Analysis
-
max time kernel
120s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
11-01-2025 06:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6d06474d2f164f14ce276d780052024a3c3273703338ab82c075d040a7089905N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6d06474d2f164f14ce276d780052024a3c3273703338ab82c075d040a7089905N.exe
-
Size
455KB
-
MD5
35807a47b499a8de05d3dd26a04e0020
-
SHA1
c2baaaad0e16bf8fbb5754bc07d38f3d7c2c9735
-
SHA256
6d06474d2f164f14ce276d780052024a3c3273703338ab82c075d040a7089905
-
SHA512
16c3d53a8ff3ab07f57c0479e27795cb3bdf2932b04b91dd6d6b9692bd6ea28af6d06a9ceb4fdb44e4fbba862c244e800dff2cd8904257e822f1dfbbdff809ee
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP8:q7Tc2NYHUrAwfMp3CDP8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1040-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2356-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3048-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/616-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-819-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-968-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-984-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1568-1414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1288 dddvp.exe 3712 xllffxr.exe 1168 hnnhbb.exe 4068 thbtth.exe 4480 vjppj.exe 4824 fxffxxr.exe 2760 ttbnht.exe 1084 thhtnb.exe 3096 pdjdd.exe 1920 3pvjd.exe 3596 3fxrllf.exe 4424 jjvjv.exe 620 ntbbtt.exe 1588 hbnbhh.exe 2316 1tbtbh.exe 2756 3ddpp.exe 1992 xllfxxx.exe 2792 lflffxx.exe 1660 httnnn.exe 5072 bbnhbt.exe 4716 1llfxxl.exe 1532 nthnnh.exe 1256 ppjdv.exe 2948 5bhbhh.exe 372 rrfrlrr.exe 4640 pjdvp.exe 4380 rrxxrrr.exe 4476 ppddj.exe 2292 lflfllf.exe 2356 pdjpj.exe 4996 rxffxxr.exe 4856 3nhbbb.exe 1104 hbbhhh.exe 2088 pjpjj.exe 988 9xfxrrr.exe 4256 dvddd.exe 908 lrrrrrr.exe 4732 tnbhtt.exe 3732 xxffxff.exe 4792 7hhbtt.exe 4928 vjpjd.exe 4740 3llllrf.exe 2968 nhbbtb.exe 4896 llfxffl.exe 2320 xfrlffx.exe 3728 bnbnhh.exe 2416 ppdjp.exe 4052 rxflfxx.exe 4100 flxxrlf.exe 4152 tnbtbh.exe 4472 7vjjj.exe 2944 rxxxrrl.exe 536 btnhbb.exe 2116 ddppj.exe 2228 7jjdd.exe 1880 1lrrlll.exe 1424 nhttbb.exe 2056 vpvvv.exe 4916 fxffxxx.exe 964 3tnnhh.exe 1984 jpvpd.exe 3752 vvjdj.exe 2352 fllfffx.exe 1540 nbhbtb.exe -
resource yara_rule behavioral2/memory/1040-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-165-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2356-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3076-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/616-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-819-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-826-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxflfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1040 wrote to memory of 1288 1040 6d06474d2f164f14ce276d780052024a3c3273703338ab82c075d040a7089905N.exe 83 PID 1040 wrote to memory of 1288 1040 6d06474d2f164f14ce276d780052024a3c3273703338ab82c075d040a7089905N.exe 83 PID 1040 wrote to memory of 1288 1040 6d06474d2f164f14ce276d780052024a3c3273703338ab82c075d040a7089905N.exe 83 PID 1288 wrote to memory of 3712 1288 dddvp.exe 84 PID 1288 wrote to memory of 3712 1288 dddvp.exe 84 PID 1288 wrote to memory of 3712 1288 dddvp.exe 84 PID 3712 wrote to memory of 1168 3712 xllffxr.exe 85 PID 3712 wrote to memory of 1168 3712 xllffxr.exe 85 PID 3712 wrote to memory of 1168 3712 xllffxr.exe 85 PID 1168 wrote to memory of 4068 1168 hnnhbb.exe 86 PID 1168 wrote to memory of 4068 1168 hnnhbb.exe 86 PID 1168 wrote to memory of 4068 1168 hnnhbb.exe 86 PID 4068 wrote to memory of 4480 4068 thbtth.exe 87 PID 4068 wrote to memory of 4480 4068 thbtth.exe 87 PID 4068 wrote to memory of 4480 4068 thbtth.exe 87 PID 4480 wrote to memory of 4824 4480 vjppj.exe 88 PID 4480 wrote to memory of 4824 4480 vjppj.exe 88 PID 4480 wrote to memory of 4824 4480 vjppj.exe 88 PID 4824 wrote to memory of 2760 4824 fxffxxr.exe 89 PID 4824 wrote to memory of 2760 4824 fxffxxr.exe 89 PID 4824 wrote to memory of 2760 4824 fxffxxr.exe 89 PID 2760 wrote to memory of 1084 2760 ttbnht.exe 90 PID 2760 wrote to memory of 1084 2760 ttbnht.exe 90 PID 2760 wrote to memory of 1084 2760 ttbnht.exe 90 PID 1084 wrote to memory of 3096 1084 thhtnb.exe 91 PID 1084 wrote to memory of 3096 1084 thhtnb.exe 91 PID 1084 wrote to memory of 3096 1084 thhtnb.exe 91 PID 3096 wrote to memory of 1920 3096 pdjdd.exe 92 PID 3096 wrote to memory of 1920 3096 pdjdd.exe 92 PID 3096 wrote to memory of 1920 3096 pdjdd.exe 92 PID 1920 wrote to memory of 3596 1920 3pvjd.exe 93 PID 1920 wrote to memory of 3596 1920 3pvjd.exe 93 PID 1920 wrote to memory of 3596 1920 3pvjd.exe 93 PID 3596 wrote to memory of 4424 3596 3fxrllf.exe 94 PID 3596 wrote to 
memory of 4424 3596 3fxrllf.exe 94 PID 3596 wrote to memory of 4424 3596 3fxrllf.exe 94 PID 4424 wrote to memory of 620 4424 jjvjv.exe 95 PID 4424 wrote to memory of 620 4424 jjvjv.exe 95 PID 4424 wrote to memory of 620 4424 jjvjv.exe 95 PID 620 wrote to memory of 1588 620 ntbbtt.exe 96 PID 620 wrote to memory of 1588 620 ntbbtt.exe 96 PID 620 wrote to memory of 1588 620 ntbbtt.exe 96 PID 1588 wrote to memory of 2316 1588 hbnbhh.exe 97 PID 1588 wrote to memory of 2316 1588 hbnbhh.exe 97 PID 1588 wrote to memory of 2316 1588 hbnbhh.exe 97 PID 2316 wrote to memory of 2756 2316 1tbtbh.exe 98 PID 2316 wrote to memory of 2756 2316 1tbtbh.exe 98 PID 2316 wrote to memory of 2756 2316 1tbtbh.exe 98 PID 2756 wrote to memory of 1992 2756 3ddpp.exe 99 PID 2756 wrote to memory of 1992 2756 3ddpp.exe 99 PID 2756 wrote to memory of 1992 2756 3ddpp.exe 99 PID 1992 wrote to memory of 2792 1992 xllfxxx.exe 100 PID 1992 wrote to memory of 2792 1992 xllfxxx.exe 100 PID 1992 wrote to memory of 2792 1992 xllfxxx.exe 100 PID 2792 wrote to memory of 1660 2792 lflffxx.exe 101 PID 2792 wrote to memory of 1660 2792 lflffxx.exe 101 PID 2792 wrote to memory of 1660 2792 lflffxx.exe 101 PID 1660 wrote to memory of 5072 1660 httnnn.exe 102 PID 1660 wrote to memory of 5072 1660 httnnn.exe 102 PID 1660 wrote to memory of 5072 1660 httnnn.exe 102 PID 5072 wrote to memory of 4716 5072 bbnhbt.exe 103 PID 5072 wrote to memory of 4716 5072 bbnhbt.exe 103 PID 5072 wrote to memory of 4716 5072 bbnhbt.exe 103 PID 4716 wrote to memory of 1532 4716 1llfxxl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d06474d2f164f14ce276d780052024a3c3273703338ab82c075d040a7089905N.exe"C:\Users\Admin\AppData\Local\Temp\6d06474d2f164f14ce276d780052024a3c3273703338ab82c075d040a7089905N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\dddvp.exec:\dddvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\xllffxr.exec:\xllffxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\hnnhbb.exec:\hnnhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\thbtth.exec:\thbtth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\vjppj.exec:\vjppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\fxffxxr.exec:\fxffxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\ttbnht.exec:\ttbnht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\thhtnb.exec:\thhtnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\pdjdd.exec:\pdjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\3pvjd.exec:\3pvjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\3fxrllf.exec:\3fxrllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\jjvjv.exec:\jjvjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\ntbbtt.exec:\ntbbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\hbnbhh.exec:\hbnbhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\1tbtbh.exec:\1tbtbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\3ddpp.exec:\3ddpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\xllfxxx.exec:\xllfxxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\lflffxx.exec:\lflffxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\httnnn.exec:\httnnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\bbnhbt.exec:\bbnhbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\1llfxxl.exec:\1llfxxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\nthnnh.exec:\nthnnh.exe23⤵
- Executes dropped EXE
PID:1532 -
\??\c:\ppjdv.exec:\ppjdv.exe24⤵
- Executes dropped EXE
PID:1256 -
\??\c:\5bhbhh.exec:\5bhbhh.exe25⤵
- Executes dropped EXE
PID:2948 -
\??\c:\rrfrlrr.exec:\rrfrlrr.exe26⤵
- Executes dropped EXE
PID:372 -
\??\c:\pjdvp.exec:\pjdvp.exe27⤵
- Executes dropped EXE
PID:4640 -
\??\c:\rrxxrrr.exec:\rrxxrrr.exe28⤵
- Executes dropped EXE
PID:4380 -
\??\c:\ppddj.exec:\ppddj.exe29⤵
- Executes dropped EXE
PID:4476 -
\??\c:\lflfllf.exec:\lflfllf.exe30⤵
- Executes dropped EXE
PID:2292 -
\??\c:\pdjpj.exec:\pdjpj.exe31⤵
- Executes dropped EXE
PID:2356 -
\??\c:\rxffxxr.exec:\rxffxxr.exe32⤵
- Executes dropped EXE
PID:4996 -
\??\c:\3nhbbb.exec:\3nhbbb.exe33⤵
- Executes dropped EXE
PID:4856 -
\??\c:\hbbhhh.exec:\hbbhhh.exe34⤵
- Executes dropped EXE
PID:1104 -
\??\c:\pjpjj.exec:\pjpjj.exe35⤵
- Executes dropped EXE
PID:2088 -
\??\c:\9xfxrrr.exec:\9xfxrrr.exe36⤵
- Executes dropped EXE
PID:988 -
\??\c:\dvddd.exec:\dvddd.exe37⤵
- Executes dropped EXE
PID:4256 -
\??\c:\lrrrrrr.exec:\lrrrrrr.exe38⤵
- Executes dropped EXE
PID:908 -
\??\c:\tnbhtt.exec:\tnbhtt.exe39⤵
- Executes dropped EXE
PID:4732 -
\??\c:\xxffxff.exec:\xxffxff.exe40⤵
- Executes dropped EXE
PID:3732 -
\??\c:\7hhbtt.exec:\7hhbtt.exe41⤵
- Executes dropped EXE
PID:4792 -
\??\c:\vjpjd.exec:\vjpjd.exe42⤵
- Executes dropped EXE
PID:4928 -
\??\c:\3llllrf.exec:\3llllrf.exe43⤵
- Executes dropped EXE
PID:4740 -
\??\c:\nhbbtb.exec:\nhbbtb.exe44⤵
- Executes dropped EXE
PID:2968 -
\??\c:\jjpjd.exec:\jjpjd.exe45⤵PID:4412
-
\??\c:\llfxffl.exec:\llfxffl.exe46⤵
- Executes dropped EXE
PID:4896 -
\??\c:\xfrlffx.exec:\xfrlffx.exe47⤵
- Executes dropped EXE
PID:2320 -
\??\c:\bnbnhh.exec:\bnbnhh.exe48⤵
- Executes dropped EXE
PID:3728 -
\??\c:\ppdjp.exec:\ppdjp.exe49⤵
- Executes dropped EXE
PID:2416 -
\??\c:\rxflfxx.exec:\rxflfxx.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4052 -
\??\c:\flxxrlf.exec:\flxxrlf.exe51⤵
- Executes dropped EXE
PID:4100 -
\??\c:\tnbtbh.exec:\tnbtbh.exe52⤵
- Executes dropped EXE
PID:4152 -
\??\c:\7vjjj.exec:\7vjjj.exe53⤵
- Executes dropped EXE
PID:4472 -
\??\c:\rxxxrrl.exec:\rxxxrrl.exe54⤵
- Executes dropped EXE
PID:2944 -
\??\c:\btnhbb.exec:\btnhbb.exe55⤵
- Executes dropped EXE
PID:536 -
\??\c:\ddppj.exec:\ddppj.exe56⤵
- Executes dropped EXE
PID:2116 -
\??\c:\7jjdd.exec:\7jjdd.exe57⤵
- Executes dropped EXE
PID:2228 -
\??\c:\1lrrlll.exec:\1lrrlll.exe58⤵
- Executes dropped EXE
PID:1880 -
\??\c:\nhttbb.exec:\nhttbb.exe59⤵
- Executes dropped EXE
PID:1424 -
\??\c:\vpvvv.exec:\vpvvv.exe60⤵
- Executes dropped EXE
PID:2056 -
\??\c:\fxffxxx.exec:\fxffxxx.exe61⤵
- Executes dropped EXE
PID:4916 -
\??\c:\3tnnhh.exec:\3tnnhh.exe62⤵
- Executes dropped EXE
PID:964 -
\??\c:\jpvpd.exec:\jpvpd.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
\??\c:\vvjdj.exec:\vvjdj.exe64⤵
- Executes dropped EXE
PID:3752 -
\??\c:\fllfffx.exec:\fllfffx.exe65⤵
- Executes dropped EXE
PID:2352 -
\??\c:\nbhbtb.exec:\nbhbtb.exe66⤵
- Executes dropped EXE
PID:1540 -
\??\c:\pvjdv.exec:\pvjdv.exe67⤵PID:1588
-
\??\c:\ppppp.exec:\ppppp.exe68⤵PID:4192
-
\??\c:\9llfxxx.exec:\9llfxxx.exe69⤵PID:2316
-
\??\c:\nhbbtt.exec:\nhbbtt.exe70⤵PID:1132
-
\??\c:\vjdpd.exec:\vjdpd.exe71⤵PID:1704
-
\??\c:\1ffxxxx.exec:\1ffxxxx.exe72⤵PID:2324
-
\??\c:\lrfxrlr.exec:\lrfxrlr.exe73⤵PID:1660
-
\??\c:\btbbbb.exec:\btbbbb.exe74⤵PID:5072
-
\??\c:\dddvv.exec:\dddvv.exe75⤵PID:4432
-
\??\c:\rxflffx.exec:\rxflffx.exe76⤵PID:1360
-
\??\c:\tbnnnb.exec:\tbnnnb.exe77⤵PID:3372
-
\??\c:\pjjjv.exec:\pjjjv.exe78⤵PID:1256
-
\??\c:\dpvdv.exec:\dpvdv.exe79⤵PID:3972
-
\??\c:\xrrlrrr.exec:\xrrlrrr.exe80⤵PID:3160
-
\??\c:\3bhbtb.exec:\3bhbtb.exe81⤵PID:3048
-
\??\c:\7vdvp.exec:\7vdvp.exe82⤵PID:4208
-
\??\c:\vppjd.exec:\vppjd.exe83⤵PID:3336
-
\??\c:\9xfxrrr.exec:\9xfxrrr.exe84⤵PID:4476
-
\??\c:\thtbhn.exec:\thtbhn.exe85⤵PID:5016
-
\??\c:\nbnhhh.exec:\nbnhhh.exe86⤵PID:3116
-
\??\c:\5pdvp.exec:\5pdvp.exe87⤵PID:3076
-
\??\c:\fxllrrl.exec:\fxllrrl.exe88⤵PID:828
-
\??\c:\nbbttt.exec:\nbbttt.exe89⤵PID:3868
-
\??\c:\7pvvp.exec:\7pvvp.exe90⤵PID:2604
-
\??\c:\lfxxrrl.exec:\lfxxrrl.exe91⤵PID:616
-
\??\c:\bbbthh.exec:\bbbthh.exe92⤵PID:4944
-
\??\c:\9pvvp.exec:\9pvvp.exe93⤵PID:5056
-
\??\c:\7pdvp.exec:\7pdvp.exe94⤵PID:4508
-
\??\c:\rlflfff.exec:\rlflfff.exe95⤵PID:548
-
\??\c:\hnhhhb.exec:\hnhhhb.exe96⤵PID:344
-
\??\c:\vdjdv.exec:\vdjdv.exe97⤵PID:4496
-
\??\c:\ffllfxx.exec:\ffllfxx.exe98⤵PID:4404
-
\??\c:\7ffxxll.exec:\7ffxxll.exe99⤵PID:552
-
\??\c:\hnnhbb.exec:\hnnhbb.exe100⤵PID:4740
-
\??\c:\vvjjj.exec:\vvjjj.exe101⤵PID:3028
-
\??\c:\xrxllfx.exec:\xrxllfx.exe102⤵PID:1936
-
\??\c:\nttnhh.exec:\nttnhh.exe103⤵PID:4896
-
\??\c:\3nntnb.exec:\3nntnb.exe104⤵PID:4216
-
\??\c:\7jjjj.exec:\7jjjj.exe105⤵PID:3728
-
\??\c:\fllfxxx.exec:\fllfxxx.exe106⤵PID:2176
-
\??\c:\frxxfrr.exec:\frxxfrr.exe107⤵PID:4052
-
\??\c:\nhnbhh.exec:\nhnbhh.exe108⤵PID:4480
-
\??\c:\pdvpd.exec:\pdvpd.exe109⤵PID:4152
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe110⤵PID:4472
-
\??\c:\1tnnhh.exec:\1tnnhh.exe111⤵PID:1560
-
\??\c:\9pddv.exec:\9pddv.exe112⤵
- System Location Discovery: System Language Discovery
PID:536 -
\??\c:\rfrfxrx.exec:\rfrfxrx.exe113⤵PID:2116
-
\??\c:\hhnbnh.exec:\hhnbnh.exe114⤵PID:2228
-
\??\c:\thhhbb.exec:\thhhbb.exe115⤵PID:1940
-
\??\c:\pjvvp.exec:\pjvvp.exe116⤵PID:4048
-
\??\c:\xxrlfxx.exec:\xxrlfxx.exe117⤵PID:2056
-
\??\c:\btnhhb.exec:\btnhhb.exe118⤵PID:4916
-
\??\c:\jdjdv.exec:\jdjdv.exe119⤵PID:964
-
\??\c:\vvvpj.exec:\vvvpj.exe120⤵PID:3176
-
\??\c:\3rrfxfr.exec:\3rrfxfr.exe121⤵PID:3752
-
\??\c:\bbhbtn.exec:\bbhbtn.exe122⤵PID:112