Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 04:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d54dd942a001e7090b91c30d23ffc7faf36acec1cd82757a4255a93baad1c561.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
d54dd942a001e7090b91c30d23ffc7faf36acec1cd82757a4255a93baad1c561.exe
-
Size
454KB
-
MD5
657ba59f1a5dd319a82d6f9cf854c14d
-
SHA1
3291d7fbee11fac06d0880d861f58bf4c767613e
-
SHA256
d54dd942a001e7090b91c30d23ffc7faf36acec1cd82757a4255a93baad1c561
-
SHA512
cc9a62295e1f53cdb296dc9e4f472269c4d5edc418071b21187e68cc67f910025f19be326d6909c0924e24aad5c2c9141d4fefc881328044567e81c0dcbcacdc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbecMb:q7Tc2NYHUrAwfMp3CDpb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2808-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/684-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2076-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-887-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-1057-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-1158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2296-1699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4232 4866044.exe 4364 flxfxfl.exe 1672 2882604.exe 4360 9jjdv.exe 2608 hnbnhh.exe 3680 rlxrrfx.exe 944 8244486.exe 3768 bthbbb.exe 2076 086000.exe 4584 bbttnn.exe 2200 e28080.exe 1220 04644.exe 1392 6066606.exe 3772 408228.exe 3000 thnnhb.exe 2596 5tbtnh.exe 4092 8464482.exe 3320 4888226.exe 1124 btttnn.exe 4056 xllfxrl.exe 4140 bhnhbt.exe 3784 80284.exe 3896 bttnhh.exe 4968 4200882.exe 2072 6464444.exe 2952 jddjd.exe 948 2622668.exe 4952 vdpjd.exe 1152 0820606.exe 4040 08440.exe 1744 680048.exe 1864 pvjdj.exe 3488 djvpv.exe 2600 hnhhbt.exe 3832 flrlrrl.exe 5100 406266.exe 5028 5bhnhh.exe 3380 46666.exe 5060 62826.exe 772 080404.exe 684 dppjj.exe 1240 llrrllr.exe 4452 tnbnbt.exe 4536 i226046.exe 1828 tbbnhb.exe 2368 g2222.exe 3692 fxxrrrl.exe 1316 fxfxrrr.exe 4336 hbtbnb.exe 1608 dddjv.exe 4660 68066.exe 804 bbthbh.exe 2024 pvdvj.exe 1284 ppvpd.exe 1500 vjjvp.exe 1396 80008.exe 2680 684406.exe 3540 lrxrlfr.exe 1360 vdjvd.exe 1468 2064226.exe 3728 xlrfxrl.exe 4280 nbhtnh.exe 4416 ttttnt.exe 4008 u604260.exe -
resource yara_rule behavioral2/memory/2808-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-207-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5100-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-13-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1212-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-887-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 842044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0286048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2208844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6086666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2808 wrote to memory of 4232 2808 d54dd942a001e7090b91c30d23ffc7faf36acec1cd82757a4255a93baad1c561.exe 83 PID 2808 wrote to memory of 4232 2808 d54dd942a001e7090b91c30d23ffc7faf36acec1cd82757a4255a93baad1c561.exe 83 PID 2808 wrote to memory of 4232 2808 d54dd942a001e7090b91c30d23ffc7faf36acec1cd82757a4255a93baad1c561.exe 83 PID 4232 wrote to memory of 4364 4232 4866044.exe 84 PID 4232 wrote to memory of 4364 4232 4866044.exe 84 PID 4232 wrote to memory of 4364 4232 4866044.exe 84 PID 4364 wrote to memory of 1672 4364 flxfxfl.exe 85 PID 4364 wrote to memory of 1672 4364 flxfxfl.exe 85 PID 4364 wrote to memory of 1672 4364 flxfxfl.exe 85 PID 1672 wrote to memory of 4360 1672 2882604.exe 86 PID 1672 wrote to memory of 4360 1672 2882604.exe 86 PID 1672 wrote to memory of 4360 1672 2882604.exe 86 PID 4360 wrote to memory of 2608 4360 9jjdv.exe 87 PID 4360 wrote to memory of 2608 4360 9jjdv.exe 87 PID 4360 wrote to memory of 2608 4360 9jjdv.exe 87 PID 2608 wrote to memory of 3680 2608 hnbnhh.exe 88 PID 2608 wrote to memory of 3680 2608 hnbnhh.exe 88 PID 2608 wrote to memory of 3680 2608 hnbnhh.exe 88 PID 3680 wrote to memory of 944 3680 rlxrrfx.exe 89 PID 3680 wrote to memory of 944 3680 rlxrrfx.exe 89 PID 3680 wrote to memory of 944 3680 rlxrrfx.exe 89 PID 944 wrote to memory of 3768 944 8244486.exe 90 PID 944 wrote to memory of 3768 944 8244486.exe 90 PID 944 wrote to memory of 3768 944 8244486.exe 90 PID 3768 wrote to memory of 2076 3768 bthbbb.exe 91 PID 3768 wrote to memory of 2076 3768 bthbbb.exe 91 PID 3768 wrote to memory of 2076 3768 bthbbb.exe 91 PID 2076 wrote to memory of 4584 2076 086000.exe 92 PID 2076 wrote to memory of 4584 2076 086000.exe 92 PID 2076 wrote to memory of 4584 2076 086000.exe 92 PID 4584 wrote to memory of 2200 4584 bbttnn.exe 93 PID 4584 wrote to memory of 2200 4584 bbttnn.exe 93 PID 4584 wrote to memory of 2200 4584 bbttnn.exe 93 PID 2200 wrote to memory of 1220 2200 e28080.exe 94 PID 2200 wrote 
to memory of 1220 2200 e28080.exe 94 PID 2200 wrote to memory of 1220 2200 e28080.exe 94 PID 1220 wrote to memory of 1392 1220 04644.exe 95 PID 1220 wrote to memory of 1392 1220 04644.exe 95 PID 1220 wrote to memory of 1392 1220 04644.exe 95 PID 1392 wrote to memory of 3772 1392 6066606.exe 96 PID 1392 wrote to memory of 3772 1392 6066606.exe 96 PID 1392 wrote to memory of 3772 1392 6066606.exe 96 PID 3772 wrote to memory of 3000 3772 408228.exe 97 PID 3772 wrote to memory of 3000 3772 408228.exe 97 PID 3772 wrote to memory of 3000 3772 408228.exe 97 PID 3000 wrote to memory of 2596 3000 thnnhb.exe 98 PID 3000 wrote to memory of 2596 3000 thnnhb.exe 98 PID 3000 wrote to memory of 2596 3000 thnnhb.exe 98 PID 2596 wrote to memory of 4092 2596 5tbtnh.exe 99 PID 2596 wrote to memory of 4092 2596 5tbtnh.exe 99 PID 2596 wrote to memory of 4092 2596 5tbtnh.exe 99 PID 4092 wrote to memory of 3320 4092 8464482.exe 100 PID 4092 wrote to memory of 3320 4092 8464482.exe 100 PID 4092 wrote to memory of 3320 4092 8464482.exe 100 PID 3320 wrote to memory of 1124 3320 4888226.exe 101 PID 3320 wrote to memory of 1124 3320 4888226.exe 101 PID 3320 wrote to memory of 1124 3320 4888226.exe 101 PID 1124 wrote to memory of 4056 1124 btttnn.exe 102 PID 1124 wrote to memory of 4056 1124 btttnn.exe 102 PID 1124 wrote to memory of 4056 1124 btttnn.exe 102 PID 4056 wrote to memory of 4140 4056 xllfxrl.exe 103 PID 4056 wrote to memory of 4140 4056 xllfxrl.exe 103 PID 4056 wrote to memory of 4140 4056 xllfxrl.exe 103 PID 4140 wrote to memory of 3784 4140 bhnhbt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d54dd942a001e7090b91c30d23ffc7faf36acec1cd82757a4255a93baad1c561.exe"C:\Users\Admin\AppData\Local\Temp\d54dd942a001e7090b91c30d23ffc7faf36acec1cd82757a4255a93baad1c561.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\4866044.exec:\4866044.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\flxfxfl.exec:\flxfxfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\2882604.exec:\2882604.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\9jjdv.exec:\9jjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\hnbnhh.exec:\hnbnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\rlxrrfx.exec:\rlxrrfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\8244486.exec:\8244486.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\bthbbb.exec:\bthbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\086000.exec:\086000.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\bbttnn.exec:\bbttnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\e28080.exec:\e28080.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\04644.exec:\04644.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\6066606.exec:\6066606.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\408228.exec:\408228.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\thnnhb.exec:\thnnhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\5tbtnh.exec:\5tbtnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\8464482.exec:\8464482.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\4888226.exec:\4888226.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\btttnn.exec:\btttnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\xllfxrl.exec:\xllfxrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\bhnhbt.exec:\bhnhbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\80284.exec:\80284.exe23⤵
- Executes dropped EXE
PID:3784 -
\??\c:\bttnhh.exec:\bttnhh.exe24⤵
- Executes dropped EXE
PID:3896 -
\??\c:\4200882.exec:\4200882.exe25⤵
- Executes dropped EXE
PID:4968 -
\??\c:\6464444.exec:\6464444.exe26⤵
- Executes dropped EXE
PID:2072 -
\??\c:\jddjd.exec:\jddjd.exe27⤵
- Executes dropped EXE
PID:2952 -
\??\c:\2622668.exec:\2622668.exe28⤵
- Executes dropped EXE
PID:948 -
\??\c:\vdpjd.exec:\vdpjd.exe29⤵
- Executes dropped EXE
PID:4952 -
\??\c:\0820606.exec:\0820606.exe30⤵
- Executes dropped EXE
PID:1152 -
\??\c:\08440.exec:\08440.exe31⤵
- Executes dropped EXE
PID:4040 -
\??\c:\680048.exec:\680048.exe32⤵
- Executes dropped EXE
PID:1744 -
\??\c:\pvjdj.exec:\pvjdj.exe33⤵
- Executes dropped EXE
PID:1864 -
\??\c:\djvpv.exec:\djvpv.exe34⤵
- Executes dropped EXE
PID:3488 -
\??\c:\hnhhbt.exec:\hnhhbt.exe35⤵
- Executes dropped EXE
PID:2600 -
\??\c:\flrlrrl.exec:\flrlrrl.exe36⤵
- Executes dropped EXE
PID:3832 -
\??\c:\406266.exec:\406266.exe37⤵
- Executes dropped EXE
PID:5100 -
\??\c:\5bhnhh.exec:\5bhnhh.exe38⤵
- Executes dropped EXE
PID:5028 -
\??\c:\46666.exec:\46666.exe39⤵
- Executes dropped EXE
PID:3380 -
\??\c:\62826.exec:\62826.exe40⤵
- Executes dropped EXE
PID:5060 -
\??\c:\080404.exec:\080404.exe41⤵
- Executes dropped EXE
PID:772 -
\??\c:\dppjj.exec:\dppjj.exe42⤵
- Executes dropped EXE
PID:684 -
\??\c:\llrrllr.exec:\llrrllr.exe43⤵
- Executes dropped EXE
PID:1240 -
\??\c:\tnbnbt.exec:\tnbnbt.exe44⤵
- Executes dropped EXE
PID:4452 -
\??\c:\i226046.exec:\i226046.exe45⤵
- Executes dropped EXE
PID:4536 -
\??\c:\tbbnhb.exec:\tbbnhb.exe46⤵
- Executes dropped EXE
PID:1828 -
\??\c:\g2222.exec:\g2222.exe47⤵
- Executes dropped EXE
PID:2368 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe48⤵
- Executes dropped EXE
PID:3692 -
\??\c:\fxfxrrr.exec:\fxfxrrr.exe49⤵
- Executes dropped EXE
PID:1316 -
\??\c:\hbtbnb.exec:\hbtbnb.exe50⤵
- Executes dropped EXE
PID:4336 -
\??\c:\dddjv.exec:\dddjv.exe51⤵
- Executes dropped EXE
PID:1608 -
\??\c:\68066.exec:\68066.exe52⤵
- Executes dropped EXE
PID:4660 -
\??\c:\bbthbh.exec:\bbthbh.exe53⤵
- Executes dropped EXE
PID:804 -
\??\c:\pvdvj.exec:\pvdvj.exe54⤵
- Executes dropped EXE
PID:2024 -
\??\c:\ppvpd.exec:\ppvpd.exe55⤵
- Executes dropped EXE
PID:1284 -
\??\c:\vjjvp.exec:\vjjvp.exe56⤵
- Executes dropped EXE
PID:1500 -
\??\c:\80008.exec:\80008.exe57⤵
- Executes dropped EXE
PID:1396 -
\??\c:\684406.exec:\684406.exe58⤵
- Executes dropped EXE
PID:2680 -
\??\c:\lrxrlfr.exec:\lrxrlfr.exe59⤵
- Executes dropped EXE
PID:3540 -
\??\c:\vdjvd.exec:\vdjvd.exe60⤵
- Executes dropped EXE
PID:1360 -
\??\c:\2064226.exec:\2064226.exe61⤵
- Executes dropped EXE
PID:1468 -
\??\c:\xlrfxrl.exec:\xlrfxrl.exe62⤵
- Executes dropped EXE
PID:3728 -
\??\c:\nbhtnh.exec:\nbhtnh.exe63⤵
- Executes dropped EXE
PID:4280 -
\??\c:\ttttnt.exec:\ttttnt.exe64⤵
- Executes dropped EXE
PID:4416 -
\??\c:\u604260.exec:\u604260.exe65⤵
- Executes dropped EXE
PID:4008 -
\??\c:\o626488.exec:\o626488.exe66⤵PID:3788
-
\??\c:\7nnbnh.exec:\7nnbnh.exe67⤵PID:3556
-
\??\c:\pdpjv.exec:\pdpjv.exe68⤵PID:3000
-
\??\c:\htthbt.exec:\htthbt.exe69⤵PID:2064
-
\??\c:\6408264.exec:\6408264.exe70⤵PID:4680
-
\??\c:\xrxrffx.exec:\xrxrffx.exe71⤵PID:3404
-
\??\c:\6442608.exec:\6442608.exe72⤵PID:4572
-
\??\c:\thnbtt.exec:\thnbtt.exe73⤵PID:2432
-
\??\c:\rlfxlfx.exec:\rlfxlfx.exe74⤵PID:4140
-
\??\c:\xflxlfx.exec:\xflxlfx.exe75⤵PID:3300
-
\??\c:\dppdv.exec:\dppdv.exe76⤵
- System Location Discovery: System Language Discovery
PID:1996 -
\??\c:\42864.exec:\42864.exe77⤵PID:2340
-
\??\c:\422604.exec:\422604.exe78⤵PID:3100
-
\??\c:\204820.exec:\204820.exe79⤵PID:2164
-
\??\c:\thhthb.exec:\thhthb.exe80⤵PID:4704
-
\??\c:\64064.exec:\64064.exe81⤵PID:4952
-
\??\c:\7rfxfxr.exec:\7rfxfxr.exe82⤵PID:3752
-
\??\c:\rfxlfxf.exec:\rfxlfxf.exe83⤵PID:836
-
\??\c:\8624826.exec:\8624826.exe84⤵PID:3508
-
\??\c:\rflxrlx.exec:\rflxrlx.exe85⤵PID:3588
-
\??\c:\vdpdp.exec:\vdpdp.exe86⤵PID:1864
-
\??\c:\9jjjd.exec:\9jjjd.exe87⤵PID:2948
-
\??\c:\6446048.exec:\6446048.exe88⤵PID:4608
-
\??\c:\684482.exec:\684482.exe89⤵PID:4768
-
\??\c:\btbnbt.exec:\btbnbt.exe90⤵PID:4888
-
\??\c:\64600.exec:\64600.exe91⤵PID:5060
-
\??\c:\8664220.exec:\8664220.exe92⤵PID:1212
-
\??\c:\462644.exec:\462644.exe93⤵PID:4612
-
\??\c:\6626448.exec:\6626448.exe94⤵PID:3624
-
\??\c:\tbthbt.exec:\tbthbt.exe95⤵PID:4936
-
\??\c:\8664266.exec:\8664266.exe96⤵PID:4532
-
\??\c:\fxxlxrl.exec:\fxxlxrl.exe97⤵PID:1316
-
\??\c:\rffflff.exec:\rffflff.exe98⤵PID:1936
-
\??\c:\80220.exec:\80220.exe99⤵PID:1980
-
\??\c:\860060.exec:\860060.exe100⤵PID:3092
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe101⤵PID:208
-
\??\c:\bthbbb.exec:\bthbbb.exe102⤵PID:3028
-
\??\c:\202622.exec:\202622.exe103⤵PID:1284
-
\??\c:\5jpjd.exec:\5jpjd.exe104⤵PID:2788
-
\??\c:\i686042.exec:\i686042.exe105⤵PID:1500
-
\??\c:\xrrlffx.exec:\xrrlffx.exe106⤵PID:3952
-
\??\c:\040482.exec:\040482.exe107⤵PID:2680
-
\??\c:\28482.exec:\28482.exe108⤵PID:3184
-
\??\c:\c460488.exec:\c460488.exe109⤵PID:4584
-
\??\c:\vvvpp.exec:\vvvpp.exe110⤵PID:972
-
\??\c:\w28600.exec:\w28600.exe111⤵PID:1504
-
\??\c:\06648.exec:\06648.exe112⤵PID:3680
-
\??\c:\0486266.exec:\0486266.exe113⤵PID:2820
-
\??\c:\86860.exec:\86860.exe114⤵PID:3516
-
\??\c:\rxrrfff.exec:\rxrrfff.exe115⤵PID:3000
-
\??\c:\42042.exec:\42042.exe116⤵PID:2596
-
\??\c:\9pvjv.exec:\9pvjv.exe117⤵PID:3576
-
\??\c:\06260.exec:\06260.exe118⤵PID:4680
-
\??\c:\c200484.exec:\c200484.exe119⤵PID:1780
-
\??\c:\6220048.exec:\6220048.exe120⤵PID:1220
-
\??\c:\046048.exec:\046048.exe121⤵PID:1788
-
\??\c:\0440448.exec:\0440448.exe122⤵PID:2380