Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-12-2024 23:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5d67470325ddb8eff703ff42ec0dabcd02014bd9c2739a11729b9cc3c1b3e6c0.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
5d67470325ddb8eff703ff42ec0dabcd02014bd9c2739a11729b9cc3c1b3e6c0.exe
-
Size
454KB
-
MD5
5ad8220291f0dd0997a6ae1d67709501
-
SHA1
51514aab950a20489d7e3f00bc86fe4378decf08
-
SHA256
5d67470325ddb8eff703ff42ec0dabcd02014bd9c2739a11729b9cc3c1b3e6c0
-
SHA512
49f0be8f18671c7a92b5eaf165a600c0705994f956841599ca41f17ce70dd046efc37f2e746a021441d4846a1c519f40dab82726d811c7561a9a5185f20a4d7d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1312-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4704-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4204-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-774-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-851-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-897-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-949-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-1028-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3004-1101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3304 lffxllx.exe 2132 rlrlrrr.exe 4204 46260.exe 2700 bnnnhb.exe 2504 606040.exe 2452 6408886.exe 1204 6042666.exe 3344 86428.exe 740 s8086.exe 2672 084822.exe 3328 408244.exe 3248 9ppjv.exe 540 8808226.exe 1852 4888262.exe 4980 thbnhn.exe 4928 4408266.exe 1556 204208.exe 3552 rlfxlff.exe 4392 vvvjv.exe 1408 006860.exe 4412 c008004.exe 1428 5jjvv.exe 4740 84420.exe 4948 5xxlxrf.exe 3592 tnbnth.exe 4396 206048.exe 2164 4444620.exe 3612 q04204.exe 2292 pjpdv.exe 3500 7dppd.exe 4704 vjdpd.exe 4776 7ppvj.exe 4416 6444660.exe 2140 pvjdp.exe 4808 u286000.exe 3824 5vpdp.exe 3156 c242648.exe 3016 bhhtbt.exe 2060 60686.exe 4936 btthnh.exe 2360 htnbhh.exe 3772 tbhtnh.exe 4000 8680604.exe 3064 bnthhb.exe 4812 rxfxlfr.exe 5048 6620220.exe 1260 dvvjv.exe 1632 fllxrfl.exe 1956 666420.exe 4364 0220824.exe 3976 q00860.exe 116 06642.exe 2856 4624220.exe 4332 c046666.exe 4736 42642.exe 4268 86800.exe 2132 tbnnbt.exe 2712 0624882.exe 4252 3ffrrrl.exe 2040 1htnbt.exe 1732 644426.exe 1724 fflxrlx.exe 1204 tbbnbt.exe 3532 4224080.exe -
resource yara_rule behavioral2/memory/1312-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4396-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-391-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4936-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-851-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-897-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-949-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o408048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8400048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0626826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6060826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 002648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w68600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2086000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 440860.exe -
Suspicious use of WriteProcessMemory 64 IoCs (each write is from a parent to the child it has just spawned, forming a linear chain that starts at the submitted sample; note that the sandbox reuses PIDs — e.g. 2132 and 1204 each appear twice in the "Executes dropped EXE" list — so correlate on the procid_target column rather than on the PID alone)
description pid Process procid_target PID 1312 wrote to memory of 3304 1312 5d67470325ddb8eff703ff42ec0dabcd02014bd9c2739a11729b9cc3c1b3e6c0.exe 83 PID 1312 wrote to memory of 3304 1312 5d67470325ddb8eff703ff42ec0dabcd02014bd9c2739a11729b9cc3c1b3e6c0.exe 83 PID 1312 wrote to memory of 3304 1312 5d67470325ddb8eff703ff42ec0dabcd02014bd9c2739a11729b9cc3c1b3e6c0.exe 83 PID 3304 wrote to memory of 2132 3304 lffxllx.exe 139 PID 3304 wrote to memory of 2132 3304 lffxllx.exe 139 PID 3304 wrote to memory of 2132 3304 lffxllx.exe 139 PID 2132 wrote to memory of 4204 2132 rlrlrrr.exe 85 PID 2132 wrote to memory of 4204 2132 rlrlrrr.exe 85 PID 2132 wrote to memory of 4204 2132 rlrlrrr.exe 85 PID 4204 wrote to memory of 2700 4204 46260.exe 86 PID 4204 wrote to memory of 2700 4204 46260.exe 86 PID 4204 wrote to memory of 2700 4204 46260.exe 86 PID 2700 wrote to memory of 2504 2700 bnnnhb.exe 87 PID 2700 wrote to memory of 2504 2700 bnnnhb.exe 87 PID 2700 wrote to memory of 2504 2700 bnnnhb.exe 87 PID 2504 wrote to memory of 2452 2504 606040.exe 88 PID 2504 wrote to memory of 2452 2504 606040.exe 88 PID 2504 wrote to memory of 2452 2504 606040.exe 88 PID 2452 wrote to memory of 1204 2452 6408886.exe 145 PID 2452 wrote to memory of 1204 2452 6408886.exe 145 PID 2452 wrote to memory of 1204 2452 6408886.exe 145 PID 1204 wrote to memory of 3344 1204 6042666.exe 90 PID 1204 wrote to memory of 3344 1204 6042666.exe 90 PID 1204 wrote to memory of 3344 1204 6042666.exe 90 PID 3344 wrote to memory of 740 3344 86428.exe 91 PID 3344 wrote to memory of 740 3344 86428.exe 91 PID 3344 wrote to memory of 740 3344 86428.exe 91 PID 740 wrote to memory of 2672 740 s8086.exe 92 PID 740 wrote to memory of 2672 740 s8086.exe 92 PID 740 wrote to memory of 2672 740 s8086.exe 92 PID 2672 wrote to memory of 3328 2672 084822.exe 93 PID 2672 wrote to memory of 3328 2672 084822.exe 93 PID 2672 wrote to memory of 3328 2672 084822.exe 93 PID 3328 wrote to memory of 3248 3328 408244.exe 94 PID 3328 wrote to 
memory of 3248 3328 408244.exe 94 PID 3328 wrote to memory of 3248 3328 408244.exe 94 PID 3248 wrote to memory of 540 3248 9ppjv.exe 95 PID 3248 wrote to memory of 540 3248 9ppjv.exe 95 PID 3248 wrote to memory of 540 3248 9ppjv.exe 95 PID 540 wrote to memory of 1852 540 8808226.exe 96 PID 540 wrote to memory of 1852 540 8808226.exe 96 PID 540 wrote to memory of 1852 540 8808226.exe 96 PID 1852 wrote to memory of 4980 1852 4888262.exe 97 PID 1852 wrote to memory of 4980 1852 4888262.exe 97 PID 1852 wrote to memory of 4980 1852 4888262.exe 97 PID 4980 wrote to memory of 4928 4980 thbnhn.exe 98 PID 4980 wrote to memory of 4928 4980 thbnhn.exe 98 PID 4980 wrote to memory of 4928 4980 thbnhn.exe 98 PID 4928 wrote to memory of 1556 4928 4408266.exe 99 PID 4928 wrote to memory of 1556 4928 4408266.exe 99 PID 4928 wrote to memory of 1556 4928 4408266.exe 99 PID 1556 wrote to memory of 3552 1556 204208.exe 100 PID 1556 wrote to memory of 3552 1556 204208.exe 100 PID 1556 wrote to memory of 3552 1556 204208.exe 100 PID 3552 wrote to memory of 4392 3552 rlfxlff.exe 101 PID 3552 wrote to memory of 4392 3552 rlfxlff.exe 101 PID 3552 wrote to memory of 4392 3552 rlfxlff.exe 101 PID 4392 wrote to memory of 1408 4392 vvvjv.exe 102 PID 4392 wrote to memory of 1408 4392 vvvjv.exe 102 PID 4392 wrote to memory of 1408 4392 vvvjv.exe 102 PID 1408 wrote to memory of 4412 1408 006860.exe 103 PID 1408 wrote to memory of 4412 1408 006860.exe 103 PID 1408 wrote to memory of 4412 1408 006860.exe 103 PID 4412 wrote to memory of 1428 4412 c008004.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d67470325ddb8eff703ff42ec0dabcd02014bd9c2739a11729b9cc3c1b3e6c0.exe"C:\Users\Admin\AppData\Local\Temp\5d67470325ddb8eff703ff42ec0dabcd02014bd9c2739a11729b9cc3c1b3e6c0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\lffxllx.exec:\lffxllx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\rlrlrrr.exec:\rlrlrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\46260.exec:\46260.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\bnnnhb.exec:\bnnnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\606040.exec:\606040.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\6408886.exec:\6408886.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\6042666.exec:\6042666.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\86428.exec:\86428.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\s8086.exec:\s8086.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\084822.exec:\084822.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\408244.exec:\408244.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\9ppjv.exec:\9ppjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\8808226.exec:\8808226.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\4888262.exec:\4888262.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\thbnhn.exec:\thbnhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\4408266.exec:\4408266.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\204208.exec:\204208.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\rlfxlff.exec:\rlfxlff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\vvvjv.exec:\vvvjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\006860.exec:\006860.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\c008004.exec:\c008004.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\5jjvv.exec:\5jjvv.exe23⤵
- Executes dropped EXE
PID:1428 -
\??\c:\84420.exec:\84420.exe24⤵
- Executes dropped EXE
PID:4740 -
\??\c:\5xxlxrf.exec:\5xxlxrf.exe25⤵
- Executes dropped EXE
PID:4948 -
\??\c:\tnbnth.exec:\tnbnth.exe26⤵
- Executes dropped EXE
PID:3592 -
\??\c:\206048.exec:\206048.exe27⤵
- Executes dropped EXE
PID:4396 -
\??\c:\4444620.exec:\4444620.exe28⤵
- Executes dropped EXE
PID:2164 -
\??\c:\q04204.exec:\q04204.exe29⤵
- Executes dropped EXE
PID:3612 -
\??\c:\pjpdv.exec:\pjpdv.exe30⤵
- Executes dropped EXE
PID:2292 -
\??\c:\7dppd.exec:\7dppd.exe31⤵
- Executes dropped EXE
PID:3500 -
\??\c:\vjdpd.exec:\vjdpd.exe32⤵
- Executes dropped EXE
PID:4704 -
\??\c:\7ppvj.exec:\7ppvj.exe33⤵
- Executes dropped EXE
PID:4776 -
\??\c:\6444660.exec:\6444660.exe34⤵
- Executes dropped EXE
PID:4416 -
\??\c:\pvjdp.exec:\pvjdp.exe35⤵
- Executes dropped EXE
PID:2140 -
\??\c:\u286000.exec:\u286000.exe36⤵
- Executes dropped EXE
PID:4808 -
\??\c:\5vpdp.exec:\5vpdp.exe37⤵
- Executes dropped EXE
PID:3824 -
\??\c:\c242648.exec:\c242648.exe38⤵
- Executes dropped EXE
PID:3156 -
\??\c:\bhhtbt.exec:\bhhtbt.exe39⤵
- Executes dropped EXE
PID:3016 -
\??\c:\60686.exec:\60686.exe40⤵
- Executes dropped EXE
PID:2060 -
\??\c:\btthnh.exec:\btthnh.exe41⤵
- Executes dropped EXE
PID:4936 -
\??\c:\htnbhh.exec:\htnbhh.exe42⤵
- Executes dropped EXE
PID:2360 -
\??\c:\tbhtnh.exec:\tbhtnh.exe43⤵
- Executes dropped EXE
PID:3772 -
\??\c:\8680604.exec:\8680604.exe44⤵
- Executes dropped EXE
PID:4000 -
\??\c:\bnthhb.exec:\bnthhb.exe45⤵
- Executes dropped EXE
PID:3064 -
\??\c:\rxfxlfr.exec:\rxfxlfr.exe46⤵
- Executes dropped EXE
PID:4812 -
\??\c:\6620220.exec:\6620220.exe47⤵
- Executes dropped EXE
PID:5048 -
\??\c:\dvvjv.exec:\dvvjv.exe48⤵
- Executes dropped EXE
PID:1260 -
\??\c:\fllxrfl.exec:\fllxrfl.exe49⤵
- Executes dropped EXE
PID:1632 -
\??\c:\666420.exec:\666420.exe50⤵
- Executes dropped EXE
PID:1956 -
\??\c:\0220824.exec:\0220824.exe51⤵
- Executes dropped EXE
PID:4364 -
\??\c:\q00860.exec:\q00860.exe52⤵
- Executes dropped EXE
PID:3976 -
\??\c:\06642.exec:\06642.exe53⤵
- Executes dropped EXE
PID:116 -
\??\c:\4624220.exec:\4624220.exe54⤵
- Executes dropped EXE
PID:2856 -
\??\c:\c046666.exec:\c046666.exe55⤵
- Executes dropped EXE
PID:4332 -
\??\c:\42642.exec:\42642.exe56⤵
- Executes dropped EXE
PID:4736 -
\??\c:\86800.exec:\86800.exe57⤵
- Executes dropped EXE
PID:4268 -
\??\c:\tbnnbt.exec:\tbnnbt.exe58⤵
- Executes dropped EXE
PID:2132 -
\??\c:\0624882.exec:\0624882.exe59⤵
- Executes dropped EXE
PID:2712 -
\??\c:\3ffrrrl.exec:\3ffrrrl.exe60⤵
- Executes dropped EXE
PID:4252 -
\??\c:\1htnbt.exec:\1htnbt.exe61⤵
- Executes dropped EXE
PID:2040 -
\??\c:\644426.exec:\644426.exe62⤵
- Executes dropped EXE
PID:1732 -
\??\c:\fflxrlx.exec:\fflxrlx.exe63⤵
- Executes dropped EXE
PID:1724 -
\??\c:\tbbnbt.exec:\tbbnbt.exe64⤵
- Executes dropped EXE
PID:1204 -
\??\c:\4224080.exec:\4224080.exe65⤵
- Executes dropped EXE
PID:3532 -
\??\c:\tbbnhb.exec:\tbbnhb.exe66⤵PID:4732
-
\??\c:\4008648.exec:\4008648.exe67⤵PID:760
-
\??\c:\446864.exec:\446864.exe68⤵PID:544
-
\??\c:\6486608.exec:\6486608.exe69⤵PID:3040
-
\??\c:\2248606.exec:\2248606.exe70⤵PID:3648
-
\??\c:\hnnbbt.exec:\hnnbbt.exe71⤵PID:1852
-
\??\c:\9tnnbn.exec:\9tnnbn.exe72⤵PID:2608
-
\??\c:\nbhtbn.exec:\nbhtbn.exe73⤵PID:596
-
\??\c:\bhnbtb.exec:\bhnbtb.exe74⤵PID:3652
-
\??\c:\64864.exec:\64864.exe75⤵PID:472
-
\??\c:\frxllrf.exec:\frxllrf.exe76⤵PID:3464
-
\??\c:\w60426.exec:\w60426.exe77⤵PID:4664
-
\??\c:\1jdpv.exec:\1jdpv.exe78⤵PID:1848
-
\??\c:\884204.exec:\884204.exe79⤵PID:3188
-
\??\c:\884248.exec:\884248.exe80⤵PID:844
-
\??\c:\lllxlfr.exec:\lllxlfr.exe81⤵PID:5068
-
\??\c:\btthth.exec:\btthth.exe82⤵PID:2616
-
\??\c:\6220264.exec:\6220264.exe83⤵PID:3312
-
\??\c:\i060820.exec:\i060820.exe84⤵PID:3396
-
\??\c:\7ppvj.exec:\7ppvj.exe85⤵PID:688
-
\??\c:\08244.exec:\08244.exe86⤵PID:2008
-
\??\c:\rxxlxlx.exec:\rxxlxlx.exe87⤵PID:2780
-
\??\c:\lxrfrlf.exec:\lxrfrlf.exe88⤵PID:4312
-
\??\c:\httnbn.exec:\httnbn.exe89⤵PID:944
-
\??\c:\08422.exec:\08422.exe90⤵PID:4360
-
\??\c:\bnnhbt.exec:\bnnhbt.exe91⤵PID:460
-
\??\c:\860208.exec:\860208.exe92⤵PID:1320
-
\??\c:\rxxxfrr.exec:\rxxxfrr.exe93⤵PID:5084
-
\??\c:\3nnbnh.exec:\3nnbnh.exe94⤵PID:4072
-
\??\c:\pjpjp.exec:\pjpjp.exe95⤵PID:4936
-
\??\c:\jvvjp.exec:\jvvjp.exe96⤵PID:2360
-
\??\c:\7pvjv.exec:\7pvjv.exe97⤵PID:4480
-
\??\c:\4442480.exec:\4442480.exe98⤵PID:1008
-
\??\c:\6220864.exec:\6220864.exe99⤵PID:1876
-
\??\c:\0804208.exec:\0804208.exe100⤵PID:5016
-
\??\c:\640660.exec:\640660.exe101⤵PID:1656
-
\??\c:\bhhtbt.exec:\bhhtbt.exe102⤵PID:1716
-
\??\c:\rfxlrfr.exec:\rfxlrfr.exe103⤵PID:4200
-
\??\c:\s6664.exec:\s6664.exe104⤵PID:1988
-
\??\c:\6666820.exec:\6666820.exe105⤵PID:3956
-
\??\c:\dvpdv.exec:\dvpdv.exe106⤵PID:3440
-
\??\c:\rffrxrr.exec:\rffrxrr.exe107⤵PID:3076
-
\??\c:\8808608.exec:\8808608.exe108⤵PID:1932
-
\??\c:\5thtbt.exec:\5thtbt.exe109⤵PID:2840
-
\??\c:\nhhbhb.exec:\nhhbhb.exe110⤵PID:3888
-
\??\c:\88864.exec:\88864.exe111⤵PID:5000
-
\??\c:\nntbbt.exec:\nntbbt.exe112⤵PID:3672
-
\??\c:\i842260.exec:\i842260.exe113⤵PID:3000
-
\??\c:\w84864.exec:\w84864.exe114⤵PID:3228
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe115⤵PID:3108
-
\??\c:\40086.exec:\40086.exe116⤵PID:2960
-
\??\c:\lxrfrff.exec:\lxrfrff.exe117⤵PID:1972
-
\??\c:\lxllxlx.exec:\lxllxlx.exe118⤵PID:1560
-
\??\c:\hnhth.exec:\hnhth.exe119⤵PID:2316
-
\??\c:\284626.exec:\284626.exe120⤵PID:4460
-
\??\c:\40608.exec:\40608.exe121⤵PID:2808
-
\??\c:\2026420.exec:\2026420.exe122⤵PID:3328