Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 21:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
68636881a425d05f93157ef53f8768e6173608784a18462b22e07d819a367a8cN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
68636881a425d05f93157ef53f8768e6173608784a18462b22e07d819a367a8cN.exe
-
Size
456KB
-
MD5
db708eb5b02abd1ef92fec65afc9a970
-
SHA1
747de4aca3a66f6f6f878911234f3c0424e1b408
-
SHA256
68636881a425d05f93157ef53f8768e6173608784a18462b22e07d819a367a8c
-
SHA512
d2876a3d93e12ddfbd69b19c507ba1c9627d7daa085136c7f7f506245856bb3ae09f7255bf9a8ebac2eda182e0cf00b19477fc31cef4c598ea9ceb6042ec4aa2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR8:q7Tc2NYHUrAwfMp3CDR8
Malware Config (no extracted configuration is shown for this sample; the section is empty)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs. Every hit is the same 0x00400000–0x0042A000 image range in a different process: each dropped executable carries the same Blackmoon payload in memory. The same regions also match the `upx` yara rule listed below, which is consistent with a UPX-packed payload.
resource yara_rule behavioral2/memory/1216-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3944-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4348-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-797-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-852-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-859-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-978-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-1378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-1565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs. Each executable is written to the root of C:\ (\??\c:\<name>.exe) and spawns the next one, forming a long linear chain. Note that PIDs are reused within the run (for example 1216, 3564, 4384, 1092 and 3684 each belong to two different processes), so correlate on the image path rather than on the PID alone.
pid Process 1116 884848.exe 3376 6064204.exe 3564 62842.exe 4384 5djdj.exe 4080 4880640.exe 1096 vpvpv.exe 4932 44042.exe 1192 9bttnb.exe 2764 06628.exe 3640 bbvdvp.exe 876 lxfrrll.exe 4712 dvdpv.exe 1092 1dvjv.exe 3928 64826.exe 696 tnhtnb.exe 1740 ppvjv.exe 4912 66440.exe 4864 dddpd.exe 208 444826.exe 3064 080444.exe 3880 djdpd.exe 3684 4408604.exe 736 vdjpj.exe 4028 rffxlxr.exe 3988 jpvpp.exe 592 lfxrxxl.exe 4460 vvddv.exe 4508 84220.exe 3996 62860.exe 3944 o886042.exe 1452 622608.exe 4600 0848884.exe 4188 20648.exe 4816 08820.exe 1636 604888.exe 764 jdvvd.exe 3924 llxrlfx.exe 4764 4884866.exe 1652 g4040.exe 2952 840826.exe 4316 tbthbn.exe 2452 6426486.exe 2872 jjdjv.exe 1216 btnnbt.exe 1496 pvvpp.exe 4192 426048.exe 3212 1vpvp.exe 4896 1vpdv.exe 3208 088620.exe 4272 604826.exe 3564 48046.exe 3952 5vjdv.exe 4384 20486.exe 216 flxfxxf.exe 2348 2060800.exe 724 nhbtnn.exe 3368 htnbtn.exe 1976 40420.exe 2164 002648.exe 3984 nhnhtt.exe 700 440488.exe 1400 608222.exe 2620 3nhbbb.exe 3648 68428.exe -
resource yara_rule behavioral2/memory/1216-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-185-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4188-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-407-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2268-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-852-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-859-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-971-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-978-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2244444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0486224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nththh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4024080.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k66082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4220484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u464040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs. The list is capped at 64 entries and stops at PID 3684 although the process chain continues (see Processes). Every entry is a parent writing into the child it has just launched, three writes per parent/child pair; this pattern is consistent with ordinary process creation and is not by itself evidence of injection into an unrelated process.
description pid Process procid_target PID 1216 wrote to memory of 1116 1216 68636881a425d05f93157ef53f8768e6173608784a18462b22e07d819a367a8cN.exe 83 PID 1216 wrote to memory of 1116 1216 68636881a425d05f93157ef53f8768e6173608784a18462b22e07d819a367a8cN.exe 83 PID 1216 wrote to memory of 1116 1216 68636881a425d05f93157ef53f8768e6173608784a18462b22e07d819a367a8cN.exe 83 PID 1116 wrote to memory of 3376 1116 884848.exe 84 PID 1116 wrote to memory of 3376 1116 884848.exe 84 PID 1116 wrote to memory of 3376 1116 884848.exe 84 PID 3376 wrote to memory of 3564 3376 6064204.exe 85 PID 3376 wrote to memory of 3564 3376 6064204.exe 85 PID 3376 wrote to memory of 3564 3376 6064204.exe 85 PID 3564 wrote to memory of 4384 3564 62842.exe 86 PID 3564 wrote to memory of 4384 3564 62842.exe 86 PID 3564 wrote to memory of 4384 3564 62842.exe 86 PID 4384 wrote to memory of 4080 4384 5djdj.exe 87 PID 4384 wrote to memory of 4080 4384 5djdj.exe 87 PID 4384 wrote to memory of 4080 4384 5djdj.exe 87 PID 4080 wrote to memory of 1096 4080 4880640.exe 88 PID 4080 wrote to memory of 1096 4080 4880640.exe 88 PID 4080 wrote to memory of 1096 4080 4880640.exe 88 PID 1096 wrote to memory of 4932 1096 vpvpv.exe 89 PID 1096 wrote to memory of 4932 1096 vpvpv.exe 89 PID 1096 wrote to memory of 4932 1096 vpvpv.exe 89 PID 4932 wrote to memory of 1192 4932 44042.exe 90 PID 4932 wrote to memory of 1192 4932 44042.exe 90 PID 4932 wrote to memory of 1192 4932 44042.exe 90 PID 1192 wrote to memory of 2764 1192 9bttnb.exe 91 PID 1192 wrote to memory of 2764 1192 9bttnb.exe 91 PID 1192 wrote to memory of 2764 1192 9bttnb.exe 91 PID 2764 wrote to memory of 3640 2764 06628.exe 92 PID 2764 wrote to memory of 3640 2764 06628.exe 92 PID 2764 wrote to memory of 3640 2764 06628.exe 92 PID 3640 wrote to memory of 876 3640 bbvdvp.exe 93 PID 3640 wrote to memory of 876 3640 bbvdvp.exe 93 PID 3640 wrote to memory of 876 3640 bbvdvp.exe 93 PID 876 wrote to memory of 4712 876 lxfrrll.exe 94 PID 876 wrote to memory of 
4712 876 lxfrrll.exe 94 PID 876 wrote to memory of 4712 876 lxfrrll.exe 94 PID 4712 wrote to memory of 1092 4712 dvdpv.exe 95 PID 4712 wrote to memory of 1092 4712 dvdpv.exe 95 PID 4712 wrote to memory of 1092 4712 dvdpv.exe 95 PID 1092 wrote to memory of 3928 1092 1dvjv.exe 96 PID 1092 wrote to memory of 3928 1092 1dvjv.exe 96 PID 1092 wrote to memory of 3928 1092 1dvjv.exe 96 PID 3928 wrote to memory of 696 3928 64826.exe 97 PID 3928 wrote to memory of 696 3928 64826.exe 97 PID 3928 wrote to memory of 696 3928 64826.exe 97 PID 696 wrote to memory of 1740 696 tnhtnb.exe 98 PID 696 wrote to memory of 1740 696 tnhtnb.exe 98 PID 696 wrote to memory of 1740 696 tnhtnb.exe 98 PID 1740 wrote to memory of 4912 1740 ppvjv.exe 99 PID 1740 wrote to memory of 4912 1740 ppvjv.exe 99 PID 1740 wrote to memory of 4912 1740 ppvjv.exe 99 PID 4912 wrote to memory of 4864 4912 66440.exe 100 PID 4912 wrote to memory of 4864 4912 66440.exe 100 PID 4912 wrote to memory of 4864 4912 66440.exe 100 PID 4864 wrote to memory of 208 4864 dddpd.exe 101 PID 4864 wrote to memory of 208 4864 dddpd.exe 101 PID 4864 wrote to memory of 208 4864 dddpd.exe 101 PID 208 wrote to memory of 3064 208 444826.exe 102 PID 208 wrote to memory of 3064 208 444826.exe 102 PID 208 wrote to memory of 3064 208 444826.exe 102 PID 3064 wrote to memory of 3880 3064 080444.exe 103 PID 3064 wrote to memory of 3880 3064 080444.exe 103 PID 3064 wrote to memory of 3880 3064 080444.exe 103 PID 3880 wrote to memory of 3684 3880 djdpd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\68636881a425d05f93157ef53f8768e6173608784a18462b22e07d819a367a8cN.exe"C:\Users\Admin\AppData\Local\Temp\68636881a425d05f93157ef53f8768e6173608784a18462b22e07d819a367a8cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\884848.exec:\884848.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\6064204.exec:\6064204.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\62842.exec:\62842.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\5djdj.exec:\5djdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\4880640.exec:\4880640.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\vpvpv.exec:\vpvpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\44042.exec:\44042.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\9bttnb.exec:\9bttnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\06628.exec:\06628.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\bbvdvp.exec:\bbvdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\lxfrrll.exec:\lxfrrll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\dvdpv.exec:\dvdpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\1dvjv.exec:\1dvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\64826.exec:\64826.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\tnhtnb.exec:\tnhtnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\ppvjv.exec:\ppvjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\66440.exec:\66440.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\dddpd.exec:\dddpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\444826.exec:\444826.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\080444.exec:\080444.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\djdpd.exec:\djdpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\4408604.exec:\4408604.exe23⤵
- Executes dropped EXE
PID:3684 -
\??\c:\vdjpj.exec:\vdjpj.exe24⤵
- Executes dropped EXE
PID:736 -
\??\c:\rffxlxr.exec:\rffxlxr.exe25⤵
- Executes dropped EXE
PID:4028 -
\??\c:\jpvpp.exec:\jpvpp.exe26⤵
- Executes dropped EXE
PID:3988 -
\??\c:\lfxrxxl.exec:\lfxrxxl.exe27⤵
- Executes dropped EXE
PID:592 -
\??\c:\vvddv.exec:\vvddv.exe28⤵
- Executes dropped EXE
PID:4460 -
\??\c:\84220.exec:\84220.exe29⤵
- Executes dropped EXE
PID:4508 -
\??\c:\62860.exec:\62860.exe30⤵
- Executes dropped EXE
PID:3996 -
\??\c:\o886042.exec:\o886042.exe31⤵
- Executes dropped EXE
PID:3944 -
\??\c:\622608.exec:\622608.exe32⤵
- Executes dropped EXE
PID:1452 -
\??\c:\0848884.exec:\0848884.exe33⤵
- Executes dropped EXE
PID:4600 -
\??\c:\20648.exec:\20648.exe34⤵
- Executes dropped EXE
PID:4188 -
\??\c:\08820.exec:\08820.exe35⤵
- Executes dropped EXE
PID:4816 -
\??\c:\604888.exec:\604888.exe36⤵
- Executes dropped EXE
PID:1636 -
\??\c:\jdvvd.exec:\jdvvd.exe37⤵
- Executes dropped EXE
PID:764 -
\??\c:\llxrlfx.exec:\llxrlfx.exe38⤵
- Executes dropped EXE
PID:3924 -
\??\c:\4884866.exec:\4884866.exe39⤵
- Executes dropped EXE
PID:4764 -
\??\c:\g4040.exec:\g4040.exe40⤵
- Executes dropped EXE
PID:1652 -
\??\c:\840826.exec:\840826.exe41⤵
- Executes dropped EXE
PID:2952 -
\??\c:\tbthbn.exec:\tbthbn.exe42⤵
- Executes dropped EXE
PID:4316 -
\??\c:\6426486.exec:\6426486.exe43⤵
- Executes dropped EXE
PID:2452 -
\??\c:\jjdjv.exec:\jjdjv.exe44⤵
- Executes dropped EXE
PID:2872 -
\??\c:\btnnbt.exec:\btnnbt.exe45⤵
- Executes dropped EXE
PID:1216 -
\??\c:\pvvpp.exec:\pvvpp.exe46⤵
- Executes dropped EXE
PID:1496 -
\??\c:\426048.exec:\426048.exe47⤵
- Executes dropped EXE
PID:4192 -
\??\c:\1vpvp.exec:\1vpvp.exe48⤵
- Executes dropped EXE
PID:3212 -
\??\c:\1vpdv.exec:\1vpdv.exe49⤵
- Executes dropped EXE
PID:4896 -
\??\c:\088620.exec:\088620.exe50⤵
- Executes dropped EXE
PID:3208 -
\??\c:\604826.exec:\604826.exe51⤵
- Executes dropped EXE
PID:4272 -
\??\c:\48046.exec:\48046.exe52⤵
- Executes dropped EXE
PID:3564 -
\??\c:\5vjdv.exec:\5vjdv.exe53⤵
- Executes dropped EXE
PID:3952 -
\??\c:\20486.exec:\20486.exe54⤵
- Executes dropped EXE
PID:4384 -
\??\c:\flxfxxf.exec:\flxfxxf.exe55⤵
- Executes dropped EXE
PID:216 -
\??\c:\2060800.exec:\2060800.exe56⤵
- Executes dropped EXE
PID:2348 -
\??\c:\nhbtnn.exec:\nhbtnn.exe57⤵
- Executes dropped EXE
PID:724 -
\??\c:\htnbtn.exec:\htnbtn.exe58⤵
- Executes dropped EXE
PID:3368 -
\??\c:\40420.exec:\40420.exe59⤵
- Executes dropped EXE
PID:1976 -
\??\c:\002648.exec:\002648.exe60⤵
- Executes dropped EXE
PID:2164 -
\??\c:\nhnhtt.exec:\nhnhtt.exe61⤵
- Executes dropped EXE
PID:3984 -
\??\c:\440488.exec:\440488.exe62⤵
- Executes dropped EXE
PID:700 -
\??\c:\608222.exec:\608222.exe63⤵
- Executes dropped EXE
PID:1400 -
\??\c:\3nhbbb.exec:\3nhbbb.exe64⤵
- Executes dropped EXE
PID:2620 -
\??\c:\68428.exec:\68428.exe65⤵
- Executes dropped EXE
PID:3648 -
\??\c:\624428.exec:\624428.exe66⤵PID:2944
-
\??\c:\0660826.exec:\0660826.exe67⤵PID:1092
-
\??\c:\7hbtnh.exec:\7hbtnh.exe68⤵PID:4052
-
\??\c:\9hnhhh.exec:\9hnhhh.exe69⤵PID:3964
-
\??\c:\xlfrfxr.exec:\xlfrfxr.exe70⤵PID:4308
-
\??\c:\2282882.exec:\2282882.exe71⤵PID:4084
-
\??\c:\bnnhtb.exec:\bnnhtb.exe72⤵PID:2564
-
\??\c:\q46266.exec:\q46266.exe73⤵PID:4904
-
\??\c:\hhhbtt.exec:\hhhbtt.exe74⤵PID:2832
-
\??\c:\80604.exec:\80604.exe75⤵PID:1348
-
\??\c:\3thbhn.exec:\3thbhn.exe76⤵PID:2624
-
\??\c:\7nhtnh.exec:\7nhtnh.exe77⤵PID:3672
-
\??\c:\884262.exec:\884262.exe78⤵PID:3664
-
\??\c:\dvdvj.exec:\dvdvj.exe79⤵PID:3684
-
\??\c:\nhhbhn.exec:\nhhbhn.exe80⤵PID:912
-
\??\c:\88460.exec:\88460.exe81⤵PID:2532
-
\??\c:\thhtbt.exec:\thhtbt.exe82⤵PID:1728
-
\??\c:\604604.exec:\604604.exe83⤵PID:4624
-
\??\c:\u048822.exec:\u048822.exe84⤵PID:4348
-
\??\c:\24048.exec:\24048.exe85⤵PID:3840
-
\??\c:\5llxrrl.exec:\5llxrrl.exe86⤵PID:3940
-
\??\c:\lxxffxx.exec:\lxxffxx.exe87⤵PID:400
-
\??\c:\bnnntt.exec:\bnnntt.exe88⤵PID:5052
-
\??\c:\6604260.exec:\6604260.exe89⤵PID:4324
-
\??\c:\864860.exec:\864860.exe90⤵PID:4000
-
\??\c:\68800.exec:\68800.exe91⤵PID:4004
-
\??\c:\jddvp.exec:\jddvp.exe92⤵PID:916
-
\??\c:\bthhbb.exec:\bthhbb.exe93⤵PID:1100
-
\??\c:\btbttb.exec:\btbttb.exe94⤵PID:780
-
\??\c:\tbtnbt.exec:\tbtnbt.exe95⤵PID:3192
-
\??\c:\xxlfxxl.exec:\xxlfxxl.exe96⤵PID:932
-
\??\c:\5djdv.exec:\5djdv.exe97⤵PID:4816
-
\??\c:\9ppdv.exec:\9ppdv.exe98⤵
- System Location Discovery: System Language Discovery
PID:1636 -
\??\c:\q28648.exec:\q28648.exe99⤵PID:404
-
\??\c:\2008260.exec:\2008260.exe100⤵PID:2268
-
\??\c:\06020.exec:\06020.exe101⤵PID:2232
-
\??\c:\bnbbnn.exec:\bnbbnn.exe102⤵PID:1864
-
\??\c:\8842648.exec:\8842648.exe103⤵PID:2128
-
\??\c:\i400880.exec:\i400880.exe104⤵PID:4356
-
\??\c:\hthbhb.exec:\hthbhb.exe105⤵PID:1856
-
\??\c:\862648.exec:\862648.exe106⤵PID:2824
-
\??\c:\28420.exec:\28420.exe107⤵PID:4952
-
\??\c:\22808.exec:\22808.exe108⤵PID:536
-
\??\c:\fllxrlx.exec:\fllxrlx.exe109⤵PID:556
-
\??\c:\htbtnn.exec:\htbtnn.exe110⤵PID:4512
-
\??\c:\dvvjv.exec:\dvvjv.exe111⤵PID:4452
-
\??\c:\k66082.exec:\k66082.exe112⤵
- System Location Discovery: System Language Discovery
PID:3532 -
\??\c:\vjpdp.exec:\vjpdp.exe113⤵PID:3516
-
\??\c:\tnhbtn.exec:\tnhbtn.exe114⤵PID:3844
-
\??\c:\824822.exec:\824822.exe115⤵PID:3992
-
\??\c:\1dvjv.exec:\1dvjv.exe116⤵PID:4552
-
\??\c:\rlflrxl.exec:\rlflrxl.exe117⤵PID:112
-
\??\c:\862048.exec:\862048.exe118⤵PID:212
-
\??\c:\6666826.exec:\6666826.exe119⤵PID:4556
-
\??\c:\06226.exec:\06226.exe120⤵PID:836
-
\??\c:\pjdvj.exec:\pjdvj.exe121⤵PID:724
-
\??\c:\8408042.exec:\8408042.exe122⤵PID:2460
-