Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 20:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6e460b87dfd3a4638f8cca15867eaad48ea1357c3092c80d391aa1462b2055daN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6e460b87dfd3a4638f8cca15867eaad48ea1357c3092c80d391aa1462b2055daN.exe
-
Size
454KB
-
MD5
e904337b268b371061a25a51800ba700
-
SHA1
c68e714435603a93e93a1e7ba965fa0b7ff2aa37
-
SHA256
6e460b87dfd3a4638f8cca15867eaad48ea1357c3092c80d391aa1462b2055da
-
SHA512
b8a3b149d4b3bb14d115e081c5651415e03ff11a4b1e9b213df874ee13dc276661713b2fccfc683c146c22b407d17b79ac05ac7a24825e1d10b5352f59e794a6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1260-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3972-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2532-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-741-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-1469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1260 6060048.exe 1720 9rxlffx.exe 3984 686060.exe 4180 rrlfxrf.exe 756 w20404.exe 4208 hhbttn.exe 5060 thtnhh.exe 3760 7ffxrlx.exe 4648 e42444.exe 4776 5jpvp.exe 3624 00822.exe 1060 jvvpv.exe 2716 626482.exe 1688 6404488.exe 3944 nbbtnh.exe 212 4064826.exe 4404 a0042.exe 1064 6408488.exe 2408 0840482.exe 2320 vjdpd.exe 2680 7pjdp.exe 4964 20408.exe 2272 hnthhh.exe 1628 884260.exe 2092 6488822.exe 2924 frlxrrl.exe 4512 2064488.exe 1240 hnbtbt.exe 1752 xfxrfxl.exe 4752 hhhbhb.exe 2512 pdvpj.exe 2084 lfxrlff.exe 4492 llrxrrl.exe 2012 24608.exe 512 66860.exe 5004 62400.exe 4860 jppdv.exe 2140 u460444.exe 3972 66826.exe 900 866260.exe 1944 266044.exe 2384 o424028.exe 1336 flrrlll.exe 4368 64606.exe 1420 3bbtbb.exe 1332 2260442.exe 1180 tnbntn.exe 3100 5ttnnn.exe 3616 40286.exe 1160 vpvpp.exe 3984 040488.exe 2516 8608884.exe 1608 2864882.exe 3996 2688440.exe 3552 bnthbh.exe 3628 1jjdv.exe 3508 vpdjd.exe 2016 lrxxrll.exe 3964 2408264.exe 4024 rxlxxrr.exe 1068 s4604.exe 2544 200800.exe 3344 tnhhhn.exe 1060 tbhbbb.exe -
resource yara_rule behavioral2/memory/1260-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-221-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3972-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-356-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4728-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-722-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w20404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0820042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8628660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 408824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0444826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s4644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 780 wrote to memory of 1260 780 6e460b87dfd3a4638f8cca15867eaad48ea1357c3092c80d391aa1462b2055daN.exe 83 PID 780 wrote to memory of 1260 780 6e460b87dfd3a4638f8cca15867eaad48ea1357c3092c80d391aa1462b2055daN.exe 83 PID 780 wrote to memory of 1260 780 6e460b87dfd3a4638f8cca15867eaad48ea1357c3092c80d391aa1462b2055daN.exe 83 PID 1260 wrote to memory of 1720 1260 6060048.exe 84 PID 1260 wrote to memory of 1720 1260 6060048.exe 84 PID 1260 wrote to memory of 1720 1260 6060048.exe 84 PID 1720 wrote to memory of 3984 1720 9rxlffx.exe 85 PID 1720 wrote to memory of 3984 1720 9rxlffx.exe 85 PID 1720 wrote to memory of 3984 1720 9rxlffx.exe 85 PID 3984 wrote to memory of 4180 3984 686060.exe 86 PID 3984 wrote to memory of 4180 3984 686060.exe 86 PID 3984 wrote to memory of 4180 3984 686060.exe 86 PID 4180 wrote to memory of 756 4180 rrlfxrf.exe 87 PID 4180 wrote to memory of 756 4180 rrlfxrf.exe 87 PID 4180 wrote to memory of 756 4180 rrlfxrf.exe 87 PID 756 wrote to memory of 4208 756 w20404.exe 88 PID 756 wrote to memory of 4208 756 w20404.exe 88 PID 756 wrote to memory of 4208 756 w20404.exe 88 PID 4208 wrote to memory of 5060 4208 hhbttn.exe 89 PID 4208 wrote to memory of 5060 4208 hhbttn.exe 89 PID 4208 wrote to memory of 5060 4208 hhbttn.exe 89 PID 5060 wrote to memory of 3760 5060 thtnhh.exe 90 PID 5060 wrote to memory of 3760 5060 thtnhh.exe 90 PID 5060 wrote to memory of 3760 5060 thtnhh.exe 90 PID 3760 wrote to memory of 4648 3760 7ffxrlx.exe 91 PID 3760 wrote to memory of 4648 3760 7ffxrlx.exe 91 PID 3760 wrote to memory of 4648 3760 7ffxrlx.exe 91 PID 4648 wrote to memory of 4776 4648 e42444.exe 92 PID 4648 wrote to memory of 4776 4648 e42444.exe 92 PID 4648 wrote to memory of 4776 4648 e42444.exe 92 PID 4776 wrote to memory of 3624 4776 5jpvp.exe 93 PID 4776 wrote to memory of 3624 4776 5jpvp.exe 93 PID 4776 wrote to memory of 3624 4776 5jpvp.exe 93 PID 3624 wrote to memory of 1060 3624 00822.exe 146 PID 3624 wrote to 
memory of 1060 3624 00822.exe 146 PID 3624 wrote to memory of 1060 3624 00822.exe 146 PID 1060 wrote to memory of 2716 1060 jvvpv.exe 147 PID 1060 wrote to memory of 2716 1060 jvvpv.exe 147 PID 1060 wrote to memory of 2716 1060 jvvpv.exe 147 PID 2716 wrote to memory of 1688 2716 626482.exe 96 PID 2716 wrote to memory of 1688 2716 626482.exe 96 PID 2716 wrote to memory of 1688 2716 626482.exe 96 PID 1688 wrote to memory of 3944 1688 6404488.exe 97 PID 1688 wrote to memory of 3944 1688 6404488.exe 97 PID 1688 wrote to memory of 3944 1688 6404488.exe 97 PID 3944 wrote to memory of 212 3944 nbbtnh.exe 98 PID 3944 wrote to memory of 212 3944 nbbtnh.exe 98 PID 3944 wrote to memory of 212 3944 nbbtnh.exe 98 PID 212 wrote to memory of 4404 212 4064826.exe 99 PID 212 wrote to memory of 4404 212 4064826.exe 99 PID 212 wrote to memory of 4404 212 4064826.exe 99 PID 4404 wrote to memory of 1064 4404 a0042.exe 152 PID 4404 wrote to memory of 1064 4404 a0042.exe 152 PID 4404 wrote to memory of 1064 4404 a0042.exe 152 PID 1064 wrote to memory of 2408 1064 6408488.exe 101 PID 1064 wrote to memory of 2408 1064 6408488.exe 101 PID 1064 wrote to memory of 2408 1064 6408488.exe 101 PID 2408 wrote to memory of 2320 2408 0840482.exe 102 PID 2408 wrote to memory of 2320 2408 0840482.exe 102 PID 2408 wrote to memory of 2320 2408 0840482.exe 102 PID 2320 wrote to memory of 2680 2320 vjdpd.exe 103 PID 2320 wrote to memory of 2680 2320 vjdpd.exe 103 PID 2320 wrote to memory of 2680 2320 vjdpd.exe 103 PID 2680 wrote to memory of 4964 2680 7pjdp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e460b87dfd3a4638f8cca15867eaad48ea1357c3092c80d391aa1462b2055daN.exe"C:\Users\Admin\AppData\Local\Temp\6e460b87dfd3a4638f8cca15867eaad48ea1357c3092c80d391aa1462b2055daN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\6060048.exec:\6060048.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\9rxlffx.exec:\9rxlffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\686060.exec:\686060.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\rrlfxrf.exec:\rrlfxrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\w20404.exec:\w20404.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\hhbttn.exec:\hhbttn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\thtnhh.exec:\thtnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\7ffxrlx.exec:\7ffxrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\e42444.exec:\e42444.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\5jpvp.exec:\5jpvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\00822.exec:\00822.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\jvvpv.exec:\jvvpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\626482.exec:\626482.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\6404488.exec:\6404488.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\nbbtnh.exec:\nbbtnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\4064826.exec:\4064826.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\a0042.exec:\a0042.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\6408488.exec:\6408488.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\0840482.exec:\0840482.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\vjdpd.exec:\vjdpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\7pjdp.exec:\7pjdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\20408.exec:\20408.exe23⤵
- Executes dropped EXE
PID:4964 -
\??\c:\hnthhh.exec:\hnthhh.exe24⤵
- Executes dropped EXE
PID:2272 -
\??\c:\884260.exec:\884260.exe25⤵
- Executes dropped EXE
PID:1628 -
\??\c:\6488822.exec:\6488822.exe26⤵
- Executes dropped EXE
PID:2092 -
\??\c:\frlxrrl.exec:\frlxrrl.exe27⤵
- Executes dropped EXE
PID:2924 -
\??\c:\2064488.exec:\2064488.exe28⤵
- Executes dropped EXE
PID:4512 -
\??\c:\hnbtbt.exec:\hnbtbt.exe29⤵
- Executes dropped EXE
PID:1240 -
\??\c:\xfxrfxl.exec:\xfxrfxl.exe30⤵
- Executes dropped EXE
PID:1752 -
\??\c:\hhhbhb.exec:\hhhbhb.exe31⤵
- Executes dropped EXE
PID:4752 -
\??\c:\pdvpj.exec:\pdvpj.exe32⤵
- Executes dropped EXE
PID:2512 -
\??\c:\lfxrlff.exec:\lfxrlff.exe33⤵
- Executes dropped EXE
PID:2084 -
\??\c:\llrxrrl.exec:\llrxrrl.exe34⤵
- Executes dropped EXE
PID:4492 -
\??\c:\24608.exec:\24608.exe35⤵
- Executes dropped EXE
PID:2012 -
\??\c:\66860.exec:\66860.exe36⤵
- Executes dropped EXE
PID:512 -
\??\c:\62400.exec:\62400.exe37⤵
- Executes dropped EXE
PID:5004 -
\??\c:\jppdv.exec:\jppdv.exe38⤵
- Executes dropped EXE
PID:4860 -
\??\c:\u460444.exec:\u460444.exe39⤵
- Executes dropped EXE
PID:2140 -
\??\c:\66826.exec:\66826.exe40⤵
- Executes dropped EXE
PID:3972 -
\??\c:\866260.exec:\866260.exe41⤵
- Executes dropped EXE
PID:900 -
\??\c:\266044.exec:\266044.exe42⤵
- Executes dropped EXE
PID:1944 -
\??\c:\o424028.exec:\o424028.exe43⤵
- Executes dropped EXE
PID:2384 -
\??\c:\flrrlll.exec:\flrrlll.exe44⤵
- Executes dropped EXE
PID:1336 -
\??\c:\64606.exec:\64606.exe45⤵
- Executes dropped EXE
PID:4368 -
\??\c:\3bbtbb.exec:\3bbtbb.exe46⤵
- Executes dropped EXE
PID:1420 -
\??\c:\2260442.exec:\2260442.exe47⤵
- Executes dropped EXE
PID:1332 -
\??\c:\tnbntn.exec:\tnbntn.exe48⤵
- Executes dropped EXE
PID:1180 -
\??\c:\5ttnnn.exec:\5ttnnn.exe49⤵
- Executes dropped EXE
PID:3100 -
\??\c:\40286.exec:\40286.exe50⤵
- Executes dropped EXE
PID:3616 -
\??\c:\vpvpp.exec:\vpvpp.exe51⤵
- Executes dropped EXE
PID:1160 -
\??\c:\040488.exec:\040488.exe52⤵
- Executes dropped EXE
PID:3984 -
\??\c:\8608884.exec:\8608884.exe53⤵
- Executes dropped EXE
PID:2516 -
\??\c:\2864882.exec:\2864882.exe54⤵
- Executes dropped EXE
PID:1608 -
\??\c:\2688440.exec:\2688440.exe55⤵
- Executes dropped EXE
PID:3996 -
\??\c:\bnthbh.exec:\bnthbh.exe56⤵
- Executes dropped EXE
PID:3552 -
\??\c:\1jjdv.exec:\1jjdv.exe57⤵
- Executes dropped EXE
PID:3628 -
\??\c:\vpdjd.exec:\vpdjd.exe58⤵
- Executes dropped EXE
PID:3508 -
\??\c:\lrxxrll.exec:\lrxxrll.exe59⤵
- Executes dropped EXE
PID:2016 -
\??\c:\2408264.exec:\2408264.exe60⤵
- Executes dropped EXE
PID:3964 -
\??\c:\rxlxxrr.exec:\rxlxxrr.exe61⤵
- Executes dropped EXE
PID:4024 -
\??\c:\s4604.exec:\s4604.exe62⤵
- Executes dropped EXE
PID:1068 -
\??\c:\200800.exec:\200800.exe63⤵
- Executes dropped EXE
PID:2544 -
\??\c:\tnhhhn.exec:\tnhhhn.exe64⤵
- Executes dropped EXE
PID:3344 -
\??\c:\tbhbbb.exec:\tbhbbb.exe65⤵
- Executes dropped EXE
PID:1060 -
\??\c:\pjpjj.exec:\pjpjj.exe66⤵
- System Location Discovery: System Language Discovery
PID:2716 -
\??\c:\2684028.exec:\2684028.exe67⤵PID:3880
-
\??\c:\htbtnh.exec:\htbtnh.exe68⤵PID:4480
-
\??\c:\8460800.exec:\8460800.exe69⤵PID:1540
-
\??\c:\u666044.exec:\u666044.exe70⤵PID:3660
-
\??\c:\406044.exec:\406044.exe71⤵PID:1064
-
\??\c:\pdpjp.exec:\pdpjp.exe72⤵PID:1464
-
\??\c:\6460448.exec:\6460448.exe73⤵PID:4152
-
\??\c:\2404888.exec:\2404888.exe74⤵PID:3444
-
\??\c:\862604.exec:\862604.exe75⤵PID:4732
-
\??\c:\8422048.exec:\8422048.exe76⤵PID:2532
-
\??\c:\a0826.exec:\a0826.exe77⤵PID:4944
-
\??\c:\88008.exec:\88008.exe78⤵PID:2572
-
\??\c:\5ntnnh.exec:\5ntnnh.exe79⤵PID:852
-
\??\c:\9jjjp.exec:\9jjjp.exe80⤵PID:1376
-
\??\c:\frxrlfx.exec:\frxrlfx.exe81⤵PID:1752
-
\??\c:\bntnbn.exec:\bntnbn.exe82⤵PID:4552
-
\??\c:\pppjd.exec:\pppjd.exe83⤵PID:2548
-
\??\c:\3rxlxxr.exec:\3rxlxxr.exe84⤵PID:5068
-
\??\c:\bnhhbt.exec:\bnhhbt.exe85⤵PID:4880
-
\??\c:\pvdvv.exec:\pvdvv.exe86⤵PID:4868
-
\??\c:\046848.exec:\046848.exe87⤵PID:4728
-
\??\c:\ddddv.exec:\ddddv.exe88⤵PID:4872
-
\??\c:\lxfrrll.exec:\lxfrrll.exe89⤵PID:1492
-
\??\c:\jdjpd.exec:\jdjpd.exe90⤵PID:2704
-
\??\c:\btnhbt.exec:\btnhbt.exe91⤵PID:4856
-
\??\c:\486060.exec:\486060.exe92⤵PID:2000
-
\??\c:\dddvv.exec:\dddvv.exe93⤵PID:2384
-
\??\c:\1ddjd.exec:\1ddjd.exe94⤵PID:2964
-
\??\c:\pvddv.exec:\pvddv.exe95⤵PID:4740
-
\??\c:\fxllxfr.exec:\fxllxfr.exe96⤵PID:4128
-
\??\c:\9hnhhh.exec:\9hnhhh.exe97⤵PID:1772
-
\??\c:\g0682.exec:\g0682.exe98⤵PID:1560
-
\??\c:\82260.exec:\82260.exe99⤵PID:3052
-
\??\c:\8060002.exec:\8060002.exe100⤵PID:3100
-
\??\c:\rfrfllr.exec:\rfrfllr.exe101⤵PID:2872
-
\??\c:\rllfxrl.exec:\rllfxrl.exe102⤵PID:4912
-
\??\c:\262660.exec:\262660.exe103⤵PID:2224
-
\??\c:\i682228.exec:\i682228.exe104⤵PID:2876
-
\??\c:\g4226.exec:\g4226.exe105⤵PID:3668
-
\??\c:\5dpvp.exec:\5dpvp.exe106⤵PID:1460
-
\??\c:\0448604.exec:\0448604.exe107⤵PID:3536
-
\??\c:\m8482.exec:\m8482.exe108⤵PID:1364
-
\??\c:\q42066.exec:\q42066.exe109⤵PID:1840
-
\??\c:\1tbthh.exec:\1tbthh.exe110⤵PID:540
-
\??\c:\btttnh.exec:\btttnh.exe111⤵PID:3892
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe112⤵PID:5108
-
\??\c:\flrlllf.exec:\flrlllf.exe113⤵PID:3960
-
\??\c:\hbhbnb.exec:\hbhbnb.exe114⤵PID:2944
-
\??\c:\rfxrfrl.exec:\rfxrfrl.exe115⤵PID:1168
-
\??\c:\rxffrlx.exec:\rxffrlx.exe116⤵PID:608
-
\??\c:\q28642.exec:\q28642.exe117⤵PID:3568
-
\??\c:\7hnbnh.exec:\7hnbnh.exe118⤵PID:2744
-
\??\c:\tttnhh.exec:\tttnhh.exe119⤵PID:3412
-
\??\c:\66486.exec:\66486.exe120⤵PID:1540
-
\??\c:\4264204.exec:\4264204.exe121⤵PID:4708
-
\??\c:\42822.exec:\42822.exe122⤵PID:1064