Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24-12-2024 22:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
64fdac8e5fd6d516fa726d64e8afb6a7e215b00b59abfabb0f62af74d784b179.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
64fdac8e5fd6d516fa726d64e8afb6a7e215b00b59abfabb0f62af74d784b179.exe
-
Size
454KB
-
MD5
7214ca5b07d4ffa638e0b5750e8fc3c4
-
SHA1
f7f4f0a113a9847e59fe4b986f7bd3861966d2f6
-
SHA256
64fdac8e5fd6d516fa726d64e8afb6a7e215b00b59abfabb0f62af74d784b179
-
SHA512
bc952feb2c19304b0148a3f63d40ceeb6b49fcaf74da21e326256d6004c213356580ad7fc1e519511b36a036c433d744c43b31a0b0d36c20763dbf432e023e58
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/840-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3144-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4084-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-745-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-1002-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-1093-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-1311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4544 tthbtn.exe 4024 1rfxxlf.exe 3776 rlfffff.exe 4512 xrrrlfx.exe 1916 nbhhbb.exe 3784 i606000.exe 1128 440026.exe 2492 vjvdv.exe 3928 jvjdd.exe 4076 w04068.exe 4960 82686.exe 1084 dpppp.exe 5040 1vdvv.exe 5112 02828.exe 5092 m6488.exe 1464 pppjp.exe 1228 dvvdd.exe 4968 02882.exe 3236 06266.exe 2000 xllrfxl.exe 4212 ppjjd.exe 1428 pjvpd.exe 3568 006600.exe 4020 60848.exe 4956 bthbhh.exe 2544 nnbtnn.exe 4052 3jpjj.exe 3728 pjpjd.exe 1500 tnhnbn.exe 4384 u000888.exe 496 s2004.exe 3484 6060488.exe 2380 vjpdd.exe 4732 464422.exe 2740 g2266.exe 2212 282266.exe 4992 flxxf.exe 4192 2844000.exe 1376 80204.exe 4880 xffxxrl.exe 2680 22204.exe 3144 282888.exe 4468 3nnbnh.exe 3352 28820.exe 2300 q00826.exe 3224 ddjpd.exe 2180 fxfrfxx.exe 4472 rlxrllf.exe 4844 648826.exe 2448 7xxlxrx.exe 1564 jppdv.exe 4544 pjdvp.exe 4028 7fxrlxx.exe 492 i004860.exe 3696 tthnbn.exe 224 60604.exe 3744 tbhbtn.exe 2628 6226444.exe 3572 djdvv.exe 3680 8060460.exe 2284 9jdpj.exe 1928 ffrfrlf.exe 1540 64826.exe 3292 xlfrlfx.exe -
resource yara_rule behavioral2/memory/840-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-225-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4880-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-355-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3588-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-764-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flflfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
7bnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 028266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4264204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6448260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 840 wrote to memory of 4544 840 64fdac8e5fd6d516fa726d64e8afb6a7e215b00b59abfabb0f62af74d784b179.exe 83 PID 840 wrote to memory of 4544 840 64fdac8e5fd6d516fa726d64e8afb6a7e215b00b59abfabb0f62af74d784b179.exe 83 PID 840 wrote to memory of 4544 840 64fdac8e5fd6d516fa726d64e8afb6a7e215b00b59abfabb0f62af74d784b179.exe 83 PID 4544 wrote to memory of 4024 4544 tthbtn.exe 84 PID 4544 wrote to memory of 4024 4544 tthbtn.exe 84 PID 4544 wrote to memory of 4024 4544 tthbtn.exe 84 PID 4024 wrote to memory of 3776 4024 1rfxxlf.exe 85 PID 4024 wrote to memory of 3776 4024 1rfxxlf.exe 85 PID 4024 wrote to memory of 3776 4024 1rfxxlf.exe 85 PID 3776 wrote to memory of 4512 3776 rlfffff.exe 86 PID 3776 wrote to memory of 4512 3776 rlfffff.exe 86 PID 3776 wrote to memory of 4512 3776 rlfffff.exe 86 PID 4512 wrote to memory of 1916 4512 xrrrlfx.exe 87 PID 4512 wrote to memory of 1916 4512 xrrrlfx.exe 87 PID 4512 wrote to memory of 1916 4512 xrrrlfx.exe 87 PID 1916 wrote to memory of 3784 1916 nbhhbb.exe 88 PID 1916 wrote to memory of 3784 1916 nbhhbb.exe 88 PID 1916 wrote to memory of 3784 1916 nbhhbb.exe 88 PID 3784 wrote to memory of 1128 3784 i606000.exe 89 PID 3784 wrote to memory of 1128 3784 i606000.exe 89 PID 3784 wrote to memory of 1128 3784 i606000.exe 89 PID 1128 wrote to memory of 2492 1128 440026.exe 90 PID 1128 wrote to memory of 2492 1128 440026.exe 90 PID 1128 wrote to memory of 2492 1128 440026.exe 90 PID 2492 wrote to memory of 3928 2492 vjvdv.exe 91 PID 2492 wrote to memory of 3928 2492 vjvdv.exe 91 PID 2492 wrote to memory of 3928 2492 vjvdv.exe 91 PID 3928 wrote to memory of 4076 3928 jvjdd.exe 92 PID 3928 wrote to memory of 4076 3928 jvjdd.exe 92 PID 3928 wrote to memory of 4076 3928 jvjdd.exe 92 PID 4076 wrote to memory of 4960 4076 w04068.exe 93 PID 4076 wrote to memory of 4960 4076 w04068.exe 93 PID 4076 wrote to memory of 4960 4076 w04068.exe 93 PID 4960 wrote to memory of 1084 4960 82686.exe 94 PID 4960 wrote to 
memory of 1084 4960 82686.exe 94 PID 4960 wrote to memory of 1084 4960 82686.exe 94 PID 1084 wrote to memory of 5040 1084 dpppp.exe 95 PID 1084 wrote to memory of 5040 1084 dpppp.exe 95 PID 1084 wrote to memory of 5040 1084 dpppp.exe 95 PID 5040 wrote to memory of 5112 5040 1vdvv.exe 96 PID 5040 wrote to memory of 5112 5040 1vdvv.exe 96 PID 5040 wrote to memory of 5112 5040 1vdvv.exe 96 PID 5112 wrote to memory of 5092 5112 02828.exe 97 PID 5112 wrote to memory of 5092 5112 02828.exe 97 PID 5112 wrote to memory of 5092 5112 02828.exe 97 PID 5092 wrote to memory of 1464 5092 m6488.exe 98 PID 5092 wrote to memory of 1464 5092 m6488.exe 98 PID 5092 wrote to memory of 1464 5092 m6488.exe 98 PID 1464 wrote to memory of 1228 1464 pppjp.exe 99 PID 1464 wrote to memory of 1228 1464 pppjp.exe 99 PID 1464 wrote to memory of 1228 1464 pppjp.exe 99 PID 1228 wrote to memory of 4968 1228 dvvdd.exe 100 PID 1228 wrote to memory of 4968 1228 dvvdd.exe 100 PID 1228 wrote to memory of 4968 1228 dvvdd.exe 100 PID 4968 wrote to memory of 3236 4968 02882.exe 101 PID 4968 wrote to memory of 3236 4968 02882.exe 101 PID 4968 wrote to memory of 3236 4968 02882.exe 101 PID 3236 wrote to memory of 2000 3236 06266.exe 102 PID 3236 wrote to memory of 2000 3236 06266.exe 102 PID 3236 wrote to memory of 2000 3236 06266.exe 102 PID 2000 wrote to memory of 4212 2000 xllrfxl.exe 103 PID 2000 wrote to memory of 4212 2000 xllrfxl.exe 103 PID 2000 wrote to memory of 4212 2000 xllrfxl.exe 103 PID 4212 wrote to memory of 1428 4212 ppjjd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\64fdac8e5fd6d516fa726d64e8afb6a7e215b00b59abfabb0f62af74d784b179.exe"C:\Users\Admin\AppData\Local\Temp\64fdac8e5fd6d516fa726d64e8afb6a7e215b00b59abfabb0f62af74d784b179.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\tthbtn.exec:\tthbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\1rfxxlf.exec:\1rfxxlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\rlfffff.exec:\rlfffff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\xrrrlfx.exec:\xrrrlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\nbhhbb.exec:\nbhhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\i606000.exec:\i606000.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\440026.exec:\440026.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\vjvdv.exec:\vjvdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\jvjdd.exec:\jvjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\w04068.exec:\w04068.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\82686.exec:\82686.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\dpppp.exec:\dpppp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\1vdvv.exec:\1vdvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\02828.exec:\02828.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\m6488.exec:\m6488.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\pppjp.exec:\pppjp.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\dvvdd.exec:\dvvdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\02882.exec:\02882.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\06266.exec:\06266.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\xllrfxl.exec:\xllrfxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\ppjjd.exec:\ppjjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\pjvpd.exec:\pjvpd.exe23⤵
- Executes dropped EXE
PID:1428 -
\??\c:\006600.exec:\006600.exe24⤵
- Executes dropped EXE
PID:3568 -
\??\c:\60848.exec:\60848.exe25⤵
- Executes dropped EXE
PID:4020 -
\??\c:\bthbhh.exec:\bthbhh.exe26⤵
- Executes dropped EXE
PID:4956 -
\??\c:\nnbtnn.exec:\nnbtnn.exe27⤵
- Executes dropped EXE
PID:2544 -
\??\c:\3jpjj.exec:\3jpjj.exe28⤵
- Executes dropped EXE
PID:4052 -
\??\c:\pjpjd.exec:\pjpjd.exe29⤵
- Executes dropped EXE
PID:3728 -
\??\c:\tnhnbn.exec:\tnhnbn.exe30⤵
- Executes dropped EXE
PID:1500 -
\??\c:\u000888.exec:\u000888.exe31⤵
- Executes dropped EXE
PID:4384 -
\??\c:\s2004.exec:\s2004.exe32⤵
- Executes dropped EXE
PID:496 -
\??\c:\6060488.exec:\6060488.exe33⤵
- Executes dropped EXE
PID:3484 -
\??\c:\vjpdd.exec:\vjpdd.exe34⤵
- Executes dropped EXE
PID:2380 -
\??\c:\464422.exec:\464422.exe35⤵
- Executes dropped EXE
PID:4732 -
\??\c:\g2266.exec:\g2266.exe36⤵
- Executes dropped EXE
PID:2740 -
\??\c:\282266.exec:\282266.exe37⤵
- Executes dropped EXE
PID:2212 -
\??\c:\flxxf.exec:\flxxf.exe38⤵
- Executes dropped EXE
PID:4992 -
\??\c:\2844000.exec:\2844000.exe39⤵
- Executes dropped EXE
PID:4192 -
\??\c:\80204.exec:\80204.exe40⤵
- Executes dropped EXE
PID:1376 -
\??\c:\xffxxrl.exec:\xffxxrl.exe41⤵
- Executes dropped EXE
PID:4880 -
\??\c:\22204.exec:\22204.exe42⤵
- Executes dropped EXE
PID:2680 -
\??\c:\282888.exec:\282888.exe43⤵
- Executes dropped EXE
PID:3144 -
\??\c:\3nnbnh.exec:\3nnbnh.exe44⤵
- Executes dropped EXE
PID:4468 -
\??\c:\28820.exec:\28820.exe45⤵
- Executes dropped EXE
PID:3352 -
\??\c:\q00826.exec:\q00826.exe46⤵
- Executes dropped EXE
PID:2300 -
\??\c:\ddjpd.exec:\ddjpd.exe47⤵
- Executes dropped EXE
PID:3224 -
\??\c:\fxfrfxx.exec:\fxfrfxx.exe48⤵
- Executes dropped EXE
PID:2180 -
\??\c:\rlxrllf.exec:\rlxrllf.exe49⤵
- Executes dropped EXE
PID:4472 -
\??\c:\648826.exec:\648826.exe50⤵
- Executes dropped EXE
PID:4844 -
\??\c:\7xxlxrx.exec:\7xxlxrx.exe51⤵
- Executes dropped EXE
PID:2448 -
\??\c:\jppdv.exec:\jppdv.exe52⤵
- Executes dropped EXE
PID:1564 -
\??\c:\pjdvp.exec:\pjdvp.exe53⤵
- Executes dropped EXE
PID:4544 -
\??\c:\7fxrlxx.exec:\7fxrlxx.exe54⤵
- Executes dropped EXE
PID:4028 -
\??\c:\i004860.exec:\i004860.exe55⤵
- Executes dropped EXE
PID:492 -
\??\c:\tthnbn.exec:\tthnbn.exe56⤵
- Executes dropped EXE
PID:3696 -
\??\c:\60604.exec:\60604.exe57⤵
- Executes dropped EXE
PID:224 -
\??\c:\tbhbtn.exec:\tbhbtn.exe58⤵
- Executes dropped EXE
PID:3744 -
\??\c:\6226444.exec:\6226444.exe59⤵
- Executes dropped EXE
PID:2628 -
\??\c:\djdvv.exec:\djdvv.exe60⤵
- Executes dropped EXE
PID:3572 -
\??\c:\8060460.exec:\8060460.exe61⤵
- Executes dropped EXE
PID:3680 -
\??\c:\9jdpj.exec:\9jdpj.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284 -
\??\c:\ffrfrlf.exec:\ffrfrlf.exe63⤵
- Executes dropped EXE
PID:1928 -
\??\c:\64826.exec:\64826.exe64⤵
- Executes dropped EXE
PID:1540 -
\??\c:\xlfrlfx.exec:\xlfrlfx.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3292 -
\??\c:\nhhbtn.exec:\nhhbtn.exe66⤵PID:4064
-
\??\c:\86264.exec:\86264.exe67⤵PID:780
-
\??\c:\408064.exec:\408064.exe68⤵PID:3684
-
\??\c:\7jjjv.exec:\7jjjv.exe69⤵PID:1996
-
\??\c:\i648484.exec:\i648484.exe70⤵PID:1124
-
\??\c:\200820.exec:\200820.exe71⤵PID:1084
-
\??\c:\bntnbt.exec:\bntnbt.exe72⤵PID:2960
-
\??\c:\8620482.exec:\8620482.exe73⤵PID:2708
-
\??\c:\jjvpp.exec:\jjvpp.exe74⤵PID:3052
-
\??\c:\0628680.exec:\0628680.exe75⤵PID:4084
-
\??\c:\7ddvp.exec:\7ddvp.exe76⤵PID:2832
-
\??\c:\6060826.exec:\6060826.exe77⤵PID:1904
-
\??\c:\pjjdd.exec:\pjjdd.exe78⤵PID:4816
-
\??\c:\82604.exec:\82604.exe79⤵PID:1588
-
\??\c:\ppppd.exec:\ppppd.exe80⤵PID:5096
-
\??\c:\3bbttn.exec:\3bbttn.exe81⤵PID:2476
-
\??\c:\dvpdp.exec:\dvpdp.exe82⤵PID:2932
-
\??\c:\4848848.exec:\4848848.exe83⤵PID:3588
-
\??\c:\xxxlflx.exec:\xxxlflx.exe84⤵PID:2084
-
\??\c:\02822.exec:\02822.exe85⤵PID:1868
-
\??\c:\6248822.exec:\6248822.exe86⤵PID:3844
-
\??\c:\48424.exec:\48424.exe87⤵PID:496
-
\??\c:\02004.exec:\02004.exe88⤵PID:1640
-
\??\c:\e66048.exec:\e66048.exe89⤵PID:4852
-
\??\c:\hhnhh2.exec:\hhnhh2.exe90⤵PID:2740
-
\??\c:\48608.exec:\48608.exe91⤵PID:4948
-
\??\c:\880444.exec:\880444.exe92⤵PID:4988
-
\??\c:\1flxrlf.exec:\1flxrlf.exe93⤵PID:4996
-
\??\c:\5lrlfxx.exec:\5lrlfxx.exe94⤵PID:4668
-
\??\c:\286064.exec:\286064.exe95⤵PID:2680
-
\??\c:\k80844.exec:\k80844.exe96⤵PID:4980
-
\??\c:\hbthhb.exec:\hbthhb.exe97⤵PID:1992
-
\??\c:\0264488.exec:\0264488.exe98⤵PID:4728
-
\??\c:\1hbnhb.exec:\1hbnhb.exe99⤵PID:4884
-
\??\c:\hhnbth.exec:\hhnbth.exe100⤵PID:2180
-
\??\c:\llfxrll.exec:\llfxrll.exe101⤵PID:4588
-
\??\c:\jjvpj.exec:\jjvpj.exe102⤵PID:1556
-
\??\c:\222266.exec:\222266.exe103⤵PID:1256
-
\??\c:\420668.exec:\420668.exe104⤵
- System Location Discovery: System Language Discovery
PID:4024 -
\??\c:\9pppp.exec:\9pppp.exe105⤵PID:2384
-
\??\c:\684826.exec:\684826.exe106⤵PID:3636
-
\??\c:\0646422.exec:\0646422.exe107⤵PID:2196
-
\??\c:\a2666.exec:\a2666.exe108⤵PID:1052
-
\??\c:\lxfxxrl.exec:\lxfxxrl.exe109⤵PID:3976
-
\??\c:\46006.exec:\46006.exe110⤵PID:4748
-
\??\c:\nhhhhh.exec:\nhhhhh.exe111⤵PID:1176
-
\??\c:\nnhbnh.exec:\nnhbnh.exe112⤵PID:3264
-
\??\c:\9pvdv.exec:\9pvdv.exe113⤵PID:4388
-
\??\c:\6402624.exec:\6402624.exe114⤵PID:3628
-
\??\c:\e82066.exec:\e82066.exe115⤵PID:348
-
\??\c:\tnnhhh.exec:\tnnhhh.exe116⤵PID:4548
-
\??\c:\vjjjj.exec:\vjjjj.exe117⤵PID:1528
-
\??\c:\0088222.exec:\0088222.exe118⤵PID:4972
-
\??\c:\fxfffxx.exec:\fxfffxx.exe119⤵PID:4900
-
\??\c:\5fffxfx.exec:\5fffxfx.exe120⤵PID:3492
-
\??\c:\82884.exec:\82884.exe121⤵PID:4228
-
\??\c:\vpvpj.exec:\vpvpj.exe122⤵PID:4820