Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 05:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7.exe
-
Size
456KB
-
MD5
b09bdea933a38c902713063913c8ac65
-
SHA1
e348867186116fb2b0aa38a2bc07670b662cf7cd
-
SHA256
dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7
-
SHA512
5a051f3cb8973885999eab3ebf6a09ff49f3d0d39cabb446e3fe4bea441a6094c0fbc6a8e3e6bbb8f5b1ac5d95dcf3089d691090a1e36aedf39d79181678100c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRJ:q7Tc2NYHUrAwfMp3CDRJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3944-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2808-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4484-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-1517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3944 jjjjj.exe 3896 hthbbb.exe 748 jdjjd.exe 4692 068882.exe 2996 pjvvd.exe 3812 nthbbb.exe 4484 btttbb.exe 4424 w00666.exe 3012 e46048.exe 2644 xflffff.exe 2884 dvddj.exe 556 q24488.exe 4944 44444.exe 4940 6066604.exe 2224 xxrfrll.exe 4108 fffffff.exe 3088 1lrfxxx.exe 2060 ddvpd.exe 1160 4880800.exe 3744 pvdjj.exe 1952 6640004.exe 2156 xfllfff.exe 2776 k06488.exe 4764 ddpdv.exe 4016 5fxflrr.exe 1720 0460400.exe 916 thtttb.exe 2320 djvpd.exe 3620 bthnhh.exe 2112 6286044.exe 208 hhbttn.exe 3828 rlxlrxx.exe 636 rrxfflr.exe 4588 xxrxrff.exe 3616 02044.exe 2084 024666.exe 2808 840444.exe 868 dvvvv.exe 1540 xxlxfxx.exe 1536 48482.exe 1716 ffffflf.exe 3328 pvjjd.exe 1292 bbhbtt.exe 640 1rrlxff.exe 1512 5jjjd.exe 4996 nhhtnh.exe 3468 xrllllr.exe 4408 s2282.exe 3160 lrlxrll.exe 2040 0448660.exe 2792 9bhhbh.exe 4384 m6828.exe 4380 vjpjj.exe 1048 082426.exe 1796 4622200.exe 4568 o206006.exe 4492 4204602.exe 748 xxfxrrl.exe 2140 886666.exe 900 jdvpp.exe 3488 lfxfxfx.exe 432 8288826.exe 3544 rxlfllx.exe 4488 vdjdv.exe -
resource yara_rule behavioral2/memory/3944-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-202-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3616-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-25-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/748-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-601-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4862622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 004268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbnt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1928 wrote to memory of 3944 1928 dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7.exe 83 PID 1928 wrote to memory of 3944 1928 dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7.exe 83 PID 1928 wrote to memory of 3944 1928 dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7.exe 83 PID 3944 wrote to memory of 3896 3944 jjjjj.exe 84 PID 3944 wrote to memory of 3896 3944 jjjjj.exe 84 PID 3944 wrote to memory of 3896 3944 jjjjj.exe 84 PID 3896 wrote to memory of 748 3896 hthbbb.exe 85 PID 3896 wrote to memory of 748 3896 hthbbb.exe 85 PID 3896 wrote to memory of 748 3896 hthbbb.exe 85 PID 748 wrote to memory of 4692 748 jdjjd.exe 86 PID 748 wrote to memory of 4692 748 jdjjd.exe 86 PID 748 wrote to memory of 4692 748 jdjjd.exe 86 PID 4692 wrote to memory of 2996 4692 068882.exe 87 PID 4692 wrote to memory of 2996 4692 068882.exe 87 PID 4692 wrote to memory of 2996 4692 068882.exe 87 PID 2996 wrote to memory of 3812 2996 pjvvd.exe 88 PID 2996 wrote to memory of 3812 2996 pjvvd.exe 88 PID 2996 wrote to memory of 3812 2996 pjvvd.exe 88 PID 3812 wrote to memory of 4484 3812 nthbbb.exe 89 PID 3812 wrote to memory of 4484 3812 nthbbb.exe 89 PID 3812 wrote to memory of 4484 3812 nthbbb.exe 89 PID 4484 wrote to memory of 4424 4484 btttbb.exe 90 PID 4484 wrote to memory of 4424 4484 btttbb.exe 90 PID 4484 wrote to memory of 4424 4484 btttbb.exe 90 PID 4424 wrote to memory of 3012 4424 w00666.exe 91 PID 4424 wrote to memory of 3012 4424 w00666.exe 91 PID 4424 wrote to memory of 3012 4424 w00666.exe 91 PID 3012 wrote to memory of 2644 3012 e46048.exe 92 PID 3012 wrote to memory of 2644 3012 e46048.exe 92 PID 3012 wrote to memory of 2644 3012 e46048.exe 92 PID 2644 wrote to memory of 2884 2644 xflffff.exe 93 PID 2644 wrote to memory of 2884 2644 xflffff.exe 93 PID 2644 wrote to memory of 2884 2644 xflffff.exe 93 PID 2884 wrote to memory of 556 2884 dvddj.exe 94 PID 2884 wrote to memory of 556 2884 
dvddj.exe 94 PID 2884 wrote to memory of 556 2884 dvddj.exe 94 PID 556 wrote to memory of 4944 556 q24488.exe 95 PID 556 wrote to memory of 4944 556 q24488.exe 95 PID 556 wrote to memory of 4944 556 q24488.exe 95 PID 4944 wrote to memory of 4940 4944 44444.exe 96 PID 4944 wrote to memory of 4940 4944 44444.exe 96 PID 4944 wrote to memory of 4940 4944 44444.exe 96 PID 4940 wrote to memory of 2224 4940 6066604.exe 97 PID 4940 wrote to memory of 2224 4940 6066604.exe 97 PID 4940 wrote to memory of 2224 4940 6066604.exe 97 PID 2224 wrote to memory of 4108 2224 xxrfrll.exe 98 PID 2224 wrote to memory of 4108 2224 xxrfrll.exe 98 PID 2224 wrote to memory of 4108 2224 xxrfrll.exe 98 PID 4108 wrote to memory of 3088 4108 fffffff.exe 99 PID 4108 wrote to memory of 3088 4108 fffffff.exe 99 PID 4108 wrote to memory of 3088 4108 fffffff.exe 99 PID 3088 wrote to memory of 2060 3088 1lrfxxx.exe 100 PID 3088 wrote to memory of 2060 3088 1lrfxxx.exe 100 PID 3088 wrote to memory of 2060 3088 1lrfxxx.exe 100 PID 2060 wrote to memory of 1160 2060 ddvpd.exe 101 PID 2060 wrote to memory of 1160 2060 ddvpd.exe 101 PID 2060 wrote to memory of 1160 2060 ddvpd.exe 101 PID 1160 wrote to memory of 3744 1160 4880800.exe 102 PID 1160 wrote to memory of 3744 1160 4880800.exe 102 PID 1160 wrote to memory of 3744 1160 4880800.exe 102 PID 3744 wrote to memory of 1952 3744 pvdjj.exe 103 PID 3744 wrote to memory of 1952 3744 pvdjj.exe 103 PID 3744 wrote to memory of 1952 3744 pvdjj.exe 103 PID 1952 wrote to memory of 2156 1952 6640004.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7.exe"C:\Users\Admin\AppData\Local\Temp\dc01656a2360bb96913fe8611c96960b561b00d8ced3aaec3f458c65133e4aa7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\jjjjj.exec:\jjjjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\hthbbb.exec:\hthbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\jdjjd.exec:\jdjjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\068882.exec:\068882.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\pjvvd.exec:\pjvvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\nthbbb.exec:\nthbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\btttbb.exec:\btttbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\w00666.exec:\w00666.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\e46048.exec:\e46048.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\xflffff.exec:\xflffff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\dvddj.exec:\dvddj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\q24488.exec:\q24488.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\44444.exec:\44444.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\6066604.exec:\6066604.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\xxrfrll.exec:\xxrfrll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\fffffff.exec:\fffffff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\1lrfxxx.exec:\1lrfxxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\ddvpd.exec:\ddvpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\4880800.exec:\4880800.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\pvdjj.exec:\pvdjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\6640004.exec:\6640004.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\xfllfff.exec:\xfllfff.exe23⤵
- Executes dropped EXE
PID:2156 -
\??\c:\k06488.exec:\k06488.exe24⤵
- Executes dropped EXE
PID:2776 -
\??\c:\ddpdv.exec:\ddpdv.exe25⤵
- Executes dropped EXE
PID:4764 -
\??\c:\5fxflrr.exec:\5fxflrr.exe26⤵
- Executes dropped EXE
PID:4016 -
\??\c:\0460400.exec:\0460400.exe27⤵
- Executes dropped EXE
PID:1720 -
\??\c:\thtttb.exec:\thtttb.exe28⤵
- Executes dropped EXE
PID:916 -
\??\c:\djvpd.exec:\djvpd.exe29⤵
- Executes dropped EXE
PID:2320 -
\??\c:\bthnhh.exec:\bthnhh.exe30⤵
- Executes dropped EXE
PID:3620 -
\??\c:\6286044.exec:\6286044.exe31⤵
- Executes dropped EXE
PID:2112 -
\??\c:\hhbttn.exec:\hhbttn.exe32⤵
- Executes dropped EXE
PID:208 -
\??\c:\rlxlrxx.exec:\rlxlrxx.exe33⤵
- Executes dropped EXE
PID:3828 -
\??\c:\rrxfflr.exec:\rrxfflr.exe34⤵
- Executes dropped EXE
PID:636 -
\??\c:\xxrxrff.exec:\xxrxrff.exe35⤵
- Executes dropped EXE
PID:4588 -
\??\c:\02044.exec:\02044.exe36⤵
- Executes dropped EXE
PID:3616 -
\??\c:\024666.exec:\024666.exe37⤵
- Executes dropped EXE
PID:2084 -
\??\c:\840444.exec:\840444.exe38⤵
- Executes dropped EXE
PID:2808 -
\??\c:\dvvvv.exec:\dvvvv.exe39⤵
- Executes dropped EXE
PID:868 -
\??\c:\xxlxfxx.exec:\xxlxfxx.exe40⤵
- Executes dropped EXE
PID:1540 -
\??\c:\48482.exec:\48482.exe41⤵
- Executes dropped EXE
PID:1536 -
\??\c:\ffffflf.exec:\ffffflf.exe42⤵
- Executes dropped EXE
PID:1716 -
\??\c:\pvjjd.exec:\pvjjd.exe43⤵
- Executes dropped EXE
PID:3328 -
\??\c:\bbhbtt.exec:\bbhbtt.exe44⤵
- Executes dropped EXE
PID:1292 -
\??\c:\1rrlxff.exec:\1rrlxff.exe45⤵
- Executes dropped EXE
PID:640 -
\??\c:\5jjjd.exec:\5jjjd.exe46⤵
- Executes dropped EXE
PID:1512 -
\??\c:\nhhtnh.exec:\nhhtnh.exe47⤵
- Executes dropped EXE
PID:4996 -
\??\c:\xrllllr.exec:\xrllllr.exe48⤵
- Executes dropped EXE
PID:3468 -
\??\c:\s2282.exec:\s2282.exe49⤵
- Executes dropped EXE
PID:4408 -
\??\c:\lrlxrll.exec:\lrlxrll.exe50⤵
- Executes dropped EXE
PID:3160 -
\??\c:\0448660.exec:\0448660.exe51⤵
- Executes dropped EXE
PID:2040 -
\??\c:\9bhhbh.exec:\9bhhbh.exe52⤵
- Executes dropped EXE
PID:2792 -
\??\c:\m6828.exec:\m6828.exe53⤵
- Executes dropped EXE
PID:4384 -
\??\c:\tnbtnh.exec:\tnbtnh.exe54⤵PID:4444
-
\??\c:\vjpjj.exec:\vjpjj.exe55⤵
- Executes dropped EXE
PID:4380 -
\??\c:\082426.exec:\082426.exe56⤵
- Executes dropped EXE
PID:1048 -
\??\c:\4622200.exec:\4622200.exe57⤵
- Executes dropped EXE
PID:1796 -
\??\c:\o206006.exec:\o206006.exe58⤵
- Executes dropped EXE
PID:4568 -
\??\c:\4204602.exec:\4204602.exe59⤵
- Executes dropped EXE
PID:4492 -
\??\c:\xxfxrrl.exec:\xxfxrrl.exe60⤵
- Executes dropped EXE
PID:748 -
\??\c:\886666.exec:\886666.exe61⤵
- Executes dropped EXE
PID:2140 -
\??\c:\jdvpp.exec:\jdvpp.exe62⤵
- Executes dropped EXE
PID:900 -
\??\c:\lfxfxfx.exec:\lfxfxfx.exe63⤵
- Executes dropped EXE
PID:3488 -
\??\c:\8288826.exec:\8288826.exe64⤵
- Executes dropped EXE
PID:432 -
\??\c:\rxlfllx.exec:\rxlfllx.exe65⤵
- Executes dropped EXE
PID:3544 -
\??\c:\vdjdv.exec:\vdjdv.exe66⤵
- Executes dropped EXE
PID:4488 -
\??\c:\26004.exec:\26004.exe67⤵PID:2644
-
\??\c:\4880444.exec:\4880444.exe68⤵PID:2884
-
\??\c:\6080426.exec:\6080426.exe69⤵PID:2212
-
\??\c:\022604.exec:\022604.exe70⤵PID:3728
-
\??\c:\0248224.exec:\0248224.exe71⤵PID:3444
-
\??\c:\nnhhth.exec:\nnhhth.exe72⤵PID:4696
-
\??\c:\flxxrrx.exec:\flxxrrx.exe73⤵PID:4044
-
\??\c:\6026600.exec:\6026600.exe74⤵PID:2396
-
\??\c:\4060440.exec:\4060440.exe75⤵PID:2352
-
\??\c:\862666.exec:\862666.exe76⤵PID:4264
-
\??\c:\ntnhbh.exec:\ntnhbh.exe77⤵PID:2372
-
\??\c:\tnbbhn.exec:\tnbbhn.exe78⤵PID:2072
-
\??\c:\frrrxrl.exec:\frrrxrl.exe79⤵PID:3476
-
\??\c:\llxxrrl.exec:\llxxrrl.exe80⤵PID:1588
-
\??\c:\dpddd.exec:\dpddd.exe81⤵PID:4224
-
\??\c:\2644280.exec:\2644280.exe82⤵PID:4852
-
\??\c:\4862622.exec:\4862622.exe83⤵
- System Location Discovery: System Language Discovery
PID:4016 -
\??\c:\064822.exec:\064822.exe84⤵PID:3864
-
\??\c:\04482.exec:\04482.exe85⤵PID:2108
-
\??\c:\2286046.exec:\2286046.exe86⤵PID:3640
-
\??\c:\6048226.exec:\6048226.exe87⤵PID:4988
-
\??\c:\lrxxllr.exec:\lrxxllr.exe88⤵PID:4296
-
\??\c:\xllfffr.exec:\xllfffr.exe89⤵PID:4976
-
\??\c:\680488.exec:\680488.exe90⤵PID:3388
-
\??\c:\040606.exec:\040606.exe91⤵PID:2408
-
\??\c:\vdjpp.exec:\vdjpp.exe92⤵PID:3428
-
\??\c:\ffrfrrr.exec:\ffrfrrr.exe93⤵PID:4828
-
\??\c:\bbbnbn.exec:\bbbnbn.exe94⤵PID:372
-
\??\c:\422266.exec:\422266.exe95⤵PID:1068
-
\??\c:\486662.exec:\486662.exe96⤵PID:2864
-
\??\c:\jdvpp.exec:\jdvpp.exe97⤵PID:4536
-
\??\c:\00866.exec:\00866.exe98⤵PID:3972
-
\??\c:\tbhnnn.exec:\tbhnnn.exe99⤵PID:1084
-
\??\c:\48606.exec:\48606.exe100⤵PID:3684
-
\??\c:\666808.exec:\666808.exe101⤵PID:3832
-
\??\c:\4248228.exec:\4248228.exe102⤵PID:4620
-
\??\c:\9flllrr.exec:\9flllrr.exe103⤵PID:4864
-
\??\c:\26600.exec:\26600.exe104⤵PID:2476
-
\??\c:\ddpjd.exec:\ddpjd.exe105⤵PID:4360
-
\??\c:\46882.exec:\46882.exe106⤵PID:3224
-
\??\c:\26666.exec:\26666.exe107⤵PID:1712
-
\??\c:\nbnnhn.exec:\nbnnhn.exe108⤵PID:4524
-
\??\c:\5lrxxff.exec:\5lrxxff.exe109⤵PID:3896
-
\??\c:\nnnbhn.exec:\nnnbhn.exe110⤵PID:2508
-
\??\c:\jjvpp.exec:\jjvpp.exe111⤵PID:1136
-
\??\c:\u284440.exec:\u284440.exe112⤵PID:3936
-
\??\c:\82004.exec:\82004.exe113⤵PID:4772
-
\??\c:\006688.exec:\006688.exe114⤵PID:3660
-
\??\c:\rfllffx.exec:\rfllffx.exe115⤵PID:1052
-
\??\c:\frxffll.exec:\frxffll.exe116⤵PID:3840
-
\??\c:\thnntb.exec:\thnntb.exe117⤵PID:4100
-
\??\c:\dvvpd.exec:\dvvpd.exe118⤵PID:872
-
\??\c:\nhbbnn.exec:\nhbbnn.exe119⤵PID:2332
-
\??\c:\jjpvd.exec:\jjpvd.exe120⤵PID:1204
-
\??\c:\hbttnt.exec:\hbttnt.exe121⤵PID:4104
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe122⤵PID:3568