Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 03:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe
-
Size
454KB
-
MD5
55bdcf0f8161835c7126612f1e14ab45
-
SHA1
b07903c26287a4e4541a940d1246b9fb28cad629
-
SHA256
ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563
-
SHA512
6be4bad5f0003ea20fa7b517d6bc9092e3328440afd26c01f66832d7f0e8ed9bd7ae414b687b57eae5e3ea69a2abf179f47712edfe58f2d3f2ad7ec46206d744
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeI:q7Tc2NYHUrAwfMp3CDI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2428-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4436-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3316-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-768-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-862-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-1056-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-1072-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-1855-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1244 btnhtt.exe 4772 lrfrlxr.exe 696 46428.exe 2848 882048.exe 2632 k28668.exe 1748 dvjvj.exe 4036 frrfrfx.exe 4844 xfxlxlf.exe 3540 9flfffx.exe 728 vdjvd.exe 4680 3jdpd.exe 3260 hhnbnb.exe 4732 llxlxlf.exe 376 0086600.exe 2368 63xfxrr.exe 2292 444266.exe 2952 422420.exe 8 pdppp.exe 5044 46266.exe 228 xffrfxr.exe 4380 pdjvp.exe 3544 406426.exe 4324 tnbnhb.exe 3492 228642.exe 872 080882.exe 2772 hbnhtn.exe 4724 682620.exe 1540 jvvdp.exe 4552 lrlxlxl.exe 928 9ppdp.exe 1076 frxrrfx.exe 4816 xxrlxrr.exe 1564 nhbnbn.exe 2216 nnthnh.exe 1536 i084680.exe 2044 08260.exe 3412 lllxlfr.exe 3628 200440.exe 4480 84820.exe 5016 xffxlxr.exe 1660 428648.exe 1964 8862826.exe 4976 482608.exe 3672 hthbbt.exe 4488 840860.exe 1200 lxflxrx.exe 4128 xxxfrfx.exe 1120 0840600.exe 1720 dppdv.exe 3588 66208.exe 2668 2646486.exe 1456 nbbtnh.exe 244 7xxlxrf.exe 2176 5ttbbt.exe 4436 6pdjvj.exe 1816 g8464.exe 1244 u846422.exe 2132 282064.exe 1740 266486.exe 2880 jpjvj.exe 4204 0486408.exe 4212 hbthnb.exe 960 044420.exe 4340 ddppp.exe -
resource yara_rule behavioral2/memory/2428-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-266-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1456-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2896-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-768-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-862-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0660820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
462604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4488606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648640.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfxrl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2428 wrote to memory of 1244 2428 ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe 83 PID 2428 wrote to memory of 1244 2428 ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe 83 PID 2428 wrote to memory of 1244 2428 ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe 83 PID 1244 wrote to memory of 4772 1244 btnhtt.exe 84 PID 1244 wrote to memory of 4772 1244 btnhtt.exe 84 PID 1244 wrote to memory of 4772 1244 btnhtt.exe 84 PID 4772 wrote to memory of 696 4772 lrfrlxr.exe 85 PID 4772 wrote to memory of 696 4772 lrfrlxr.exe 85 PID 4772 wrote to memory of 696 4772 lrfrlxr.exe 85 PID 696 wrote to memory of 2848 696 46428.exe 86 PID 696 wrote to memory of 2848 696 46428.exe 86 PID 696 wrote to memory of 2848 696 46428.exe 86 PID 2848 wrote to memory of 2632 2848 882048.exe 87 PID 2848 wrote to memory of 2632 2848 882048.exe 87 PID 2848 wrote to memory of 2632 2848 882048.exe 87 PID 2632 wrote to memory of 1748 2632 k28668.exe 88 PID 2632 wrote to memory of 1748 2632 k28668.exe 88 PID 2632 wrote to memory of 1748 2632 k28668.exe 88 PID 1748 wrote to memory of 4036 1748 dvjvj.exe 89 PID 1748 wrote to memory of 4036 1748 dvjvj.exe 89 PID 1748 wrote to memory of 4036 1748 dvjvj.exe 89 PID 4036 wrote to memory of 4844 4036 frrfrfx.exe 90 PID 4036 wrote to memory of 4844 4036 frrfrfx.exe 90 PID 4036 wrote to memory of 4844 4036 frrfrfx.exe 90 PID 4844 wrote to memory of 3540 4844 xfxlxlf.exe 91 PID 4844 wrote to memory of 3540 4844 xfxlxlf.exe 91 PID 4844 wrote to memory of 3540 4844 xfxlxlf.exe 91 PID 3540 wrote to memory of 728 3540 9flfffx.exe 92 PID 3540 wrote to memory of 728 3540 9flfffx.exe 92 PID 3540 wrote to memory of 728 3540 9flfffx.exe 92 PID 728 wrote to memory of 4680 728 vdjvd.exe 93 PID 728 wrote to memory of 4680 728 vdjvd.exe 93 PID 728 wrote to memory of 4680 728 vdjvd.exe 93 PID 4680 wrote to memory of 3260 4680 3jdpd.exe 94 PID 4680 wrote to memory of 3260 
4680 3jdpd.exe 94 PID 4680 wrote to memory of 3260 4680 3jdpd.exe 94 PID 3260 wrote to memory of 4732 3260 hhnbnb.exe 95 PID 3260 wrote to memory of 4732 3260 hhnbnb.exe 95 PID 3260 wrote to memory of 4732 3260 hhnbnb.exe 95 PID 4732 wrote to memory of 376 4732 llxlxlf.exe 96 PID 4732 wrote to memory of 376 4732 llxlxlf.exe 96 PID 4732 wrote to memory of 376 4732 llxlxlf.exe 96 PID 376 wrote to memory of 2368 376 0086600.exe 97 PID 376 wrote to memory of 2368 376 0086600.exe 97 PID 376 wrote to memory of 2368 376 0086600.exe 97 PID 2368 wrote to memory of 2292 2368 63xfxrr.exe 98 PID 2368 wrote to memory of 2292 2368 63xfxrr.exe 98 PID 2368 wrote to memory of 2292 2368 63xfxrr.exe 98 PID 2292 wrote to memory of 2952 2292 444266.exe 99 PID 2292 wrote to memory of 2952 2292 444266.exe 99 PID 2292 wrote to memory of 2952 2292 444266.exe 99 PID 2952 wrote to memory of 8 2952 422420.exe 100 PID 2952 wrote to memory of 8 2952 422420.exe 100 PID 2952 wrote to memory of 8 2952 422420.exe 100 PID 8 wrote to memory of 5044 8 pdppp.exe 101 PID 8 wrote to memory of 5044 8 pdppp.exe 101 PID 8 wrote to memory of 5044 8 pdppp.exe 101 PID 5044 wrote to memory of 228 5044 46266.exe 102 PID 5044 wrote to memory of 228 5044 46266.exe 102 PID 5044 wrote to memory of 228 5044 46266.exe 102 PID 228 wrote to memory of 4380 228 xffrfxr.exe 103 PID 228 wrote to memory of 4380 228 xffrfxr.exe 103 PID 228 wrote to memory of 4380 228 xffrfxr.exe 103 PID 4380 wrote to memory of 3544 4380 pdjvp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe"C:\Users\Admin\AppData\Local\Temp\ac567f6d56e609f4f7d9fa63a05659a9d1666f036c324b47e05f4200e1cce563.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\btnhtt.exec:\btnhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\lrfrlxr.exec:\lrfrlxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\46428.exec:\46428.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\882048.exec:\882048.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\k28668.exec:\k28668.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\dvjvj.exec:\dvjvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\frrfrfx.exec:\frrfrfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\xfxlxlf.exec:\xfxlxlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\9flfffx.exec:\9flfffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\vdjvd.exec:\vdjvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728 -
\??\c:\3jdpd.exec:\3jdpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\hhnbnb.exec:\hhnbnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\llxlxlf.exec:\llxlxlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\0086600.exec:\0086600.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\63xfxrr.exec:\63xfxrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\444266.exec:\444266.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\422420.exec:\422420.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\pdppp.exec:\pdppp.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\46266.exec:\46266.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\xffrfxr.exec:\xffrfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\pdjvp.exec:\pdjvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\406426.exec:\406426.exe23⤵
- Executes dropped EXE
PID:3544 -
\??\c:\tnbnhb.exec:\tnbnhb.exe24⤵
- Executes dropped EXE
PID:4324 -
\??\c:\228642.exec:\228642.exe25⤵
- Executes dropped EXE
PID:3492 -
\??\c:\080882.exec:\080882.exe26⤵
- Executes dropped EXE
PID:872 -
\??\c:\hbnhtn.exec:\hbnhtn.exe27⤵
- Executes dropped EXE
PID:2772 -
\??\c:\682620.exec:\682620.exe28⤵
- Executes dropped EXE
PID:4724 -
\??\c:\jvvdp.exec:\jvvdp.exe29⤵
- Executes dropped EXE
PID:1540 -
\??\c:\lrlxlxl.exec:\lrlxlxl.exe30⤵
- Executes dropped EXE
PID:4552 -
\??\c:\9ppdp.exec:\9ppdp.exe31⤵
- Executes dropped EXE
PID:928 -
\??\c:\frxrrfx.exec:\frxrrfx.exe32⤵
- Executes dropped EXE
PID:1076 -
\??\c:\xxrlxrr.exec:\xxrlxrr.exe33⤵
- Executes dropped EXE
PID:4816 -
\??\c:\nhbnbn.exec:\nhbnbn.exe34⤵
- Executes dropped EXE
PID:1564 -
\??\c:\nnthnh.exec:\nnthnh.exe35⤵
- Executes dropped EXE
PID:2216 -
\??\c:\i084680.exec:\i084680.exe36⤵
- Executes dropped EXE
PID:1536 -
\??\c:\08260.exec:\08260.exe37⤵
- Executes dropped EXE
PID:2044 -
\??\c:\lllxlfr.exec:\lllxlfr.exe38⤵
- Executes dropped EXE
PID:3412 -
\??\c:\200440.exec:\200440.exe39⤵
- Executes dropped EXE
PID:3628 -
\??\c:\84820.exec:\84820.exe40⤵
- Executes dropped EXE
PID:4480 -
\??\c:\xffxlxr.exec:\xffxlxr.exe41⤵
- Executes dropped EXE
PID:5016 -
\??\c:\428648.exec:\428648.exe42⤵
- Executes dropped EXE
PID:1660 -
\??\c:\8862826.exec:\8862826.exe43⤵
- Executes dropped EXE
PID:1964 -
\??\c:\482608.exec:\482608.exe44⤵
- Executes dropped EXE
PID:4976 -
\??\c:\hthbbt.exec:\hthbbt.exe45⤵
- Executes dropped EXE
PID:3672 -
\??\c:\840860.exec:\840860.exe46⤵
- Executes dropped EXE
PID:4488 -
\??\c:\lxflxrx.exec:\lxflxrx.exe47⤵
- Executes dropped EXE
PID:1200 -
\??\c:\xxxfrfx.exec:\xxxfrfx.exe48⤵
- Executes dropped EXE
PID:4128 -
\??\c:\0840600.exec:\0840600.exe49⤵
- Executes dropped EXE
PID:1120 -
\??\c:\dppdv.exec:\dppdv.exe50⤵
- Executes dropped EXE
PID:1720 -
\??\c:\66208.exec:\66208.exe51⤵
- Executes dropped EXE
PID:3588 -
\??\c:\2646486.exec:\2646486.exe52⤵
- Executes dropped EXE
PID:2668 -
\??\c:\nbbtnh.exec:\nbbtnh.exe53⤵
- Executes dropped EXE
PID:1456 -
\??\c:\7xxlxrf.exec:\7xxlxrf.exe54⤵
- Executes dropped EXE
PID:244 -
\??\c:\5ttbbt.exec:\5ttbbt.exe55⤵
- Executes dropped EXE
PID:2176 -
\??\c:\6pdjvj.exec:\6pdjvj.exe56⤵
- Executes dropped EXE
PID:4436 -
\??\c:\g8464.exec:\g8464.exe57⤵
- Executes dropped EXE
PID:1816 -
\??\c:\u846422.exec:\u846422.exe58⤵
- Executes dropped EXE
PID:1244 -
\??\c:\282064.exec:\282064.exe59⤵
- Executes dropped EXE
PID:2132 -
\??\c:\266486.exec:\266486.exe60⤵
- Executes dropped EXE
PID:1740 -
\??\c:\jpjvj.exec:\jpjvj.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880 -
\??\c:\0486408.exec:\0486408.exe62⤵
- Executes dropped EXE
PID:4204 -
\??\c:\hbthnb.exec:\hbthnb.exe63⤵
- Executes dropped EXE
PID:4212 -
\??\c:\044420.exec:\044420.exe64⤵
- Executes dropped EXE
PID:960 -
\??\c:\ddppp.exec:\ddppp.exe65⤵
- Executes dropped EXE
PID:4340 -
\??\c:\ddvvj.exec:\ddvvj.exe66⤵PID:4276
-
\??\c:\2604860.exec:\2604860.exe67⤵PID:4008
-
\??\c:\ddppj.exec:\ddppj.exe68⤵PID:1180
-
\??\c:\62266.exec:\62266.exe69⤵PID:4044
-
\??\c:\4626066.exec:\4626066.exe70⤵PID:1392
-
\??\c:\6068800.exec:\6068800.exe71⤵PID:1380
-
\??\c:\xflffxr.exec:\xflffxr.exe72⤵PID:4432
-
\??\c:\04622.exec:\04622.exe73⤵PID:848
-
\??\c:\vppjv.exec:\vppjv.exe74⤵PID:1864
-
\??\c:\xrrllfx.exec:\xrrllfx.exe75⤵PID:3316
-
\??\c:\tbbbtt.exec:\tbbbtt.exe76⤵PID:3180
-
\??\c:\btnhbt.exec:\btnhbt.exe77⤵PID:4200
-
\??\c:\w40666.exec:\w40666.exe78⤵PID:2292
-
\??\c:\066482.exec:\066482.exe79⤵PID:2896
-
\??\c:\thbtnh.exec:\thbtnh.exe80⤵PID:1992
-
\??\c:\8844804.exec:\8844804.exe81⤵PID:3120
-
\??\c:\1jjjd.exec:\1jjjd.exe82⤵PID:844
-
\??\c:\8404882.exec:\8404882.exe83⤵PID:3748
-
\??\c:\0404488.exec:\0404488.exe84⤵PID:624
-
\??\c:\jppjj.exec:\jppjj.exe85⤵PID:4556
-
\??\c:\ffxxrrl.exec:\ffxxrrl.exe86⤵PID:4904
-
\??\c:\644822.exec:\644822.exe87⤵PID:1224
-
\??\c:\244442.exec:\244442.exe88⤵PID:4360
-
\??\c:\400484.exec:\400484.exe89⤵PID:1596
-
\??\c:\7rrrlll.exec:\7rrrlll.exe90⤵PID:3068
-
\??\c:\vjdvp.exec:\vjdvp.exe91⤵PID:4932
-
\??\c:\028226.exec:\028226.exe92⤵PID:2916
-
\??\c:\btnnhh.exec:\btnnhh.exe93⤵PID:4160
-
\??\c:\280646.exec:\280646.exe94⤵PID:2216
-
\??\c:\nhtnnn.exec:\nhtnnn.exe95⤵PID:3168
-
\??\c:\5bhbth.exec:\5bhbth.exe96⤵PID:1604
-
\??\c:\nbbnhn.exec:\nbbnhn.exe97⤵PID:2672
-
\??\c:\68048.exec:\68048.exe98⤵PID:3156
-
\??\c:\084426.exec:\084426.exe99⤵PID:1412
-
\??\c:\8026660.exec:\8026660.exe100⤵PID:1660
-
\??\c:\w22482.exec:\w22482.exe101⤵PID:1148
-
\??\c:\22664.exec:\22664.exe102⤵PID:3428
-
\??\c:\628086.exec:\628086.exe103⤵PID:3988
-
\??\c:\204822.exec:\204822.exe104⤵PID:764
-
\??\c:\rlrlllf.exec:\rlrlllf.exe105⤵PID:4016
-
\??\c:\xfxlxrl.exec:\xfxlxrl.exe106⤵PID:3364
-
\??\c:\1nbnht.exec:\1nbnht.exe107⤵PID:2464
-
\??\c:\nbbtbt.exec:\nbbtbt.exe108⤵PID:4116
-
\??\c:\2686486.exec:\2686486.exe109⤵PID:2704
-
\??\c:\2664604.exec:\2664604.exe110⤵PID:4000
-
\??\c:\82208.exec:\82208.exe111⤵PID:4848
-
\??\c:\6808084.exec:\6808084.exe112⤵PID:3516
-
\??\c:\nbhthb.exec:\nbhthb.exe113⤵PID:544
-
\??\c:\e22648.exec:\e22648.exe114⤵PID:3128
-
\??\c:\22608.exec:\22608.exe115⤵PID:244
-
\??\c:\bnbhhn.exec:\bnbhhn.exe116⤵PID:4420
-
\??\c:\bnhhbh.exec:\bnhhbh.exe117⤵PID:2004
-
\??\c:\2008242.exec:\2008242.exe118⤵PID:5012
-
\??\c:\28820.exec:\28820.exe119⤵PID:4672
-
\??\c:\00042.exec:\00042.exe120⤵PID:3448
-
\??\c:\86268.exec:\86268.exe121⤵PID:380
-
\??\c:\0042420.exec:\0042420.exe122⤵PID:696