Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 06:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe
-
Size
454KB
-
MD5
f484a319108eca7ca1710eca7f592c02
-
SHA1
f0fbb191a4c381ac71ab372f64a47e93a118b917
-
SHA256
5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855
-
SHA512
8e040a478bc96482d3196f9273d70677b20408b4176e052bd2bfee45de655eb8851993f5d086f3831a98696ac77b7fd39822f355be3d5e917df14206c164018b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1408-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/508-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2908-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3896-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-937-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/360-1109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4248-1677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1920 k00420.exe 804 rlxflfl.exe 448 424004.exe 2424 26460.exe 2156 284200.exe 1168 pjdpj.exe 2264 g6042.exe 4836 1bbnbh.exe 4560 4064826.exe 1844 5hbthh.exe 4652 dvvjv.exe 508 u888648.exe 3124 xxxlxlf.exe 760 llfxrfx.exe 3584 07dvpvp.exe 4208 bbnhhh.exe 2972 9nthhb.exe 4804 g2642.exe 4304 llxrfxr.exe 3916 888448.exe 3236 i660800.exe 1532 vvvjv.exe 2512 lfxlfxl.exe 5076 8404260.exe 4676 644206.exe 5068 hbthbb.exe 2324 i408266.exe 3208 nbhnnb.exe 3604 468660.exe 4824 e48604.exe 2600 022084.exe 1688 xffrfxl.exe 5044 644642.exe 3764 nhnbnb.exe 3980 1ddpj.exe 4772 vdvvj.exe 4520 1llxlfr.exe 1240 88464.exe 3092 fllxlfr.exe 4452 bhhthb.exe 432 c620044.exe 3028 2004242.exe 228 xfflfxl.exe 208 3xflxrl.exe 3428 9vvjv.exe 4344 e22604.exe 4232 lxfxxrr.exe 3952 w22482.exe 464 86688.exe 3708 bnhthb.exe 636 g8042.exe 2908 886642.exe 1396 2664204.exe 2916 ttthth.exe 4540 a0682.exe 2564 lrrfxlx.exe 4388 pjdpj.exe 4280 bttthn.exe 1516 2286048.exe 4988 3fffflr.exe 3744 xrrfrfx.exe 3192 lxrfrfr.exe 1872 pjjvj.exe 2184 pvvjv.exe -
resource yara_rule behavioral2/memory/1408-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/508-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-252-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3708-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-402-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3860-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-937-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2288260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k44208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0424882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xlxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e20026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4086.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1408 wrote to memory of 1920 1408 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 83 PID 1408 wrote to memory of 1920 1408 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 83 PID 1408 wrote to memory of 1920 1408 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 83 PID 1920 wrote to memory of 804 1920 k00420.exe 84 PID 1920 wrote to memory of 804 1920 k00420.exe 84 PID 1920 wrote to memory of 804 1920 k00420.exe 84 PID 804 wrote to memory of 448 804 rlxflfl.exe 85 PID 804 wrote to memory of 448 804 rlxflfl.exe 85 PID 804 wrote to memory of 448 804 rlxflfl.exe 85 PID 448 wrote to memory of 2424 448 424004.exe 86 PID 448 wrote to memory of 2424 448 424004.exe 86 PID 448 wrote to memory of 2424 448 424004.exe 86 PID 2424 wrote to memory of 2156 2424 26460.exe 87 PID 2424 wrote to memory of 2156 2424 26460.exe 87 PID 2424 wrote to memory of 2156 2424 26460.exe 87 PID 2156 wrote to memory of 1168 2156 284200.exe 88 PID 2156 wrote to memory of 1168 2156 284200.exe 88 PID 2156 wrote to memory of 1168 2156 284200.exe 88 PID 1168 wrote to memory of 2264 1168 pjdpj.exe 89 PID 1168 wrote to memory of 2264 1168 pjdpj.exe 89 PID 1168 wrote to memory of 2264 1168 pjdpj.exe 89 PID 2264 wrote to memory of 4836 2264 g6042.exe 90 PID 2264 wrote to memory of 4836 2264 g6042.exe 90 PID 2264 wrote to memory of 4836 2264 g6042.exe 90 PID 4836 wrote to memory of 4560 4836 1bbnbh.exe 91 PID 4836 wrote to memory of 4560 4836 1bbnbh.exe 91 PID 4836 wrote to memory of 4560 4836 1bbnbh.exe 91 PID 4560 wrote to memory of 1844 4560 4064826.exe 92 PID 4560 wrote to memory of 1844 4560 4064826.exe 92 PID 4560 wrote to memory of 1844 4560 4064826.exe 92 PID 1844 wrote to memory of 4652 1844 5hbthh.exe 93 PID 1844 wrote to memory of 4652 1844 5hbthh.exe 93 PID 1844 wrote to memory of 4652 1844 5hbthh.exe 93 PID 4652 wrote to memory of 508 4652 dvvjv.exe 94 PID 4652 wrote to memory of 508 4652 
dvvjv.exe 94 PID 4652 wrote to memory of 508 4652 dvvjv.exe 94 PID 508 wrote to memory of 3124 508 u888648.exe 95 PID 508 wrote to memory of 3124 508 u888648.exe 95 PID 508 wrote to memory of 3124 508 u888648.exe 95 PID 3124 wrote to memory of 760 3124 xxxlxlf.exe 96 PID 3124 wrote to memory of 760 3124 xxxlxlf.exe 96 PID 3124 wrote to memory of 760 3124 xxxlxlf.exe 96 PID 760 wrote to memory of 3584 760 llfxrfx.exe 97 PID 760 wrote to memory of 3584 760 llfxrfx.exe 97 PID 760 wrote to memory of 3584 760 llfxrfx.exe 97 PID 3584 wrote to memory of 4208 3584 07dvpvp.exe 98 PID 3584 wrote to memory of 4208 3584 07dvpvp.exe 98 PID 3584 wrote to memory of 4208 3584 07dvpvp.exe 98 PID 4208 wrote to memory of 2972 4208 bbnhhh.exe 99 PID 4208 wrote to memory of 2972 4208 bbnhhh.exe 99 PID 4208 wrote to memory of 2972 4208 bbnhhh.exe 99 PID 2972 wrote to memory of 4804 2972 9nthhb.exe 100 PID 2972 wrote to memory of 4804 2972 9nthhb.exe 100 PID 2972 wrote to memory of 4804 2972 9nthhb.exe 100 PID 4804 wrote to memory of 4304 4804 g2642.exe 101 PID 4804 wrote to memory of 4304 4804 g2642.exe 101 PID 4804 wrote to memory of 4304 4804 g2642.exe 101 PID 4304 wrote to memory of 3916 4304 llxrfxr.exe 102 PID 4304 wrote to memory of 3916 4304 llxrfxr.exe 102 PID 4304 wrote to memory of 3916 4304 llxrfxr.exe 102 PID 3916 wrote to memory of 3236 3916 888448.exe 103 PID 3916 wrote to memory of 3236 3916 888448.exe 103 PID 3916 wrote to memory of 3236 3916 888448.exe 103 PID 3236 wrote to memory of 1532 3236 i660800.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe"C:\Users\Admin\AppData\Local\Temp\5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\k00420.exec:\k00420.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\rlxflfl.exec:\rlxflfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\424004.exec:\424004.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\26460.exec:\26460.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\284200.exec:\284200.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\pjdpj.exec:\pjdpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\g6042.exec:\g6042.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\1bbnbh.exec:\1bbnbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\4064826.exec:\4064826.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\5hbthh.exec:\5hbthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\dvvjv.exec:\dvvjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\u888648.exec:\u888648.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:508 -
\??\c:\xxxlxlf.exec:\xxxlxlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\llfxrfx.exec:\llfxrfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\07dvpvp.exec:\07dvpvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\bbnhhh.exec:\bbnhhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\9nthhb.exec:\9nthhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\g2642.exec:\g2642.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\llxrfxr.exec:\llxrfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\888448.exec:\888448.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\i660800.exec:\i660800.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\vvvjv.exec:\vvvjv.exe23⤵
- Executes dropped EXE
PID:1532 -
\??\c:\lfxlfxl.exec:\lfxlfxl.exe24⤵
- Executes dropped EXE
PID:2512 -
\??\c:\8404260.exec:\8404260.exe25⤵
- Executes dropped EXE
PID:5076 -
\??\c:\644206.exec:\644206.exe26⤵
- Executes dropped EXE
PID:4676 -
\??\c:\hbthbb.exec:\hbthbb.exe27⤵
- Executes dropped EXE
PID:5068 -
\??\c:\i408266.exec:\i408266.exe28⤵
- Executes dropped EXE
PID:2324 -
\??\c:\nbhnnb.exec:\nbhnnb.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3208 -
\??\c:\468660.exec:\468660.exe30⤵
- Executes dropped EXE
PID:3604 -
\??\c:\e48604.exec:\e48604.exe31⤵
- Executes dropped EXE
PID:4824 -
\??\c:\022084.exec:\022084.exe32⤵
- Executes dropped EXE
PID:2600 -
\??\c:\xffrfxl.exec:\xffrfxl.exe33⤵
- Executes dropped EXE
PID:1688 -
\??\c:\644642.exec:\644642.exe34⤵
- Executes dropped EXE
PID:5044 -
\??\c:\nhnbnb.exec:\nhnbnb.exe35⤵
- Executes dropped EXE
PID:3764 -
\??\c:\1ddpj.exec:\1ddpj.exe36⤵
- Executes dropped EXE
PID:3980 -
\??\c:\vdvvj.exec:\vdvvj.exe37⤵
- Executes dropped EXE
PID:4772 -
\??\c:\1llxlfr.exec:\1llxlfr.exe38⤵
- Executes dropped EXE
PID:4520 -
\??\c:\88464.exec:\88464.exe39⤵
- Executes dropped EXE
PID:1240 -
\??\c:\fllxlfr.exec:\fllxlfr.exe40⤵
- Executes dropped EXE
PID:3092 -
\??\c:\bhhthb.exec:\bhhthb.exe41⤵
- Executes dropped EXE
PID:4452 -
\??\c:\c620044.exec:\c620044.exe42⤵
- Executes dropped EXE
PID:432 -
\??\c:\2004242.exec:\2004242.exe43⤵
- Executes dropped EXE
PID:3028 -
\??\c:\xfflfxl.exec:\xfflfxl.exe44⤵
- Executes dropped EXE
PID:228 -
\??\c:\3xflxrl.exec:\3xflxrl.exe45⤵
- Executes dropped EXE
PID:208 -
\??\c:\9vvjv.exec:\9vvjv.exe46⤵
- Executes dropped EXE
PID:3428 -
\??\c:\e22604.exec:\e22604.exe47⤵
- Executes dropped EXE
PID:4344 -
\??\c:\lxfxxrr.exec:\lxfxxrr.exe48⤵
- Executes dropped EXE
PID:4232 -
\??\c:\w22482.exec:\w22482.exe49⤵
- Executes dropped EXE
PID:3952 -
\??\c:\86688.exec:\86688.exe50⤵
- Executes dropped EXE
PID:464 -
\??\c:\bnhthb.exec:\bnhthb.exe51⤵
- Executes dropped EXE
PID:3708 -
\??\c:\g8042.exec:\g8042.exe52⤵
- Executes dropped EXE
PID:636 -
\??\c:\886642.exec:\886642.exe53⤵
- Executes dropped EXE
PID:2908 -
\??\c:\2664204.exec:\2664204.exe54⤵
- Executes dropped EXE
PID:1396 -
\??\c:\ttthth.exec:\ttthth.exe55⤵
- Executes dropped EXE
PID:2916 -
\??\c:\a0682.exec:\a0682.exe56⤵
- Executes dropped EXE
PID:4540 -
\??\c:\lrrfxlx.exec:\lrrfxlx.exe57⤵
- Executes dropped EXE
PID:2564 -
\??\c:\pjdpj.exec:\pjdpj.exe58⤵
- Executes dropped EXE
PID:4388 -
\??\c:\bttthn.exec:\bttthn.exe59⤵
- Executes dropped EXE
PID:4280 -
\??\c:\2286048.exec:\2286048.exe60⤵
- Executes dropped EXE
PID:1516 -
\??\c:\3fffflr.exec:\3fffflr.exe61⤵
- Executes dropped EXE
PID:4988 -
\??\c:\xrrfrfx.exec:\xrrfrfx.exe62⤵
- Executes dropped EXE
PID:3744 -
\??\c:\lxrfrfr.exec:\lxrfrfr.exe63⤵
- Executes dropped EXE
PID:3192 -
\??\c:\pjjvj.exec:\pjjvj.exe64⤵
- Executes dropped EXE
PID:1872 -
\??\c:\pvvjv.exec:\pvvjv.exe65⤵
- Executes dropped EXE
PID:2184 -
\??\c:\hhbnnh.exec:\hhbnnh.exe66⤵PID:4632
-
\??\c:\804026.exec:\804026.exe67⤵PID:4860
-
\??\c:\8464826.exec:\8464826.exe68⤵PID:4376
-
\??\c:\40086.exec:\40086.exe69⤵PID:760
-
\??\c:\2200486.exec:\2200486.exe70⤵PID:4992
-
\??\c:\8408604.exec:\8408604.exe71⤵PID:4356
-
\??\c:\606460.exec:\606460.exe72⤵PID:1484
-
\??\c:\vdjdp.exec:\vdjdp.exe73⤵PID:4844
-
\??\c:\8826486.exec:\8826486.exe74⤵PID:3300
-
\??\c:\4848422.exec:\4848422.exe75⤵PID:452
-
\??\c:\xllxllx.exec:\xllxllx.exe76⤵
- System Location Discovery: System Language Discovery
PID:1660 -
\??\c:\hbhtnh.exec:\hbhtnh.exe77⤵PID:1532
-
\??\c:\424226.exec:\424226.exe78⤵PID:3896
-
\??\c:\64864.exec:\64864.exe79⤵PID:4464
-
\??\c:\nttnht.exec:\nttnht.exe80⤵PID:2948
-
\??\c:\xflfflf.exec:\xflfflf.exe81⤵PID:2456
-
\??\c:\3lrfrlf.exec:\3lrfrlf.exe82⤵PID:2164
-
\??\c:\400826.exec:\400826.exe83⤵PID:1072
-
\??\c:\ddjvj.exec:\ddjvj.exe84⤵PID:360
-
\??\c:\08202.exec:\08202.exe85⤵
- System Location Discovery: System Language Discovery
PID:3096 -
\??\c:\s6682.exec:\s6682.exe86⤵PID:3472
-
\??\c:\5jjvj.exec:\5jjvj.exe87⤵PID:3764
-
\??\c:\06286.exec:\06286.exe88⤵PID:3980
-
\??\c:\hnnhtt.exec:\hnnhtt.exe89⤵PID:2720
-
\??\c:\q04264.exec:\q04264.exe90⤵PID:3852
-
\??\c:\nbhhnb.exec:\nbhhnb.exe91⤵PID:4520
-
\??\c:\w26626.exec:\w26626.exe92⤵PID:2464
-
\??\c:\jjjpv.exec:\jjjpv.exe93⤵PID:2488
-
\??\c:\s8264.exec:\s8264.exe94⤵PID:3508
-
\??\c:\pddjv.exec:\pddjv.exe95⤵PID:4532
-
\??\c:\806048.exec:\806048.exe96⤵
- System Location Discovery: System Language Discovery
PID:4364 -
\??\c:\26202.exec:\26202.exe97⤵PID:960
-
\??\c:\424260.exec:\424260.exe98⤵PID:4232
-
\??\c:\xxffrlf.exec:\xxffrlf.exe99⤵PID:1608
-
\??\c:\6064482.exec:\6064482.exe100⤵PID:3860
-
\??\c:\a6228.exec:\a6228.exe101⤵PID:736
-
\??\c:\nbbnbb.exec:\nbbnbb.exe102⤵PID:1540
-
\??\c:\8204440.exec:\8204440.exe103⤵PID:2908
-
\??\c:\868622.exec:\868622.exe104⤵PID:3752
-
\??\c:\s6220.exec:\s6220.exe105⤵PID:3576
-
\??\c:\xflfxxr.exec:\xflfxxr.exe106⤵PID:3632
-
\??\c:\i208224.exec:\i208224.exe107⤵PID:4680
-
\??\c:\htbtnn.exec:\htbtnn.exe108⤵PID:1388
-
\??\c:\nbhbnn.exec:\nbhbnn.exe109⤵PID:3748
-
\??\c:\c660448.exec:\c660448.exe110⤵PID:2076
-
\??\c:\jdjdv.exec:\jdjdv.exe111⤵PID:448
-
\??\c:\2464886.exec:\2464886.exe112⤵PID:2680
-
\??\c:\rfllfll.exec:\rfllfll.exe113⤵PID:2060
-
\??\c:\1fxrxrr.exec:\1fxrxrr.exe114⤵PID:1708
-
\??\c:\xfrrlff.exec:\xfrrlff.exe115⤵PID:3728
-
\??\c:\vpvpd.exec:\vpvpd.exe116⤵PID:1392
-
\??\c:\9ffrlfx.exec:\9ffrlfx.exe117⤵PID:2144
-
\??\c:\028822.exec:\028822.exe118⤵PID:3000
-
\??\c:\3lxrfxr.exec:\3lxrfxr.exe119⤵PID:508
-
\??\c:\406040.exec:\406040.exe120⤵PID:3404
-
\??\c:\7rrxrlf.exec:\7rrxrlf.exe121⤵PID:712
-
\??\c:\28048.exec:\28048.exe122⤵PID:4052