Analysis
-
max time kernel
114s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-01-2025 09:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
60d3f71b1465bd8b44fd1d942ae9d4654bd7a1abc9f2c0dd47b268ec0f95deb9N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
60d3f71b1465bd8b44fd1d942ae9d4654bd7a1abc9f2c0dd47b268ec0f95deb9N.exe
-
Size
456KB
-
MD5
d663d0b24e312b1cf43e709a9f158d10
-
SHA1
823c50891b770f3fa2f961d1e59c79cc0c8e7d69
-
SHA256
60d3f71b1465bd8b44fd1d942ae9d4654bd7a1abc9f2c0dd47b268ec0f95deb9
-
SHA512
28bb5f9acf10339785b6a07c032c9881d77b44e2c12b74f2d8268a05d9442d06ae26e2419e161f5731ce4aa26712eff66ed1a5974314eeebd12433b10fc671db
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/668-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3452-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4140-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-851-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-1078-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-1109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-1158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-1240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3452 0882660.exe 2852 622462.exe 3148 dpvvp.exe 4992 206044.exe 3500 600482.exe 3320 06820.exe 2172 rllxrlf.exe 1660 hbhhnb.exe 544 m4200.exe 4776 lllfffx.exe 1940 lfxrffx.exe 3628 42220.exe 2260 6006006.exe 3488 5jppj.exe 4884 4486264.exe 5092 dppdv.exe 3192 nbbnhn.exe 2960 htnbbt.exe 1512 3dvpj.exe 3892 dpjdd.exe 1816 btthtb.exe 1136 5jjdp.exe 5104 tnnhbt.exe 432 fxlxrfr.exe 2832 6060042.exe 1640 0882660.exe 3656 4848880.exe 2264 66244.exe 3428 hhbnhb.exe 3324 0400624.exe 932 s4086.exe 532 86220.exe 4984 rlfxfxf.exe 1668 9pdpj.exe 3284 6482048.exe 1972 2066644.exe 4596 468402.exe 2800 46602.exe 2372 frllfff.exe 1468 42286.exe 5076 bnnbhb.exe 3084 ppvjd.exe 4160 q42660.exe 4816 020686.exe 3352 httnhn.exe 4972 q24228.exe 4440 5tbntn.exe 1364 08864.exe 4352 86266.exe 3452 djpjd.exe 3304 pdpdj.exe 1836 48482.exe 2636 80882.exe 2504 262400.exe 2608 hnhnnt.exe 2756 tntnhb.exe 4620 9nhhtt.exe 4776 pjvjj.exe 1940 240064.exe 3628 hbbnhn.exe 2072 jjdvj.exe 2260 1pjvp.exe 4956 thbtth.exe 3288 22204.exe -
resource yara_rule behavioral2/memory/668-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-90-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3488-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4416-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-700-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6844826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u660820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 668 wrote to memory of 3452 668 60d3f71b1465bd8b44fd1d942ae9d4654bd7a1abc9f2c0dd47b268ec0f95deb9N.exe 83 PID 668 wrote to memory of 3452 668 60d3f71b1465bd8b44fd1d942ae9d4654bd7a1abc9f2c0dd47b268ec0f95deb9N.exe 83 PID 668 wrote to memory of 3452 668 60d3f71b1465bd8b44fd1d942ae9d4654bd7a1abc9f2c0dd47b268ec0f95deb9N.exe 83 PID 3452 wrote to memory of 2852 3452 0882660.exe 84 PID 3452 wrote to memory of 2852 3452 0882660.exe 84 PID 3452 wrote to memory of 2852 3452 0882660.exe 84 PID 2852 wrote to memory of 3148 2852 622462.exe 85 PID 2852 wrote to memory of 3148 2852 622462.exe 85 PID 2852 wrote to memory of 3148 2852 622462.exe 85 PID 3148 wrote to memory of 4992 3148 dpvvp.exe 86 PID 3148 wrote to memory of 4992 3148 dpvvp.exe 86 PID 3148 wrote to memory of 4992 3148 dpvvp.exe 86 PID 4992 wrote to memory of 3500 4992 206044.exe 87 PID 4992 wrote to memory of 3500 4992 206044.exe 87 PID 4992 wrote to memory of 3500 4992 206044.exe 87 PID 3500 wrote to memory of 3320 3500 600482.exe 88 PID 3500 wrote to memory of 3320 3500 600482.exe 88 PID 3500 wrote to memory of 3320 3500 600482.exe 88 PID 3320 wrote to memory of 2172 3320 06820.exe 89 PID 3320 wrote to memory of 2172 3320 06820.exe 89 PID 3320 wrote to memory of 2172 3320 06820.exe 89 PID 2172 wrote to memory of 1660 2172 rllxrlf.exe 90 PID 2172 wrote to memory of 1660 2172 rllxrlf.exe 90 PID 2172 wrote to memory of 1660 2172 rllxrlf.exe 90 PID 1660 wrote to memory of 544 1660 hbhhnb.exe 91 PID 1660 wrote to memory of 544 1660 hbhhnb.exe 91 PID 1660 wrote to memory of 544 1660 hbhhnb.exe 91 PID 544 wrote to memory of 4776 544 m4200.exe 140 PID 544 wrote to memory of 4776 544 m4200.exe 140 PID 544 wrote to memory of 4776 544 m4200.exe 140 PID 4776 wrote to memory of 1940 4776 lllfffx.exe 141 PID 4776 wrote to memory of 1940 4776 lllfffx.exe 141 PID 4776 wrote to memory of 1940 4776 lllfffx.exe 141 PID 1940 wrote to memory of 3628 1940 lfxrffx.exe 142 PID 1940 wrote to 
memory of 3628 1940 lfxrffx.exe 142 PID 1940 wrote to memory of 3628 1940 lfxrffx.exe 142 PID 3628 wrote to memory of 2260 3628 42220.exe 144 PID 3628 wrote to memory of 2260 3628 42220.exe 144 PID 3628 wrote to memory of 2260 3628 42220.exe 144 PID 2260 wrote to memory of 3488 2260 6006006.exe 96 PID 2260 wrote to memory of 3488 2260 6006006.exe 96 PID 2260 wrote to memory of 3488 2260 6006006.exe 96 PID 3488 wrote to memory of 4884 3488 5jppj.exe 97 PID 3488 wrote to memory of 4884 3488 5jppj.exe 97 PID 3488 wrote to memory of 4884 3488 5jppj.exe 97 PID 4884 wrote to memory of 5092 4884 4486264.exe 98 PID 4884 wrote to memory of 5092 4884 4486264.exe 98 PID 4884 wrote to memory of 5092 4884 4486264.exe 98 PID 5092 wrote to memory of 3192 5092 dppdv.exe 99 PID 5092 wrote to memory of 3192 5092 dppdv.exe 99 PID 5092 wrote to memory of 3192 5092 dppdv.exe 99 PID 3192 wrote to memory of 2960 3192 nbbnhn.exe 100 PID 3192 wrote to memory of 2960 3192 nbbnhn.exe 100 PID 3192 wrote to memory of 2960 3192 nbbnhn.exe 100 PID 2960 wrote to memory of 1512 2960 htnbbt.exe 101 PID 2960 wrote to memory of 1512 2960 htnbbt.exe 101 PID 2960 wrote to memory of 1512 2960 htnbbt.exe 101 PID 1512 wrote to memory of 3892 1512 3dvpj.exe 102 PID 1512 wrote to memory of 3892 1512 3dvpj.exe 102 PID 1512 wrote to memory of 3892 1512 3dvpj.exe 102 PID 3892 wrote to memory of 1816 3892 dpjdd.exe 103 PID 3892 wrote to memory of 1816 3892 dpjdd.exe 103 PID 3892 wrote to memory of 1816 3892 dpjdd.exe 103 PID 1816 wrote to memory of 1136 1816 btthtb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\60d3f71b1465bd8b44fd1d942ae9d4654bd7a1abc9f2c0dd47b268ec0f95deb9N.exe"C:\Users\Admin\AppData\Local\Temp\60d3f71b1465bd8b44fd1d942ae9d4654bd7a1abc9f2c0dd47b268ec0f95deb9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\0882660.exec:\0882660.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\622462.exec:\622462.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\dpvvp.exec:\dpvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\206044.exec:\206044.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\600482.exec:\600482.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\06820.exec:\06820.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\rllxrlf.exec:\rllxrlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\hbhhnb.exec:\hbhhnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\m4200.exec:\m4200.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\lllfffx.exec:\lllfffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\lfxrffx.exec:\lfxrffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\42220.exec:\42220.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\6006006.exec:\6006006.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\5jppj.exec:\5jppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\4486264.exec:\4486264.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\dppdv.exec:\dppdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\nbbnhn.exec:\nbbnhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\htnbbt.exec:\htnbbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\3dvpj.exec:\3dvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\dpjdd.exec:\dpjdd.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\btthtb.exec:\btthtb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\5jjdp.exec:\5jjdp.exe23⤵
- Executes dropped EXE
PID:1136 -
\??\c:\tnnhbt.exec:\tnnhbt.exe24⤵
- Executes dropped EXE
PID:5104 -
\??\c:\fxlxrfr.exec:\fxlxrfr.exe25⤵
- Executes dropped EXE
PID:432 -
\??\c:\6060042.exec:\6060042.exe26⤵
- Executes dropped EXE
PID:2832 -
\??\c:\0882660.exec:\0882660.exe27⤵
- Executes dropped EXE
PID:1640 -
\??\c:\4848880.exec:\4848880.exe28⤵
- Executes dropped EXE
PID:3656 -
\??\c:\66244.exec:\66244.exe29⤵
- Executes dropped EXE
PID:2264 -
\??\c:\hhbnhb.exec:\hhbnhb.exe30⤵
- Executes dropped EXE
PID:3428 -
\??\c:\0400624.exec:\0400624.exe31⤵
- Executes dropped EXE
PID:3324 -
\??\c:\s4086.exec:\s4086.exe32⤵
- Executes dropped EXE
PID:932 -
\??\c:\86220.exec:\86220.exe33⤵
- Executes dropped EXE
PID:532 -
\??\c:\rlfxfxf.exec:\rlfxfxf.exe34⤵
- Executes dropped EXE
PID:4984 -
\??\c:\9pdpj.exec:\9pdpj.exe35⤵
- Executes dropped EXE
PID:1668 -
\??\c:\6482048.exec:\6482048.exe36⤵
- Executes dropped EXE
PID:3284 -
\??\c:\2066644.exec:\2066644.exe37⤵
- Executes dropped EXE
PID:1972 -
\??\c:\468402.exec:\468402.exe38⤵
- Executes dropped EXE
PID:4596 -
\??\c:\46602.exec:\46602.exe39⤵
- Executes dropped EXE
PID:2800 -
\??\c:\frllfff.exec:\frllfff.exe40⤵
- Executes dropped EXE
PID:2372 -
\??\c:\42286.exec:\42286.exe41⤵
- Executes dropped EXE
PID:1468 -
\??\c:\bnnbhb.exec:\bnnbhb.exe42⤵
- Executes dropped EXE
PID:5076 -
\??\c:\ppvjd.exec:\ppvjd.exe43⤵
- Executes dropped EXE
PID:3084 -
\??\c:\q42660.exec:\q42660.exe44⤵
- Executes dropped EXE
PID:4160 -
\??\c:\020686.exec:\020686.exe45⤵
- Executes dropped EXE
PID:4816 -
\??\c:\httnhn.exec:\httnhn.exe46⤵
- Executes dropped EXE
PID:3352 -
\??\c:\q24228.exec:\q24228.exe47⤵
- Executes dropped EXE
PID:4972 -
\??\c:\5tbntn.exec:\5tbntn.exe48⤵
- Executes dropped EXE
PID:4440 -
\??\c:\08864.exec:\08864.exe49⤵
- Executes dropped EXE
PID:1364 -
\??\c:\86266.exec:\86266.exe50⤵
- Executes dropped EXE
PID:4352 -
\??\c:\djpjd.exec:\djpjd.exe51⤵
- Executes dropped EXE
PID:3452 -
\??\c:\pdpdj.exec:\pdpdj.exe52⤵
- Executes dropped EXE
PID:3304 -
\??\c:\48482.exec:\48482.exe53⤵
- Executes dropped EXE
PID:1836 -
\??\c:\80882.exec:\80882.exe54⤵
- Executes dropped EXE
PID:2636 -
\??\c:\262400.exec:\262400.exe55⤵
- Executes dropped EXE
PID:2504 -
\??\c:\hnhnnt.exec:\hnhnnt.exe56⤵
- Executes dropped EXE
PID:2608 -
\??\c:\tntnhb.exec:\tntnhb.exe57⤵
- Executes dropped EXE
PID:2756 -
\??\c:\9nhhtt.exec:\9nhhtt.exe58⤵
- Executes dropped EXE
PID:4620 -
\??\c:\pjvjj.exec:\pjvjj.exe59⤵
- Executes dropped EXE
PID:4776 -
\??\c:\240064.exec:\240064.exe60⤵
- Executes dropped EXE
PID:1940 -
\??\c:\hbbnhn.exec:\hbbnhn.exe61⤵
- Executes dropped EXE
PID:3628 -
\??\c:\jjdvj.exec:\jjdvj.exe62⤵
- Executes dropped EXE
PID:2072 -
\??\c:\1pjvp.exec:\1pjvp.exe63⤵
- Executes dropped EXE
PID:2260 -
\??\c:\thbtth.exec:\thbtth.exe64⤵
- Executes dropped EXE
PID:4956 -
\??\c:\22204.exec:\22204.exe65⤵
- Executes dropped EXE
PID:3288 -
\??\c:\006482.exec:\006482.exe66⤵PID:5032
-
\??\c:\lrxrrlf.exec:\lrxrrlf.exe67⤵PID:3604
-
\??\c:\jjpjd.exec:\jjpjd.exe68⤵PID:2268
-
\??\c:\u488262.exec:\u488262.exe69⤵PID:4960
-
\??\c:\84048.exec:\84048.exe70⤵PID:2944
-
\??\c:\480480.exec:\480480.exe71⤵PID:1544
-
\??\c:\fllffrr.exec:\fllffrr.exe72⤵PID:2652
-
\??\c:\thnhtt.exec:\thnhtt.exe73⤵PID:4140
-
\??\c:\xfllrxr.exec:\xfllrxr.exe74⤵
- System Location Discovery: System Language Discovery
PID:220 -
\??\c:\rllffxx.exec:\rllffxx.exe75⤵PID:2744
-
\??\c:\9nhbbb.exec:\9nhbbb.exe76⤵PID:864
-
\??\c:\hhtttn.exec:\hhtttn.exe77⤵PID:808
-
\??\c:\2008226.exec:\2008226.exe78⤵PID:3676
-
\??\c:\62426.exec:\62426.exe79⤵PID:4760
-
\??\c:\u888226.exec:\u888226.exe80⤵PID:3224
-
\??\c:\fxfxxrx.exec:\fxfxxrx.exe81⤵PID:4512
-
\??\c:\4848660.exec:\4848660.exe82⤵PID:2908
-
\??\c:\0284260.exec:\0284260.exe83⤵PID:4412
-
\??\c:\ppdvv.exec:\ppdvv.exe84⤵PID:4044
-
\??\c:\bttnhb.exec:\bttnhb.exe85⤵PID:2380
-
\??\c:\rxrfxrr.exec:\rxrfxrr.exe86⤵PID:4740
-
\??\c:\fxflffx.exec:\fxflffx.exe87⤵PID:4572
-
\??\c:\26644.exec:\26644.exe88⤵PID:1468
-
\??\c:\fllxlfr.exec:\fllxlfr.exe89⤵PID:4684
-
\??\c:\nhnhhb.exec:\nhnhhb.exe90⤵PID:4256
-
\??\c:\djjvj.exec:\djjvj.exe91⤵PID:4416
-
\??\c:\6888240.exec:\6888240.exe92⤵PID:3184
-
\??\c:\406482.exec:\406482.exe93⤵PID:4796
-
\??\c:\nbbtht.exec:\nbbtht.exe94⤵PID:1052
-
\??\c:\9ttnbt.exec:\9ttnbt.exe95⤵PID:2232
-
\??\c:\86488.exec:\86488.exe96⤵PID:4328
-
\??\c:\9jvpd.exec:\9jvpd.exe97⤵PID:668
-
\??\c:\840426.exec:\840426.exe98⤵PID:2852
-
\??\c:\xrfrlrl.exec:\xrfrlrl.exe99⤵PID:3548
-
\??\c:\220064.exec:\220064.exe100⤵PID:2364
-
\??\c:\0244608.exec:\0244608.exe101⤵PID:3048
-
\??\c:\pddvj.exec:\pddvj.exe102⤵PID:3320
-
\??\c:\i208826.exec:\i208826.exe103⤵PID:3868
-
\??\c:\5btnhb.exec:\5btnhb.exe104⤵PID:4792
-
\??\c:\vppdv.exec:\vppdv.exe105⤵PID:5116
-
\??\c:\1nhtth.exec:\1nhtth.exe106⤵PID:544
-
\??\c:\lxxxrrr.exec:\lxxxrrr.exe107⤵
- System Location Discovery: System Language Discovery
PID:4776 -
\??\c:\22864.exec:\22864.exe108⤵PID:1940
-
\??\c:\tbhtbb.exec:\tbhtbb.exe109⤵PID:2764
-
\??\c:\1htnbb.exec:\1htnbb.exe110⤵PID:3628
-
\??\c:\6008668.exec:\6008668.exe111⤵PID:1680
-
\??\c:\488260.exec:\488260.exe112⤵PID:2572
-
\??\c:\rlfxrlx.exec:\rlfxrlx.exe113⤵PID:2188
-
\??\c:\488208.exec:\488208.exe114⤵PID:4892
-
\??\c:\7ttbnt.exec:\7ttbnt.exe115⤵PID:2960
-
\??\c:\vppdd.exec:\vppdd.exe116⤵PID:1396
-
\??\c:\860088.exec:\860088.exe117⤵
- System Location Discovery: System Language Discovery
PID:1968 -
\??\c:\846448.exec:\846448.exe118⤵PID:1316
-
\??\c:\fflxrll.exec:\fflxrll.exe119⤵PID:1544
-
\??\c:\8460482.exec:\8460482.exe120⤵PID:1244
-
\??\c:\vvdpp.exec:\vvdpp.exe121⤵PID:4332
-
\??\c:\rrfrffl.exec:\rrfrffl.exe122⤵PID:3396