Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
08/01/2025, 07:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe
-
Size
455KB
-
MD5
dc0da22179df1a8de55c36c1449a4290
-
SHA1
0899d882b6d5e95197a552ec4e2f46a669e3aa67
-
SHA256
6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157
-
SHA512
7a1dde82ab034a2ab0a4130e93d9136dddbe663e4a34b7fc16a43c683061afee75906a95155284e4985ed8ea5f50831852c917e1b7fb78a676dcee9b3027374d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeq:q7Tc2NYHUrAwfMp3CDq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2420-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5040-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3988-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-919-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5044 8806682.exe 4000 ddjvd.exe 2372 0862660.exe 5088 nhhnhh.exe 544 g6606.exe 3464 8482620.exe 4904 60600.exe 2232 c626600.exe 2988 fxlffxr.exe 4804 4680224.exe 1888 thnbnt.exe 4884 04044.exe 2600 60004.exe 3924 06604.exe 1568 vpppj.exe 2108 046804.exe 1128 vpddj.exe 1288 80226.exe 1088 84404.exe 4972 7lfxfrx.exe 3404 m2822.exe 4976 xrrfxrl.exe 2336 46844.exe 212 c482626.exe 1432 u642288.exe 5040 4622004.exe 5056 024488.exe 336 840444.exe 2180 0804004.exe 4436 7lrlrxf.exe 4984 dvjjj.exe 2192 thnhhh.exe 912 thhhhh.exe 3936 08644.exe 1860 820400.exe 4392 pppdd.exe 2476 6688222.exe 1200 ddvdj.exe 2540 4848484.exe 4288 lxlrxrf.exe 3628 vdpjj.exe 2492 680628.exe 4856 2662668.exe 2588 2882604.exe 4400 rlxrfxr.exe 3452 28066.exe 4520 2064044.exe 4468 i204440.exe 2388 jdjdv.exe 4328 bbtttn.exe 1268 80288.exe 1264 rxrxlxr.exe 428 5jddp.exe 408 dvpvp.exe 5088 86600.exe 984 5pvpp.exe 464 q46046.exe 3160 40246.exe 1508 rrfxrfr.exe 4928 8626224.exe 2932 a4826.exe 1812 tnnnbb.exe 4324 lfxrrlr.exe 4344 1lfxrrl.exe -
resource yara_rule behavioral2/memory/5044-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-135-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2336-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/888-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/788-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-776-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200484.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4620448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2420 wrote to memory of 5044 2420 6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe 83 PID 2420 wrote to memory of 5044 2420 6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe 83 PID 2420 wrote to memory of 5044 2420 6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe 83 PID 5044 wrote to memory of 4000 5044 8806682.exe 84 PID 5044 wrote to memory of 4000 5044 8806682.exe 84 PID 5044 wrote to memory of 4000 5044 8806682.exe 84 PID 4000 wrote to memory of 2372 4000 ddjvd.exe 85 PID 4000 wrote to memory of 2372 4000 ddjvd.exe 85 PID 4000 wrote to memory of 2372 4000 ddjvd.exe 85 PID 2372 wrote to memory of 5088 2372 0862660.exe 86 PID 2372 wrote to memory of 5088 2372 0862660.exe 86 PID 2372 wrote to memory of 5088 2372 0862660.exe 86 PID 5088 wrote to memory of 544 5088 nhhnhh.exe 87 PID 5088 wrote to memory of 544 5088 nhhnhh.exe 87 PID 5088 wrote to memory of 544 5088 nhhnhh.exe 87 PID 544 wrote to memory of 3464 544 g6606.exe 88 PID 544 wrote to memory of 3464 544 g6606.exe 88 PID 544 wrote to memory of 3464 544 g6606.exe 88 PID 3464 wrote to memory of 4904 3464 8482620.exe 89 PID 3464 wrote to memory of 4904 3464 8482620.exe 89 PID 3464 wrote to memory of 4904 3464 8482620.exe 89 PID 4904 wrote to memory of 2232 4904 60600.exe 90 PID 4904 wrote to memory of 2232 4904 60600.exe 90 PID 4904 wrote to memory of 2232 4904 60600.exe 90 PID 2232 wrote to memory of 2988 2232 c626600.exe 91 PID 2232 wrote to memory of 2988 2232 c626600.exe 91 PID 2232 wrote to memory of 2988 2232 c626600.exe 91 PID 2988 wrote to memory of 4804 2988 fxlffxr.exe 92 PID 2988 wrote to memory of 4804 2988 fxlffxr.exe 92 PID 2988 wrote to memory of 4804 2988 fxlffxr.exe 92 PID 4804 wrote to memory of 1888 4804 4680224.exe 93 PID 4804 wrote to memory of 1888 4804 4680224.exe 93 PID 4804 wrote to memory of 1888 4804 4680224.exe 93 PID 1888 wrote to memory of 4884 1888 thnbnt.exe 94 PID 1888 wrote 
to memory of 4884 1888 thnbnt.exe 94 PID 1888 wrote to memory of 4884 1888 thnbnt.exe 94 PID 4884 wrote to memory of 2600 4884 04044.exe 95 PID 4884 wrote to memory of 2600 4884 04044.exe 95 PID 4884 wrote to memory of 2600 4884 04044.exe 95 PID 2600 wrote to memory of 3924 2600 60004.exe 96 PID 2600 wrote to memory of 3924 2600 60004.exe 96 PID 2600 wrote to memory of 3924 2600 60004.exe 96 PID 3924 wrote to memory of 1568 3924 06604.exe 97 PID 3924 wrote to memory of 1568 3924 06604.exe 97 PID 3924 wrote to memory of 1568 3924 06604.exe 97 PID 1568 wrote to memory of 2108 1568 vpppj.exe 98 PID 1568 wrote to memory of 2108 1568 vpppj.exe 98 PID 1568 wrote to memory of 2108 1568 vpppj.exe 98 PID 2108 wrote to memory of 1128 2108 046804.exe 99 PID 2108 wrote to memory of 1128 2108 046804.exe 99 PID 2108 wrote to memory of 1128 2108 046804.exe 99 PID 1128 wrote to memory of 1288 1128 vpddj.exe 100 PID 1128 wrote to memory of 1288 1128 vpddj.exe 100 PID 1128 wrote to memory of 1288 1128 vpddj.exe 100 PID 1288 wrote to memory of 1088 1288 80226.exe 101 PID 1288 wrote to memory of 1088 1288 80226.exe 101 PID 1288 wrote to memory of 1088 1288 80226.exe 101 PID 1088 wrote to memory of 4972 1088 84404.exe 102 PID 1088 wrote to memory of 4972 1088 84404.exe 102 PID 1088 wrote to memory of 4972 1088 84404.exe 102 PID 4972 wrote to memory of 3404 4972 7lfxfrx.exe 103 PID 4972 wrote to memory of 3404 4972 7lfxfrx.exe 103 PID 4972 wrote to memory of 3404 4972 7lfxfrx.exe 103 PID 3404 wrote to memory of 4976 3404 m2822.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe"C:\Users\Admin\AppData\Local\Temp\6bcc05e6fed972f2aaed83abe12fba4f9986f6e8ba979758bcf3074776ab9157N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\8806682.exec:\8806682.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\ddjvd.exec:\ddjvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\0862660.exec:\0862660.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\nhhnhh.exec:\nhhnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\g6606.exec:\g6606.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\8482620.exec:\8482620.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\60600.exec:\60600.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\c626600.exec:\c626600.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\fxlffxr.exec:\fxlffxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\4680224.exec:\4680224.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\thnbnt.exec:\thnbnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\04044.exec:\04044.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\60004.exec:\60004.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\06604.exec:\06604.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\vpppj.exec:\vpppj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\046804.exec:\046804.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\vpddj.exec:\vpddj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\80226.exec:\80226.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\84404.exec:\84404.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\7lfxfrx.exec:\7lfxfrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\m2822.exec:\m2822.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe23⤵
- Executes dropped EXE
PID:4976 -
\??\c:\46844.exec:\46844.exe24⤵
- Executes dropped EXE
PID:2336 -
\??\c:\c482626.exec:\c482626.exe25⤵
- Executes dropped EXE
PID:212 -
\??\c:\u642288.exec:\u642288.exe26⤵
- Executes dropped EXE
PID:1432 -
\??\c:\4622004.exec:\4622004.exe27⤵
- Executes dropped EXE
PID:5040 -
\??\c:\024488.exec:\024488.exe28⤵
- Executes dropped EXE
PID:5056 -
\??\c:\840444.exec:\840444.exe29⤵
- Executes dropped EXE
PID:336 -
\??\c:\0804004.exec:\0804004.exe30⤵
- Executes dropped EXE
PID:2180 -
\??\c:\7lrlrxf.exec:\7lrlrxf.exe31⤵
- Executes dropped EXE
PID:4436 -
\??\c:\dvjjj.exec:\dvjjj.exe32⤵
- Executes dropped EXE
PID:4984 -
\??\c:\thnhhh.exec:\thnhhh.exe33⤵
- Executes dropped EXE
PID:2192 -
\??\c:\thhhhh.exec:\thhhhh.exe34⤵
- Executes dropped EXE
PID:912 -
\??\c:\08644.exec:\08644.exe35⤵
- Executes dropped EXE
PID:3936 -
\??\c:\820400.exec:\820400.exe36⤵
- Executes dropped EXE
PID:1860 -
\??\c:\pppdd.exec:\pppdd.exe37⤵
- Executes dropped EXE
PID:4392 -
\??\c:\6688222.exec:\6688222.exe38⤵
- Executes dropped EXE
PID:2476 -
\??\c:\ddvdj.exec:\ddvdj.exe39⤵
- Executes dropped EXE
PID:1200 -
\??\c:\4848484.exec:\4848484.exe40⤵
- Executes dropped EXE
PID:2540 -
\??\c:\lxlrxrf.exec:\lxlrxrf.exe41⤵
- Executes dropped EXE
PID:4288 -
\??\c:\vdpjj.exec:\vdpjj.exe42⤵
- Executes dropped EXE
PID:3628 -
\??\c:\680628.exec:\680628.exe43⤵
- Executes dropped EXE
PID:2492 -
\??\c:\2662668.exec:\2662668.exe44⤵
- Executes dropped EXE
PID:4856 -
\??\c:\2882604.exec:\2882604.exe45⤵
- Executes dropped EXE
PID:2588 -
\??\c:\rlxrfxr.exec:\rlxrfxr.exe46⤵
- Executes dropped EXE
PID:4400 -
\??\c:\28066.exec:\28066.exe47⤵
- Executes dropped EXE
PID:3452 -
\??\c:\2064044.exec:\2064044.exe48⤵
- Executes dropped EXE
PID:4520 -
\??\c:\i204440.exec:\i204440.exe49⤵
- Executes dropped EXE
PID:4468 -
\??\c:\jdjdv.exec:\jdjdv.exe50⤵
- Executes dropped EXE
PID:2388 -
\??\c:\bbtttn.exec:\bbtttn.exe51⤵
- Executes dropped EXE
PID:4328 -
\??\c:\80288.exec:\80288.exe52⤵
- Executes dropped EXE
PID:1268 -
\??\c:\rxrxlxr.exec:\rxrxlxr.exe53⤵
- Executes dropped EXE
PID:1264 -
\??\c:\5jddp.exec:\5jddp.exe54⤵
- Executes dropped EXE
PID:428 -
\??\c:\dvpvp.exec:\dvpvp.exe55⤵
- Executes dropped EXE
PID:408 -
\??\c:\86600.exec:\86600.exe56⤵
- Executes dropped EXE
PID:5088 -
\??\c:\5pvpp.exec:\5pvpp.exe57⤵
- Executes dropped EXE
PID:984 -
\??\c:\q46046.exec:\q46046.exe58⤵
- Executes dropped EXE
PID:464 -
\??\c:\40246.exec:\40246.exe59⤵
- Executes dropped EXE
PID:3160 -
\??\c:\rrfxrfr.exec:\rrfxrfr.exe60⤵
- Executes dropped EXE
PID:1508 -
\??\c:\8626224.exec:\8626224.exe61⤵
- Executes dropped EXE
PID:4928 -
\??\c:\a4826.exec:\a4826.exe62⤵
- Executes dropped EXE
PID:2932 -
\??\c:\tnnnbb.exec:\tnnnbb.exe63⤵
- Executes dropped EXE
PID:1812 -
\??\c:\lfxrrlr.exec:\lfxrrlr.exe64⤵
- Executes dropped EXE
PID:4324 -
\??\c:\1lfxrrl.exec:\1lfxrrl.exe65⤵
- Executes dropped EXE
PID:4344 -
\??\c:\208808.exec:\208808.exe66⤵PID:3836
-
\??\c:\424828.exec:\424828.exe67⤵PID:3588
-
\??\c:\6064004.exec:\6064004.exe68⤵PID:2064
-
\??\c:\pjvvd.exec:\pjvvd.exe69⤵PID:4836
-
\??\c:\vjvpj.exec:\vjvpj.exe70⤵PID:2324
-
\??\c:\084826.exec:\084826.exe71⤵PID:648
-
\??\c:\1bhhhn.exec:\1bhhhn.exe72⤵PID:3212
-
\??\c:\680804.exec:\680804.exe73⤵PID:3204
-
\??\c:\xlrrfxx.exec:\xlrrfxx.exe74⤵PID:1400
-
\??\c:\2848482.exec:\2848482.exe75⤵PID:2144
-
\??\c:\5pppj.exec:\5pppj.exe76⤵PID:2760
-
\??\c:\60820.exec:\60820.exe77⤵PID:3988
-
\??\c:\ddpvp.exec:\ddpvp.exe78⤵PID:3316
-
\??\c:\lrxrrll.exec:\lrxrrll.exe79⤵PID:888
-
\??\c:\64040.exec:\64040.exe80⤵PID:2348
-
\??\c:\600400.exec:\600400.exe81⤵PID:1748
-
\??\c:\0046604.exec:\0046604.exe82⤵PID:4976
-
\??\c:\vvjpj.exec:\vvjpj.exe83⤵PID:2336
-
\??\c:\64822.exec:\64822.exe84⤵PID:220
-
\??\c:\0060488.exec:\0060488.exe85⤵PID:3048
-
\??\c:\hhnhhb.exec:\hhnhhb.exe86⤵PID:1432
-
\??\c:\8288688.exec:\8288688.exe87⤵PID:5040
-
\??\c:\6804488.exec:\6804488.exe88⤵PID:4104
-
\??\c:\u622042.exec:\u622042.exe89⤵PID:1220
-
\??\c:\600848.exec:\600848.exe90⤵PID:2316
-
\??\c:\4660462.exec:\4660462.exe91⤵PID:768
-
\??\c:\688046.exec:\688046.exe92⤵PID:4752
-
\??\c:\pdpjp.exec:\pdpjp.exe93⤵PID:4476
-
\??\c:\tnnhhh.exec:\tnnhhh.exe94⤵PID:4984
-
\??\c:\xffxllx.exec:\xffxllx.exe95⤵PID:2192
-
\??\c:\nhhhbn.exec:\nhhhbn.exe96⤵PID:1904
-
\??\c:\0264486.exec:\0264486.exe97⤵PID:644
-
\??\c:\e22482.exec:\e22482.exe98⤵PID:4116
-
\??\c:\486224.exec:\486224.exe99⤵PID:2972
-
\??\c:\088088.exec:\088088.exe100⤵PID:3188
-
\??\c:\m6826.exec:\m6826.exe101⤵PID:2596
-
\??\c:\26840.exec:\26840.exe102⤵PID:952
-
\??\c:\lrffrrr.exec:\lrffrrr.exe103⤵PID:4216
-
\??\c:\488888.exec:\488888.exe104⤵PID:3116
-
\??\c:\flfxlrl.exec:\flfxlrl.exe105⤵PID:1156
-
\??\c:\6822824.exec:\6822824.exe106⤵PID:5032
-
\??\c:\044442.exec:\044442.exe107⤵PID:3596
-
\??\c:\vpppp.exec:\vpppp.exe108⤵PID:4484
-
\??\c:\9vvpp.exec:\9vvpp.exe109⤵PID:4372
-
\??\c:\802446.exec:\802446.exe110⤵PID:4380
-
\??\c:\60626.exec:\60626.exe111⤵PID:2420
-
\??\c:\1jdvv.exec:\1jdvv.exe112⤵PID:5052
-
\??\c:\204488.exec:\204488.exe113⤵PID:3360
-
\??\c:\fxrrrrx.exec:\fxrrrrx.exe114⤵PID:1040
-
\??\c:\3nhbtb.exec:\3nhbtb.exe115⤵PID:2056
-
\??\c:\bthnnb.exec:\bthnnb.exe116⤵PID:1160
-
\??\c:\4246420.exec:\4246420.exe117⤵PID:4516
-
\??\c:\5frlrrx.exec:\5frlrrx.exe118⤵PID:3084
-
\??\c:\4844006.exec:\4844006.exe119⤵PID:5088
-
\??\c:\hnbbhh.exec:\hnbbhh.exe120⤵PID:5092
-
\??\c:\hbnhbb.exec:\hbnhbb.exe121⤵PID:2164
-
\??\c:\nthnth.exec:\nthnth.exe122⤵PID:464