Analysis
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
submitted
18-02-2025 04:06
Behavioral task
behavioral1
Sample
ad60d556fe5af05a14fd9fab0e3621ec23ad8900e8da62889860a1728d89b4af.exe
Resource
win7-20241010-en
7 signatures
150 seconds
Note: this task header describes the behavioral1 (win7-20241010-en) run, but every yara_rule, memory-dump and file reference in the signature details below is prefixed behavioral2/, i.e. they come from the win10v2004-20250217-en run named in the Analysis header above. Do not attribute the IoCs below to the Windows 7 run.
General
Target
ad60d556fe5af05a14fd9fab0e3621ec23ad8900e8da62889860a1728d89b4af.exe
Size
335KB
MD5
aa2d1fef8c45baf299ffb2f4590bc84f
SHA1
28c1ef7992db97a47e83aecc3fb3d517fc500e0c
SHA256
ad60d556fe5af05a14fd9fab0e3621ec23ad8900e8da62889860a1728d89b4af
SHA512
c3c868224eb67c310f5e0ecbba70033b932d178906e9c28bbebc61b0741857bbfba53b62800176968a51ac36235a32336b229af3f14c3430f65f23704ca5ee53
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbev:R4wFHoSHYHUrAwfMp3CDv
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4344-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4400-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3044-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1960-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/940-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3928-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2404-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1492-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4656-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3256-61-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3984-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2148-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4284-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/452-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1056-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3236-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1364-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1748-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3816-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4120-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1176-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2772-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2492-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2996-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2068-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2776-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3044-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4804-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2732-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1148-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4756-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2148-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2888-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4724-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1224-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2028-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1772-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2120-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4924-343-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4292-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/456-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4368-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2084-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-416-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1228-423-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4700-472-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4756-517-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-610-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-858-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4188-929-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
The dropped binaries are launched from the drive root (shown in the process tree as \??\c:\<name>.exe) under short pseudo-random names, and each one in turn drops and launches the next. Executables created and run directly in c:\ by a non-installer process are a useful hunting pivot for this chain; the memory-dump and upx yara hits below indicate the drops are UPX-packed copies sharing the same 0x400000–0x427000 image range.
pid Process 4400 4628822.exe 3044 3tttnn.exe 1960 vpvpj.exe 940 4648882.exe 3928 fxfxllx.exe 2404 68228.exe 1492 rlxrrlf.exe 4688 006846.exe 4656 djpjd.exe 3520 8042222.exe 3408 llffxxx.exe 3256 tbntbb.exe 4488 8466882.exe 3984 tbbnnh.exe 2148 djpdj.exe 4520 pdvpd.exe 452 jpdvv.exe 4284 nnnhtt.exe 3308 jdpjj.exe 1056 dvjvp.exe 3236 8200608.exe 3816 0662844.exe 1364 frrrfll.exe 2992 260462.exe 1748 bhtnhb.exe 2008 486626.exe 1284 00608.exe 3576 vddpj.exe 3260 00262.exe 4076 lfllxfx.exe 4120 vjdpj.exe 872 26060.exe 1176 tttnbn.exe 1548 nntnht.exe 2772 0864264.exe 2800 xlrlflr.exe 2920 rxfrflf.exe 4248 84608.exe 2492 64608.exe 1296 1fxrffx.exe 2996 6284886.exe 2068 8220820.exe 2776 06004.exe 4796 vvjvd.exe 3472 08484.exe 4416 thnnnh.exe 2364 8000064.exe 4116 288260.exe 2352 06486.exe 3044 0660826.exe 3492 hthtnb.exe 4804 jppdp.exe 2716 pjjvp.exe 752 262260.exe 4228 jdjdj.exe 2732 44008.exe 1484 xllfrll.exe 1148 8000280.exe 3388 i686666.exe 4040 c622604.exe 4756 862600.exe 3660 6020444.exe 1784 2466048.exe 1700 a6608.exe -
resource yara_rule behavioral2/memory/4344-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4344-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023d63-9.dat upx behavioral2/memory/4400-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023d60-4.dat upx behavioral2/files/0x0008000000023d66-11.dat upx behavioral2/memory/3044-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1960-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d67-19.dat upx behavioral2/memory/940-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3928-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d68-25.dat upx behavioral2/files/0x0007000000023d69-29.dat upx behavioral2/files/0x0007000000023d6a-33.dat upx behavioral2/memory/2404-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d6b-38.dat upx behavioral2/memory/1492-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d6c-43.dat upx behavioral2/memory/4688-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023d6d-48.dat upx behavioral2/memory/4656-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023d6f-53.dat upx behavioral2/files/0x0007000000023d70-58.dat upx behavioral2/memory/3256-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d71-63.dat upx behavioral2/memory/3520-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023d64-67.dat upx behavioral2/files/0x0007000000023d72-71.dat upx behavioral2/files/0x000b000000023c49-77.dat upx behavioral2/memory/4520-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3984-74-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2148-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d73-82.dat upx behavioral2/memory/4520-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d74-87.dat upx behavioral2/memory/4284-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d75-93.dat upx behavioral2/memory/452-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d76-98.dat upx behavioral2/files/0x0007000000023d77-101.dat upx behavioral2/memory/1056-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3236-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d78-108.dat upx behavioral2/files/0x0007000000023d79-111.dat upx behavioral2/memory/1364-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d7b-121.dat upx behavioral2/memory/1748-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d7c-127.dat upx behavioral2/files/0x0007000000023d7d-132.dat upx behavioral2/memory/2008-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d7a-118.dat upx behavioral2/memory/3816-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000600000001e6af-135.dat upx behavioral2/files/0x000600000001e6b0-139.dat upx behavioral2/memory/3576-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023c1c-145.dat upx behavioral2/memory/3260-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000500000001eb56-150.dat upx behavioral2/memory/4120-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4076-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023c15-155.dat upx behavioral2/memory/1176-161-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2772-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2492-175-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). Caveat: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by plenty of benign software, so on its own this is a weak indicator. Many of the entries below are attributed to "Process not Found", meaning the sandbox could not tie the registry access to a live process (presumably because the short-lived dropped EXE had already exited by the time the event was attributed); treat those entries as lower-confidence.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3frlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 064822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4026228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 002288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8200608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 000824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Each parent/child pair is listed three times below. Every write goes from a process to the child it spawns next in the tree (4344 → 4400 → 3044 → 1960 → …), so this most likely reflects ordinary process creation by each dropped EXE rather than injection into an unrelated process — confirm against the full API trace before treating it as injection.
description pid Process procid_target PID 4344 wrote to memory of 4400 4344 ad60d556fe5af05a14fd9fab0e3621ec23ad8900e8da62889860a1728d89b4af.exe 82 PID 4344 wrote to memory of 4400 4344 ad60d556fe5af05a14fd9fab0e3621ec23ad8900e8da62889860a1728d89b4af.exe 82 PID 4344 wrote to memory of 4400 4344 ad60d556fe5af05a14fd9fab0e3621ec23ad8900e8da62889860a1728d89b4af.exe 82 PID 4400 wrote to memory of 3044 4400 4628822.exe 83 PID 4400 wrote to memory of 3044 4400 4628822.exe 83 PID 4400 wrote to memory of 3044 4400 4628822.exe 83 PID 3044 wrote to memory of 1960 3044 3tttnn.exe 84 PID 3044 wrote to memory of 1960 3044 3tttnn.exe 84 PID 3044 wrote to memory of 1960 3044 3tttnn.exe 84 PID 1960 wrote to memory of 940 1960 vpvpj.exe 85 PID 1960 wrote to memory of 940 1960 vpvpj.exe 85 PID 1960 wrote to memory of 940 1960 vpvpj.exe 85 PID 940 wrote to memory of 3928 940 4648882.exe 87 PID 940 wrote to memory of 3928 940 4648882.exe 87 PID 940 wrote to memory of 3928 940 4648882.exe 87 PID 3928 wrote to memory of 2404 3928 fxfxllx.exe 88 PID 3928 wrote to memory of 2404 3928 fxfxllx.exe 88 PID 3928 wrote to memory of 2404 3928 fxfxllx.exe 88 PID 2404 wrote to memory of 1492 2404 68228.exe 90 PID 2404 wrote to memory of 1492 2404 68228.exe 90 PID 2404 wrote to memory of 1492 2404 68228.exe 90 PID 1492 wrote to memory of 4688 1492 rlxrrlf.exe 91 PID 1492 wrote to memory of 4688 1492 rlxrrlf.exe 91 PID 1492 wrote to memory of 4688 1492 rlxrrlf.exe 91 PID 4688 wrote to memory of 4656 4688 006846.exe 92 PID 4688 wrote to memory of 4656 4688 006846.exe 92 PID 4688 wrote to memory of 4656 4688 006846.exe 92 PID 4656 wrote to memory of 3520 4656 djpjd.exe 93 PID 4656 wrote to memory of 3520 4656 djpjd.exe 93 PID 4656 wrote to memory of 3520 4656 djpjd.exe 93 PID 3520 wrote to memory of 3408 3520 8042222.exe 95 PID 3520 wrote to memory of 3408 3520 8042222.exe 95 PID 3520 wrote to memory of 3408 3520 8042222.exe 95 PID 3408 wrote to memory of 3256 3408 llffxxx.exe 96 PID 3408 wrote to 
memory of 3256 3408 llffxxx.exe 96 PID 3408 wrote to memory of 3256 3408 llffxxx.exe 96 PID 3256 wrote to memory of 4488 3256 tbntbb.exe 97 PID 3256 wrote to memory of 4488 3256 tbntbb.exe 97 PID 3256 wrote to memory of 4488 3256 tbntbb.exe 97 PID 4488 wrote to memory of 3984 4488 8466882.exe 98 PID 4488 wrote to memory of 3984 4488 8466882.exe 98 PID 4488 wrote to memory of 3984 4488 8466882.exe 98 PID 3984 wrote to memory of 2148 3984 tbbnnh.exe 99 PID 3984 wrote to memory of 2148 3984 tbbnnh.exe 99 PID 3984 wrote to memory of 2148 3984 tbbnnh.exe 99 PID 2148 wrote to memory of 4520 2148 djpdj.exe 100 PID 2148 wrote to memory of 4520 2148 djpdj.exe 100 PID 2148 wrote to memory of 4520 2148 djpdj.exe 100 PID 4520 wrote to memory of 452 4520 pdvpd.exe 101 PID 4520 wrote to memory of 452 4520 pdvpd.exe 101 PID 4520 wrote to memory of 452 4520 pdvpd.exe 101 PID 452 wrote to memory of 4284 452 jpdvv.exe 102 PID 452 wrote to memory of 4284 452 jpdvv.exe 102 PID 452 wrote to memory of 4284 452 jpdvv.exe 102 PID 4284 wrote to memory of 3308 4284 nnnhtt.exe 103 PID 4284 wrote to memory of 3308 4284 nnnhtt.exe 103 PID 4284 wrote to memory of 3308 4284 nnnhtt.exe 103 PID 3308 wrote to memory of 1056 3308 jdpjj.exe 104 PID 3308 wrote to memory of 1056 3308 jdpjj.exe 104 PID 3308 wrote to memory of 1056 3308 jdpjj.exe 104 PID 1056 wrote to memory of 3236 1056 dvjvp.exe 105 PID 1056 wrote to memory of 3236 1056 dvjvp.exe 105 PID 1056 wrote to memory of 3236 1056 dvjvp.exe 105 PID 3236 wrote to memory of 3816 3236 8200608.exe 106
Processes
Note: PIDs are reused within this trace — e.g. 3044, 2148 and 3816 each appear at two different depths — so identify a node by its depth marker and image name, not by PID alone.
C:\Users\Admin\AppData\Local\Temp\ad60d556fe5af05a14fd9fab0e3621ec23ad8900e8da62889860a1728d89b4af.exe"C:\Users\Admin\AppData\Local\Temp\ad60d556fe5af05a14fd9fab0e3621ec23ad8900e8da62889860a1728d89b4af.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\4628822.exec:\4628822.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\3tttnn.exec:\3tttnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\vpvpj.exec:\vpvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\4648882.exec:\4648882.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\fxfxllx.exec:\fxfxllx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\68228.exec:\68228.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\rlxrrlf.exec:\rlxrrlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\006846.exec:\006846.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\djpjd.exec:\djpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\8042222.exec:\8042222.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\llffxxx.exec:\llffxxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\tbntbb.exec:\tbntbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\8466882.exec:\8466882.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\tbbnnh.exec:\tbbnnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\djpdj.exec:\djpdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\pdvpd.exec:\pdvpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\jpdvv.exec:\jpdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\nnnhtt.exec:\nnnhtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\jdpjj.exec:\jdpjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\dvjvp.exec:\dvjvp.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\8200608.exec:\8200608.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\0662844.exec:\0662844.exe23⤵
- Executes dropped EXE
PID:3816 -
\??\c:\frrrfll.exec:\frrrfll.exe24⤵
- Executes dropped EXE
PID:1364 -
\??\c:\260462.exec:\260462.exe25⤵
- Executes dropped EXE
PID:2992 -
\??\c:\bhtnhb.exec:\bhtnhb.exe26⤵
- Executes dropped EXE
PID:1748 -
\??\c:\486626.exec:\486626.exe27⤵
- Executes dropped EXE
PID:2008 -
\??\c:\00608.exec:\00608.exe28⤵
- Executes dropped EXE
PID:1284 -
\??\c:\vddpj.exec:\vddpj.exe29⤵
- Executes dropped EXE
PID:3576 -
\??\c:\00262.exec:\00262.exe30⤵
- Executes dropped EXE
PID:3260 -
\??\c:\lfllxfx.exec:\lfllxfx.exe31⤵
- Executes dropped EXE
PID:4076 -
\??\c:\vjdpj.exec:\vjdpj.exe32⤵
- Executes dropped EXE
PID:4120 -
\??\c:\26060.exec:\26060.exe33⤵
- Executes dropped EXE
PID:872 -
\??\c:\tttnbn.exec:\tttnbn.exe34⤵
- Executes dropped EXE
PID:1176 -
\??\c:\nntnht.exec:\nntnht.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1548 -
\??\c:\0864264.exec:\0864264.exe36⤵
- Executes dropped EXE
PID:2772 -
\??\c:\xlrlflr.exec:\xlrlflr.exe37⤵
- Executes dropped EXE
PID:2800 -
\??\c:\rxfrflf.exec:\rxfrflf.exe38⤵
- Executes dropped EXE
PID:2920 -
\??\c:\84608.exec:\84608.exe39⤵
- Executes dropped EXE
PID:4248 -
\??\c:\64608.exec:\64608.exe40⤵
- Executes dropped EXE
PID:2492 -
\??\c:\1fxrffx.exec:\1fxrffx.exe41⤵
- Executes dropped EXE
PID:1296 -
\??\c:\6284886.exec:\6284886.exe42⤵
- Executes dropped EXE
PID:2996 -
\??\c:\8220820.exec:\8220820.exe43⤵
- Executes dropped EXE
PID:2068 -
\??\c:\06004.exec:\06004.exe44⤵
- Executes dropped EXE
PID:2776 -
\??\c:\vvjvd.exec:\vvjvd.exe45⤵
- Executes dropped EXE
PID:4796 -
\??\c:\08484.exec:\08484.exe46⤵
- Executes dropped EXE
PID:3472 -
\??\c:\thnnnh.exec:\thnnnh.exe47⤵
- Executes dropped EXE
PID:4416 -
\??\c:\8000064.exec:\8000064.exe48⤵
- Executes dropped EXE
PID:2364 -
\??\c:\288260.exec:\288260.exe49⤵
- Executes dropped EXE
PID:4116 -
\??\c:\06486.exec:\06486.exe50⤵
- Executes dropped EXE
PID:2352 -
\??\c:\0660826.exec:\0660826.exe51⤵
- Executes dropped EXE
PID:3044 -
\??\c:\hthtnb.exec:\hthtnb.exe52⤵
- Executes dropped EXE
PID:3492 -
\??\c:\jppdp.exec:\jppdp.exe53⤵
- Executes dropped EXE
PID:4804 -
\??\c:\pjjvp.exec:\pjjvp.exe54⤵
- Executes dropped EXE
PID:2716 -
\??\c:\262260.exec:\262260.exe55⤵
- Executes dropped EXE
PID:752 -
\??\c:\jdjdj.exec:\jdjdj.exe56⤵
- Executes dropped EXE
PID:4228 -
\??\c:\44008.exec:\44008.exe57⤵
- Executes dropped EXE
PID:2732 -
\??\c:\xllfrll.exec:\xllfrll.exe58⤵
- Executes dropped EXE
PID:1484 -
\??\c:\8000280.exec:\8000280.exe59⤵
- Executes dropped EXE
PID:1148 -
\??\c:\i686666.exec:\i686666.exe60⤵
- Executes dropped EXE
PID:3388 -
\??\c:\c622604.exec:\c622604.exe61⤵
- Executes dropped EXE
PID:4040 -
\??\c:\862600.exec:\862600.exe62⤵
- Executes dropped EXE
PID:4756 -
\??\c:\6020444.exec:\6020444.exe63⤵
- Executes dropped EXE
PID:3660 -
\??\c:\2466048.exec:\2466048.exe64⤵
- Executes dropped EXE
PID:1784 -
\??\c:\a6608.exec:\a6608.exe65⤵
- Executes dropped EXE
PID:1700 -
\??\c:\nbtntn.exec:\nbtntn.exe66⤵PID:3676
-
\??\c:\hbbnhb.exec:\hbbnhb.exe67⤵PID:3036
-
\??\c:\86400.exec:\86400.exe68⤵PID:2148
-
\??\c:\nbhbhb.exec:\nbhbhb.exe69⤵PID:2888
-
\??\c:\pdjdv.exec:\pdjdv.exe70⤵PID:4724
-
\??\c:\jvpdj.exec:\jvpdj.exe71⤵PID:4588
-
\??\c:\vdvjv.exec:\vdvjv.exe72⤵PID:4012
-
\??\c:\nbhbhh.exec:\nbhbhh.exe73⤵PID:2044
-
\??\c:\e62260.exec:\e62260.exe74⤵PID:1224
-
\??\c:\bbthtb.exec:\bbthtb.exe75⤵PID:1860
-
\??\c:\42840.exec:\42840.exe76⤵PID:2712
-
\??\c:\ntbnbt.exec:\ntbnbt.exe77⤵PID:2440
-
\??\c:\nhtntt.exec:\nhtntt.exe78⤵PID:3816
-
\??\c:\ddddd.exec:\ddddd.exe79⤵PID:3560
-
\??\c:\nnbnnn.exec:\nnbnnn.exe80⤵PID:2088
-
\??\c:\822260.exec:\822260.exe81⤵PID:1124
-
\??\c:\44826.exec:\44826.exe82⤵PID:2028
-
\??\c:\8662460.exec:\8662460.exe83⤵PID:3524
-
\??\c:\djpvp.exec:\djpvp.exe84⤵PID:632
-
\??\c:\8086228.exec:\8086228.exe85⤵PID:2260
-
\??\c:\626000.exec:\626000.exe86⤵PID:996
-
\??\c:\0626000.exec:\0626000.exe87⤵PID:1772
-
\??\c:\dvjdd.exec:\dvjdd.exe88⤵PID:4332
-
\??\c:\nbhhbh.exec:\nbhhbh.exe89⤵PID:4432
-
\??\c:\046044.exec:\046044.exe90⤵PID:2380
-
\??\c:\8288222.exec:\8288222.exe91⤵PID:1612
-
\??\c:\xfllllf.exec:\xfllllf.exe92⤵
- System Location Discovery: System Language Discovery
PID:4672 -
\??\c:\8400444.exec:\8400444.exe93⤵PID:3996
-
\??\c:\g8606.exec:\g8606.exe94⤵PID:3352
-
\??\c:\6062060.exec:\6062060.exe95⤵PID:712
-
\??\c:\22222.exec:\22222.exe96⤵PID:1908
-
\??\c:\6622266.exec:\6622266.exe97⤵PID:3900
-
\??\c:\xxrxflr.exec:\xxrxflr.exe98⤵PID:1744
-
\??\c:\s2888.exec:\s2888.exe99⤵PID:2800
-
\??\c:\480668.exec:\480668.exe100⤵PID:2920
-
\??\c:\044448.exec:\044448.exe101⤵PID:4248
-
\??\c:\6622666.exec:\6622666.exe102⤵PID:5108
-
\??\c:\fxrfflr.exec:\fxrfflr.exe103⤵PID:1296
-
\??\c:\6800666.exec:\6800666.exe104⤵PID:2996
-
\??\c:\ddpjd.exec:\ddpjd.exe105⤵PID:4576
-
\??\c:\xrxxrrx.exec:\xrxxrrx.exe106⤵PID:3336
-
\??\c:\xxrlllx.exec:\xxrlllx.exe107⤵PID:4296
-
\??\c:\262222.exec:\262222.exe108⤵PID:4280
-
\??\c:\4860222.exec:\4860222.exe109⤵PID:4300
-
\??\c:\822288.exec:\822288.exe110⤵PID:3040
-
\??\c:\fxxxrxx.exec:\fxxxrxx.exe111⤵PID:2120
-
\??\c:\440444.exec:\440444.exe112⤵PID:4924
-
\??\c:\hbhhtt.exec:\hbhhtt.exe113⤵PID:2964
-
\??\c:\062828.exec:\062828.exe114⤵PID:3492
-
\??\c:\nnnnnn.exec:\nnnnnn.exe115⤵PID:940
-
\??\c:\42660.exec:\42660.exe116⤵PID:4168
-
\??\c:\66002.exec:\66002.exe117⤵PID:4708
-
\??\c:\rlffxlf.exec:\rlffxlf.exe118⤵PID:4292
-
\??\c:\htbnhb.exec:\htbnhb.exe119⤵PID:2220
-
\??\c:\62220.exec:\62220.exe120⤵PID:4996
-
\??\c:\866082.exec:\866082.exe121⤵
- System Location Discovery: System Language Discovery
PID:3060 -
\??\c:\1hbhbt.exec:\1hbhbt.exe122⤵PID:4876