Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
16-12-2024 07:45
Behavioral task
behavioral1
Sample
b6aee2a4a2858f8c5c9a3045e457ab53da61f16878f5fbf891ed896108a8ea76N.exe
Resource
win7-20241023-en
windows7-x64
9 signatures
120 seconds
General
-
Target
b6aee2a4a2858f8c5c9a3045e457ab53da61f16878f5fbf891ed896108a8ea76N.exe
-
Size
3.7MB
-
MD5
912ce881dca9e21b61222352b71dc410
-
SHA1
3d8662b837e5b9769ad9d06b7d67f07b27f0c637
-
SHA256
b6aee2a4a2858f8c5c9a3045e457ab53da61f16878f5fbf891ed896108a8ea76
-
SHA512
b25b18cb208acc49f699602997985e484cb5fd592112b6d558eb6724291129bff8b248b2669f66692fabfa293bcc37bff7d8e368ee2b865cc6f0a079e0916fb3
-
SSDEEP
49152:gCOfN6X5tLLQTg20ITS/PPs/1kS4eKRL/SRsj0Zuur1T75YqVUrmNF98n:U6XLq/qPPslzKx/dJg1ErmN2
Malware Config
Signatures (every IoC listed below is tagged behavioral2, the Windows 10 2004 x64 run; the behavioral1 / Windows 7 task named in the header is not reproduced in this excerpt, so do not assume its results match)
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs — every hit is a memory dump of the same 0x400000–0x427000 image range in a different process, consistent with each dropped stage being a copy of one packed binary rather than 61 distinct payloads.
resource yara_rule behavioral2/memory/5044-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2852-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4068-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1716-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3928-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2356-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3084-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3752-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3904-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/756-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/964-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4796-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4924-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1776-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/940-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1572-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/596-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4328-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3912-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3508-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1564-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/616-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3744-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1452-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1524-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4964-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3436-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2440-368-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2192-373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1504-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1780-423-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4396-430-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4092-461-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1516-477-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1584-517-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-542-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4224-549-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2068-574-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-590-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-594-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-610-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-647-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-773-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4088-849-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2016-859-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-992-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4812-1712-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Njrat family — no supporting IoC, rule hit or extracted configuration for Njrat appears anywhere in this report; treat this family tag as unconfirmed until the matching evidence is visible, and do not attribute on it alone.
-
Executes dropped EXE 64 IoCs (64 is the listing cap — the process tree below continues past 120 nested stages; each dropped file is written to the root of C:\ with a short pseudo-random name, which is itself a usable detection point)
pid Process 2852 2024444.exe 4068 662048.exe 4480 xxxlfxr.exe 1716 djvpj.exe 3988 vdpvj.exe 4140 flrlflf.exe 3928 200044.exe 3084 dpppd.exe 2356 6460448.exe 3752 dvdvd.exe 3636 bbbttt.exe 4372 6066000.exe 3904 jvvpj.exe 756 e80488.exe 4368 u460482.exe 1152 064020.exe 1908 202044.exe 2376 pjdvp.exe 4484 0206660.exe 2496 8400488.exe 1612 226626.exe 964 ddjdv.exe 1976 44868.exe 3588 4844488.exe 4796 42860.exe 4780 6442604.exe 3808 264084.exe 4840 tnhhtt.exe 4280 xllrrxx.exe 4924 48040.exe 1776 464484.exe 2108 1jdvv.exe 4324 pjdpj.exe 940 vvjdv.exe 3420 202262.exe 4920 0820482.exe 2768 m8040.exe 1332 dvdpp.exe 1572 frlxfxr.exe 2372 nhtntt.exe 4468 pddvj.exe 596 xrxrllr.exe 1972 8004268.exe 5084 btnhbt.exe 4328 xlxrxfx.exe 4240 6264268.exe 5044 xrfrllf.exe 384 tthhbt.exe 3912 0008848.exe 1092 04882.exe 4088 lxxllfx.exe 1564 200484.exe 3508 hnnnhn.exe 4492 882866.exe 2160 2084888.exe 3936 lxxrxll.exe 1236 tnbthh.exe 4348 208282.exe 616 008488.exe 3744 6040448.exe 3120 60666.exe 1452 hnnhhh.exe 5060 hbhhhn.exe 2508 vdjdp.exe -
resource yara_rule behavioral2/memory/5044-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c5a-3.dat upx behavioral2/memory/5044-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2852-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-11.dat upx behavioral2/files/0x0008000000023cab-13.dat upx behavioral2/memory/4068-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-22.dat upx behavioral2/memory/4480-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-30.dat upx behavioral2/memory/1716-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-36.dat upx behavioral2/memory/3988-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-41.dat upx behavioral2/memory/4140-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3928-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-47.dat upx behavioral2/files/0x0007000000023cb5-51.dat upx behavioral2/memory/2356-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3084-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3752-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-58.dat upx behavioral2/files/0x0007000000023cb7-65.dat upx behavioral2/memory/3752-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-71.dat upx behavioral2/memory/3636-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4372-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-76.dat upx behavioral2/memory/3904-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-82.dat upx 
behavioral2/files/0x0007000000023cbb-86.dat upx behavioral2/memory/756-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-94.dat upx behavioral2/files/0x0007000000023cbd-99.dat upx behavioral2/files/0x0007000000023cbe-103.dat upx behavioral2/memory/2376-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-108.dat upx behavioral2/memory/4484-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-114.dat upx behavioral2/files/0x0007000000023cc1-120.dat upx behavioral2/memory/1612-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-127.dat upx behavioral2/files/0x0007000000023cc3-133.dat upx behavioral2/memory/964-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-137.dat upx behavioral2/memory/3588-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-141.dat upx behavioral2/files/0x0007000000023cc6-149.dat upx behavioral2/memory/4796-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-155.dat upx behavioral2/files/0x0007000000023cc8-160.dat upx behavioral2/files/0x0007000000023cc9-165.dat upx behavioral2/memory/4924-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1776-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccb-176.dat upx behavioral2/files/0x0007000000023ccc-183.dat upx behavioral2/memory/4280-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-169.dat upx behavioral2/memory/940-193-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3420-197-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1572-210-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2372-214-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/596-221-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4328-230-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat: the key read here (HKLM\SYSTEM\ControlSet001\Control\NLS\Language) is presumably also touched by benign locale lookups, so treat it as low-fidelity in isolation; what makes it notable here is that every dropped stage reads it.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4482048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6264268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 440426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4640268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 628200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4222600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c442608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8886826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6288826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 062266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6200004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 028888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2282604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22680.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i226004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4888822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 808222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0448642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6004260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 808402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs — in every listed event the writer is a parent writing into the child it has just spawned (compare with the process tree below), which is consistent with the stage-to-stage handoff of this loader chain rather than injection into an unrelated process.
description pid Process procid_target PID 5044 wrote to memory of 2852 5044 b6aee2a4a2858f8c5c9a3045e457ab53da61f16878f5fbf891ed896108a8ea76N.exe 83 PID 5044 wrote to memory of 2852 5044 b6aee2a4a2858f8c5c9a3045e457ab53da61f16878f5fbf891ed896108a8ea76N.exe 83 PID 5044 wrote to memory of 2852 5044 b6aee2a4a2858f8c5c9a3045e457ab53da61f16878f5fbf891ed896108a8ea76N.exe 83 PID 2852 wrote to memory of 4068 2852 2024444.exe 84 PID 2852 wrote to memory of 4068 2852 2024444.exe 84 PID 2852 wrote to memory of 4068 2852 2024444.exe 84 PID 4068 wrote to memory of 4480 4068 662048.exe 85 PID 4068 wrote to memory of 4480 4068 662048.exe 85 PID 4068 wrote to memory of 4480 4068 662048.exe 85 PID 4480 wrote to memory of 1716 4480 xxxlfxr.exe 86 PID 4480 wrote to memory of 1716 4480 xxxlfxr.exe 86 PID 4480 wrote to memory of 1716 4480 xxxlfxr.exe 86 PID 1716 wrote to memory of 3988 1716 djvpj.exe 87 PID 1716 wrote to memory of 3988 1716 djvpj.exe 87 PID 1716 wrote to memory of 3988 1716 djvpj.exe 87 PID 3988 wrote to memory of 4140 3988 vdpvj.exe 88 PID 3988 wrote to memory of 4140 3988 vdpvj.exe 88 PID 3988 wrote to memory of 4140 3988 vdpvj.exe 88 PID 4140 wrote to memory of 3928 4140 flrlflf.exe 89 PID 4140 wrote to memory of 3928 4140 flrlflf.exe 89 PID 4140 wrote to memory of 3928 4140 flrlflf.exe 89 PID 3928 wrote to memory of 3084 3928 200044.exe 90 PID 3928 wrote to memory of 3084 3928 200044.exe 90 PID 3928 wrote to memory of 3084 3928 200044.exe 90 PID 3084 wrote to memory of 2356 3084 dpppd.exe 91 PID 3084 wrote to memory of 2356 3084 dpppd.exe 91 PID 3084 wrote to memory of 2356 3084 dpppd.exe 91 PID 2356 wrote to memory of 3752 2356 6460448.exe 92 PID 2356 wrote to memory of 3752 2356 6460448.exe 92 PID 2356 wrote to memory of 3752 2356 6460448.exe 92 PID 3752 wrote to memory of 3636 3752 dvdvd.exe 93 PID 3752 wrote to memory of 3636 3752 dvdvd.exe 93 PID 3752 wrote to memory of 3636 3752 dvdvd.exe 93 PID 3636 wrote to memory of 4372 3636 bbbttt.exe 94 PID 3636 wrote 
to memory of 4372 3636 bbbttt.exe 94 PID 3636 wrote to memory of 4372 3636 bbbttt.exe 94 PID 4372 wrote to memory of 3904 4372 6066000.exe 95 PID 4372 wrote to memory of 3904 4372 6066000.exe 95 PID 4372 wrote to memory of 3904 4372 6066000.exe 95 PID 3904 wrote to memory of 756 3904 jvvpj.exe 96 PID 3904 wrote to memory of 756 3904 jvvpj.exe 96 PID 3904 wrote to memory of 756 3904 jvvpj.exe 96 PID 756 wrote to memory of 4368 756 e80488.exe 98 PID 756 wrote to memory of 4368 756 e80488.exe 98 PID 756 wrote to memory of 4368 756 e80488.exe 98 PID 4368 wrote to memory of 1152 4368 u460482.exe 99 PID 4368 wrote to memory of 1152 4368 u460482.exe 99 PID 4368 wrote to memory of 1152 4368 u460482.exe 99 PID 1152 wrote to memory of 1908 1152 064020.exe 100 PID 1152 wrote to memory of 1908 1152 064020.exe 100 PID 1152 wrote to memory of 1908 1152 064020.exe 100 PID 1908 wrote to memory of 2376 1908 202044.exe 101 PID 1908 wrote to memory of 2376 1908 202044.exe 101 PID 1908 wrote to memory of 2376 1908 202044.exe 101 PID 2376 wrote to memory of 4484 2376 pjdvp.exe 102 PID 2376 wrote to memory of 4484 2376 pjdvp.exe 102 PID 2376 wrote to memory of 4484 2376 pjdvp.exe 102 PID 4484 wrote to memory of 2496 4484 0206660.exe 103 PID 4484 wrote to memory of 2496 4484 0206660.exe 103 PID 4484 wrote to memory of 2496 4484 0206660.exe 103 PID 2496 wrote to memory of 1612 2496 8400488.exe 156 PID 2496 wrote to memory of 1612 2496 8400488.exe 156 PID 2496 wrote to memory of 1612 2496 8400488.exe 156 PID 1612 wrote to memory of 964 1612 226626.exe 105
Processes (PIDs are recycled within the 120-second run — 5044 is the submitted sample at depth 1 and later unrelated children at depths 48 and 97, and 1612, 4324, 940, 1964, 4348 and 4456 each appear twice — so correlate on image path and parent, not on PID alone)
-
C:\Users\Admin\AppData\Local\Temp\b6aee2a4a2858f8c5c9a3045e457ab53da61f16878f5fbf891ed896108a8ea76N.exe"C:\Users\Admin\AppData\Local\Temp\b6aee2a4a2858f8c5c9a3045e457ab53da61f16878f5fbf891ed896108a8ea76N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\2024444.exec:\2024444.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\662048.exec:\662048.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\xxxlfxr.exec:\xxxlfxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\djvpj.exec:\djvpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\vdpvj.exec:\vdpvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\flrlflf.exec:\flrlflf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\200044.exec:\200044.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\dpppd.exec:\dpppd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\6460448.exec:\6460448.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\dvdvd.exec:\dvdvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\bbbttt.exec:\bbbttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\6066000.exec:\6066000.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\jvvpj.exec:\jvvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\e80488.exec:\e80488.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\u460482.exec:\u460482.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\064020.exec:\064020.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\202044.exec:\202044.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\pjdvp.exec:\pjdvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\0206660.exec:\0206660.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\8400488.exec:\8400488.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\226626.exec:\226626.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\ddjdv.exec:\ddjdv.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:964 -
\??\c:\44868.exec:\44868.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1976 -
\??\c:\4844488.exec:\4844488.exe25⤵
- Executes dropped EXE
PID:3588 -
\??\c:\42860.exec:\42860.exe26⤵
- Executes dropped EXE
PID:4796 -
\??\c:\6442604.exec:\6442604.exe27⤵
- Executes dropped EXE
PID:4780 -
\??\c:\264084.exec:\264084.exe28⤵
- Executes dropped EXE
PID:3808 -
\??\c:\tnhhtt.exec:\tnhhtt.exe29⤵
- Executes dropped EXE
PID:4840 -
\??\c:\xllrrxx.exec:\xllrrxx.exe30⤵
- Executes dropped EXE
PID:4280 -
\??\c:\48040.exec:\48040.exe31⤵
- Executes dropped EXE
PID:4924 -
\??\c:\464484.exec:\464484.exe32⤵
- Executes dropped EXE
PID:1776 -
\??\c:\1jdvv.exec:\1jdvv.exe33⤵
- Executes dropped EXE
PID:2108 -
\??\c:\pjdpj.exec:\pjdpj.exe34⤵
- Executes dropped EXE
PID:4324 -
\??\c:\vvjdv.exec:\vvjdv.exe35⤵
- Executes dropped EXE
PID:940 -
\??\c:\202262.exec:\202262.exe36⤵
- Executes dropped EXE
PID:3420 -
\??\c:\0820482.exec:\0820482.exe37⤵
- Executes dropped EXE
PID:4920 -
\??\c:\m8040.exec:\m8040.exe38⤵
- Executes dropped EXE
PID:2768 -
\??\c:\dvdpp.exec:\dvdpp.exe39⤵
- Executes dropped EXE
PID:1332 -
\??\c:\frlxfxr.exec:\frlxfxr.exe40⤵
- Executes dropped EXE
PID:1572 -
\??\c:\nhtntt.exec:\nhtntt.exe41⤵
- Executes dropped EXE
PID:2372 -
\??\c:\pddvj.exec:\pddvj.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4468 -
\??\c:\xrxrllr.exec:\xrxrllr.exe43⤵
- Executes dropped EXE
PID:596 -
\??\c:\8004268.exec:\8004268.exe44⤵
- Executes dropped EXE
PID:1972 -
\??\c:\btnhbt.exec:\btnhbt.exe45⤵
- Executes dropped EXE
PID:5084 -
\??\c:\xlxrxfx.exec:\xlxrxfx.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4328 -
\??\c:\6264268.exec:\6264268.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4240 -
\??\c:\xrfrllf.exec:\xrfrllf.exe48⤵
- Executes dropped EXE
PID:5044 -
\??\c:\tthhbt.exec:\tthhbt.exe49⤵
- Executes dropped EXE
PID:384 -
\??\c:\0008848.exec:\0008848.exe50⤵
- Executes dropped EXE
PID:3912 -
\??\c:\04882.exec:\04882.exe51⤵
- Executes dropped EXE
PID:1092 -
\??\c:\lxxllfx.exec:\lxxllfx.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4088 -
\??\c:\200484.exec:\200484.exe53⤵
- Executes dropped EXE
PID:1564 -
\??\c:\hnnnhn.exec:\hnnnhn.exe54⤵
- Executes dropped EXE
PID:3508 -
\??\c:\882866.exec:\882866.exe55⤵
- Executes dropped EXE
PID:4492 -
\??\c:\2084888.exec:\2084888.exe56⤵
- Executes dropped EXE
PID:2160 -
\??\c:\lxxrxll.exec:\lxxrxll.exe57⤵
- Executes dropped EXE
PID:3936 -
\??\c:\tnbthh.exec:\tnbthh.exe58⤵
- Executes dropped EXE
PID:1236 -
\??\c:\208282.exec:\208282.exe59⤵
- Executes dropped EXE
PID:4348 -
\??\c:\008488.exec:\008488.exe60⤵
- Executes dropped EXE
PID:616 -
\??\c:\6040448.exec:\6040448.exe61⤵
- Executes dropped EXE
PID:3744 -
\??\c:\60666.exec:\60666.exe62⤵
- Executes dropped EXE
PID:3120 -
\??\c:\hnnhhh.exec:\hnnhhh.exe63⤵
- Executes dropped EXE
PID:1452 -
\??\c:\hbhhhn.exec:\hbhhhn.exe64⤵
- Executes dropped EXE
PID:5060 -
\??\c:\vdjdp.exec:\vdjdp.exe65⤵
- Executes dropped EXE
PID:2508 -
\??\c:\8084888.exec:\8084888.exe66⤵PID:5008
-
\??\c:\bbnhhn.exec:\bbnhhn.exe67⤵PID:1740
-
\??\c:\44066.exec:\44066.exe68⤵PID:4496
-
\??\c:\1ffxrxr.exec:\1ffxrxr.exe69⤵PID:1612
-
\??\c:\jvvpv.exec:\jvvpv.exe70⤵PID:3948
-
\??\c:\vpdvv.exec:\vpdvv.exe71⤵PID:2904
-
\??\c:\66482.exec:\66482.exe72⤵PID:1964
-
\??\c:\jdvjd.exec:\jdvjd.exe73⤵PID:1524
-
\??\c:\88820.exec:\88820.exe74⤵PID:4456
-
\??\c:\hnnnnh.exec:\hnnnnh.exe75⤵PID:4720
-
\??\c:\600882.exec:\600882.exe76⤵PID:416
-
\??\c:\xllfxrl.exec:\xllfxrl.exe77⤵PID:4076
-
\??\c:\222604.exec:\222604.exe78⤵PID:4964
-
\??\c:\202604.exec:\202604.exe79⤵PID:4736
-
\??\c:\80646.exec:\80646.exe80⤵PID:1348
-
\??\c:\vvjdd.exec:\vvjdd.exe81⤵PID:1756
-
\??\c:\8662660.exec:\8662660.exe82⤵PID:4336
-
\??\c:\40242.exec:\40242.exe83⤵PID:2056
-
\??\c:\frxlxrl.exec:\frxlxrl.exe84⤵PID:4324
-
\??\c:\tntnnb.exec:\tntnnb.exe85⤵PID:940
-
\??\c:\nbnbth.exec:\nbnbth.exe86⤵PID:1540
-
\??\c:\lxfxllx.exec:\lxfxllx.exe87⤵PID:3436
-
\??\c:\0448288.exec:\0448288.exe88⤵PID:2440
-
\??\c:\fxfrffl.exec:\fxfrffl.exe89⤵PID:2192
-
\??\c:\046266.exec:\046266.exe90⤵PID:1600
-
\??\c:\208288.exec:\208288.exe91⤵PID:1752
-
\??\c:\8622244.exec:\8622244.exe92⤵PID:1728
-
\??\c:\84604.exec:\84604.exe93⤵PID:1588
-
\??\c:\lxlfxxf.exec:\lxlfxxf.exe94⤵PID:1504
-
\??\c:\862826.exec:\862826.exe95⤵PID:2152
-
\??\c:\lxflfxf.exec:\lxflfxf.exe96⤵PID:1856
-
\??\c:\266488.exec:\266488.exe97⤵PID:5044
-
\??\c:\lxxxllf.exec:\lxxxllf.exe98⤵PID:4236
-
\??\c:\pddvj.exec:\pddvj.exe99⤵
- System Location Discovery: System Language Discovery
PID:4172 -
\??\c:\028266.exec:\028266.exe100⤵PID:4844
-
\??\c:\btbtnn.exec:\btbtnn.exe101⤵PID:4080
-
\??\c:\dddvj.exec:\dddvj.exe102⤵PID:5076
-
\??\c:\2866660.exec:\2866660.exe103⤵PID:1552
-
\??\c:\020624.exec:\020624.exe104⤵PID:4084
-
\??\c:\448488.exec:\448488.exe105⤵PID:1780
-
\??\c:\2260048.exec:\2260048.exe106⤵PID:3480
-
\??\c:\2444044.exec:\2444044.exe107⤵PID:4396
-
\??\c:\4426228.exec:\4426228.exe108⤵PID:3080
-
\??\c:\6484888.exec:\6484888.exe109⤵PID:4348
-
\??\c:\2688226.exec:\2688226.exe110⤵PID:776
-
\??\c:\1bbhbt.exec:\1bbhbt.exe111⤵PID:4028
-
\??\c:\0800448.exec:\0800448.exe112⤵PID:2020
-
\??\c:\nnnbhb.exec:\nnnbhb.exe113⤵PID:3016
-
\??\c:\662482.exec:\662482.exe114⤵PID:2176
-
\??\c:\rxfxffl.exec:\rxfxffl.exe115⤵PID:2792
-
\??\c:\vdvpj.exec:\vdvpj.exe116⤵PID:2400
-
\??\c:\066004.exec:\066004.exe117⤵PID:4092
-
\??\c:\604808.exec:\604808.exe118⤵PID:4532
-
\??\c:\088426.exec:\088426.exe119⤵PID:1964
-
\??\c:\nhbttb.exec:\nhbttb.exe120⤵PID:2736
-
\??\c:\840002.exec:\840002.exe121⤵PID:4456
-
\??\c:\tthtnh.exec:\tthtnh.exe122⤵PID:1516
-