Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 10:23
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
6da97d7d75c0820341ff9a85e1ab9384b1185b1cf0b66ef3745ac9873d4b2deaN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6da97d7d75c0820341ff9a85e1ab9384b1185b1cf0b66ef3745ac9873d4b2deaN.exe
-
Size
453KB
-
MD5
e5c171430cb182203f2645f892699be0
-
SHA1
f79201f99a960fc4869ada10bca51115cd98f641
-
SHA256
6da97d7d75c0820341ff9a85e1ab9384b1185b1cf0b66ef3745ac9873d4b2dea
-
SHA512
5f716ed8ca716befefaa0e4cf6d735e2e38ad50ab1eedb6aac8ccecd325342a2c0ea3d87df43271e54551d28f4bb70491fe1b50d01117d10faf7924808c381f1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (the listing is capped at 64 entries; the process tree below runs 122 levels deep, so not every process is represented here). Note that PIDs are reused during the run — 4004 is both the initial sample and the later dpdvd.exe, and 3160 appears at offsets 142 and 356 as two different dropped EXEs — so memory IoCs keyed by PID refer to distinct process instances and should not be pivoted on by PID alone.
resource yara_rule behavioral2/memory/4004-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3748-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1388-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/608-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-1862-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4312-1918-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3680 6682064.exe 1608 8686262.exe 2096 884260.exe 2180 1ddpv.exe 988 bbnhbt.exe 2448 q42262.exe 3480 2404226.exe 1464 608882.exe 264 jvdvp.exe 3772 vjvpv.exe 232 ddjpj.exe 1844 0082660.exe 2412 2660022.exe 2828 6248220.exe 4176 800462.exe 2080 2688440.exe 2928 bnnhbb.exe 4248 40606.exe 1652 0668884.exe 4436 ffllfff.exe 2160 hthhhn.exe 772 thhbtn.exe 1700 nthbtt.exe 3160 k86482.exe 4592 tbnhbb.exe 1332 06848.exe 5068 e46080.exe 2496 dvvvp.exe 2576 bntnnn.exe 1848 ffrrlrr.exe 2092 frrrrrr.exe 2012 088266.exe 4892 jpdvp.exe 1780 402644.exe 3748 040644.exe 4272 9fxxrxr.exe 1692 2648888.exe 4596 48440.exe 5004 fflfffx.exe 3664 w40822.exe 4004 dpdvd.exe 1316 202048.exe 3924 440822.exe 2728 484822.exe 884 864822.exe 2272 ppdvp.exe 1552 jdppj.exe 2476 24048.exe 1536 xlrrllf.exe 3704 fxxrfxr.exe 4552 jjjdv.exe 3988 rxfxffl.exe 3112 8482604.exe 1936 u882226.exe 3976 xrfxfxr.exe 5112 20046.exe 3508 nnnhbt.exe 2896 422222.exe 3380 lffxrrl.exe 1612 jdjdj.exe 4388 68048.exe 2336 nbbtnn.exe 2100 frxrlll.exe 1952 hbbtnn.exe -
resource yara_rule behavioral2/memory/4004-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-194-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1692-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-360-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/608-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-653-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). Entries attributed to "Process not Found" are registry reads the sandbox could not map back to a tracked process, so the per-process count below understates how many of the dropped EXEs perform this check.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8060004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8840662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2826060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4204006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6422222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0064444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0444228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 662644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 800444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (the writes form a strictly linear parent→child chain: each dropped EXE writes only into the next EXE it spawns. Every pair is logged three times, which is consistent with the writes made during child-process creation rather than three separate injections — confirm against the API trace before treating this as process injection.)
description pid Process procid_target PID 4004 wrote to memory of 3680 4004 6da97d7d75c0820341ff9a85e1ab9384b1185b1cf0b66ef3745ac9873d4b2deaN.exe 83 PID 4004 wrote to memory of 3680 4004 6da97d7d75c0820341ff9a85e1ab9384b1185b1cf0b66ef3745ac9873d4b2deaN.exe 83 PID 4004 wrote to memory of 3680 4004 6da97d7d75c0820341ff9a85e1ab9384b1185b1cf0b66ef3745ac9873d4b2deaN.exe 83 PID 3680 wrote to memory of 1608 3680 6682064.exe 84 PID 3680 wrote to memory of 1608 3680 6682064.exe 84 PID 3680 wrote to memory of 1608 3680 6682064.exe 84 PID 1608 wrote to memory of 2096 1608 8686262.exe 85 PID 1608 wrote to memory of 2096 1608 8686262.exe 85 PID 1608 wrote to memory of 2096 1608 8686262.exe 85 PID 2096 wrote to memory of 2180 2096 884260.exe 86 PID 2096 wrote to memory of 2180 2096 884260.exe 86 PID 2096 wrote to memory of 2180 2096 884260.exe 86 PID 2180 wrote to memory of 988 2180 1ddpv.exe 87 PID 2180 wrote to memory of 988 2180 1ddpv.exe 87 PID 2180 wrote to memory of 988 2180 1ddpv.exe 87 PID 988 wrote to memory of 2448 988 bbnhbt.exe 88 PID 988 wrote to memory of 2448 988 bbnhbt.exe 88 PID 988 wrote to memory of 2448 988 bbnhbt.exe 88 PID 2448 wrote to memory of 3480 2448 q42262.exe 89 PID 2448 wrote to memory of 3480 2448 q42262.exe 89 PID 2448 wrote to memory of 3480 2448 q42262.exe 89 PID 3480 wrote to memory of 1464 3480 2404226.exe 90 PID 3480 wrote to memory of 1464 3480 2404226.exe 90 PID 3480 wrote to memory of 1464 3480 2404226.exe 90 PID 1464 wrote to memory of 264 1464 608882.exe 91 PID 1464 wrote to memory of 264 1464 608882.exe 91 PID 1464 wrote to memory of 264 1464 608882.exe 91 PID 264 wrote to memory of 3772 264 jvdvp.exe 92 PID 264 wrote to memory of 3772 264 jvdvp.exe 92 PID 264 wrote to memory of 3772 264 jvdvp.exe 92 PID 3772 wrote to memory of 232 3772 vjvpv.exe 93 PID 3772 wrote to memory of 232 3772 vjvpv.exe 93 PID 3772 wrote to memory of 232 3772 vjvpv.exe 93 PID 232 wrote to memory of 1844 232 ddjpj.exe 94 PID 232 wrote to memory of 1844 232 
ddjpj.exe 94 PID 232 wrote to memory of 1844 232 ddjpj.exe 94 PID 1844 wrote to memory of 2412 1844 0082660.exe 95 PID 1844 wrote to memory of 2412 1844 0082660.exe 95 PID 1844 wrote to memory of 2412 1844 0082660.exe 95 PID 2412 wrote to memory of 2828 2412 2660022.exe 96 PID 2412 wrote to memory of 2828 2412 2660022.exe 96 PID 2412 wrote to memory of 2828 2412 2660022.exe 96 PID 2828 wrote to memory of 4176 2828 6248220.exe 97 PID 2828 wrote to memory of 4176 2828 6248220.exe 97 PID 2828 wrote to memory of 4176 2828 6248220.exe 97 PID 4176 wrote to memory of 2080 4176 800462.exe 98 PID 4176 wrote to memory of 2080 4176 800462.exe 98 PID 4176 wrote to memory of 2080 4176 800462.exe 98 PID 2080 wrote to memory of 2928 2080 2688440.exe 99 PID 2080 wrote to memory of 2928 2080 2688440.exe 99 PID 2080 wrote to memory of 2928 2080 2688440.exe 99 PID 2928 wrote to memory of 4248 2928 bnnhbb.exe 100 PID 2928 wrote to memory of 4248 2928 bnnhbb.exe 100 PID 2928 wrote to memory of 4248 2928 bnnhbb.exe 100 PID 4248 wrote to memory of 1652 4248 40606.exe 101 PID 4248 wrote to memory of 1652 4248 40606.exe 101 PID 4248 wrote to memory of 1652 4248 40606.exe 101 PID 1652 wrote to memory of 4436 1652 0668884.exe 102 PID 1652 wrote to memory of 4436 1652 0668884.exe 102 PID 1652 wrote to memory of 4436 1652 0668884.exe 102 PID 4436 wrote to memory of 2160 4436 ffllfff.exe 103 PID 4436 wrote to memory of 2160 4436 ffllfff.exe 103 PID 4436 wrote to memory of 2160 4436 ffllfff.exe 103 PID 2160 wrote to memory of 772 2160 hthhhn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\6da97d7d75c0820341ff9a85e1ab9384b1185b1cf0b66ef3745ac9873d4b2deaN.exe"C:\Users\Admin\AppData\Local\Temp\6da97d7d75c0820341ff9a85e1ab9384b1185b1cf0b66ef3745ac9873d4b2deaN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\6682064.exec:\6682064.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\8686262.exec:\8686262.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\884260.exec:\884260.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\1ddpv.exec:\1ddpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\bbnhbt.exec:\bbnhbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
\??\c:\q42262.exec:\q42262.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\2404226.exec:\2404226.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\608882.exec:\608882.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\jvdvp.exec:\jvdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\vjvpv.exec:\vjvpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\ddjpj.exec:\ddjpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\0082660.exec:\0082660.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\2660022.exec:\2660022.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\6248220.exec:\6248220.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\800462.exec:\800462.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\2688440.exec:\2688440.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\bnnhbb.exec:\bnnhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\40606.exec:\40606.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\0668884.exec:\0668884.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\ffllfff.exec:\ffllfff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\hthhhn.exec:\hthhhn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\thhbtn.exec:\thhbtn.exe23⤵
- Executes dropped EXE
PID:772 -
\??\c:\nthbtt.exec:\nthbtt.exe24⤵
- Executes dropped EXE
PID:1700 -
\??\c:\k86482.exec:\k86482.exe25⤵
- Executes dropped EXE
PID:3160 -
\??\c:\tbnhbb.exec:\tbnhbb.exe26⤵
- Executes dropped EXE
PID:4592 -
\??\c:\06848.exec:\06848.exe27⤵
- Executes dropped EXE
PID:1332 -
\??\c:\e46080.exec:\e46080.exe28⤵
- Executes dropped EXE
PID:5068 -
\??\c:\dvvvp.exec:\dvvvp.exe29⤵
- Executes dropped EXE
PID:2496 -
\??\c:\bntnnn.exec:\bntnnn.exe30⤵
- Executes dropped EXE
PID:2576 -
\??\c:\ffrrlrr.exec:\ffrrlrr.exe31⤵
- Executes dropped EXE
PID:1848 -
\??\c:\frrrrrr.exec:\frrrrrr.exe32⤵
- Executes dropped EXE
PID:2092 -
\??\c:\088266.exec:\088266.exe33⤵
- Executes dropped EXE
PID:2012 -
\??\c:\jpdvp.exec:\jpdvp.exe34⤵
- Executes dropped EXE
PID:4892 -
\??\c:\402644.exec:\402644.exe35⤵
- Executes dropped EXE
PID:1780 -
\??\c:\040644.exec:\040644.exe36⤵
- Executes dropped EXE
PID:3748 -
\??\c:\9fxxrxr.exec:\9fxxrxr.exe37⤵
- Executes dropped EXE
PID:4272 -
\??\c:\2648888.exec:\2648888.exe38⤵
- Executes dropped EXE
PID:1692 -
\??\c:\48440.exec:\48440.exe39⤵
- Executes dropped EXE
PID:4596 -
\??\c:\fflfffx.exec:\fflfffx.exe40⤵
- Executes dropped EXE
PID:5004 -
\??\c:\w40822.exec:\w40822.exe41⤵
- Executes dropped EXE
PID:3664 -
\??\c:\266600.exec:\266600.exe42⤵PID:640
-
\??\c:\dpdvd.exec:\dpdvd.exe43⤵
- Executes dropped EXE
PID:4004 -
\??\c:\202048.exec:\202048.exe44⤵
- Executes dropped EXE
PID:1316 -
\??\c:\440822.exec:\440822.exe45⤵
- Executes dropped EXE
PID:3924 -
\??\c:\484822.exec:\484822.exe46⤵
- Executes dropped EXE
PID:2728 -
\??\c:\864822.exec:\864822.exe47⤵
- Executes dropped EXE
PID:884 -
\??\c:\ppdvp.exec:\ppdvp.exe48⤵
- Executes dropped EXE
PID:2272 -
\??\c:\jdppj.exec:\jdppj.exe49⤵
- Executes dropped EXE
PID:1552 -
\??\c:\24048.exec:\24048.exe50⤵
- Executes dropped EXE
PID:2476 -
\??\c:\xlrrllf.exec:\xlrrllf.exe51⤵
- Executes dropped EXE
PID:1536 -
\??\c:\fxxrfxr.exec:\fxxrfxr.exe52⤵
- Executes dropped EXE
PID:3704 -
\??\c:\jjjdv.exec:\jjjdv.exe53⤵
- Executes dropped EXE
PID:4552 -
\??\c:\rxfxffl.exec:\rxfxffl.exe54⤵
- Executes dropped EXE
PID:3988 -
\??\c:\8482604.exec:\8482604.exe55⤵
- Executes dropped EXE
PID:3112 -
\??\c:\u882226.exec:\u882226.exe56⤵
- Executes dropped EXE
PID:1936 -
\??\c:\xrfxfxr.exec:\xrfxfxr.exe57⤵
- Executes dropped EXE
PID:3976 -
\??\c:\20046.exec:\20046.exe58⤵
- Executes dropped EXE
PID:5112 -
\??\c:\nnnhbt.exec:\nnnhbt.exe59⤵
- Executes dropped EXE
PID:3508 -
\??\c:\422222.exec:\422222.exe60⤵
- Executes dropped EXE
PID:2896 -
\??\c:\lffxrrl.exec:\lffxrrl.exe61⤵
- Executes dropped EXE
PID:3380 -
\??\c:\jdjdj.exec:\jdjdj.exe62⤵
- Executes dropped EXE
PID:1612 -
\??\c:\68048.exec:\68048.exe63⤵
- Executes dropped EXE
PID:4388 -
\??\c:\nbbtnn.exec:\nbbtnn.exe64⤵
- Executes dropped EXE
PID:2336 -
\??\c:\frxrlll.exec:\frxrlll.exe65⤵
- Executes dropped EXE
PID:2100 -
\??\c:\hbbtnn.exec:\hbbtnn.exe66⤵
- Executes dropped EXE
PID:1952 -
\??\c:\ntbtnn.exec:\ntbtnn.exe67⤵PID:4044
-
\??\c:\2082222.exec:\2082222.exe68⤵PID:2828
-
\??\c:\8448260.exec:\8448260.exe69⤵PID:2784
-
\??\c:\httnhh.exec:\httnhh.exe70⤵PID:2556
-
\??\c:\lxlxrrl.exec:\lxlxrrl.exe71⤵PID:2080
-
\??\c:\rlxfffl.exec:\rlxfffl.exe72⤵PID:1068
-
\??\c:\80662.exec:\80662.exe73⤵PID:4568
-
\??\c:\668860.exec:\668860.exe74⤵PID:4024
-
\??\c:\btbttn.exec:\btbttn.exe75⤵PID:4860
-
\??\c:\0626004.exec:\0626004.exe76⤵PID:3400
-
\??\c:\64048.exec:\64048.exe77⤵PID:1388
-
\??\c:\vjjpd.exec:\vjjpd.exe78⤵PID:2160
-
\??\c:\5ddpj.exec:\5ddpj.exe79⤵PID:868
-
\??\c:\04200.exec:\04200.exe80⤵PID:5060
-
\??\c:\hhhtnn.exec:\hhhtnn.exe81⤵PID:1220
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe82⤵PID:2392
-
\??\c:\rxffxrl.exec:\rxffxrl.exe83⤵PID:3160
-
\??\c:\5fxxfrl.exec:\5fxxfrl.exe84⤵PID:4536
-
\??\c:\5hbtnn.exec:\5hbtnn.exe85⤵PID:3056
-
\??\c:\xrffllr.exec:\xrffllr.exe86⤵PID:4592
-
\??\c:\tnbtnb.exec:\tnbtnb.exe87⤵PID:4184
-
\??\c:\828260.exec:\828260.exe88⤵PID:1332
-
\??\c:\26220.exec:\26220.exe89⤵PID:3876
-
\??\c:\5tnnhh.exec:\5tnnhh.exe90⤵PID:3484
-
\??\c:\hthbtt.exec:\hthbtt.exe91⤵PID:608
-
\??\c:\nbntnt.exec:\nbntnt.exe92⤵PID:3676
-
\??\c:\fxxfxxf.exec:\fxxfxxf.exe93⤵PID:4480
-
\??\c:\04644.exec:\04644.exe94⤵PID:3176
-
\??\c:\tttttt.exec:\tttttt.exe95⤵PID:2184
-
\??\c:\vvpjd.exec:\vvpjd.exe96⤵
- System Location Discovery: System Language Discovery
PID:1928 -
\??\c:\8282002.exec:\8282002.exe97⤵PID:4452
-
\??\c:\xxllffx.exec:\xxllffx.exe98⤵PID:4036
-
\??\c:\668602.exec:\668602.exe99⤵PID:4468
-
\??\c:\bttnbb.exec:\bttnbb.exe100⤵PID:3528
-
\??\c:\lllfxrr.exec:\lllfxrr.exe101⤵PID:4272
-
\??\c:\808604.exec:\808604.exe102⤵PID:3948
-
\??\c:\fxxrfff.exec:\fxxrfff.exe103⤵PID:1804
-
\??\c:\66882.exec:\66882.exe104⤵PID:1168
-
\??\c:\0482000.exec:\0482000.exe105⤵PID:3664
-
\??\c:\8286004.exec:\8286004.exe106⤵PID:1292
-
\??\c:\tbhhbb.exec:\tbhhbb.exe107⤵PID:3680
-
\??\c:\rxfxrrr.exec:\rxfxrrr.exe108⤵PID:4412
-
\??\c:\thtnbt.exec:\thtnbt.exe109⤵PID:4144
-
\??\c:\26604.exec:\26604.exe110⤵PID:1452
-
\??\c:\rllfrll.exec:\rllfrll.exe111⤵PID:2240
-
\??\c:\w06600.exec:\w06600.exe112⤵PID:1428
-
\??\c:\5vdvj.exec:\5vdvj.exe113⤵PID:1492
-
\??\c:\a2200.exec:\a2200.exe114⤵PID:1600
-
\??\c:\jddvv.exec:\jddvv.exe115⤵PID:1360
-
\??\c:\nhntbn.exec:\nhntbn.exe116⤵PID:220
-
\??\c:\0408048.exec:\0408048.exe117⤵PID:4988
-
\??\c:\frrffxx.exec:\frrffxx.exe118⤵PID:1664
-
\??\c:\4682666.exec:\4682666.exe119⤵PID:4400
-
\??\c:\jvpjd.exec:\jvpjd.exe120⤵PID:3988
-
\??\c:\6248222.exec:\6248222.exe121⤵PID:880
-
\??\c:\nbhhbb.exec:\nbhhbb.exe122⤵PID:3304