Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 03:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe
-
Size
348KB
-
MD5
cfe37d94b619b82303018cdcf2568d42
-
SHA1
7cb5917f0bae5492d442140e769b832ad7c3030b
-
SHA256
c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6
-
SHA512
c066c3290c16a1d0ba43bf53a88b834a40a97bed7d7f8c4b5574af798699e4e294a31760fdfe96692f80517232b84df88c9d47d110f4df05d23c7331a9e52e59
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAa0:l7TcbWXZshJX2VGdb
Malware Config
Signatures
-
Blackmoon family (every memory hit below is the same 0x00400000–0x00428000 image range in a different PID, suggesting each dropped EXE in the chain carries the same payload)
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/3436-4-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2364-13-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5108-19-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4252-17-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3412-30-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3488-38-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2852-43-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/212-50-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1392-52-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1952-65-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1592-64-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2976-74-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1776-78-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2436-85-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3592-92-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4060-104-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1336-109-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1760-131-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1944-143-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3444-165-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3856-209-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/1120-234-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5056-224-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4752-220-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4748-213-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3916-199-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2188-195-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3192-191-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1872-182-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2264-176-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1360-149-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1656-127-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3504-262-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4368-266-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3620-276-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4744-289-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1948-305-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4212-315-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2600-319-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4700-335-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1128-348-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/428-352-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/2040-377-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3284-387-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1992-400-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/912-425-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1676-441-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2064-448-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3956-467-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3668-492-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2620-532-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1048-563-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4852-567-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3304-595-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3884-632-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5116-666-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/692-733-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2068-749-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4852-901-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3484-971-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2596-1110-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2364 88408.exe 5108 0282644.exe 4252 600884.exe 3412 vpjvj.exe 3488 5lxrrll.exe 2852 g4042.exe 1392 406688.exe 212 1jjdv.exe 1592 8608260.exe 1952 1xrrflx.exe 2976 44042.exe 1776 q08260.exe 2436 rflllfx.exe 2192 642206.exe 3592 422200.exe 4060 hbbnhb.exe 4656 o404006.exe 1336 2442226.exe 4720 fxllxxx.exe 1656 000820.exe 4428 866644.exe 1760 622866.exe 2268 444804.exe 1944 866428.exe 1360 lxxlxrl.exe 1464 20084.exe 4040 dvdvj.exe 3444 hbbthb.exe 2296 04680.exe 2264 htnbnh.exe 1872 284200.exe 3516 2408664.exe 3192 20266.exe 2188 222682.exe 3916 s6286.exe 3936 thhthb.exe 2032 pppdj.exe 3856 2082482.exe 4748 xllfrlx.exe 1052 m6604.exe 4752 nbhtnh.exe 5056 228648.exe 1060 thnhtt.exe 4332 9vpjv.exe 1120 rffxfxl.exe 5020 i008604.exe 1676 2042088.exe 1248 htnhtn.exe 4608 026864.exe 1160 6286008.exe 4780 nbbntt.exe 3484 e20062.exe 3504 thtntn.exe 4368 thhbnh.exe 512 dvpdp.exe 1840 02826.exe 3620 tbttnb.exe 3224 1vpjd.exe 4560 bttnbt.exe 2968 k64684.exe 4744 rrlxrrr.exe 1996 244002.exe 4104 s6660.exe 4188 rlllrrl.exe -
resource yara_rule behavioral2/memory/3436-4-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2364-13-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5108-10-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5108-19-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4252-17-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3412-25-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3412-30-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2852-36-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3488-38-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2852-43-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/212-50-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1392-52-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1592-56-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1952-65-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1592-64-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2976-74-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1776-78-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2436-85-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3592-92-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4060-104-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1336-109-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1656-119-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1760-131-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1944-143-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/3444-165-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3856-209-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1120-234-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5056-224-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4752-220-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4748-213-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3916-199-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2188-195-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3192-191-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1872-182-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2264-176-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1360-149-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1656-127-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3504-262-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4368-266-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3620-276-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4744-289-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1948-305-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4212-315-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2600-319-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4700-335-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1128-348-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/428-352-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2040-377-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/3284-387-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1992-400-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/912-425-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1676-441-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2064-448-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3956-467-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3668-492-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2620-532-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1048-563-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4852-567-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3304-595-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3884-632-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5116-666-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/692-733-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2068-749-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4560-828-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Entries below marked "Process not Found" are key opens whose owning process had likely already exited before the event could be attributed, so the process name could not be resolved.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o264662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bntbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4660820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — note: every entry below shows a process writing into the child it has just spawned (e.g. 3436 → 2364, 2364 → 5108), matching the process tree; this is consistent with parent-to-child hand-off at process creation rather than injection into an unrelated process, so treat it as corroborating the spawn chain, not as stand-alone evidence of injection.
description pid Process procid_target PID 3436 wrote to memory of 2364 3436 c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe 83 PID 3436 wrote to memory of 2364 3436 c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe 83 PID 3436 wrote to memory of 2364 3436 c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe 83 PID 2364 wrote to memory of 5108 2364 88408.exe 84 PID 2364 wrote to memory of 5108 2364 88408.exe 84 PID 2364 wrote to memory of 5108 2364 88408.exe 84 PID 5108 wrote to memory of 4252 5108 0282644.exe 85 PID 5108 wrote to memory of 4252 5108 0282644.exe 85 PID 5108 wrote to memory of 4252 5108 0282644.exe 85 PID 4252 wrote to memory of 3412 4252 600884.exe 86 PID 4252 wrote to memory of 3412 4252 600884.exe 86 PID 4252 wrote to memory of 3412 4252 600884.exe 86 PID 3412 wrote to memory of 3488 3412 vpjvj.exe 87 PID 3412 wrote to memory of 3488 3412 vpjvj.exe 87 PID 3412 wrote to memory of 3488 3412 vpjvj.exe 87 PID 3488 wrote to memory of 2852 3488 5lxrrll.exe 88 PID 3488 wrote to memory of 2852 3488 5lxrrll.exe 88 PID 3488 wrote to memory of 2852 3488 5lxrrll.exe 88 PID 2852 wrote to memory of 1392 2852 g4042.exe 89 PID 2852 wrote to memory of 1392 2852 g4042.exe 89 PID 2852 wrote to memory of 1392 2852 g4042.exe 89 PID 1392 wrote to memory of 212 1392 406688.exe 90 PID 1392 wrote to memory of 212 1392 406688.exe 90 PID 1392 wrote to memory of 212 1392 406688.exe 90 PID 212 wrote to memory of 1592 212 1jjdv.exe 91 PID 212 wrote to memory of 1592 212 1jjdv.exe 91 PID 212 wrote to memory of 1592 212 1jjdv.exe 91 PID 1592 wrote to memory of 1952 1592 8608260.exe 92 PID 1592 wrote to memory of 1952 1592 8608260.exe 92 PID 1592 wrote to memory of 1952 1592 8608260.exe 92 PID 1952 wrote to memory of 2976 1952 1xrrflx.exe 93 PID 1952 wrote to memory of 2976 1952 1xrrflx.exe 93 PID 1952 wrote to memory of 2976 1952 1xrrflx.exe 93 PID 2976 wrote to memory of 1776 2976 44042.exe 94 PID 2976 wrote to memory of 
1776 2976 44042.exe 94 PID 2976 wrote to memory of 1776 2976 44042.exe 94 PID 1776 wrote to memory of 2436 1776 q08260.exe 95 PID 1776 wrote to memory of 2436 1776 q08260.exe 95 PID 1776 wrote to memory of 2436 1776 q08260.exe 95 PID 2436 wrote to memory of 2192 2436 rflllfx.exe 96 PID 2436 wrote to memory of 2192 2436 rflllfx.exe 96 PID 2436 wrote to memory of 2192 2436 rflllfx.exe 96 PID 2192 wrote to memory of 3592 2192 642206.exe 97 PID 2192 wrote to memory of 3592 2192 642206.exe 97 PID 2192 wrote to memory of 3592 2192 642206.exe 97 PID 3592 wrote to memory of 4060 3592 422200.exe 98 PID 3592 wrote to memory of 4060 3592 422200.exe 98 PID 3592 wrote to memory of 4060 3592 422200.exe 98 PID 4060 wrote to memory of 4656 4060 hbbnhb.exe 99 PID 4060 wrote to memory of 4656 4060 hbbnhb.exe 99 PID 4060 wrote to memory of 4656 4060 hbbnhb.exe 99 PID 4656 wrote to memory of 1336 4656 o404006.exe 100 PID 4656 wrote to memory of 1336 4656 o404006.exe 100 PID 4656 wrote to memory of 1336 4656 o404006.exe 100 PID 1336 wrote to memory of 4720 1336 2442226.exe 101 PID 1336 wrote to memory of 4720 1336 2442226.exe 101 PID 1336 wrote to memory of 4720 1336 2442226.exe 101 PID 4720 wrote to memory of 1656 4720 fxllxxx.exe 102 PID 4720 wrote to memory of 1656 4720 fxllxxx.exe 102 PID 4720 wrote to memory of 1656 4720 fxllxxx.exe 102 PID 1656 wrote to memory of 4428 1656 000820.exe 103 PID 1656 wrote to memory of 4428 1656 000820.exe 103 PID 1656 wrote to memory of 4428 1656 000820.exe 103 PID 4428 wrote to memory of 1760 4428 866644.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe"C:\Users\Admin\AppData\Local\Temp\c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\88408.exec:\88408.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\0282644.exec:\0282644.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\600884.exec:\600884.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\vpjvj.exec:\vpjvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\5lxrrll.exec:\5lxrrll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\g4042.exec:\g4042.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\406688.exec:\406688.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\1jjdv.exec:\1jjdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\8608260.exec:\8608260.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\1xrrflx.exec:\1xrrflx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\44042.exec:\44042.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\q08260.exec:\q08260.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\rflllfx.exec:\rflllfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\642206.exec:\642206.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\422200.exec:\422200.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\hbbnhb.exec:\hbbnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\o404006.exec:\o404006.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\2442226.exec:\2442226.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\fxllxxx.exec:\fxllxxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\000820.exec:\000820.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\866644.exec:\866644.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\622866.exec:\622866.exe23⤵
- Executes dropped EXE
PID:1760 -
\??\c:\444804.exec:\444804.exe24⤵
- Executes dropped EXE
PID:2268 -
\??\c:\866428.exec:\866428.exe25⤵
- Executes dropped EXE
PID:1944 -
\??\c:\lxxlxrl.exec:\lxxlxrl.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1360 -
\??\c:\20084.exec:\20084.exe27⤵
- Executes dropped EXE
PID:1464 -
\??\c:\dvdvj.exec:\dvdvj.exe28⤵
- Executes dropped EXE
PID:4040 -
\??\c:\hbbthb.exec:\hbbthb.exe29⤵
- Executes dropped EXE
PID:3444 -
\??\c:\04680.exec:\04680.exe30⤵
- Executes dropped EXE
PID:2296 -
\??\c:\htnbnh.exec:\htnbnh.exe31⤵
- Executes dropped EXE
PID:2264 -
\??\c:\284200.exec:\284200.exe32⤵
- Executes dropped EXE
PID:1872 -
\??\c:\2408664.exec:\2408664.exe33⤵
- Executes dropped EXE
PID:3516 -
\??\c:\20266.exec:\20266.exe34⤵
- Executes dropped EXE
PID:3192 -
\??\c:\222682.exec:\222682.exe35⤵
- Executes dropped EXE
PID:2188 -
\??\c:\s6286.exec:\s6286.exe36⤵
- Executes dropped EXE
PID:3916 -
\??\c:\thhthb.exec:\thhthb.exe37⤵
- Executes dropped EXE
PID:3936 -
\??\c:\pppdj.exec:\pppdj.exe38⤵
- Executes dropped EXE
PID:2032 -
\??\c:\2082482.exec:\2082482.exe39⤵
- Executes dropped EXE
PID:3856 -
\??\c:\xllfrlx.exec:\xllfrlx.exe40⤵
- Executes dropped EXE
PID:4748 -
\??\c:\m6604.exec:\m6604.exe41⤵
- Executes dropped EXE
PID:1052 -
\??\c:\nbhtnh.exec:\nbhtnh.exe42⤵
- Executes dropped EXE
PID:4752 -
\??\c:\228648.exec:\228648.exe43⤵
- Executes dropped EXE
PID:5056 -
\??\c:\thnhtt.exec:\thnhtt.exe44⤵
- Executes dropped EXE
PID:1060 -
\??\c:\9vpjv.exec:\9vpjv.exe45⤵
- Executes dropped EXE
PID:4332 -
\??\c:\rffxfxl.exec:\rffxfxl.exe46⤵
- Executes dropped EXE
PID:1120 -
\??\c:\i008604.exec:\i008604.exe47⤵
- Executes dropped EXE
PID:5020 -
\??\c:\2042088.exec:\2042088.exe48⤵
- Executes dropped EXE
PID:1676 -
\??\c:\htnhtn.exec:\htnhtn.exe49⤵
- Executes dropped EXE
PID:1248 -
\??\c:\026864.exec:\026864.exe50⤵
- Executes dropped EXE
PID:4608 -
\??\c:\6286008.exec:\6286008.exe51⤵
- Executes dropped EXE
PID:1160 -
\??\c:\nbbntt.exec:\nbbntt.exe52⤵
- Executes dropped EXE
PID:4780 -
\??\c:\e20062.exec:\e20062.exe53⤵
- Executes dropped EXE
PID:3484 -
\??\c:\thtntn.exec:\thtntn.exe54⤵
- Executes dropped EXE
PID:3504 -
\??\c:\thhbnh.exec:\thhbnh.exe55⤵
- Executes dropped EXE
PID:4368 -
\??\c:\dvpdp.exec:\dvpdp.exe56⤵
- Executes dropped EXE
PID:512 -
\??\c:\02826.exec:\02826.exe57⤵
- Executes dropped EXE
PID:1840 -
\??\c:\tbttnb.exec:\tbttnb.exe58⤵
- Executes dropped EXE
PID:3620 -
\??\c:\1vpjd.exec:\1vpjd.exe59⤵
- Executes dropped EXE
PID:3224 -
\??\c:\bttnbt.exec:\bttnbt.exe60⤵
- Executes dropped EXE
PID:4560 -
\??\c:\k64684.exec:\k64684.exe61⤵
- Executes dropped EXE
PID:2968 -
\??\c:\rrlxrrr.exec:\rrlxrrr.exe62⤵
- Executes dropped EXE
PID:4744 -
\??\c:\244002.exec:\244002.exe63⤵
- Executes dropped EXE
PID:1996 -
\??\c:\s6660.exec:\s6660.exe64⤵
- Executes dropped EXE
PID:4104 -
\??\c:\rlllrrl.exec:\rlllrrl.exe65⤵
- Executes dropped EXE
PID:4188 -
\??\c:\82822.exec:\82822.exe66⤵PID:4576
-
\??\c:\tnbbnn.exec:\tnbbnn.exe67⤵PID:1948
-
\??\c:\482600.exec:\482600.exe68⤵PID:2976
-
\??\c:\022226.exec:\022226.exe69⤵PID:1776
-
\??\c:\20008.exec:\20008.exe70⤵PID:4212
-
\??\c:\g6826.exec:\g6826.exe71⤵PID:2600
-
\??\c:\fflfxxf.exec:\fflfxxf.exe72⤵PID:1756
-
\??\c:\804826.exec:\804826.exe73⤵PID:3204
-
\??\c:\btbbtt.exec:\btbbtt.exe74⤵PID:2740
-
\??\c:\vjdpj.exec:\vjdpj.exe75⤵PID:392
-
\??\c:\60000.exec:\60000.exe76⤵PID:4700
-
\??\c:\2440600.exec:\2440600.exe77⤵PID:3376
-
\??\c:\24600.exec:\24600.exe78⤵PID:5112
-
\??\c:\jddvv.exec:\jddvv.exe79⤵PID:1656
-
\??\c:\ppvvp.exec:\ppvvp.exe80⤵PID:1128
-
\??\c:\pdpjp.exec:\pdpjp.exe81⤵PID:428
-
\??\c:\llfxrxr.exec:\llfxrxr.exe82⤵PID:4216
-
\??\c:\xrxxrrl.exec:\xrxxrrl.exe83⤵PID:1416
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe84⤵PID:1856
-
\??\c:\9rfxflf.exec:\9rfxflf.exe85⤵PID:1464
-
\??\c:\606644.exec:\606644.exe86⤵PID:692
-
\??\c:\bbhnbt.exec:\bbhnbt.exe87⤵PID:1792
-
\??\c:\jvvvv.exec:\jvvvv.exe88⤵PID:2216
-
\??\c:\884488.exec:\884488.exe89⤵PID:2040
-
\??\c:\3bthtn.exec:\3bthtn.exe90⤵PID:1872
-
\??\c:\7rlfflr.exec:\7rlfflr.exe91⤵PID:880
-
\??\c:\httnbt.exec:\httnbt.exe92⤵PID:3284
-
\??\c:\lflllff.exec:\lflllff.exe93⤵PID:1192
-
\??\c:\pjjdp.exec:\pjjdp.exe94⤵PID:2424
-
\??\c:\bhhbhb.exec:\bhhbhb.exe95⤵PID:2208
-
\??\c:\vpddd.exec:\vpddd.exe96⤵PID:1992
-
\??\c:\vjdvd.exec:\vjdvd.exe97⤵
- System Location Discovery: System Language Discovery
PID:3856 -
\??\c:\046060.exec:\046060.exe98⤵PID:4420
-
\??\c:\8082600.exec:\8082600.exe99⤵PID:1076
-
\??\c:\pjdvp.exec:\pjdvp.exe100⤵PID:4664
-
\??\c:\q62026.exec:\q62026.exe101⤵PID:2828
-
\??\c:\nnnhtt.exec:\nnnhtt.exe102⤵PID:1888
-
\??\c:\djjvj.exec:\djjvj.exe103⤵PID:5012
-
\??\c:\82668.exec:\82668.exe104⤵PID:912
-
\??\c:\5vjdj.exec:\5vjdj.exe105⤵PID:5032
-
\??\c:\xlfxxrf.exec:\xlfxxrf.exe106⤵PID:1760
-
\??\c:\260824.exec:\260824.exe107⤵PID:4876
-
\??\c:\btnhhb.exec:\btnhhb.exe108⤵PID:3664
-
\??\c:\9ppjv.exec:\9ppjv.exe109⤵PID:1676
-
\??\c:\262884.exec:\262884.exe110⤵PID:4980
-
\??\c:\7lrrrrr.exec:\7lrrrrr.exe111⤵PID:2064
-
\??\c:\04460.exec:\04460.exe112⤵PID:4904
-
\??\c:\pdjdv.exec:\pdjdv.exe113⤵PID:916
-
\??\c:\80604.exec:\80604.exe114⤵PID:3660
-
\??\c:\2822262.exec:\2822262.exe115⤵PID:3504
-
\??\c:\3nnhtt.exec:\3nnhtt.exe116⤵PID:3996
-
\??\c:\468260.exec:\468260.exe117⤵PID:3956
-
\??\c:\044000.exec:\044000.exe118⤵PID:2052
-
\??\c:\4464264.exec:\4464264.exe119⤵PID:3620
-
\??\c:\bhtbht.exec:\bhtbht.exe120⤵PID:1072
-
\??\c:\5ddvj.exec:\5ddvj.exe121⤵PID:2964
-
\??\c:\00802.exec:\00802.exe122⤵PID:2852