Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe
-
Size
455KB
-
MD5
b02d0f5dbca4b4a74000cc28ff1a8c2f
-
SHA1
6febccd3d37816c5f48aab0399f2a9ea2302d2fe
-
SHA256
c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209
-
SHA512
bbf03096c35eca93a9b9a3239ee19cc8d2ca525e991158aa65b19631cd15a1988f4c1ade992eeb6c6afb4cbaa46841f936677fac57bd42ee8f87d612ada9cfb5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRV:q7Tc2NYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/540-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1632-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/560-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2472-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-818-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-865-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-902-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-1135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-1230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-1296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-1438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1836 64464.exe 3972 rlxlrll.exe 1736 088064.exe 644 hbtntb.exe 3408 24426.exe 816 xflffxf.exe 4588 btnbth.exe 5012 88040.exe 1860 00082.exe 2768 q66420.exe 212 fxxrffx.exe 216 8286486.exe 4896 jvpdp.exe 3936 284826.exe 5060 i226480.exe 2628 lrrlxrf.exe 1208 jvdvv.exe 4012 g8464.exe 4524 244284.exe 3092 802608.exe 2616 1xrfrlx.exe 2572 htbnbt.exe 1508 226486.exe 4004 q22086.exe 1484 84464.exe 4028 40282.exe 3008 66082.exe 1632 5vvjj.exe 4008 48882.exe 1600 w28642.exe 3012 ddvdp.exe 4528 jjjpj.exe 4176 vvvjv.exe 2192 hnbntn.exe 2916 04486.exe 2608 xllflxr.exe 3844 882088.exe 2972 thbhtn.exe 2000 a0642.exe 3692 1dpjv.exe 1776 e80026.exe 2484 406860.exe 560 frrfrrf.exe 3000 rfffxxr.exe 3740 g6048.exe 3588 82242.exe 4928 nnnhbb.exe 4304 448682.exe 2880 q06482.exe 1792 dvdvp.exe 1232 5bbthh.exe 544 24082.exe 1948 i220448.exe 3428 flrlfrf.exe 1832 e44648.exe 244 bhbthb.exe 3408 484848.exe 5028 jdpvj.exe 5080 rfrfrlx.exe 1812 6626866.exe 1744 0002086.exe 1188 u064800.exe 4500 006426.exe 348 a2268.exe -
resource yara_rule behavioral2/memory/540-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4008-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/560-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-314-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3432-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-818-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-852-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-865-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that reading this NLS registry key is also common in benign software, so on its own it is a weak indicator; it is listed here because of the number of dropped executables that perform the read.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k28288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2204006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
u886604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6880820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 540 wrote to memory of 1836 540 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 84 PID 540 wrote to memory of 1836 540 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 84 PID 540 wrote to memory of 1836 540 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 84 PID 1836 wrote to memory of 3972 1836 64464.exe 85 PID 1836 wrote to memory of 3972 1836 64464.exe 85 PID 1836 wrote to memory of 3972 1836 64464.exe 85 PID 3972 wrote to memory of 1736 3972 rlxlrll.exe 86 PID 3972 wrote to memory of 1736 3972 rlxlrll.exe 86 PID 3972 wrote to memory of 1736 3972 rlxlrll.exe 86 PID 1736 wrote to memory of 644 1736 088064.exe 87 PID 1736 wrote to memory of 644 1736 088064.exe 87 PID 1736 wrote to memory of 644 1736 088064.exe 87 PID 644 wrote to memory of 3408 644 hbtntb.exe 88 PID 644 wrote to memory of 3408 644 hbtntb.exe 88 PID 644 wrote to memory of 3408 644 hbtntb.exe 88 PID 3408 wrote to memory of 816 3408 24426.exe 89 PID 3408 wrote to memory of 816 3408 24426.exe 89 PID 3408 wrote to memory of 816 3408 24426.exe 89 PID 816 wrote to memory of 4588 816 xflffxf.exe 90 PID 816 wrote to memory of 4588 816 xflffxf.exe 90 PID 816 wrote to memory of 4588 816 xflffxf.exe 90 PID 4588 wrote to memory of 5012 4588 btnbth.exe 91 PID 4588 wrote to memory of 5012 4588 btnbth.exe 91 PID 4588 wrote to memory of 5012 4588 btnbth.exe 91 PID 5012 wrote to memory of 1860 5012 88040.exe 92 PID 5012 wrote to memory of 1860 5012 88040.exe 92 PID 5012 wrote to memory of 1860 5012 88040.exe 92 PID 1860 wrote to memory of 2768 1860 00082.exe 93 PID 1860 wrote to memory of 2768 1860 00082.exe 93 PID 1860 wrote to memory of 2768 1860 00082.exe 93 PID 2768 wrote to memory of 212 2768 q66420.exe 94 PID 2768 wrote to memory of 212 2768 q66420.exe 94 PID 2768 wrote to memory of 212 2768 q66420.exe 94 PID 212 wrote to memory of 216 212 fxxrffx.exe 95 PID 212 wrote to memory of 216 212 fxxrffx.exe 95 PID 
212 wrote to memory of 216 212 fxxrffx.exe 95 PID 216 wrote to memory of 4896 216 8286486.exe 96 PID 216 wrote to memory of 4896 216 8286486.exe 96 PID 216 wrote to memory of 4896 216 8286486.exe 96 PID 4896 wrote to memory of 3936 4896 jvpdp.exe 97 PID 4896 wrote to memory of 3936 4896 jvpdp.exe 97 PID 4896 wrote to memory of 3936 4896 jvpdp.exe 97 PID 3936 wrote to memory of 5060 3936 284826.exe 98 PID 3936 wrote to memory of 5060 3936 284826.exe 98 PID 3936 wrote to memory of 5060 3936 284826.exe 98 PID 5060 wrote to memory of 2628 5060 i226480.exe 99 PID 5060 wrote to memory of 2628 5060 i226480.exe 99 PID 5060 wrote to memory of 2628 5060 i226480.exe 99 PID 2628 wrote to memory of 1208 2628 lrrlxrf.exe 100 PID 2628 wrote to memory of 1208 2628 lrrlxrf.exe 100 PID 2628 wrote to memory of 1208 2628 lrrlxrf.exe 100 PID 1208 wrote to memory of 4012 1208 jvdvv.exe 101 PID 1208 wrote to memory of 4012 1208 jvdvv.exe 101 PID 1208 wrote to memory of 4012 1208 jvdvv.exe 101 PID 4012 wrote to memory of 4524 4012 g8464.exe 102 PID 4012 wrote to memory of 4524 4012 g8464.exe 102 PID 4012 wrote to memory of 4524 4012 g8464.exe 102 PID 4524 wrote to memory of 3092 4524 244284.exe 103 PID 4524 wrote to memory of 3092 4524 244284.exe 103 PID 4524 wrote to memory of 3092 4524 244284.exe 103 PID 3092 wrote to memory of 2616 3092 802608.exe 104 PID 3092 wrote to memory of 2616 3092 802608.exe 104 PID 3092 wrote to memory of 2616 3092 802608.exe 104 PID 2616 wrote to memory of 2572 2616 1xrfrlx.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe"C:\Users\Admin\AppData\Local\Temp\c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\64464.exec:\64464.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\rlxlrll.exec:\rlxlrll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\088064.exec:\088064.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\hbtntb.exec:\hbtntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\24426.exec:\24426.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\xflffxf.exec:\xflffxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\btnbth.exec:\btnbth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\88040.exec:\88040.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\00082.exec:\00082.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\q66420.exec:\q66420.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\fxxrffx.exec:\fxxrffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\8286486.exec:\8286486.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\jvpdp.exec:\jvpdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\284826.exec:\284826.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\i226480.exec:\i226480.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\lrrlxrf.exec:\lrrlxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\jvdvv.exec:\jvdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\g8464.exec:\g8464.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\244284.exec:\244284.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\802608.exec:\802608.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\1xrfrlx.exec:\1xrfrlx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\htbnbt.exec:\htbnbt.exe23⤵
- Executes dropped EXE
PID:2572 -
\??\c:\226486.exec:\226486.exe24⤵
- Executes dropped EXE
PID:1508 -
\??\c:\q22086.exec:\q22086.exe25⤵
- Executes dropped EXE
PID:4004 -
\??\c:\84464.exec:\84464.exe26⤵
- Executes dropped EXE
PID:1484 -
\??\c:\40282.exec:\40282.exe27⤵
- Executes dropped EXE
PID:4028 -
\??\c:\66082.exec:\66082.exe28⤵
- Executes dropped EXE
PID:3008 -
\??\c:\5vvjj.exec:\5vvjj.exe29⤵
- Executes dropped EXE
PID:1632 -
\??\c:\48882.exec:\48882.exe30⤵
- Executes dropped EXE
PID:4008 -
\??\c:\w28642.exec:\w28642.exe31⤵
- Executes dropped EXE
PID:1600 -
\??\c:\ddvdp.exec:\ddvdp.exe32⤵
- Executes dropped EXE
PID:3012 -
\??\c:\jjjpj.exec:\jjjpj.exe33⤵
- Executes dropped EXE
PID:4528 -
\??\c:\vvvjv.exec:\vvvjv.exe34⤵
- Executes dropped EXE
PID:4176 -
\??\c:\hnbntn.exec:\hnbntn.exe35⤵
- Executes dropped EXE
PID:2192 -
\??\c:\04486.exec:\04486.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916 -
\??\c:\xllflxr.exec:\xllflxr.exe37⤵
- Executes dropped EXE
PID:2608 -
\??\c:\882088.exec:\882088.exe38⤵
- Executes dropped EXE
PID:3844 -
\??\c:\thbhtn.exec:\thbhtn.exe39⤵
- Executes dropped EXE
PID:2972 -
\??\c:\a0642.exec:\a0642.exe40⤵
- Executes dropped EXE
PID:2000 -
\??\c:\1dpjv.exec:\1dpjv.exe41⤵
- Executes dropped EXE
PID:3692 -
\??\c:\e80026.exec:\e80026.exe42⤵
- Executes dropped EXE
PID:1776 -
\??\c:\406860.exec:\406860.exe43⤵
- Executes dropped EXE
PID:2484 -
\??\c:\frrfrrf.exec:\frrfrrf.exe44⤵
- Executes dropped EXE
PID:560 -
\??\c:\rfffxxr.exec:\rfffxxr.exe45⤵
- Executes dropped EXE
PID:3000 -
\??\c:\g6048.exec:\g6048.exe46⤵
- Executes dropped EXE
PID:3740 -
\??\c:\82242.exec:\82242.exe47⤵
- Executes dropped EXE
PID:3588 -
\??\c:\nnnhbb.exec:\nnnhbb.exe48⤵
- Executes dropped EXE
PID:4928 -
\??\c:\448682.exec:\448682.exe49⤵
- Executes dropped EXE
PID:4304 -
\??\c:\q06482.exec:\q06482.exe50⤵
- Executes dropped EXE
PID:2880 -
\??\c:\dvdvp.exec:\dvdvp.exe51⤵
- Executes dropped EXE
PID:1792 -
\??\c:\5bbthh.exec:\5bbthh.exe52⤵
- Executes dropped EXE
PID:1232 -
\??\c:\24082.exec:\24082.exe53⤵
- Executes dropped EXE
PID:544 -
\??\c:\i220448.exec:\i220448.exe54⤵
- Executes dropped EXE
PID:1948 -
\??\c:\flrlfrf.exec:\flrlfrf.exe55⤵
- Executes dropped EXE
PID:3428 -
\??\c:\e44648.exec:\e44648.exe56⤵
- Executes dropped EXE
PID:1832 -
\??\c:\bhbthb.exec:\bhbthb.exe57⤵
- Executes dropped EXE
PID:244 -
\??\c:\484848.exec:\484848.exe58⤵
- Executes dropped EXE
PID:3408 -
\??\c:\jdpvj.exec:\jdpvj.exe59⤵
- Executes dropped EXE
PID:5028 -
\??\c:\rfrfrlx.exec:\rfrfrlx.exe60⤵
- Executes dropped EXE
PID:5080 -
\??\c:\6626866.exec:\6626866.exe61⤵
- Executes dropped EXE
PID:1812 -
\??\c:\0002086.exec:\0002086.exe62⤵
- Executes dropped EXE
PID:1744 -
\??\c:\u064800.exec:\u064800.exe63⤵
- Executes dropped EXE
PID:1188 -
\??\c:\006426.exec:\006426.exe64⤵
- Executes dropped EXE
PID:4500 -
\??\c:\a2268.exec:\a2268.exe65⤵
- Executes dropped EXE
PID:348 -
\??\c:\nhtntn.exec:\nhtntn.exe66⤵PID:2472
-
\??\c:\u848604.exec:\u848604.exe67⤵PID:3960
-
\??\c:\vvvdp.exec:\vvvdp.exe68⤵PID:3936
-
\??\c:\i468266.exec:\i468266.exe69⤵PID:3940
-
\??\c:\llfrfxl.exec:\llfrfxl.exe70⤵PID:2632
-
\??\c:\btthbt.exec:\btthbt.exe71⤵PID:3828
-
\??\c:\lffrxrf.exec:\lffrxrf.exe72⤵PID:3432
-
\??\c:\i042042.exec:\i042042.exe73⤵PID:704
-
\??\c:\hhhbbt.exec:\hhhbbt.exe74⤵PID:2404
-
\??\c:\482206.exec:\482206.exe75⤵PID:2272
-
\??\c:\vppdv.exec:\vppdv.exe76⤵PID:4012
-
\??\c:\u404400.exec:\u404400.exe77⤵PID:4524
-
\??\c:\jppjd.exec:\jppjd.exe78⤵PID:868
-
\??\c:\044204.exec:\044204.exe79⤵PID:1880
-
\??\c:\1jdvp.exec:\1jdvp.exe80⤵PID:2476
-
\??\c:\fflxxxr.exec:\fflxxxr.exe81⤵PID:2572
-
\??\c:\5bbthb.exec:\5bbthb.exe82⤵PID:1508
-
\??\c:\4848048.exec:\4848048.exe83⤵PID:3648
-
\??\c:\hhbtht.exec:\hhbtht.exe84⤵PID:764
-
\??\c:\dpvpd.exec:\dpvpd.exe85⤵PID:4296
-
\??\c:\6048260.exec:\6048260.exe86⤵PID:1020
-
\??\c:\c866482.exec:\c866482.exe87⤵PID:4492
-
\??\c:\1ppjd.exec:\1ppjd.exe88⤵PID:4904
-
\??\c:\bhhbnh.exec:\bhhbnh.exe89⤵PID:1632
-
\??\c:\hhnbtn.exec:\hhnbtn.exe90⤵PID:2260
-
\??\c:\dppdj.exec:\dppdj.exe91⤵PID:4008
-
\??\c:\002086.exec:\002086.exe92⤵PID:1600
-
\??\c:\8220886.exec:\8220886.exe93⤵PID:1080
-
\??\c:\rffrlxx.exec:\rffrlxx.exe94⤵PID:3188
-
\??\c:\pvvpp.exec:\pvvpp.exe95⤵PID:1560
-
\??\c:\pdjdj.exec:\pdjdj.exe96⤵PID:392
-
\??\c:\3bthtn.exec:\3bthtn.exe97⤵PID:3080
-
\??\c:\vvvvp.exec:\vvvvp.exe98⤵PID:1664
-
\??\c:\8226060.exec:\8226060.exe99⤵PID:1496
-
\??\c:\8400004.exec:\8400004.exe100⤵PID:3844
-
\??\c:\0626448.exec:\0626448.exe101⤵PID:2972
-
\??\c:\e40886.exec:\e40886.exe102⤵PID:4604
-
\??\c:\262084.exec:\262084.exe103⤵PID:3696
-
\??\c:\868822.exec:\868822.exe104⤵PID:1776
-
\??\c:\0626482.exec:\0626482.exe105⤵PID:628
-
\??\c:\ntthth.exec:\ntthth.exe106⤵PID:4384
-
\??\c:\288082.exec:\288082.exe107⤵PID:184
-
\??\c:\080604.exec:\080604.exe108⤵PID:2996
-
\??\c:\frlxfxx.exec:\frlxfxx.exe109⤵PID:4648
-
\??\c:\vjjdp.exec:\vjjdp.exe110⤵PID:2560
-
\??\c:\0620264.exec:\0620264.exe111⤵PID:3124
-
\??\c:\1lxlxrf.exec:\1lxlxrf.exe112⤵PID:220
-
\??\c:\nbbbtn.exec:\nbbbtn.exe113⤵PID:1480
-
\??\c:\u042008.exec:\u042008.exe114⤵PID:4544
-
\??\c:\2664608.exec:\2664608.exe115⤵PID:2028
-
\??\c:\1lrrxxx.exec:\1lrrxxx.exe116⤵
- System Location Discovery: System Language Discovery
PID:3968 -
\??\c:\nhbtnb.exec:\nhbtnb.exe117⤵PID:3772
-
\??\c:\q42600.exec:\q42600.exe118⤵PID:3612
-
\??\c:\k24208.exec:\k24208.exe119⤵PID:3104
-
\??\c:\628266.exec:\628266.exe120⤵PID:208
-
\??\c:\pjjvd.exec:\pjjvd.exe121⤵PID:1960
-
\??\c:\606460.exec:\606460.exe122⤵PID:5072