Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe
-
Size
454KB
-
MD5
b0ed066228c36f715ac3b14440c01d17
-
SHA1
0fe302f0f6cded692d118304d762df9e8ed6cbf8
-
SHA256
abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245
-
SHA512
de74dbd511c625feca3a8a88a46dc6ac565e37e7a61f22c1607ce11e9dde7e412eceea2c10b04f8f29bb33b5e5930b477ad3027404a8c4223f0c0ab635a55c27
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4452-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/752-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1060-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-839-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-1189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-1344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-1609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4828-1895-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4236 286600.exe 1284 5xlfffr.exe 1096 hbtbbb.exe 1496 28000.exe 3956 9ntnbn.exe 4672 2640004.exe 208 5lxrllf.exe 4920 rrfxxfx.exe 8 tttttt.exe 3004 80226.exe 4624 668862.exe 3736 bbbtnn.exe 4628 22222.exe 3260 82440.exe 2808 o866004.exe 5076 08040.exe 4492 s6204.exe 1160 flrfxrl.exe 2776 hnnbnt.exe 924 rlllrrx.exe 4484 66826.exe 532 xrxlrrf.exe 1416 6626486.exe 4080 nbnhbb.exe 3452 hhntbb.exe 3280 ddjpv.exe 624 e00822.exe 752 rlrrxrl.exe 4440 64000.exe 1628 nhhbtt.exe 2600 062600.exe 764 rflfffx.exe 2344 88048.exe 452 pdjdd.exe 3676 lfrlrrx.exe 2436 lfrlfff.exe 4584 644822.exe 3408 bbhbhh.exe 3084 pjpjp.exe 3528 246048.exe 1424 c808226.exe 4396 080066.exe 4908 9lfxrrr.exe 2628 866226.exe 3092 pjvpj.exe 4916 2686000.exe 1328 3llrllf.exe 1844 42484.exe 1560 rlxlrrl.exe 3124 jvvdj.exe 1452 1bhtnn.exe 1772 60004.exe 100 666644.exe 3504 frrlxrr.exe 2032 ttnntt.exe 1508 48860.exe 1100 60088.exe 3192 bnbhhn.exe 4004 02204.exe 3004 202088.exe 1992 5lfrlxl.exe 4188 2620482.exe 4976 7hbnhb.exe 1648 00620.exe -
resource yara_rule behavioral2/memory/4452-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-165-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4440-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-391-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4992-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-839-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-873-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6282660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w80442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2682424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbtnb.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 402682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o248884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxrf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4452 wrote to memory of 4236 4452 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 83 PID 4452 wrote to memory of 4236 4452 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 83 PID 4452 wrote to memory of 4236 4452 abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe 83 PID 4236 wrote to memory of 1284 4236 286600.exe 84 PID 4236 wrote to memory of 1284 4236 286600.exe 84 PID 4236 wrote to memory of 1284 4236 286600.exe 84 PID 1284 wrote to memory of 1096 1284 5xlfffr.exe 85 PID 1284 wrote to memory of 1096 1284 5xlfffr.exe 85 PID 1284 wrote to memory of 1096 1284 5xlfffr.exe 85 PID 1096 wrote to memory of 1496 1096 hbtbbb.exe 86 PID 1096 wrote to memory of 1496 1096 hbtbbb.exe 86 PID 1096 wrote to memory of 1496 1096 hbtbbb.exe 86 PID 1496 wrote to memory of 3956 1496 28000.exe 87 PID 1496 wrote to memory of 3956 1496 28000.exe 87 PID 1496 wrote to memory of 3956 1496 28000.exe 87 PID 3956 wrote to memory of 4672 3956 9ntnbn.exe 88 PID 3956 wrote to memory of 4672 3956 9ntnbn.exe 88 PID 3956 wrote to memory of 4672 3956 9ntnbn.exe 88 PID 4672 wrote to memory of 208 4672 2640004.exe 89 PID 4672 wrote to memory of 208 4672 2640004.exe 89 PID 4672 wrote to memory of 208 4672 2640004.exe 89 PID 208 wrote to memory of 4920 208 5lxrllf.exe 90 PID 208 wrote to memory of 4920 208 5lxrllf.exe 90 PID 208 wrote to memory of 4920 208 5lxrllf.exe 90 PID 4920 wrote to memory of 8 4920 rrfxxfx.exe 91 PID 4920 wrote to memory of 8 4920 rrfxxfx.exe 91 PID 4920 wrote to memory of 8 4920 rrfxxfx.exe 91 PID 8 wrote to memory of 3004 8 tttttt.exe 92 PID 8 wrote to memory of 3004 8 tttttt.exe 92 PID 8 wrote to memory of 3004 8 tttttt.exe 92 PID 3004 wrote to memory of 4624 3004 80226.exe 93 PID 3004 wrote to memory of 4624 3004 80226.exe 93 PID 3004 wrote to memory of 4624 3004 80226.exe 93 PID 4624 wrote to memory of 3736 4624 668862.exe 94 PID 4624 wrote to memory of 3736 4624 668862.exe 
94 PID 4624 wrote to memory of 3736 4624 668862.exe 94 PID 3736 wrote to memory of 4628 3736 bbbtnn.exe 95 PID 3736 wrote to memory of 4628 3736 bbbtnn.exe 95 PID 3736 wrote to memory of 4628 3736 bbbtnn.exe 95 PID 4628 wrote to memory of 3260 4628 22222.exe 96 PID 4628 wrote to memory of 3260 4628 22222.exe 96 PID 4628 wrote to memory of 3260 4628 22222.exe 96 PID 3260 wrote to memory of 2808 3260 82440.exe 97 PID 3260 wrote to memory of 2808 3260 82440.exe 97 PID 3260 wrote to memory of 2808 3260 82440.exe 97 PID 2808 wrote to memory of 5076 2808 o866004.exe 98 PID 2808 wrote to memory of 5076 2808 o866004.exe 98 PID 2808 wrote to memory of 5076 2808 o866004.exe 98 PID 5076 wrote to memory of 4492 5076 08040.exe 99 PID 5076 wrote to memory of 4492 5076 08040.exe 99 PID 5076 wrote to memory of 4492 5076 08040.exe 99 PID 4492 wrote to memory of 1160 4492 s6204.exe 100 PID 4492 wrote to memory of 1160 4492 s6204.exe 100 PID 4492 wrote to memory of 1160 4492 s6204.exe 100 PID 1160 wrote to memory of 2776 1160 flrfxrl.exe 101 PID 1160 wrote to memory of 2776 1160 flrfxrl.exe 101 PID 1160 wrote to memory of 2776 1160 flrfxrl.exe 101 PID 2776 wrote to memory of 924 2776 hnnbnt.exe 102 PID 2776 wrote to memory of 924 2776 hnnbnt.exe 102 PID 2776 wrote to memory of 924 2776 hnnbnt.exe 102 PID 924 wrote to memory of 4484 924 rlllrrx.exe 103 PID 924 wrote to memory of 4484 924 rlllrrx.exe 103 PID 924 wrote to memory of 4484 924 rlllrrx.exe 103 PID 4484 wrote to memory of 532 4484 66826.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe"C:\Users\Admin\AppData\Local\Temp\abd7048939512740ab1deaf4c795e7d94657e3f61ee0ca03d6b4484259c5d245.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\286600.exec:\286600.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\5xlfffr.exec:\5xlfffr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\hbtbbb.exec:\hbtbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\28000.exec:\28000.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\9ntnbn.exec:\9ntnbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\2640004.exec:\2640004.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\5lxrllf.exec:\5lxrllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\rrfxxfx.exec:\rrfxxfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\tttttt.exec:\tttttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\80226.exec:\80226.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\668862.exec:\668862.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\bbbtnn.exec:\bbbtnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\22222.exec:\22222.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\82440.exec:\82440.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\o866004.exec:\o866004.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\08040.exec:\08040.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\s6204.exec:\s6204.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\flrfxrl.exec:\flrfxrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\hnnbnt.exec:\hnnbnt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\rlllrrx.exec:\rlllrrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\66826.exec:\66826.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\xrxlrrf.exec:\xrxlrrf.exe23⤵
- Executes dropped EXE
PID:532 -
\??\c:\6626486.exec:\6626486.exe24⤵
- Executes dropped EXE
PID:1416 -
\??\c:\nbnhbb.exec:\nbnhbb.exe25⤵
- Executes dropped EXE
PID:4080 -
\??\c:\hhntbb.exec:\hhntbb.exe26⤵
- Executes dropped EXE
PID:3452 -
\??\c:\ddjpv.exec:\ddjpv.exe27⤵
- Executes dropped EXE
PID:3280 -
\??\c:\e00822.exec:\e00822.exe28⤵
- Executes dropped EXE
PID:624 -
\??\c:\rlrrxrl.exec:\rlrrxrl.exe29⤵
- Executes dropped EXE
PID:752 -
\??\c:\64000.exec:\64000.exe30⤵
- Executes dropped EXE
PID:4440 -
\??\c:\nhhbtt.exec:\nhhbtt.exe31⤵
- Executes dropped EXE
PID:1628 -
\??\c:\062600.exec:\062600.exe32⤵
- Executes dropped EXE
PID:2600 -
\??\c:\rflfffx.exec:\rflfffx.exe33⤵
- Executes dropped EXE
PID:764 -
\??\c:\88048.exec:\88048.exe34⤵
- Executes dropped EXE
PID:2344 -
\??\c:\pdjdd.exec:\pdjdd.exe35⤵
- Executes dropped EXE
PID:452 -
\??\c:\lfrlrrx.exec:\lfrlrrx.exe36⤵
- Executes dropped EXE
PID:3676 -
\??\c:\lfrlfff.exec:\lfrlfff.exe37⤵
- Executes dropped EXE
PID:2436 -
\??\c:\644822.exec:\644822.exe38⤵
- Executes dropped EXE
PID:4584 -
\??\c:\bbhbhh.exec:\bbhbhh.exe39⤵
- Executes dropped EXE
PID:3408 -
\??\c:\pjpjp.exec:\pjpjp.exe40⤵
- Executes dropped EXE
PID:3084 -
\??\c:\246048.exec:\246048.exe41⤵
- Executes dropped EXE
PID:3528 -
\??\c:\c808226.exec:\c808226.exe42⤵
- Executes dropped EXE
PID:1424 -
\??\c:\080066.exec:\080066.exe43⤵
- Executes dropped EXE
PID:4396 -
\??\c:\9lfxrrr.exec:\9lfxrrr.exe44⤵
- Executes dropped EXE
PID:4908 -
\??\c:\866226.exec:\866226.exe45⤵
- Executes dropped EXE
PID:2628 -
\??\c:\pjvpj.exec:\pjvpj.exe46⤵
- Executes dropped EXE
PID:3092 -
\??\c:\2686000.exec:\2686000.exe47⤵
- Executes dropped EXE
PID:4916 -
\??\c:\3llrllf.exec:\3llrllf.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1328 -
\??\c:\42484.exec:\42484.exe49⤵
- Executes dropped EXE
PID:1844 -
\??\c:\rlxlrrl.exec:\rlxlrrl.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1560 -
\??\c:\jvvdj.exec:\jvvdj.exe51⤵
- Executes dropped EXE
PID:3124 -
\??\c:\1bhtnn.exec:\1bhtnn.exe52⤵
- Executes dropped EXE
PID:1452 -
\??\c:\60004.exec:\60004.exe53⤵
- Executes dropped EXE
PID:1772 -
\??\c:\666644.exec:\666644.exe54⤵
- Executes dropped EXE
PID:100 -
\??\c:\frrlxrr.exec:\frrlxrr.exe55⤵
- Executes dropped EXE
PID:3504 -
\??\c:\ttnntt.exec:\ttnntt.exe56⤵
- Executes dropped EXE
PID:2032 -
\??\c:\48860.exec:\48860.exe57⤵
- Executes dropped EXE
PID:1508 -
\??\c:\60088.exec:\60088.exe58⤵
- Executes dropped EXE
PID:1100 -
\??\c:\bnbhhn.exec:\bnbhhn.exe59⤵
- Executes dropped EXE
PID:3192 -
\??\c:\02204.exec:\02204.exe60⤵
- Executes dropped EXE
PID:4004 -
\??\c:\202088.exec:\202088.exe61⤵
- Executes dropped EXE
PID:3004 -
\??\c:\5lfrlxl.exec:\5lfrlxl.exe62⤵
- Executes dropped EXE
PID:1992 -
\??\c:\2620482.exec:\2620482.exe63⤵
- Executes dropped EXE
PID:4188 -
\??\c:\7hbnhb.exec:\7hbnhb.exe64⤵
- Executes dropped EXE
PID:4976 -
\??\c:\00620.exec:\00620.exe65⤵
- Executes dropped EXE
PID:1648 -
\??\c:\q26044.exec:\q26044.exe66⤵PID:3572
-
\??\c:\800420.exec:\800420.exe67⤵PID:1480
-
\??\c:\bhthht.exec:\bhthht.exe68⤵PID:2808
-
\??\c:\pdvjd.exec:\pdvjd.exe69⤵PID:4632
-
\??\c:\868622.exec:\868622.exe70⤵PID:3020
-
\??\c:\jppdv.exec:\jppdv.exe71⤵PID:4492
-
\??\c:\jddpj.exec:\jddpj.exe72⤵PID:1060
-
\??\c:\86822.exec:\86822.exe73⤵PID:5012
-
\??\c:\402682.exec:\402682.exe74⤵
- System Location Discovery: System Language Discovery
PID:3936 -
\??\c:\480888.exec:\480888.exe75⤵PID:1868
-
\??\c:\86262.exec:\86262.exe76⤵PID:3060
-
\??\c:\264840.exec:\264840.exe77⤵PID:3376
-
\??\c:\btthtn.exec:\btthtn.exe78⤵PID:4972
-
\??\c:\44864.exec:\44864.exe79⤵PID:1416
-
\??\c:\ddjvj.exec:\ddjvj.exe80⤵PID:4080
-
\??\c:\662602.exec:\662602.exe81⤵PID:3452
-
\??\c:\248622.exec:\248622.exe82⤵PID:3820
-
\??\c:\42208.exec:\42208.exe83⤵PID:1736
-
\??\c:\jvjdj.exec:\jvjdj.exe84⤵PID:3772
-
\??\c:\rffrfrf.exec:\rffrfrf.exe85⤵PID:1256
-
\??\c:\pvdpj.exec:\pvdpj.exe86⤵PID:3520
-
\??\c:\tbtbnt.exec:\tbtbnt.exe87⤵PID:2396
-
\??\c:\vvvjd.exec:\vvvjd.exe88⤵PID:4316
-
\??\c:\rllfflf.exec:\rllfflf.exe89⤵PID:4644
-
\??\c:\nttnbt.exec:\nttnbt.exe90⤵PID:2896
-
\??\c:\jpvjd.exec:\jpvjd.exe91⤵PID:1188
-
\??\c:\02808.exec:\02808.exe92⤵PID:1360
-
\??\c:\btbnhb.exec:\btbnhb.exe93⤵PID:2556
-
\??\c:\4460888.exec:\4460888.exe94⤵PID:4992
-
\??\c:\o224260.exec:\o224260.exe95⤵PID:2712
-
\??\c:\28246.exec:\28246.exe96⤵PID:876
-
\??\c:\btbbtt.exec:\btbbtt.exe97⤵PID:632
-
\??\c:\frxxllf.exec:\frxxllf.exe98⤵PID:232
-
\??\c:\84204.exec:\84204.exe99⤵PID:212
-
\??\c:\thnhnn.exec:\thnhnn.exe100⤵PID:1424
-
\??\c:\thhbhb.exec:\thhbhb.exe101⤵PID:3036
-
\??\c:\djjvp.exec:\djjvp.exe102⤵PID:4908
-
\??\c:\frfrrlx.exec:\frfrrlx.exe103⤵PID:2628
-
\??\c:\46204.exec:\46204.exe104⤵PID:2968
-
\??\c:\82866.exec:\82866.exe105⤵PID:4236
-
\??\c:\flxxrrl.exec:\flxxrrl.exe106⤵PID:2416
-
\??\c:\068644.exec:\068644.exe107⤵PID:2052
-
\??\c:\02260.exec:\02260.exe108⤵PID:4072
-
\??\c:\26604.exec:\26604.exe109⤵PID:3436
-
\??\c:\624866.exec:\624866.exe110⤵PID:4100
-
\??\c:\jvvpj.exec:\jvvpj.exe111⤵PID:3956
-
\??\c:\jdjjv.exec:\jdjjv.exe112⤵PID:5072
-
\??\c:\e62044.exec:\e62044.exe113⤵PID:4140
-
\??\c:\42482.exec:\42482.exe114⤵PID:4520
-
\??\c:\8686426.exec:\8686426.exe115⤵PID:1228
-
\??\c:\4026048.exec:\4026048.exe116⤵PID:3032
-
\??\c:\jdjdp.exec:\jdjdp.exe117⤵PID:3140
-
\??\c:\26668.exec:\26668.exe118⤵PID:2180
-
\??\c:\g2420.exec:\g2420.exe119⤵PID:4820
-
\??\c:\5hhbtt.exec:\5hhbtt.exe120⤵PID:4920
-
\??\c:\8840880.exec:\8840880.exe121⤵PID:4004
-
\??\c:\jpvjv.exec:\jpvjv.exe122⤵PID:2212