Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 06:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e6942677472ab45c309246300aab160729f8a767961c65553c9baedcafedccec.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
e6942677472ab45c309246300aab160729f8a767961c65553c9baedcafedccec.exe
-
Size
453KB
-
MD5
c8121d1beda68ab3b5178387102c7e14
-
SHA1
aacbe37f4debd150bd9a1090f5bfb26249b8cf8c
-
SHA256
e6942677472ab45c309246300aab160729f8a767961c65553c9baedcafedccec
-
SHA512
cf7a38fac52e840492e65b716d2bdc7066d050e9d03bcbad26fcfe63bd2bce8dd460ed2cac14bf905253245d014958fec989d427771e6dc8e50dc877509f960b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3480-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2984-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4116-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-875-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-1080-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1060-1108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4128 3bbtnh.exe 1428 jpvvp.exe 636 8682606.exe 1788 bbnhhb.exe 464 1vdvp.exe 4828 4204006.exe 2520 xrxrrrl.exe 4392 rffrfrx.exe 1444 dpvpj.exe 5068 jvvjd.exe 64 fllfxxr.exe 524 8266004.exe 3660 nbnnnh.exe 2536 022666.exe 1880 bbnbtt.exe 444 1lfxrff.exe 760 g6266.exe 4500 i060460.exe 1332 24660.exe 4612 lfrlllr.exe 2904 g0262.exe 3628 486480.exe 2876 e68660.exe 2956 7jddd.exe 2532 bnnhbb.exe 4312 624822.exe 3676 9dvpj.exe 4964 frrllff.exe 3444 7jvpp.exe 1344 vdjvp.exe 4180 08664.exe 3176 64040.exe 932 6282264.exe 1588 062660.exe 1184 60604.exe 2984 s0664.exe 5104 pjjjd.exe 5032 02826.exe 5060 btbhbn.exe 1400 u682666.exe 1420 frfxxxf.exe 1352 jdddv.exe 2680 082048.exe 4284 c282626.exe 3004 tnbtbb.exe 4928 rllxrrl.exe 1468 vjjpj.exe 1572 i068260.exe 4748 04404.exe 3868 thtnnn.exe 4660 a0042.exe 3204 7btnhh.exe 3460 482266.exe 1248 pvppd.exe 2768 468824.exe 3312 486622.exe 1832 ntttnh.exe 1044 42604.exe 3084 66604.exe 224 02826.exe 116 k24244.exe 2052 thhbbb.exe 4560 1flrffl.exe 1092 680426.exe -
resource yara_rule behavioral2/memory/3480-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-205-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/932-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2400-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-808-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8622828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8460444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q42288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k02622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4888204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w68226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3480 wrote to memory of 4128 3480 e6942677472ab45c309246300aab160729f8a767961c65553c9baedcafedccec.exe 82 PID 3480 wrote to memory of 4128 3480 e6942677472ab45c309246300aab160729f8a767961c65553c9baedcafedccec.exe 82 PID 3480 wrote to memory of 4128 3480 e6942677472ab45c309246300aab160729f8a767961c65553c9baedcafedccec.exe 82 PID 4128 wrote to memory of 1428 4128 3bbtnh.exe 83 PID 4128 wrote to memory of 1428 4128 3bbtnh.exe 83 PID 4128 wrote to memory of 1428 4128 3bbtnh.exe 83 PID 1428 wrote to memory of 636 1428 jpvvp.exe 84 PID 1428 wrote to memory of 636 1428 jpvvp.exe 84 PID 1428 wrote to memory of 636 1428 jpvvp.exe 84 PID 636 wrote to memory of 1788 636 8682606.exe 85 PID 636 wrote to memory of 1788 636 8682606.exe 85 PID 636 wrote to memory of 1788 636 8682606.exe 85 PID 1788 wrote to memory of 464 1788 bbnhhb.exe 86 PID 1788 wrote to memory of 464 1788 bbnhhb.exe 86 PID 1788 wrote to memory of 464 1788 bbnhhb.exe 86 PID 464 wrote to memory of 4828 464 1vdvp.exe 87 PID 464 wrote to memory of 4828 464 1vdvp.exe 87 PID 464 wrote to memory of 4828 464 1vdvp.exe 87 PID 4828 wrote to memory of 2520 4828 4204006.exe 88 PID 4828 wrote to memory of 2520 4828 4204006.exe 88 PID 4828 wrote to memory of 2520 4828 4204006.exe 88 PID 2520 wrote to memory of 4392 2520 xrxrrrl.exe 89 PID 2520 wrote to memory of 4392 2520 xrxrrrl.exe 89 PID 2520 wrote to memory of 4392 2520 xrxrrrl.exe 89 PID 4392 wrote to memory of 1444 4392 rffrfrx.exe 90 PID 4392 wrote to memory of 1444 4392 rffrfrx.exe 90 PID 4392 wrote to memory of 1444 4392 rffrfrx.exe 90 PID 1444 wrote to memory of 5068 1444 dpvpj.exe 91 PID 1444 wrote to memory of 5068 1444 dpvpj.exe 91 PID 1444 wrote to memory of 5068 1444 dpvpj.exe 91 PID 5068 wrote to memory of 64 5068 jvvjd.exe 92 PID 5068 wrote to memory of 64 5068 jvvjd.exe 92 PID 5068 wrote to memory of 64 5068 jvvjd.exe 92 PID 64 wrote to memory of 524 64 fllfxxr.exe 93 PID 64 wrote to memory of 524 64 fllfxxr.exe 93 
PID 64 wrote to memory of 524 64 fllfxxr.exe 93 PID 524 wrote to memory of 3660 524 8266004.exe 94 PID 524 wrote to memory of 3660 524 8266004.exe 94 PID 524 wrote to memory of 3660 524 8266004.exe 94 PID 3660 wrote to memory of 2536 3660 nbnnnh.exe 95 PID 3660 wrote to memory of 2536 3660 nbnnnh.exe 95 PID 3660 wrote to memory of 2536 3660 nbnnnh.exe 95 PID 2536 wrote to memory of 1880 2536 022666.exe 96 PID 2536 wrote to memory of 1880 2536 022666.exe 96 PID 2536 wrote to memory of 1880 2536 022666.exe 96 PID 1880 wrote to memory of 444 1880 bbnbtt.exe 97 PID 1880 wrote to memory of 444 1880 bbnbtt.exe 97 PID 1880 wrote to memory of 444 1880 bbnbtt.exe 97 PID 444 wrote to memory of 760 444 1lfxrff.exe 98 PID 444 wrote to memory of 760 444 1lfxrff.exe 98 PID 444 wrote to memory of 760 444 1lfxrff.exe 98 PID 760 wrote to memory of 4500 760 g6266.exe 99 PID 760 wrote to memory of 4500 760 g6266.exe 99 PID 760 wrote to memory of 4500 760 g6266.exe 99 PID 4500 wrote to memory of 1332 4500 i060460.exe 100 PID 4500 wrote to memory of 1332 4500 i060460.exe 100 PID 4500 wrote to memory of 1332 4500 i060460.exe 100 PID 1332 wrote to memory of 4612 1332 24660.exe 101 PID 1332 wrote to memory of 4612 1332 24660.exe 101 PID 1332 wrote to memory of 4612 1332 24660.exe 101 PID 4612 wrote to memory of 2904 4612 lfrlllr.exe 102 PID 4612 wrote to memory of 2904 4612 lfrlllr.exe 102 PID 4612 wrote to memory of 2904 4612 lfrlllr.exe 102 PID 2904 wrote to memory of 3628 2904 g0262.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6942677472ab45c309246300aab160729f8a767961c65553c9baedcafedccec.exe"C:\Users\Admin\AppData\Local\Temp\e6942677472ab45c309246300aab160729f8a767961c65553c9baedcafedccec.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\3bbtnh.exec:\3bbtnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\jpvvp.exec:\jpvvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\8682606.exec:\8682606.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\bbnhhb.exec:\bbnhhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\1vdvp.exec:\1vdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\4204006.exec:\4204006.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\xrxrrrl.exec:\xrxrrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\rffrfrx.exec:\rffrfrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\dpvpj.exec:\dpvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\jvvjd.exec:\jvvjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\fllfxxr.exec:\fllfxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\8266004.exec:\8266004.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524 -
\??\c:\nbnnnh.exec:\nbnnnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\022666.exec:\022666.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\bbnbtt.exec:\bbnbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\1lfxrff.exec:\1lfxrff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\g6266.exec:\g6266.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\i060460.exec:\i060460.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\24660.exec:\24660.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\lfrlllr.exec:\lfrlllr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\g0262.exec:\g0262.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\486480.exec:\486480.exe23⤵
- Executes dropped EXE
PID:3628 -
\??\c:\e68660.exec:\e68660.exe24⤵
- Executes dropped EXE
PID:2876 -
\??\c:\7jddd.exec:\7jddd.exe25⤵
- Executes dropped EXE
PID:2956 -
\??\c:\bnnhbb.exec:\bnnhbb.exe26⤵
- Executes dropped EXE
PID:2532 -
\??\c:\624822.exec:\624822.exe27⤵
- Executes dropped EXE
PID:4312 -
\??\c:\9dvpj.exec:\9dvpj.exe28⤵
- Executes dropped EXE
PID:3676 -
\??\c:\frrllff.exec:\frrllff.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964 -
\??\c:\7jvpp.exec:\7jvpp.exe30⤵
- Executes dropped EXE
PID:3444 -
\??\c:\vdjvp.exec:\vdjvp.exe31⤵
- Executes dropped EXE
PID:1344 -
\??\c:\08664.exec:\08664.exe32⤵
- Executes dropped EXE
PID:4180 -
\??\c:\64040.exec:\64040.exe33⤵
- Executes dropped EXE
PID:3176 -
\??\c:\6282264.exec:\6282264.exe34⤵
- Executes dropped EXE
PID:932 -
\??\c:\062660.exec:\062660.exe35⤵
- Executes dropped EXE
PID:1588 -
\??\c:\60604.exec:\60604.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1184 -
\??\c:\s0664.exec:\s0664.exe37⤵
- Executes dropped EXE
PID:2984 -
\??\c:\pjjjd.exec:\pjjjd.exe38⤵
- Executes dropped EXE
PID:5104 -
\??\c:\02826.exec:\02826.exe39⤵
- Executes dropped EXE
PID:5032 -
\??\c:\btbhbn.exec:\btbhbn.exe40⤵
- Executes dropped EXE
PID:5060 -
\??\c:\u682666.exec:\u682666.exe41⤵
- Executes dropped EXE
PID:1400 -
\??\c:\frfxxxf.exec:\frfxxxf.exe42⤵
- Executes dropped EXE
PID:1420 -
\??\c:\jdddv.exec:\jdddv.exe43⤵
- Executes dropped EXE
PID:1352 -
\??\c:\082048.exec:\082048.exe44⤵
- Executes dropped EXE
PID:2680 -
\??\c:\c282626.exec:\c282626.exe45⤵
- Executes dropped EXE
PID:4284 -
\??\c:\tnbtbb.exec:\tnbtbb.exe46⤵
- Executes dropped EXE
PID:3004 -
\??\c:\rllxrrl.exec:\rllxrrl.exe47⤵
- Executes dropped EXE
PID:4928 -
\??\c:\vjjpj.exec:\vjjpj.exe48⤵
- Executes dropped EXE
PID:1468 -
\??\c:\i068260.exec:\i068260.exe49⤵
- Executes dropped EXE
PID:1572 -
\??\c:\04404.exec:\04404.exe50⤵
- Executes dropped EXE
PID:4748 -
\??\c:\thtnnn.exec:\thtnnn.exe51⤵
- Executes dropped EXE
PID:3868 -
\??\c:\a0042.exec:\a0042.exe52⤵
- Executes dropped EXE
PID:4660 -
\??\c:\7btnhh.exec:\7btnhh.exe53⤵
- Executes dropped EXE
PID:3204 -
\??\c:\482266.exec:\482266.exe54⤵
- Executes dropped EXE
PID:3460 -
\??\c:\pvppd.exec:\pvppd.exe55⤵
- Executes dropped EXE
PID:1248 -
\??\c:\468824.exec:\468824.exe56⤵
- Executes dropped EXE
PID:2768 -
\??\c:\486622.exec:\486622.exe57⤵
- Executes dropped EXE
PID:3312 -
\??\c:\ntttnh.exec:\ntttnh.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1832 -
\??\c:\42604.exec:\42604.exe59⤵
- Executes dropped EXE
PID:1044 -
\??\c:\66604.exec:\66604.exe60⤵
- Executes dropped EXE
PID:3084 -
\??\c:\02826.exec:\02826.exe61⤵
- Executes dropped EXE
PID:224 -
\??\c:\k24244.exec:\k24244.exe62⤵
- Executes dropped EXE
PID:116 -
\??\c:\thhbbb.exec:\thhbbb.exe63⤵
- Executes dropped EXE
PID:2052 -
\??\c:\1flrffl.exec:\1flrffl.exe64⤵
- Executes dropped EXE
PID:4560 -
\??\c:\680426.exec:\680426.exe65⤵
- Executes dropped EXE
PID:1092 -
\??\c:\284482.exec:\284482.exe66⤵PID:2896
-
\??\c:\u822888.exec:\u822888.exe67⤵PID:712
-
\??\c:\m4202.exec:\m4202.exe68⤵PID:1164
-
\??\c:\8886486.exec:\8886486.exe69⤵PID:4116
-
\??\c:\llfrlff.exec:\llfrlff.exe70⤵PID:3104
-
\??\c:\i048266.exec:\i048266.exe71⤵PID:2596
-
\??\c:\llxxffr.exec:\llxxffr.exe72⤵PID:1048
-
\??\c:\m8448.exec:\m8448.exe73⤵
- System Location Discovery: System Language Discovery
PID:1880 -
\??\c:\u620044.exec:\u620044.exe74⤵PID:444
-
\??\c:\4004848.exec:\4004848.exe75⤵PID:2832
-
\??\c:\26626.exec:\26626.exe76⤵PID:1528
-
\??\c:\02828.exec:\02828.exe77⤵PID:1360
-
\??\c:\4028226.exec:\4028226.exe78⤵PID:2004
-
\??\c:\1xrlxxl.exec:\1xrlxxl.exe79⤵PID:2400
-
\??\c:\6242660.exec:\6242660.exe80⤵PID:4388
-
\??\c:\xrlfllx.exec:\xrlfllx.exe81⤵PID:1192
-
\??\c:\bbhthb.exec:\bbhthb.exe82⤵PID:3560
-
\??\c:\68004.exec:\68004.exe83⤵PID:4716
-
\??\c:\84482.exec:\84482.exe84⤵PID:3840
-
\??\c:\ffrlxfl.exec:\ffrlxfl.exe85⤵PID:4804
-
\??\c:\204822.exec:\204822.exe86⤵PID:1356
-
\??\c:\pjvvp.exec:\pjvvp.exe87⤵PID:1304
-
\??\c:\6682260.exec:\6682260.exe88⤵PID:3512
-
\??\c:\280442.exec:\280442.exe89⤵PID:4808
-
\??\c:\frrlffx.exec:\frrlffx.exe90⤵PID:3176
-
\??\c:\btthbh.exec:\btthbh.exe91⤵PID:3192
-
\??\c:\268226.exec:\268226.exe92⤵PID:884
-
\??\c:\04488.exec:\04488.exe93⤵PID:2280
-
\??\c:\462200.exec:\462200.exe94⤵PID:1184
-
\??\c:\3ntnnn.exec:\3ntnnn.exe95⤵PID:2892
-
\??\c:\86226.exec:\86226.exe96⤵PID:5104
-
\??\c:\08822.exec:\08822.exe97⤵PID:1732
-
\??\c:\jvdvp.exec:\jvdvp.exe98⤵PID:5060
-
\??\c:\e28822.exec:\e28822.exe99⤵PID:3008
-
\??\c:\pjjdd.exec:\pjjdd.exe100⤵PID:1172
-
\??\c:\44466.exec:\44466.exe101⤵PID:2176
-
\??\c:\1hthbt.exec:\1hthbt.exe102⤵PID:1352
-
\??\c:\9xfflrx.exec:\9xfflrx.exe103⤵PID:3228
-
\??\c:\640044.exec:\640044.exe104⤵PID:4284
-
\??\c:\lfflfff.exec:\lfflfff.exe105⤵PID:4104
-
\??\c:\24004.exec:\24004.exe106⤵PID:4176
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe107⤵PID:4992
-
\??\c:\fxffllr.exec:\fxffllr.exe108⤵PID:5028
-
\??\c:\w06000.exec:\w06000.exe109⤵PID:4476
-
\??\c:\g8604.exec:\g8604.exe110⤵PID:4156
-
\??\c:\8662626.exec:\8662626.exe111⤵PID:4564
-
\??\c:\2284400.exec:\2284400.exe112⤵PID:2872
-
\??\c:\60064.exec:\60064.exe113⤵PID:4404
-
\??\c:\g8244.exec:\g8244.exe114⤵PID:3596
-
\??\c:\262600.exec:\262600.exe115⤵PID:1608
-
\??\c:\6866004.exec:\6866004.exe116⤵PID:2436
-
\??\c:\880482.exec:\880482.exe117⤵PID:2504
-
\??\c:\s8668.exec:\s8668.exe118⤵PID:4068
-
\??\c:\bhnhtt.exec:\bhnhtt.exe119⤵PID:4340
-
\??\c:\846644.exec:\846644.exe120⤵PID:3832
-
\??\c:\646202.exec:\646202.exe121⤵PID:3012
-
\??\c:\m0604.exec:\m0604.exe122⤵PID:1508