Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 23:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5c8746e7c799890db1fe0c3a1f36210fbc7835713b9ab6643911b4cdecffadb3.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
5c8746e7c799890db1fe0c3a1f36210fbc7835713b9ab6643911b4cdecffadb3.exe
-
Size
454KB
-
MD5
db657e79bafe4599fc777d1a6af81a6d
-
SHA1
3fffadaf55788b2d2ae0ab37c4a22ac075d7ab74
-
SHA256
5c8746e7c799890db1fe0c3a1f36210fbc7835713b9ab6643911b4cdecffadb3
-
SHA512
efb94a4a45d97b97d452b959ea1f8d409eddf487543923f22a9585d5674086a738252d1b9614bb27a9aa66bca36ee3537000c773e39d042c98f7286f800c579f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeqY:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3656-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4392-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2656-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-807-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-851-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-903-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2144 lfffxxr.exe 1444 0486406.exe 2132 6204488.exe 4560 m2082.exe 3176 bhbbnh.exe 808 a6822.exe 4032 lfxxllf.exe 2304 82282.exe 3240 8444226.exe 2080 6442048.exe 2392 dpvpj.exe 1648 btntbh.exe 2884 ffxxxxx.exe 1376 vdpdv.exe 2956 68606.exe 2240 624820.exe 2244 btthtn.exe 4812 q20404.exe 4188 1bbtnn.exe 4024 048868.exe 3796 thbtnh.exe 4392 rrxlxrl.exe 1340 1pjjd.exe 4512 62264.exe 4276 2844886.exe 4532 rxxxxxx.exe 3016 4642404.exe 2592 ppjpd.exe 2700 xxlllrx.exe 1596 0284888.exe 4016 rxfxfxx.exe 4464 pdvvv.exe 4228 7flxrlf.exe 3188 484444.exe 1480 xlxrrrl.exe 4716 46266.exe 3784 080088.exe 4052 lfffrxx.exe 4868 6800004.exe 4468 rlrllll.exe 2168 008826.exe 2804 nbttbh.exe 3344 e02044.exe 4444 dvjdp.exe 3444 rffxxxr.exe 2056 m6200.exe 1840 5vjpd.exe 2324 428882.exe 4844 406062.exe 4864 9jjdp.exe 4036 4848888.exe 2300 2466042.exe 4008 i628882.exe 2296 6846804.exe 4400 0244884.exe 2820 dppdd.exe 1276 628488.exe 1172 jvppd.exe 5036 s4042.exe 2080 64660.exe 4436 djvvv.exe 3596 q04868.exe 1648 24660.exe 692 464422.exe -
resource yara_rule behavioral2/memory/3656-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-138-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4188-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-339-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1748-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-794-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0284888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o204860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6800488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4424.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6660882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3656 wrote to memory of 2144 3656 5c8746e7c799890db1fe0c3a1f36210fbc7835713b9ab6643911b4cdecffadb3.exe 85 PID 3656 wrote to memory of 2144 3656 5c8746e7c799890db1fe0c3a1f36210fbc7835713b9ab6643911b4cdecffadb3.exe 85 PID 3656 wrote to memory of 2144 3656 5c8746e7c799890db1fe0c3a1f36210fbc7835713b9ab6643911b4cdecffadb3.exe 85 PID 2144 wrote to memory of 1444 2144 lfffxxr.exe 86 PID 2144 wrote to memory of 1444 2144 lfffxxr.exe 86 PID 2144 wrote to memory of 1444 2144 lfffxxr.exe 86 PID 1444 wrote to memory of 2132 1444 0486406.exe 87 PID 1444 wrote to memory of 2132 1444 0486406.exe 87 PID 1444 wrote to memory of 2132 1444 0486406.exe 87 PID 2132 wrote to memory of 4560 2132 6204488.exe 88 PID 2132 wrote to memory of 4560 2132 6204488.exe 88 PID 2132 wrote to memory of 4560 2132 6204488.exe 88 PID 4560 wrote to memory of 3176 4560 m2082.exe 89 PID 4560 wrote to memory of 3176 4560 m2082.exe 89 PID 4560 wrote to memory of 3176 4560 m2082.exe 89 PID 3176 wrote to memory of 808 3176 bhbbnh.exe 90 PID 3176 wrote to memory of 808 3176 bhbbnh.exe 90 PID 3176 wrote to memory of 808 3176 bhbbnh.exe 90 PID 808 wrote to memory of 4032 808 a6822.exe 91 PID 808 wrote to memory of 4032 808 a6822.exe 91 PID 808 wrote to memory of 4032 808 a6822.exe 91 PID 4032 wrote to memory of 2304 4032 lfxxllf.exe 92 PID 4032 wrote to memory of 2304 4032 lfxxllf.exe 92 PID 4032 wrote to memory of 2304 4032 lfxxllf.exe 92 PID 2304 wrote to memory of 3240 2304 82282.exe 93 PID 2304 wrote to memory of 3240 2304 82282.exe 93 PID 2304 wrote to memory of 3240 2304 82282.exe 93 PID 3240 wrote to memory of 2080 3240 8444226.exe 94 PID 3240 wrote to memory of 2080 3240 8444226.exe 94 PID 3240 wrote to memory of 2080 3240 8444226.exe 94 PID 2080 wrote to memory of 2392 2080 6442048.exe 95 PID 2080 wrote to memory of 2392 2080 6442048.exe 95 PID 2080 wrote to memory of 2392 2080 6442048.exe 95 PID 2392 wrote to memory of 1648 2392 dpvpj.exe 96 PID 2392 wrote to 
memory of 1648 2392 dpvpj.exe 96 PID 2392 wrote to memory of 1648 2392 dpvpj.exe 96 PID 1648 wrote to memory of 2884 1648 btntbh.exe 97 PID 1648 wrote to memory of 2884 1648 btntbh.exe 97 PID 1648 wrote to memory of 2884 1648 btntbh.exe 97 PID 2884 wrote to memory of 1376 2884 ffxxxxx.exe 98 PID 2884 wrote to memory of 1376 2884 ffxxxxx.exe 98 PID 2884 wrote to memory of 1376 2884 ffxxxxx.exe 98 PID 1376 wrote to memory of 2956 1376 vdpdv.exe 99 PID 1376 wrote to memory of 2956 1376 vdpdv.exe 99 PID 1376 wrote to memory of 2956 1376 vdpdv.exe 99 PID 2956 wrote to memory of 2240 2956 68606.exe 100 PID 2956 wrote to memory of 2240 2956 68606.exe 100 PID 2956 wrote to memory of 2240 2956 68606.exe 100 PID 2240 wrote to memory of 2244 2240 624820.exe 101 PID 2240 wrote to memory of 2244 2240 624820.exe 101 PID 2240 wrote to memory of 2244 2240 624820.exe 101 PID 2244 wrote to memory of 4812 2244 btthtn.exe 102 PID 2244 wrote to memory of 4812 2244 btthtn.exe 102 PID 2244 wrote to memory of 4812 2244 btthtn.exe 102 PID 4812 wrote to memory of 4188 4812 q20404.exe 103 PID 4812 wrote to memory of 4188 4812 q20404.exe 103 PID 4812 wrote to memory of 4188 4812 q20404.exe 103 PID 4188 wrote to memory of 4024 4188 1bbtnn.exe 104 PID 4188 wrote to memory of 4024 4188 1bbtnn.exe 104 PID 4188 wrote to memory of 4024 4188 1bbtnn.exe 104 PID 4024 wrote to memory of 3796 4024 048868.exe 105 PID 4024 wrote to memory of 3796 4024 048868.exe 105 PID 4024 wrote to memory of 3796 4024 048868.exe 105 PID 3796 wrote to memory of 4392 3796 thbtnh.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c8746e7c799890db1fe0c3a1f36210fbc7835713b9ab6643911b4cdecffadb3.exe"C:\Users\Admin\AppData\Local\Temp\5c8746e7c799890db1fe0c3a1f36210fbc7835713b9ab6643911b4cdecffadb3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\lfffxxr.exec:\lfffxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\0486406.exec:\0486406.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\6204488.exec:\6204488.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\m2082.exec:\m2082.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\bhbbnh.exec:\bhbbnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\a6822.exec:\a6822.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\lfxxllf.exec:\lfxxllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\82282.exec:\82282.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\8444226.exec:\8444226.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\6442048.exec:\6442048.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\dpvpj.exec:\dpvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\btntbh.exec:\btntbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\ffxxxxx.exec:\ffxxxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\vdpdv.exec:\vdpdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\68606.exec:\68606.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\624820.exec:\624820.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\btthtn.exec:\btthtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\q20404.exec:\q20404.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\1bbtnn.exec:\1bbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\048868.exec:\048868.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\thbtnh.exec:\thbtnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
\??\c:\rrxlxrl.exec:\rrxlxrl.exe23⤵
- Executes dropped EXE
PID:4392 -
\??\c:\1pjjd.exec:\1pjjd.exe24⤵
- Executes dropped EXE
PID:1340 -
\??\c:\62264.exec:\62264.exe25⤵
- Executes dropped EXE
PID:4512 -
\??\c:\2844886.exec:\2844886.exe26⤵
- Executes dropped EXE
PID:4276 -
\??\c:\rxxxxxx.exec:\rxxxxxx.exe27⤵
- Executes dropped EXE
PID:4532 -
\??\c:\4642404.exec:\4642404.exe28⤵
- Executes dropped EXE
PID:3016 -
\??\c:\ppjpd.exec:\ppjpd.exe29⤵
- Executes dropped EXE
PID:2592 -
\??\c:\xxlllrx.exec:\xxlllrx.exe30⤵
- Executes dropped EXE
PID:2700 -
\??\c:\0284888.exec:\0284888.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1596 -
\??\c:\rxfxfxx.exec:\rxfxfxx.exe32⤵
- Executes dropped EXE
PID:4016 -
\??\c:\pdvvv.exec:\pdvvv.exe33⤵
- Executes dropped EXE
PID:4464 -
\??\c:\7flxrlf.exec:\7flxrlf.exe34⤵
- Executes dropped EXE
PID:4228 -
\??\c:\484444.exec:\484444.exe35⤵
- Executes dropped EXE
PID:3188 -
\??\c:\xlxrrrl.exec:\xlxrrrl.exe36⤵
- Executes dropped EXE
PID:1480 -
\??\c:\46266.exec:\46266.exe37⤵
- Executes dropped EXE
PID:4716 -
\??\c:\080088.exec:\080088.exe38⤵
- Executes dropped EXE
PID:3784 -
\??\c:\lfffrxx.exec:\lfffrxx.exe39⤵
- Executes dropped EXE
PID:4052 -
\??\c:\6800004.exec:\6800004.exe40⤵
- Executes dropped EXE
PID:4868 -
\??\c:\rlrllll.exec:\rlrllll.exe41⤵
- Executes dropped EXE
PID:4468 -
\??\c:\008826.exec:\008826.exe42⤵
- Executes dropped EXE
PID:2168 -
\??\c:\nbttbh.exec:\nbttbh.exe43⤵
- Executes dropped EXE
PID:2804 -
\??\c:\e02044.exec:\e02044.exe44⤵
- Executes dropped EXE
PID:3344 -
\??\c:\dvjdp.exec:\dvjdp.exe45⤵
- Executes dropped EXE
PID:4444 -
\??\c:\rffxxxr.exec:\rffxxxr.exe46⤵
- Executes dropped EXE
PID:3444 -
\??\c:\m6200.exec:\m6200.exe47⤵
- Executes dropped EXE
PID:2056 -
\??\c:\5vjpd.exec:\5vjpd.exe48⤵
- Executes dropped EXE
PID:1840 -
\??\c:\428882.exec:\428882.exe49⤵
- Executes dropped EXE
PID:2324 -
\??\c:\406062.exec:\406062.exe50⤵
- Executes dropped EXE
PID:4844 -
\??\c:\9jjdp.exec:\9jjdp.exe51⤵
- Executes dropped EXE
PID:4864 -
\??\c:\4848888.exec:\4848888.exe52⤵
- Executes dropped EXE
PID:4036 -
\??\c:\2466042.exec:\2466042.exe53⤵
- Executes dropped EXE
PID:2300 -
\??\c:\i628882.exec:\i628882.exe54⤵
- Executes dropped EXE
PID:4008 -
\??\c:\6846804.exec:\6846804.exe55⤵
- Executes dropped EXE
PID:2296 -
\??\c:\0244884.exec:\0244884.exe56⤵
- Executes dropped EXE
PID:4400 -
\??\c:\dppdd.exec:\dppdd.exe57⤵
- Executes dropped EXE
PID:2820 -
\??\c:\628488.exec:\628488.exe58⤵
- Executes dropped EXE
PID:1276 -
\??\c:\jvppd.exec:\jvppd.exe59⤵
- Executes dropped EXE
PID:1172 -
\??\c:\s4042.exec:\s4042.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5036 -
\??\c:\64660.exec:\64660.exe61⤵
- Executes dropped EXE
PID:2080 -
\??\c:\djvvv.exec:\djvvv.exe62⤵
- Executes dropped EXE
PID:4436 -
\??\c:\q04868.exec:\q04868.exe63⤵
- Executes dropped EXE
PID:3596 -
\??\c:\24660.exec:\24660.exe64⤵
- Executes dropped EXE
PID:1648 -
\??\c:\464422.exec:\464422.exe65⤵
- Executes dropped EXE
PID:692 -
\??\c:\hnnnhh.exec:\hnnnhh.exe66⤵PID:2884
-
\??\c:\660482.exec:\660482.exe67⤵PID:2508
-
\??\c:\rxfrfxr.exec:\rxfrfxr.exe68⤵PID:4784
-
\??\c:\rxrxxfx.exec:\rxrxxfx.exe69⤵PID:4380
-
\??\c:\5pvvj.exec:\5pvvj.exe70⤵PID:2656
-
\??\c:\jddpj.exec:\jddpj.exe71⤵PID:2244
-
\??\c:\o088288.exec:\o088288.exe72⤵PID:680
-
\??\c:\jddvp.exec:\jddvp.exe73⤵PID:4292
-
\??\c:\0022004.exec:\0022004.exe74⤵PID:1772
-
\??\c:\dpjdv.exec:\dpjdv.exe75⤵PID:1504
-
\??\c:\606082.exec:\606082.exe76⤵PID:432
-
\??\c:\hbbnbb.exec:\hbbnbb.exe77⤵PID:3416
-
\??\c:\7nhbbb.exec:\7nhbbb.exe78⤵PID:3668
-
\??\c:\080402.exec:\080402.exe79⤵PID:1748
-
\??\c:\e28888.exec:\e28888.exe80⤵PID:4124
-
\??\c:\hbnhtt.exec:\hbnhtt.exe81⤵PID:5112
-
\??\c:\ttbtbt.exec:\ttbtbt.exe82⤵PID:4916
-
\??\c:\k62204.exec:\k62204.exe83⤵PID:3120
-
\??\c:\fffxrrl.exec:\fffxrrl.exe84⤵PID:5004
-
\??\c:\44026.exec:\44026.exe85⤵PID:116
-
\??\c:\7xrlllf.exec:\7xrlllf.exe86⤵PID:1712
-
\??\c:\5djjd.exec:\5djjd.exe87⤵PID:4196
-
\??\c:\48448.exec:\48448.exe88⤵PID:3484
-
\??\c:\6404444.exec:\6404444.exe89⤵PID:3728
-
\??\c:\lxxxxlr.exec:\lxxxxlr.exe90⤵PID:1716
-
\??\c:\228206.exec:\228206.exe91⤵
- System Location Discovery: System Language Discovery
PID:664 -
\??\c:\u066002.exec:\u066002.exe92⤵PID:1804
-
\??\c:\00226.exec:\00226.exe93⤵PID:5020
-
\??\c:\648824.exec:\648824.exe94⤵PID:3188
-
\??\c:\1rflfrl.exec:\1rflfrl.exe95⤵PID:3604
-
\??\c:\3bhhbb.exec:\3bhhbb.exe96⤵PID:3996
-
\??\c:\a6822.exec:\a6822.exe97⤵PID:3860
-
\??\c:\2082648.exec:\2082648.exe98⤵PID:864
-
\??\c:\bntthh.exec:\bntthh.exe99⤵PID:4148
-
\??\c:\4024844.exec:\4024844.exe100⤵PID:396
-
\??\c:\vdppj.exec:\vdppj.exe101⤵PID:1184
-
\??\c:\tnbbbb.exec:\tnbbbb.exe102⤵PID:4112
-
\??\c:\026626.exec:\026626.exe103⤵PID:4448
-
\??\c:\28440.exec:\28440.exe104⤵PID:3776
-
\??\c:\3ttnbb.exec:\3ttnbb.exe105⤵PID:3152
-
\??\c:\tnbbth.exec:\tnbbth.exe106⤵PID:1844
-
\??\c:\0400040.exec:\0400040.exe107⤵PID:4348
-
\??\c:\ddpdj.exec:\ddpdj.exe108⤵PID:1444
-
\??\c:\nbbhbt.exec:\nbbhbt.exe109⤵PID:3348
-
\??\c:\g6048.exec:\g6048.exe110⤵PID:2324
-
\??\c:\hnntbn.exec:\hnntbn.exe111⤵PID:3232
-
\??\c:\206082.exec:\206082.exe112⤵PID:2260
-
\??\c:\llfxrlf.exec:\llfxrlf.exe113⤵PID:2812
-
\??\c:\4806004.exec:\4806004.exe114⤵PID:2300
-
\??\c:\vdvpd.exec:\vdvpd.exe115⤵PID:4008
-
\??\c:\8684288.exec:\8684288.exe116⤵PID:2296
-
\??\c:\40666.exec:\40666.exe117⤵PID:3936
-
\??\c:\1jjdv.exec:\1jjdv.exe118⤵PID:4552
-
\??\c:\lllffff.exec:\lllffff.exe119⤵PID:1244
-
\??\c:\jdvpp.exec:\jdvpp.exe120⤵PID:1172
-
\??\c:\0024868.exec:\0024868.exe121⤵PID:5036
-
\??\c:\42822.exec:\42822.exe122⤵PID:2080