Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe
-
Size
454KB
-
MD5
9df97c5b8a10b0616cd57cf7158d5ea0
-
SHA1
44695dd6ae18283a8a45637c5ce5af4f1cd7d4a1
-
SHA256
1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cf
-
SHA512
7b4088811f61c74f4e14e4e9f8e1ecc5235bc597b878ae612726ac02d6282e6da489538c2def36fc5ae818d869ef48836f533d984af48635e82cca2a440b0c58
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/388-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1004-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2148-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-954-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-1016-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-1029-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-1177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-1524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-1561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3656 bhhbbh.exe 1756 6848448.exe 4000 llxxfff.exe 3116 c804220.exe 3136 ddjjp.exe 4284 e80624.exe 2632 6866284.exe 1672 djvjv.exe 1364 264824.exe 4624 vdjdp.exe 4732 a2460.exe 456 6826048.exe 1432 28024.exe 60 pvdvp.exe 4044 9lrllrr.exe 732 nbtnbt.exe 3992 jdjdd.exe 4788 6244220.exe 2344 o408260.exe 2104 84600.exe 1160 nnhbbt.exe 4656 8422460.exe 1792 3tbttt.exe 2656 9tbbbh.exe 3672 4204040.exe 4796 0248222.exe 4864 842266.exe 4252 m2426.exe 1516 04682.exe 1004 vjjjp.exe 3756 nthhhn.exe 3776 8622666.exe 864 bntbtn.exe 1656 7hbtnn.exe 4900 bttnnn.exe 2180 486082.exe 224 822226.exe 3572 xlfxrrr.exe 1592 424866.exe 3164 084824.exe 4060 vppdd.exe 2916 482266.exe 836 222888.exe 2584 xxxrfff.exe 2460 82088.exe 4576 2620448.exe 3612 84846.exe 436 000448.exe 2612 8482660.exe 2624 624822.exe 1424 ppdvj.exe 748 djvdv.exe 1984 k42682.exe 1076 jvddd.exe 2088 68426.exe 184 3vppj.exe 1296 26604.exe 708 00260.exe 2712 vdjpp.exe 3380 hntnnb.exe 4644 dpvpp.exe 1420 jppvp.exe 4684 htnnhh.exe 5088 08464.exe -
resource yara_rule behavioral2/memory/388-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4252-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-376-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2660-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-954-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-970-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-1016-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-1029-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6266262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0626060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 644084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6404428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c424442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 822226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 202620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c424628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i240404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdjv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8248000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 388 wrote to memory of 3656 388 1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe 85 PID 388 wrote to memory of 3656 388 1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe 85 PID 388 wrote to memory of 3656 388 1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe 85 PID 3656 wrote to memory of 1756 3656 bhhbbh.exe 86 PID 3656 wrote to memory of 1756 3656 bhhbbh.exe 86 PID 3656 wrote to memory of 1756 3656 bhhbbh.exe 86 PID 1756 wrote to memory of 4000 1756 6848448.exe 87 PID 1756 wrote to memory of 4000 1756 6848448.exe 87 PID 1756 wrote to memory of 4000 1756 6848448.exe 87 PID 4000 wrote to memory of 3116 4000 llxxfff.exe 88 PID 4000 wrote to memory of 3116 4000 llxxfff.exe 88 PID 4000 wrote to memory of 3116 4000 llxxfff.exe 88 PID 3116 wrote to memory of 3136 3116 c804220.exe 89 PID 3116 wrote to memory of 3136 3116 c804220.exe 89 PID 3116 wrote to memory of 3136 3116 c804220.exe 89 PID 3136 wrote to memory of 4284 3136 ddjjp.exe 90 PID 3136 wrote to memory of 4284 3136 ddjjp.exe 90 PID 3136 wrote to memory of 4284 3136 ddjjp.exe 90 PID 4284 wrote to memory of 2632 4284 e80624.exe 91 PID 4284 wrote to memory of 2632 4284 e80624.exe 91 PID 4284 wrote to memory of 2632 4284 e80624.exe 91 PID 2632 wrote to memory of 1672 2632 6866284.exe 92 PID 2632 wrote to memory of 1672 2632 6866284.exe 92 PID 2632 wrote to memory of 1672 2632 6866284.exe 92 PID 1672 wrote to memory of 1364 1672 djvjv.exe 93 PID 1672 wrote to memory of 1364 1672 djvjv.exe 93 PID 1672 wrote to memory of 1364 1672 djvjv.exe 93 PID 1364 wrote to memory of 4624 1364 264824.exe 94 PID 1364 wrote to memory of 4624 1364 264824.exe 94 PID 1364 wrote to memory of 4624 1364 264824.exe 94 PID 4624 wrote to memory of 4732 4624 vdjdp.exe 95 PID 4624 wrote to memory of 4732 4624 vdjdp.exe 95 PID 4624 wrote to memory of 4732 4624 vdjdp.exe 95 PID 4732 wrote to memory of 456 4732 a2460.exe 96 PID 4732 wrote to 
memory of 456 4732 a2460.exe 96 PID 4732 wrote to memory of 456 4732 a2460.exe 96 PID 456 wrote to memory of 1432 456 6826048.exe 97 PID 456 wrote to memory of 1432 456 6826048.exe 97 PID 456 wrote to memory of 1432 456 6826048.exe 97 PID 1432 wrote to memory of 60 1432 28024.exe 98 PID 1432 wrote to memory of 60 1432 28024.exe 98 PID 1432 wrote to memory of 60 1432 28024.exe 98 PID 60 wrote to memory of 4044 60 pvdvp.exe 99 PID 60 wrote to memory of 4044 60 pvdvp.exe 99 PID 60 wrote to memory of 4044 60 pvdvp.exe 99 PID 4044 wrote to memory of 732 4044 9lrllrr.exe 100 PID 4044 wrote to memory of 732 4044 9lrllrr.exe 100 PID 4044 wrote to memory of 732 4044 9lrllrr.exe 100 PID 732 wrote to memory of 3992 732 nbtnbt.exe 101 PID 732 wrote to memory of 3992 732 nbtnbt.exe 101 PID 732 wrote to memory of 3992 732 nbtnbt.exe 101 PID 3992 wrote to memory of 4788 3992 jdjdd.exe 102 PID 3992 wrote to memory of 4788 3992 jdjdd.exe 102 PID 3992 wrote to memory of 4788 3992 jdjdd.exe 102 PID 4788 wrote to memory of 2344 4788 6244220.exe 103 PID 4788 wrote to memory of 2344 4788 6244220.exe 103 PID 4788 wrote to memory of 2344 4788 6244220.exe 103 PID 2344 wrote to memory of 2104 2344 o408260.exe 104 PID 2344 wrote to memory of 2104 2344 o408260.exe 104 PID 2344 wrote to memory of 2104 2344 o408260.exe 104 PID 2104 wrote to memory of 1160 2104 84600.exe 105 PID 2104 wrote to memory of 1160 2104 84600.exe 105 PID 2104 wrote to memory of 1160 2104 84600.exe 105 PID 1160 wrote to memory of 4656 1160 nnhbbt.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe"C:\Users\Admin\AppData\Local\Temp\1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\bhhbbh.exec:\bhhbbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\6848448.exec:\6848448.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\llxxfff.exec:\llxxfff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\c804220.exec:\c804220.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\ddjjp.exec:\ddjjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\e80624.exec:\e80624.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\6866284.exec:\6866284.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\djvjv.exec:\djvjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\264824.exec:\264824.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\vdjdp.exec:\vdjdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\a2460.exec:\a2460.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\6826048.exec:\6826048.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\28024.exec:\28024.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\pvdvp.exec:\pvdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\9lrllrr.exec:\9lrllrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\nbtnbt.exec:\nbtnbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\jdjdd.exec:\jdjdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\6244220.exec:\6244220.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\o408260.exec:\o408260.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\84600.exec:\84600.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\nnhbbt.exec:\nnhbbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\8422460.exec:\8422460.exe23⤵
- Executes dropped EXE
PID:4656 -
\??\c:\3tbttt.exec:\3tbttt.exe24⤵
- Executes dropped EXE
PID:1792 -
\??\c:\9tbbbh.exec:\9tbbbh.exe25⤵
- Executes dropped EXE
PID:2656 -
\??\c:\4204040.exec:\4204040.exe26⤵
- Executes dropped EXE
PID:3672 -
\??\c:\0248222.exec:\0248222.exe27⤵
- Executes dropped EXE
PID:4796 -
\??\c:\842266.exec:\842266.exe28⤵
- Executes dropped EXE
PID:4864 -
\??\c:\m2426.exec:\m2426.exe29⤵
- Executes dropped EXE
PID:4252 -
\??\c:\04682.exec:\04682.exe30⤵
- Executes dropped EXE
PID:1516 -
\??\c:\vjjjp.exec:\vjjjp.exe31⤵
- Executes dropped EXE
PID:1004 -
\??\c:\nthhhn.exec:\nthhhn.exe32⤵
- Executes dropped EXE
PID:3756 -
\??\c:\8622666.exec:\8622666.exe33⤵
- Executes dropped EXE
PID:3776 -
\??\c:\bntbtn.exec:\bntbtn.exe34⤵
- Executes dropped EXE
PID:864 -
\??\c:\7hbtnn.exec:\7hbtnn.exe35⤵
- Executes dropped EXE
PID:1656 -
\??\c:\bttnnn.exec:\bttnnn.exe36⤵
- Executes dropped EXE
PID:4900 -
\??\c:\486082.exec:\486082.exe37⤵
- Executes dropped EXE
PID:2180 -
\??\c:\822226.exec:\822226.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:224 -
\??\c:\xlfxrrr.exec:\xlfxrrr.exe39⤵
- Executes dropped EXE
PID:3572 -
\??\c:\424866.exec:\424866.exe40⤵
- Executes dropped EXE
PID:1592 -
\??\c:\084824.exec:\084824.exe41⤵
- Executes dropped EXE
PID:3164 -
\??\c:\vppdd.exec:\vppdd.exe42⤵
- Executes dropped EXE
PID:4060 -
\??\c:\482266.exec:\482266.exe43⤵
- Executes dropped EXE
PID:2916 -
\??\c:\222888.exec:\222888.exe44⤵
- Executes dropped EXE
PID:836 -
\??\c:\xxxrfff.exec:\xxxrfff.exe45⤵
- Executes dropped EXE
PID:2584 -
\??\c:\82088.exec:\82088.exe46⤵
- Executes dropped EXE
PID:2460 -
\??\c:\2620448.exec:\2620448.exe47⤵
- Executes dropped EXE
PID:4576 -
\??\c:\84846.exec:\84846.exe48⤵
- Executes dropped EXE
PID:3612 -
\??\c:\000448.exec:\000448.exe49⤵
- Executes dropped EXE
PID:436 -
\??\c:\8482660.exec:\8482660.exe50⤵
- Executes dropped EXE
PID:2612 -
\??\c:\624822.exec:\624822.exe51⤵
- Executes dropped EXE
PID:2624 -
\??\c:\ppdvj.exec:\ppdvj.exe52⤵
- Executes dropped EXE
PID:1424 -
\??\c:\djvdv.exec:\djvdv.exe53⤵
- Executes dropped EXE
PID:748 -
\??\c:\k42682.exec:\k42682.exe54⤵
- Executes dropped EXE
PID:1984 -
\??\c:\jvddd.exec:\jvddd.exe55⤵
- Executes dropped EXE
PID:1076 -
\??\c:\68426.exec:\68426.exe56⤵
- Executes dropped EXE
PID:2088 -
\??\c:\3vppj.exec:\3vppj.exe57⤵
- Executes dropped EXE
PID:184 -
\??\c:\26604.exec:\26604.exe58⤵
- Executes dropped EXE
PID:1296 -
\??\c:\00260.exec:\00260.exe59⤵
- Executes dropped EXE
PID:708 -
\??\c:\vdjpp.exec:\vdjpp.exe60⤵
- Executes dropped EXE
PID:2712 -
\??\c:\hntnnb.exec:\hntnnb.exe61⤵
- Executes dropped EXE
PID:3380 -
\??\c:\dpvpp.exec:\dpvpp.exe62⤵
- Executes dropped EXE
PID:4644 -
\??\c:\jppvp.exec:\jppvp.exe63⤵
- Executes dropped EXE
PID:1420 -
\??\c:\htnnhh.exec:\htnnhh.exe64⤵
- Executes dropped EXE
PID:4684 -
\??\c:\08464.exec:\08464.exe65⤵
- Executes dropped EXE
PID:5088 -
\??\c:\fxlfxxr.exec:\fxlfxxr.exe66⤵PID:1520
-
\??\c:\i286262.exec:\i286262.exe67⤵PID:3640
-
\??\c:\88886.exec:\88886.exe68⤵PID:716
-
\??\c:\4240826.exec:\4240826.exe69⤵PID:5104
-
\??\c:\bthbth.exec:\bthbth.exe70⤵PID:1588
-
\??\c:\044488.exec:\044488.exe71⤵PID:3992
-
\??\c:\5jdpj.exec:\5jdpj.exe72⤵PID:4676
-
\??\c:\9vppv.exec:\9vppv.exe73⤵PID:2436
-
\??\c:\bbbtnn.exec:\bbbtnn.exe74⤵PID:3704
-
\??\c:\7dppp.exec:\7dppp.exe75⤵PID:2848
-
\??\c:\2688482.exec:\2688482.exe76⤵PID:1160
-
\??\c:\2400444.exec:\2400444.exe77⤵PID:3336
-
\??\c:\1xlxlfl.exec:\1xlxlfl.exe78⤵PID:4808
-
\??\c:\s4208.exec:\s4208.exe79⤵PID:2148
-
\??\c:\tbtttt.exec:\tbtttt.exe80⤵
- System Location Discovery: System Language Discovery
PID:1736 -
\??\c:\26462.exec:\26462.exe81⤵PID:2152
-
\??\c:\e82020.exec:\e82020.exe82⤵PID:2520
-
\??\c:\vdjpp.exec:\vdjpp.exe83⤵PID:2432
-
\??\c:\hhthbn.exec:\hhthbn.exe84⤵PID:5060
-
\??\c:\40226.exec:\40226.exe85⤵PID:2020
-
\??\c:\pjppv.exec:\pjppv.exe86⤵PID:1652
-
\??\c:\9nttnn.exec:\9nttnn.exe87⤵PID:3856
-
\??\c:\ffffxxx.exec:\ffffxxx.exe88⤵PID:1132
-
\??\c:\c662800.exec:\c662800.exe89⤵PID:1168
-
\??\c:\2426482.exec:\2426482.exe90⤵PID:2660
-
\??\c:\7hhbtb.exec:\7hhbtb.exe91⤵PID:4536
-
\??\c:\48482.exec:\48482.exe92⤵PID:2748
-
\??\c:\nnnhhh.exec:\nnnhhh.exe93⤵PID:2616
-
\??\c:\62826.exec:\62826.exe94⤵PID:2268
-
\??\c:\hbttnn.exec:\hbttnn.exe95⤵PID:3648
-
\??\c:\dpvpp.exec:\dpvpp.exe96⤵PID:1512
-
\??\c:\xrfrflr.exec:\xrfrflr.exe97⤵
- System Location Discovery: System Language Discovery
PID:3376 -
\??\c:\hbhhnn.exec:\hbhhnn.exe98⤵PID:2228
-
\??\c:\rrlffff.exec:\rrlffff.exe99⤵PID:4976
-
\??\c:\xrrlfff.exec:\xrrlfff.exe100⤵PID:3164
-
\??\c:\tttthh.exec:\tttthh.exe101⤵PID:4060
-
\??\c:\s8442.exec:\s8442.exe102⤵PID:3764
-
\??\c:\nnnhhh.exec:\nnnhhh.exe103⤵PID:836
-
\??\c:\06464.exec:\06464.exe104⤵PID:2584
-
\??\c:\pjpdp.exec:\pjpdp.exe105⤵PID:4496
-
\??\c:\hbnbht.exec:\hbnbht.exe106⤵PID:1224
-
\??\c:\jjvpv.exec:\jjvpv.exe107⤵PID:3912
-
\??\c:\hnbtbt.exec:\hnbtbt.exe108⤵PID:1092
-
\??\c:\xlfxxfl.exec:\xlfxxfl.exe109⤵PID:2864
-
\??\c:\2840882.exec:\2840882.exe110⤵PID:2208
-
\??\c:\4242688.exec:\4242688.exe111⤵PID:4000
-
\??\c:\6644822.exec:\6644822.exe112⤵PID:1216
-
\??\c:\m4088.exec:\m4088.exe113⤵PID:2496
-
\??\c:\jjppp.exec:\jjppp.exe114⤵PID:2704
-
\??\c:\88482.exec:\88482.exe115⤵PID:4284
-
\??\c:\xfxrlff.exec:\xfxrlff.exe116⤵PID:4588
-
\??\c:\882604.exec:\882604.exe117⤵PID:720
-
\??\c:\ddddd.exec:\ddddd.exe118⤵PID:3480
-
\??\c:\jdvvp.exec:\jdvvp.exe119⤵PID:844
-
\??\c:\480066.exec:\480066.exe120⤵PID:3000
-
\??\c:\024488.exec:\024488.exe121⤵PID:1352
-
\??\c:\4220488.exec:\4220488.exe122⤵PID:4128