Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 12:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6cf1958fea405f97276f81e825550dd7dd9d1bb1913801e40ef93ffd8d285081.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6cf1958fea405f97276f81e825550dd7dd9d1bb1913801e40ef93ffd8d285081.exe
-
Size
454KB
-
MD5
5da2023f5bd3fc03d3406bd1c62ee9c9
-
SHA1
713e1b2c135d17bca18d91bdd50c32f5c473fe7b
-
SHA256
6cf1958fea405f97276f81e825550dd7dd9d1bb1913801e40ef93ffd8d285081
-
SHA512
858e424f62eaffeb3cd29fef6fe84466247853725c99495587843e9f484660ab7f3829a1bdf9840f18d839f3e03202a86637b15c94392b913a20bcf57f4a58c9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1+:q7Tc2NYHUrAwfMp3CD1+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3184-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3924-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4868-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-870-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-926-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-990-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-1398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1716 pjpjd.exe 4896 vpdvj.exe 556 e44866.exe 3580 bnnnbt.exe 4384 2648426.exe 4888 48086.exe 4808 bnnhbt.exe 1040 06208.exe 4868 xrxxlrl.exe 1192 1jjdv.exe 2820 lxrlxxl.exe 2408 w42468.exe 2940 vjpvv.exe 5072 pjjpp.exe 2728 8048042.exe 4956 pddpv.exe 4036 lrfxxrr.exe 3664 6442084.exe 2176 pvdpd.exe 1860 420204.exe 1868 6464488.exe 3080 lfrrxxl.exe 1728 q02604.exe 4456 06264.exe 2616 5bhttt.exe 540 822644.exe 1060 1lrfxrl.exe 704 e04204.exe 2028 tnnhbt.exe 1936 086482.exe 2756 m0606.exe 3996 vdjvj.exe 3944 3ttnbb.exe 1100 xrxxrlf.exe 1640 64486.exe 2592 lfxlxrl.exe 3652 pdvpv.exe 1152 084866.exe 2864 66860.exe 3924 ttnnhb.exe 2924 htbttt.exe 232 lfrfxrx.exe 2228 20086.exe 1392 206426.exe 2936 00424.exe 4420 808260.exe 2264 e48866.exe 4952 u882604.exe 1900 llxrrlr.exe 1216 vvvpj.exe 4192 6042480.exe 3228 022226.exe 3604 htbttn.exe 2020 bbbbnh.exe 4080 rrxlxrl.exe 1096 ppjdp.exe 112 hnhbnh.exe 3616 0888608.exe 1040 hbtnbb.exe 3368 9jdpj.exe 4100 88088.exe 2052 bnnbnh.exe 3640 htbbbh.exe 5072 xffrlfx.exe -
resource yara_rule behavioral2/memory/3184-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-202-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1640-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/704-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-403-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4192-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-870-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-916-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-926-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-954-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-963-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k00422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8466004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4022600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8000482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 466600.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvpp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3184 wrote to memory of 1716 3184 6cf1958fea405f97276f81e825550dd7dd9d1bb1913801e40ef93ffd8d285081.exe 83 PID 3184 wrote to memory of 1716 3184 6cf1958fea405f97276f81e825550dd7dd9d1bb1913801e40ef93ffd8d285081.exe 83 PID 3184 wrote to memory of 1716 3184 6cf1958fea405f97276f81e825550dd7dd9d1bb1913801e40ef93ffd8d285081.exe 83 PID 1716 wrote to memory of 4896 1716 pjpjd.exe 84 PID 1716 wrote to memory of 4896 1716 pjpjd.exe 84 PID 1716 wrote to memory of 4896 1716 pjpjd.exe 84 PID 4896 wrote to memory of 556 4896 vpdvj.exe 85 PID 4896 wrote to memory of 556 4896 vpdvj.exe 85 PID 4896 wrote to memory of 556 4896 vpdvj.exe 85 PID 556 wrote to memory of 3580 556 e44866.exe 86 PID 556 wrote to memory of 3580 556 e44866.exe 86 PID 556 wrote to memory of 3580 556 e44866.exe 86 PID 3580 wrote to memory of 4384 3580 bnnnbt.exe 87 PID 3580 wrote to memory of 4384 3580 bnnnbt.exe 87 PID 3580 wrote to memory of 4384 3580 bnnnbt.exe 87 PID 4384 wrote to memory of 4888 4384 2648426.exe 88 PID 4384 wrote to memory of 4888 4384 2648426.exe 88 PID 4384 wrote to memory of 4888 4384 2648426.exe 88 PID 4888 wrote to memory of 4808 4888 48086.exe 89 PID 4888 wrote to memory of 4808 4888 48086.exe 89 PID 4888 wrote to memory of 4808 4888 48086.exe 89 PID 4808 wrote to memory of 1040 4808 bnnhbt.exe 90 PID 4808 wrote to memory of 1040 4808 bnnhbt.exe 90 PID 4808 wrote to memory of 1040 4808 bnnhbt.exe 90 PID 1040 wrote to memory of 4868 1040 06208.exe 91 PID 1040 wrote to memory of 4868 1040 06208.exe 91 PID 1040 wrote to memory of 4868 1040 06208.exe 91 PID 4868 wrote to memory of 1192 4868 xrxxlrl.exe 92 PID 4868 wrote to memory of 1192 4868 xrxxlrl.exe 92 PID 4868 wrote to memory of 1192 4868 xrxxlrl.exe 92 PID 1192 wrote to memory of 2820 1192 1jjdv.exe 93 PID 1192 wrote to memory of 2820 1192 1jjdv.exe 93 PID 1192 wrote to memory of 2820 1192 1jjdv.exe 93 PID 2820 wrote to memory of 2408 2820 lxrlxxl.exe 94 PID 2820 wrote to memory of 2408 
2820 lxrlxxl.exe 94 PID 2820 wrote to memory of 2408 2820 lxrlxxl.exe 94 PID 2408 wrote to memory of 2940 2408 w42468.exe 95 PID 2408 wrote to memory of 2940 2408 w42468.exe 95 PID 2408 wrote to memory of 2940 2408 w42468.exe 95 PID 2940 wrote to memory of 5072 2940 vjpvv.exe 96 PID 2940 wrote to memory of 5072 2940 vjpvv.exe 96 PID 2940 wrote to memory of 5072 2940 vjpvv.exe 96 PID 5072 wrote to memory of 2728 5072 pjjpp.exe 97 PID 5072 wrote to memory of 2728 5072 pjjpp.exe 97 PID 5072 wrote to memory of 2728 5072 pjjpp.exe 97 PID 2728 wrote to memory of 4956 2728 8048042.exe 98 PID 2728 wrote to memory of 4956 2728 8048042.exe 98 PID 2728 wrote to memory of 4956 2728 8048042.exe 98 PID 4956 wrote to memory of 4036 4956 pddpv.exe 99 PID 4956 wrote to memory of 4036 4956 pddpv.exe 99 PID 4956 wrote to memory of 4036 4956 pddpv.exe 99 PID 4036 wrote to memory of 3664 4036 lrfxxrr.exe 100 PID 4036 wrote to memory of 3664 4036 lrfxxrr.exe 100 PID 4036 wrote to memory of 3664 4036 lrfxxrr.exe 100 PID 3664 wrote to memory of 2176 3664 6442084.exe 101 PID 3664 wrote to memory of 2176 3664 6442084.exe 101 PID 3664 wrote to memory of 2176 3664 6442084.exe 101 PID 2176 wrote to memory of 1860 2176 pvdpd.exe 102 PID 2176 wrote to memory of 1860 2176 pvdpd.exe 102 PID 2176 wrote to memory of 1860 2176 pvdpd.exe 102 PID 1860 wrote to memory of 1868 1860 420204.exe 103 PID 1860 wrote to memory of 1868 1860 420204.exe 103 PID 1860 wrote to memory of 1868 1860 420204.exe 103 PID 1868 wrote to memory of 3080 1868 6464488.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\6cf1958fea405f97276f81e825550dd7dd9d1bb1913801e40ef93ffd8d285081.exe"C:\Users\Admin\AppData\Local\Temp\6cf1958fea405f97276f81e825550dd7dd9d1bb1913801e40ef93ffd8d285081.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\pjpjd.exec:\pjpjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\vpdvj.exec:\vpdvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\e44866.exec:\e44866.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\bnnnbt.exec:\bnnnbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\2648426.exec:\2648426.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\48086.exec:\48086.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\bnnhbt.exec:\bnnhbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\06208.exec:\06208.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\xrxxlrl.exec:\xrxxlrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\1jjdv.exec:\1jjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\lxrlxxl.exec:\lxrlxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\w42468.exec:\w42468.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\vjpvv.exec:\vjpvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\pjjpp.exec:\pjjpp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\8048042.exec:\8048042.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\pddpv.exec:\pddpv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\lrfxxrr.exec:\lrfxxrr.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\6442084.exec:\6442084.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\pvdpd.exec:\pvdpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\420204.exec:\420204.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\6464488.exec:\6464488.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\lfrrxxl.exec:\lfrrxxl.exe23⤵
- Executes dropped EXE
PID:3080 -
\??\c:\q02604.exec:\q02604.exe24⤵
- Executes dropped EXE
PID:1728 -
\??\c:\06264.exec:\06264.exe25⤵
- Executes dropped EXE
PID:4456 -
\??\c:\5bhttt.exec:\5bhttt.exe26⤵
- Executes dropped EXE
PID:2616 -
\??\c:\822644.exec:\822644.exe27⤵
- Executes dropped EXE
PID:540 -
\??\c:\1lrfxrl.exec:\1lrfxrl.exe28⤵
- Executes dropped EXE
PID:1060 -
\??\c:\e04204.exec:\e04204.exe29⤵
- Executes dropped EXE
PID:704 -
\??\c:\tnnhbt.exec:\tnnhbt.exe30⤵
- Executes dropped EXE
PID:2028 -
\??\c:\086482.exec:\086482.exe31⤵
- Executes dropped EXE
PID:1936 -
\??\c:\m0606.exec:\m0606.exe32⤵
- Executes dropped EXE
PID:2756 -
\??\c:\vdjvj.exec:\vdjvj.exe33⤵
- Executes dropped EXE
PID:3996 -
\??\c:\3ttnbb.exec:\3ttnbb.exe34⤵
- Executes dropped EXE
PID:3944 -
\??\c:\xrxxrlf.exec:\xrxxrlf.exe35⤵
- Executes dropped EXE
PID:1100 -
\??\c:\64486.exec:\64486.exe36⤵
- Executes dropped EXE
PID:1640 -
\??\c:\lfxlxrl.exec:\lfxlxrl.exe37⤵
- Executes dropped EXE
PID:2592 -
\??\c:\pdvpv.exec:\pdvpv.exe38⤵
- Executes dropped EXE
PID:3652 -
\??\c:\084866.exec:\084866.exe39⤵
- Executes dropped EXE
PID:1152 -
\??\c:\66860.exec:\66860.exe40⤵
- Executes dropped EXE
PID:2864 -
\??\c:\ttnnhb.exec:\ttnnhb.exe41⤵
- Executes dropped EXE
PID:3924 -
\??\c:\htbttt.exec:\htbttt.exe42⤵
- Executes dropped EXE
PID:2924 -
\??\c:\lfrfxrx.exec:\lfrfxrx.exe43⤵
- Executes dropped EXE
PID:232 -
\??\c:\20086.exec:\20086.exe44⤵
- Executes dropped EXE
PID:2228 -
\??\c:\206426.exec:\206426.exe45⤵
- Executes dropped EXE
PID:1392 -
\??\c:\00424.exec:\00424.exe46⤵
- Executes dropped EXE
PID:2936 -
\??\c:\808260.exec:\808260.exe47⤵
- Executes dropped EXE
PID:4420 -
\??\c:\e48866.exec:\e48866.exe48⤵
- Executes dropped EXE
PID:2264 -
\??\c:\u882604.exec:\u882604.exe49⤵
- Executes dropped EXE
PID:4952 -
\??\c:\llxrrlr.exec:\llxrrlr.exe50⤵
- Executes dropped EXE
PID:1900 -
\??\c:\vvvpj.exec:\vvvpj.exe51⤵
- Executes dropped EXE
PID:1216 -
\??\c:\6042480.exec:\6042480.exe52⤵
- Executes dropped EXE
PID:4192 -
\??\c:\022226.exec:\022226.exe53⤵
- Executes dropped EXE
PID:3228 -
\??\c:\htbttn.exec:\htbttn.exe54⤵
- Executes dropped EXE
PID:3604 -
\??\c:\bbbbnh.exec:\bbbbnh.exe55⤵
- Executes dropped EXE
PID:2020 -
\??\c:\rrxlxrl.exec:\rrxlxrl.exe56⤵
- Executes dropped EXE
PID:4080 -
\??\c:\ppjdp.exec:\ppjdp.exe57⤵
- Executes dropped EXE
PID:1096 -
\??\c:\hnhbnh.exec:\hnhbnh.exe58⤵
- Executes dropped EXE
PID:112 -
\??\c:\0888608.exec:\0888608.exe59⤵
- Executes dropped EXE
PID:3616 -
\??\c:\hbtnbb.exec:\hbtnbb.exe60⤵
- Executes dropped EXE
PID:1040 -
\??\c:\9jdpj.exec:\9jdpj.exe61⤵
- Executes dropped EXE
PID:3368 -
\??\c:\88088.exec:\88088.exe62⤵
- Executes dropped EXE
PID:4100 -
\??\c:\bnnbnh.exec:\bnnbnh.exe63⤵
- Executes dropped EXE
PID:2052 -
\??\c:\htbbbh.exec:\htbbbh.exe64⤵
- Executes dropped EXE
PID:3640 -
\??\c:\xffrlfx.exec:\xffrlfx.exe65⤵
- Executes dropped EXE
PID:5072 -
\??\c:\lffxxxr.exec:\lffxxxr.exe66⤵PID:2728
-
\??\c:\480444.exec:\480444.exe67⤵PID:1092
-
\??\c:\026488.exec:\026488.exe68⤵PID:4108
-
\??\c:\o464888.exec:\o464888.exe69⤵PID:4540
-
\??\c:\4004822.exec:\4004822.exe70⤵PID:3492
-
\??\c:\k46048.exec:\k46048.exe71⤵PID:2568
-
\??\c:\8004826.exec:\8004826.exe72⤵PID:5024
-
\??\c:\6286040.exec:\6286040.exe73⤵PID:3080
-
\??\c:\06826.exec:\06826.exe74⤵PID:4864
-
\??\c:\w20282.exec:\w20282.exe75⤵PID:3840
-
\??\c:\840480.exec:\840480.exe76⤵PID:2200
-
\??\c:\flrflfx.exec:\flrflfx.exe77⤵PID:1060
-
\??\c:\9rxllff.exec:\9rxllff.exe78⤵PID:1464
-
\??\c:\822884.exec:\822884.exe79⤵PID:1912
-
\??\c:\o664264.exec:\o664264.exe80⤵PID:4508
-
\??\c:\3rrfxrl.exec:\3rrfxrl.exe81⤵PID:3980
-
\??\c:\0464488.exec:\0464488.exe82⤵PID:4900
-
\??\c:\7dvjd.exec:\7dvjd.exe83⤵PID:552
-
\??\c:\1jjdd.exec:\1jjdd.exe84⤵PID:2380
-
\??\c:\2246264.exec:\2246264.exe85⤵PID:2292
-
\??\c:\q00860.exec:\q00860.exe86⤵PID:2700
-
\??\c:\jppdv.exec:\jppdv.exe87⤵PID:3652
-
\??\c:\xlrlffx.exec:\xlrlffx.exe88⤵PID:1632
-
\??\c:\9djdv.exec:\9djdv.exe89⤵PID:2864
-
\??\c:\bbbtnh.exec:\bbbtnh.exe90⤵PID:4284
-
\??\c:\fllllll.exec:\fllllll.exe91⤵PID:2228
-
\??\c:\6264826.exec:\6264826.exe92⤵PID:4684
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe93⤵PID:4420
-
\??\c:\288006.exec:\288006.exe94⤵PID:2264
-
\??\c:\082888.exec:\082888.exe95⤵PID:932
-
\??\c:\040884.exec:\040884.exe96⤵PID:1756
-
\??\c:\nbbthh.exec:\nbbthh.exe97⤵PID:2184
-
\??\c:\9bbbtb.exec:\9bbbtb.exe98⤵PID:1652
-
\??\c:\jvppp.exec:\jvppp.exe99⤵PID:4192
-
\??\c:\0044444.exec:\0044444.exe100⤵PID:2128
-
\??\c:\6004444.exec:\6004444.exe101⤵PID:4244
-
\??\c:\1djjd.exec:\1djjd.exe102⤵PID:4328
-
\??\c:\xrrlllf.exec:\xrrlllf.exe103⤵PID:4080
-
\??\c:\ttttbb.exec:\ttttbb.exe104⤵PID:1096
-
\??\c:\jfllf.exec:\jfllf.exe105⤵PID:1380
-
\??\c:\666600.exec:\666600.exe106⤵PID:32
-
\??\c:\jvjpv.exec:\jvjpv.exe107⤵PID:1052
-
\??\c:\xrxrrrx.exec:\xrxrrrx.exe108⤵PID:1552
-
\??\c:\tnnnnt.exec:\tnnnnt.exe109⤵PID:2884
-
\??\c:\6060606.exec:\6060606.exe110⤵PID:840
-
\??\c:\202000.exec:\202000.exe111⤵PID:2776
-
\??\c:\82826.exec:\82826.exe112⤵PID:3580
-
\??\c:\q82626.exec:\q82626.exe113⤵PID:456
-
\??\c:\fxxxxxx.exec:\fxxxxxx.exe114⤵PID:2888
-
\??\c:\8288222.exec:\8288222.exe115⤵PID:1056
-
\??\c:\8604684.exec:\8604684.exe116⤵PID:4740
-
\??\c:\rlrrxxx.exec:\rlrrxxx.exe117⤵PID:2092
-
\??\c:\8428288.exec:\8428288.exe118⤵PID:3492
-
\??\c:\q06622.exec:\q06622.exe119⤵PID:1044
-
\??\c:\nhttnn.exec:\nhttnn.exe120⤵PID:4880
-
\??\c:\5ppjd.exec:\5ppjd.exe121⤵PID:4920
-
\??\c:\3rrlrrl.exec:\3rrlrrl.exe122⤵PID:3520