe84⤵PID:4552
-
\??\c:\20260.exec:\20260.exe85⤵PID:5100
-
\??\c:\htbthh.exec:\htbthh.exe86⤵PID:516
-
\??\c:\4204040.exec:\4204040.exe87⤵PID:2900
-
\??\c:\48264.exec:\48264.exe88⤵PID:3240
-
\??\c:\frxlfrf.exec:\frxlfrf.exe89⤵PID:3036
-
\??\c:\20426.exec:\20426.exe90⤵PID:432
-
\??\c:\22448.exec:\22448.exe91⤵PID:4960
-
\??\c:\9ttnnh.exec:\9ttnnh.exe92⤵PID:3028
-
\??\c:\228604.exec:\228604.exe93⤵PID:2936
-
\??\c:\624868.exec:\624868.exe94⤵PID:3508
-
\??\c:\3lfxllf.exec:\3lfxllf.exe95⤵PID:4660
-
\??\c:\k26260.exec:\k26260.exe96⤵PID:4460
-
\??\c:\bntnnh.exec:\bntnnh.exe97⤵PID:3904
-
\??\c:\hbhntn.exec:\hbhntn.exe98⤵PID:4936
-
\??\c:\m4886.exec:\m4886.exe99⤵PID:1308
-
\??\c:\ddpjj.exec:\ddpjj.exe100⤵PID:1924
-
\??\c:\802260.exec:\802260.exe101⤵PID:2372
-
\??\c:\rlflflf.exec:\rlflflf.exe102⤵PID:928
-
\??\c:\s8048.exec:\s8048.exe103⤵PID:2204
-
\??\c:\06864.exec:\06864.exe104⤵PID:672
-
\??\c:\pjvvv.exec:\pjvvv.exe105⤵PID:4216
-
\??\c:\8022004.exec:\8022004.exe106⤵PID:4244
-
\??\c:\626822.exec:\626822.exe107⤵PID:2568
-
\??\c:\2844248.exec:\2844248.exe108⤵PID:3488
-
\??\c:\hnhhbb.exec:\hnhhbb.exe109⤵PID:3868
-
\??\c:\rlfxrrl.exec:\rlfxrrl.exe110⤵PID:3076
-
\??\c:\20408.exec:\20408.exe111⤵PID:4928
-
\??\c:\5bttnh.exec:\5bttnh.exe112⤵PID:4368
-
\??\c:\3ttnhn.exec:\3ttnhn.exe113⤵PID:2912
-
\??\c:\62820.exec:\62820.exe114⤵PID:1664
-
\??\c:\28042.exec:\28042.exe115⤵PID:3096
-
\??\c:\m6822.exec:\m6822.exe116⤵PID:1528
-
\??\c:\q62660.exec:\q62660.exe117⤵PID:4164
-
\??\c:\4226264.exec:\4226264.exe118⤵PID:4812
-
\??\c:\nhnhtn.exec:\nhnhtn.exe119⤵PID:1372
-
\??\c:\vvpjd.exec:\vvpjd.exe120⤵PID:4292
-
\??\c:\hnhtnh.exec:\hnhtnh.exe121⤵PID:4280
-
\??\c:\pdvjv.exec:\pdvjv.exe122⤵PID:1864