Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 07:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6b365fc99b26fdb51801ec770d2536319269834be5bcfabdcb6f3afdd1b82553.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6b365fc99b26fdb51801ec770d2536319269834be5bcfabdcb6f3afdd1b82553.exe
-
Size
454KB
-
MD5
8eefee70680d2e00d3eef3bcfa2e723b
-
SHA1
54b1ef2a8185fd618e5b5f866bfa107f6435995e
-
SHA256
6b365fc99b26fdb51801ec770d2536319269834be5bcfabdcb6f3afdd1b82553
-
SHA512
395b3d607ff535e17024cbb09cf8817412b854783ade6dd49438cbae60e5979d991bc2a551d814ce460e897f44bc055dada59bd30e3428bf945ffc5bfa212544
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2992-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1916-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2644-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-889-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4964 bbbnbn.exe 1548 a0486.exe 3376 hththt.exe 3148 ttttbt.exe 4708 80240.exe 1940 tnnbhb.exe 1332 xlxrlrr.exe 724 i080608.exe 1852 vjpdd.exe 2560 lxlxlfr.exe 116 42228.exe 1700 djdpd.exe 4432 82268.exe 4812 lfxlrrr.exe 4484 88208.exe 4132 pdvjj.exe 4560 lxrflfr.exe 4784 frrxlfr.exe 1292 xfxlxrx.exe 4308 2042042.exe 2844 20608.exe 5044 c880864.exe 4624 1ddpd.exe 1128 462248.exe 2288 3lxrlfx.exe 1688 088082.exe 1396 828082.exe 1916 64420.exe 2472 hhhtbt.exe 2116 xxxlrlx.exe 4424 vjdjv.exe 3492 5fflxrf.exe 4140 jjpjp.exe 2180 4886042.exe 800 80086.exe 2028 888202.exe 2692 rfxlrlx.exe 3720 tbbnbt.exe 4972 6664208.exe 3608 jvjdp.exe 4628 4220480.exe 2896 vjjdp.exe 4616 62420.exe 3220 k44204.exe 4844 0044266.exe 1776 644826.exe 4564 llrfrlf.exe 3496 4246264.exe 2848 pvvjv.exe 1248 frlfrfx.exe 3432 8886488.exe 1896 vpjjv.exe 3292 0842646.exe 4652 o280646.exe 5024 vdpdp.exe 3692 00680.exe 2624 466486.exe 2300 fffrxrf.exe 1624 rrxlxrf.exe 4124 0822086.exe 4248 vvvpd.exe 4812 k00804.exe 4888 dddjv.exe 4132 428200.exe -
resource yara_rule behavioral2/memory/2992-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-177-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2472-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-367-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2420-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-719-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by reading the NLS\Language registry key) in order to infer the host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4860882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 626042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4006442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
k64888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0620426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0620826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c880864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2992 wrote to memory of 4964 2992 6b365fc99b26fdb51801ec770d2536319269834be5bcfabdcb6f3afdd1b82553.exe 83 PID 2992 wrote to memory of 4964 2992 6b365fc99b26fdb51801ec770d2536319269834be5bcfabdcb6f3afdd1b82553.exe 83 PID 2992 wrote to memory of 4964 2992 6b365fc99b26fdb51801ec770d2536319269834be5bcfabdcb6f3afdd1b82553.exe 83 PID 4964 wrote to memory of 1548 4964 bbbnbn.exe 84 PID 4964 wrote to memory of 1548 4964 bbbnbn.exe 84 PID 4964 wrote to memory of 1548 4964 bbbnbn.exe 84 PID 1548 wrote to memory of 3376 1548 a0486.exe 85 PID 1548 wrote to memory of 3376 1548 a0486.exe 85 PID 1548 wrote to memory of 3376 1548 a0486.exe 85 PID 3376 wrote to memory of 3148 3376 hththt.exe 86 PID 3376 wrote to memory of 3148 3376 hththt.exe 86 PID 3376 wrote to memory of 3148 3376 hththt.exe 86 PID 3148 wrote to memory of 4708 3148 ttttbt.exe 87 PID 3148 wrote to memory of 4708 3148 ttttbt.exe 87 PID 3148 wrote to memory of 4708 3148 ttttbt.exe 87 PID 4708 wrote to memory of 1940 4708 80240.exe 88 PID 4708 wrote to memory of 1940 4708 80240.exe 88 PID 4708 wrote to memory of 1940 4708 80240.exe 88 PID 1940 wrote to memory of 1332 1940 tnnbhb.exe 89 PID 1940 wrote to memory of 1332 1940 tnnbhb.exe 89 PID 1940 wrote to memory of 1332 1940 tnnbhb.exe 89 PID 1332 wrote to memory of 724 1332 xlxrlrr.exe 90 PID 1332 wrote to memory of 724 1332 xlxrlrr.exe 90 PID 1332 wrote to memory of 724 1332 xlxrlrr.exe 90 PID 724 wrote to memory of 1852 724 i080608.exe 91 PID 724 wrote to memory of 1852 724 i080608.exe 91 PID 724 wrote to memory of 1852 724 i080608.exe 91 PID 1852 wrote to memory of 2560 1852 vjpdd.exe 92 PID 1852 wrote to memory of 2560 1852 vjpdd.exe 92 PID 1852 wrote to memory of 2560 1852 vjpdd.exe 92 PID 2560 wrote to memory of 116 2560 lxlxlfr.exe 93 PID 2560 wrote to memory of 116 2560 lxlxlfr.exe 93 PID 2560 wrote to memory of 116 2560 lxlxlfr.exe 93 PID 116 wrote to memory of 1700 116 42228.exe 94 PID 116 wrote to memory of 1700 
116 42228.exe 94 PID 116 wrote to memory of 1700 116 42228.exe 94 PID 1700 wrote to memory of 4432 1700 djdpd.exe 95 PID 1700 wrote to memory of 4432 1700 djdpd.exe 95 PID 1700 wrote to memory of 4432 1700 djdpd.exe 95 PID 4432 wrote to memory of 4812 4432 82268.exe 96 PID 4432 wrote to memory of 4812 4432 82268.exe 96 PID 4432 wrote to memory of 4812 4432 82268.exe 96 PID 4812 wrote to memory of 4484 4812 lfxlrrr.exe 97 PID 4812 wrote to memory of 4484 4812 lfxlrrr.exe 97 PID 4812 wrote to memory of 4484 4812 lfxlrrr.exe 97 PID 4484 wrote to memory of 4132 4484 88208.exe 98 PID 4484 wrote to memory of 4132 4484 88208.exe 98 PID 4484 wrote to memory of 4132 4484 88208.exe 98 PID 4132 wrote to memory of 4560 4132 pdvjj.exe 99 PID 4132 wrote to memory of 4560 4132 pdvjj.exe 99 PID 4132 wrote to memory of 4560 4132 pdvjj.exe 99 PID 4560 wrote to memory of 4784 4560 lxrflfr.exe 100 PID 4560 wrote to memory of 4784 4560 lxrflfr.exe 100 PID 4560 wrote to memory of 4784 4560 lxrflfr.exe 100 PID 4784 wrote to memory of 1292 4784 frrxlfr.exe 101 PID 4784 wrote to memory of 1292 4784 frrxlfr.exe 101 PID 4784 wrote to memory of 1292 4784 frrxlfr.exe 101 PID 1292 wrote to memory of 4308 1292 xfxlxrx.exe 102 PID 1292 wrote to memory of 4308 1292 xfxlxrx.exe 102 PID 1292 wrote to memory of 4308 1292 xfxlxrx.exe 102 PID 4308 wrote to memory of 2844 4308 2042042.exe 103 PID 4308 wrote to memory of 2844 4308 2042042.exe 103 PID 4308 wrote to memory of 2844 4308 2042042.exe 103 PID 2844 wrote to memory of 5044 2844 20608.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b365fc99b26fdb51801ec770d2536319269834be5bcfabdcb6f3afdd1b82553.exe"C:\Users\Admin\AppData\Local\Temp\6b365fc99b26fdb51801ec770d2536319269834be5bcfabdcb6f3afdd1b82553.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\bbbnbn.exec:\bbbnbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\a0486.exec:\a0486.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\hththt.exec:\hththt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\ttttbt.exec:\ttttbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\80240.exec:\80240.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\tnnbhb.exec:\tnnbhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\xlxrlrr.exec:\xlxrlrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\i080608.exec:\i080608.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
\??\c:\vjpdd.exec:\vjpdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\lxlxlfr.exec:\lxlxlfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\42228.exec:\42228.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\djdpd.exec:\djdpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\82268.exec:\82268.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\lfxlrrr.exec:\lfxlrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\88208.exec:\88208.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\pdvjj.exec:\pdvjj.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\lxrflfr.exec:\lxrflfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\frrxlfr.exec:\frrxlfr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\xfxlxrx.exec:\xfxlxrx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\2042042.exec:\2042042.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\20608.exec:\20608.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\c880864.exec:\c880864.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5044 -
\??\c:\1ddpd.exec:\1ddpd.exe24⤵
- Executes dropped EXE
PID:4624 -
\??\c:\462248.exec:\462248.exe25⤵
- Executes dropped EXE
PID:1128 -
\??\c:\3lxrlfx.exec:\3lxrlfx.exe26⤵
- Executes dropped EXE
PID:2288 -
\??\c:\088082.exec:\088082.exe27⤵
- Executes dropped EXE
PID:1688 -
\??\c:\828082.exec:\828082.exe28⤵
- Executes dropped EXE
PID:1396 -
\??\c:\64420.exec:\64420.exe29⤵
- Executes dropped EXE
PID:1916 -
\??\c:\hhhtbt.exec:\hhhtbt.exe30⤵
- Executes dropped EXE
PID:2472 -
\??\c:\xxxlrlx.exec:\xxxlrlx.exe31⤵
- Executes dropped EXE
PID:2116 -
\??\c:\vjdjv.exec:\vjdjv.exe32⤵
- Executes dropped EXE
PID:4424 -
\??\c:\5fflxrf.exec:\5fflxrf.exe33⤵
- Executes dropped EXE
PID:3492 -
\??\c:\jjpjp.exec:\jjpjp.exe34⤵
- Executes dropped EXE
PID:4140 -
\??\c:\4886042.exec:\4886042.exe35⤵
- Executes dropped EXE
PID:2180 -
\??\c:\80086.exec:\80086.exe36⤵
- Executes dropped EXE
PID:800 -
\??\c:\888202.exec:\888202.exe37⤵
- Executes dropped EXE
PID:2028 -
\??\c:\rfxlrlx.exec:\rfxlrlx.exe38⤵
- Executes dropped EXE
PID:2692 -
\??\c:\tbbnbt.exec:\tbbnbt.exe39⤵
- Executes dropped EXE
PID:3720 -
\??\c:\6664208.exec:\6664208.exe40⤵
- Executes dropped EXE
PID:4972 -
\??\c:\jvjdp.exec:\jvjdp.exe41⤵
- Executes dropped EXE
PID:3608 -
\??\c:\4220480.exec:\4220480.exe42⤵
- Executes dropped EXE
PID:4628 -
\??\c:\vjjdp.exec:\vjjdp.exe43⤵
- Executes dropped EXE
PID:2896 -
\??\c:\62420.exec:\62420.exe44⤵
- Executes dropped EXE
PID:4616 -
\??\c:\k44204.exec:\k44204.exe45⤵
- Executes dropped EXE
PID:3220 -
\??\c:\0044266.exec:\0044266.exe46⤵
- Executes dropped EXE
PID:4844 -
\??\c:\644826.exec:\644826.exe47⤵
- Executes dropped EXE
PID:1776 -
\??\c:\llrfrlf.exec:\llrfrlf.exe48⤵
- Executes dropped EXE
PID:4564 -
\??\c:\4246264.exec:\4246264.exe49⤵
- Executes dropped EXE
PID:3496 -
\??\c:\pvvjv.exec:\pvvjv.exe50⤵
- Executes dropped EXE
PID:2848 -
\??\c:\frlfrfx.exec:\frlfrfx.exe51⤵
- Executes dropped EXE
PID:1248 -
\??\c:\8886488.exec:\8886488.exe52⤵
- Executes dropped EXE
PID:3432 -
\??\c:\vpjjv.exec:\vpjjv.exe53⤵
- Executes dropped EXE
PID:1896 -
\??\c:\0842646.exec:\0842646.exe54⤵
- Executes dropped EXE
PID:3292 -
\??\c:\o280646.exec:\o280646.exe55⤵
- Executes dropped EXE
PID:4652 -
\??\c:\vdpdp.exec:\vdpdp.exe56⤵
- Executes dropped EXE
PID:5024 -
\??\c:\00680.exec:\00680.exe57⤵
- Executes dropped EXE
PID:3692 -
\??\c:\466486.exec:\466486.exe58⤵
- Executes dropped EXE
PID:2624 -
\??\c:\fffrxrf.exec:\fffrxrf.exe59⤵
- Executes dropped EXE
PID:2300 -
\??\c:\rrxlxrf.exec:\rrxlxrf.exe60⤵
- Executes dropped EXE
PID:1624 -
\??\c:\0822086.exec:\0822086.exe61⤵
- Executes dropped EXE
PID:4124 -
\??\c:\vvvpd.exec:\vvvpd.exe62⤵
- Executes dropped EXE
PID:4248 -
\??\c:\k00804.exec:\k00804.exe63⤵
- Executes dropped EXE
PID:4812 -
\??\c:\dddjv.exec:\dddjv.exe64⤵
- Executes dropped EXE
PID:4888 -
\??\c:\428200.exec:\428200.exe65⤵
- Executes dropped EXE
PID:4132 -
\??\c:\3ddpj.exec:\3ddpj.exe66⤵PID:1632
-
\??\c:\nhhbhh.exec:\nhhbhh.exe67⤵PID:5112
-
\??\c:\btnhtn.exec:\btnhtn.exe68⤵PID:3648
-
\??\c:\rrlxlxr.exec:\rrlxlxr.exe69⤵PID:4364
-
\??\c:\rflxlrf.exec:\rflxlrf.exe70⤵PID:4220
-
\??\c:\s2220.exec:\s2220.exe71⤵
- System Location Discovery: System Language Discovery
PID:3904 -
\??\c:\xrllflx.exec:\xrllflx.exe72⤵PID:3332
-
\??\c:\4008046.exec:\4008046.exe73⤵PID:1788
-
\??\c:\5vpvj.exec:\5vpvj.exe74⤵PID:1336
-
\??\c:\80608.exec:\80608.exe75⤵PID:4624
-
\??\c:\u060426.exec:\u060426.exe76⤵PID:4024
-
\??\c:\1hhbnn.exec:\1hhbnn.exe77⤵PID:2644
-
\??\c:\2280864.exec:\2280864.exe78⤵PID:3488
-
\??\c:\5vpvd.exec:\5vpvd.exe79⤵PID:1380
-
\??\c:\84420.exec:\84420.exe80⤵PID:1840
-
\??\c:\20222.exec:\20222.exe81⤵PID:640
-
\??\c:\64082.exec:\64082.exe82⤵PID:2408
-
\??\c:\64444.exec:\64444.exe83⤵PID:2116
-
\??\c:\rxxrxxr.exec:\rxxrxxr.exe84⤵PID:2492
-
\??\c:\lxfrlff.exec:\lxfrlff.exe85⤵PID:4424
-
\??\c:\dpppd.exec:\dpppd.exe86⤵PID:2420
-
\??\c:\jdvjv.exec:\jdvjv.exe87⤵PID:4688
-
\??\c:\6642608.exec:\6642608.exe88⤵PID:3888
-
\??\c:\i664604.exec:\i664604.exe89⤵PID:3120
-
\??\c:\rllxlxl.exec:\rllxlxl.exe90⤵PID:3556
-
\??\c:\hbhtht.exec:\hbhtht.exe91⤵PID:2028
-
\??\c:\244648.exec:\244648.exe92⤵PID:4192
-
\??\c:\20200.exec:\20200.exe93⤵PID:1036
-
\??\c:\400202.exec:\400202.exe94⤵PID:2256
-
\??\c:\422086.exec:\422086.exe95⤵PID:2912
-
\??\c:\222026.exec:\222026.exe96⤵PID:4580
-
\??\c:\4442042.exec:\4442042.exe97⤵PID:2004
-
\??\c:\ffffrlf.exec:\ffffrlf.exe98⤵PID:3092
-
\??\c:\pvpdv.exec:\pvpdv.exe99⤵PID:4532
-
\??\c:\5hbhnh.exec:\5hbhnh.exe100⤵PID:3408
-
\??\c:\lxfrrrf.exec:\lxfrrrf.exe101⤵PID:3148
-
\??\c:\k66820.exec:\k66820.exe102⤵PID:4204
-
\??\c:\6420086.exec:\6420086.exe103⤵PID:4584
-
\??\c:\3djjj.exec:\3djjj.exe104⤵PID:3620
-
\??\c:\lrlxfxl.exec:\lrlxfxl.exe105⤵PID:3784
-
\??\c:\jdvjp.exec:\jdvjp.exe106⤵PID:3296
-
\??\c:\k86460.exec:\k86460.exe107⤵PID:3400
-
\??\c:\rlrflfr.exec:\rlrflfr.exe108⤵PID:2372
-
\??\c:\xlrlxlx.exec:\xlrlxlx.exe109⤵PID:3012
-
\??\c:\9llfrrf.exec:\9llfrrf.exe110⤵PID:1536
-
\??\c:\rxfrfrf.exec:\rxfrfrf.exe111⤵PID:3216
-
\??\c:\lxxlxrf.exec:\lxxlxrf.exe112⤵PID:4444
-
\??\c:\22426.exec:\22426.exe113⤵PID:5024
-
\??\c:\884682.exec:\884682.exe114⤵PID:2856
-
\??\c:\8448642.exec:\8448642.exe115⤵PID:4780
-
\??\c:\62264.exec:\62264.exe116⤵PID:3584
-
\??\c:\pjpvj.exec:\pjpvj.exe117⤵PID:2296
-
\??\c:\vjdjv.exec:\vjdjv.exe118⤵PID:4740
-
\??\c:\fflfflf.exec:\fflfflf.exe119⤵PID:4244
-
\??\c:\80642.exec:\80642.exe120⤵PID:4092
-
\??\c:\s0486.exec:\s0486.exe121⤵PID:2740
-
\??\c:\e00688.exec:\e00688.exe122⤵PID:4572