Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5f400068eec9a92ba67a2f0c221d1af1fcbb855c3fabc0b5f3cb81f8abeed795N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5f400068eec9a92ba67a2f0c221d1af1fcbb855c3fabc0b5f3cb81f8abeed795N.exe
-
Size
454KB
-
MD5
69de2ccc40fe836f46b5fae2ae0be430
-
SHA1
8cf717c813d6fade774d81780f442da89a413215
-
SHA256
5f400068eec9a92ba67a2f0c221d1af1fcbb855c3fabc0b5f3cb81f8abeed795
-
SHA512
873335c56886fedf0615f0add68c0499b83ba36674306494f7301ad63094bb30cf9bd21b9cf19f1e30edb20cac91065badcb7df046deacadb3538d1318e9e9b1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetq:q7Tc2NYHUrAwfMp3CDtq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1068-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2904-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3064-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-960-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-1036-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-1088-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-1101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-1156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-1208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1068 7djjd.exe 4944 5rlxrrf.exe 3536 jdpdv.exe 2748 xrrlxxr.exe 548 fllffrl.exe 464 vjpdv.exe 3596 rrxxfll.exe 3828 pvpjp.exe 3556 btnhhh.exe 2568 rlllffx.exe 1624 vddpj.exe 1960 1rllfff.exe 2732 nthhbb.exe 932 rflfffx.exe 2292 vpjdd.exe 2900 hhbbtn.exe 4580 xrxrxrl.exe 3748 pvpjd.exe 3564 vjpjd.exe 2072 lrfrxlf.exe 3592 hhhnht.exe 3320 ppvpp.exe 1568 5vvvv.exe 4524 nhhbbb.exe 2844 dvvjj.exe 5028 nhtbhh.exe 2904 jdjjd.exe 2068 1bhhbh.exe 3108 hnbbbb.exe 4700 3tbttt.exe 3324 jjjdv.exe 2932 btbtnn.exe 440 hthbtn.exe 1116 lfxrxxl.exe 4060 bnbbtt.exe 2432 tbnhbt.exe 2684 dpvpp.exe 4116 llllrrr.exe 4032 7hhbtt.exe 5072 7jdvj.exe 3192 1xxrllf.exe 3448 tttnnt.exe 2668 vvppj.exe 3952 fffxllf.exe 4020 xrrlffx.exe 2976 hhhhhh.exe 2760 vdjjd.exe 1476 xlfxllf.exe 1380 ntbtnn.exe 4844 dvdvp.exe 1048 3lrlfxx.exe 728 xlrllrr.exe 3428 7tttnn.exe 4948 jvdvv.exe 1704 pjjdv.exe 1940 rllfxrl.exe 2488 tbhbtt.exe 1492 vppjj.exe 4392 1rrrlrl.exe 3864 lffrllf.exe 3400 thtnnn.exe 464 dvjvd.exe 2096 rlrrxxx.exe 2396 lxrllfr.exe -
resource yara_rule behavioral2/memory/1068-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3108-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-371-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/924-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/796-916-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-960-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
7fflxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1384 wrote to memory of 1068 1384 5f400068eec9a92ba67a2f0c221d1af1fcbb855c3fabc0b5f3cb81f8abeed795N.exe 83 PID 1384 wrote to memory of 1068 1384 5f400068eec9a92ba67a2f0c221d1af1fcbb855c3fabc0b5f3cb81f8abeed795N.exe 83 PID 1384 wrote to memory of 1068 1384 5f400068eec9a92ba67a2f0c221d1af1fcbb855c3fabc0b5f3cb81f8abeed795N.exe 83 PID 1068 wrote to memory of 4944 1068 7djjd.exe 84 PID 1068 wrote to memory of 4944 1068 7djjd.exe 84 PID 1068 wrote to memory of 4944 1068 7djjd.exe 84 PID 4944 wrote to memory of 3536 4944 5rlxrrf.exe 85 PID 4944 wrote to memory of 3536 4944 5rlxrrf.exe 85 PID 4944 wrote to memory of 3536 4944 5rlxrrf.exe 85 PID 3536 wrote to memory of 2748 3536 jdpdv.exe 86 PID 3536 wrote to memory of 2748 3536 jdpdv.exe 86 PID 3536 wrote to memory of 2748 3536 jdpdv.exe 86 PID 2748 wrote to memory of 548 2748 xrrlxxr.exe 87 PID 2748 wrote to memory of 548 2748 xrrlxxr.exe 87 PID 2748 wrote to memory of 548 2748 xrrlxxr.exe 87 PID 548 wrote to memory of 464 548 fllffrl.exe 88 PID 548 wrote to memory of 464 548 fllffrl.exe 88 PID 548 wrote to memory of 464 548 fllffrl.exe 88 PID 464 wrote to memory of 3596 464 vjpdv.exe 89 PID 464 wrote to memory of 3596 464 vjpdv.exe 89 PID 464 wrote to memory of 3596 464 vjpdv.exe 89 PID 3596 wrote to memory of 3828 3596 rrxxfll.exe 90 PID 3596 wrote to memory of 3828 3596 rrxxfll.exe 90 PID 3596 wrote to memory of 3828 3596 rrxxfll.exe 90 PID 3828 wrote to memory of 3556 3828 pvpjp.exe 91 PID 3828 wrote to memory of 3556 3828 pvpjp.exe 91 PID 3828 wrote to memory of 3556 3828 pvpjp.exe 91 PID 3556 wrote to memory of 2568 3556 btnhhh.exe 92 PID 3556 wrote to memory of 2568 3556 btnhhh.exe 92 PID 3556 wrote to memory of 2568 3556 btnhhh.exe 92 PID 2568 wrote to memory of 1624 2568 rlllffx.exe 93 PID 2568 wrote to memory of 1624 2568 rlllffx.exe 93 PID 2568 wrote to memory of 1624 2568 rlllffx.exe 93 PID 1624 wrote to memory of 1960 1624 vddpj.exe 94 PID 1624 wrote to memory of 1960 
1624 vddpj.exe 94 PID 1624 wrote to memory of 1960 1624 vddpj.exe 94 PID 1960 wrote to memory of 2732 1960 1rllfff.exe 95 PID 1960 wrote to memory of 2732 1960 1rllfff.exe 95 PID 1960 wrote to memory of 2732 1960 1rllfff.exe 95 PID 2732 wrote to memory of 932 2732 nthhbb.exe 96 PID 2732 wrote to memory of 932 2732 nthhbb.exe 96 PID 2732 wrote to memory of 932 2732 nthhbb.exe 96 PID 932 wrote to memory of 2292 932 rflfffx.exe 97 PID 932 wrote to memory of 2292 932 rflfffx.exe 97 PID 932 wrote to memory of 2292 932 rflfffx.exe 97 PID 2292 wrote to memory of 2900 2292 vpjdd.exe 98 PID 2292 wrote to memory of 2900 2292 vpjdd.exe 98 PID 2292 wrote to memory of 2900 2292 vpjdd.exe 98 PID 2900 wrote to memory of 4580 2900 hhbbtn.exe 99 PID 2900 wrote to memory of 4580 2900 hhbbtn.exe 99 PID 2900 wrote to memory of 4580 2900 hhbbtn.exe 99 PID 4580 wrote to memory of 3748 4580 xrxrxrl.exe 100 PID 4580 wrote to memory of 3748 4580 xrxrxrl.exe 100 PID 4580 wrote to memory of 3748 4580 xrxrxrl.exe 100 PID 3748 wrote to memory of 3564 3748 pvpjd.exe 101 PID 3748 wrote to memory of 3564 3748 pvpjd.exe 101 PID 3748 wrote to memory of 3564 3748 pvpjd.exe 101 PID 3564 wrote to memory of 2072 3564 vjpjd.exe 102 PID 3564 wrote to memory of 2072 3564 vjpjd.exe 102 PID 3564 wrote to memory of 2072 3564 vjpjd.exe 102 PID 2072 wrote to memory of 3592 2072 lrfrxlf.exe 103 PID 2072 wrote to memory of 3592 2072 lrfrxlf.exe 103 PID 2072 wrote to memory of 3592 2072 lrfrxlf.exe 103 PID 3592 wrote to memory of 3320 3592 hhhnht.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f400068eec9a92ba67a2f0c221d1af1fcbb855c3fabc0b5f3cb81f8abeed795N.exe"C:\Users\Admin\AppData\Local\Temp\5f400068eec9a92ba67a2f0c221d1af1fcbb855c3fabc0b5f3cb81f8abeed795N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\7djjd.exec:\7djjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\5rlxrrf.exec:\5rlxrrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\jdpdv.exec:\jdpdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\xrrlxxr.exec:\xrrlxxr.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\fllffrl.exec:\fllffrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\vjpdv.exec:\vjpdv.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\rrxxfll.exec:\rrxxfll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\pvpjp.exec:\pvpjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\btnhhh.exec:\btnhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\rlllffx.exec:\rlllffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\vddpj.exec:\vddpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\1rllfff.exec:\1rllfff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\nthhbb.exec:\nthhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\rflfffx.exec:\rflfffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\vpjdd.exec:\vpjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\hhbbtn.exec:\hhbbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\xrxrxrl.exec:\xrxrxrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\pvpjd.exec:\pvpjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\vjpjd.exec:\vjpjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\lrfrxlf.exec:\lrfrxlf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\hhhnht.exec:\hhhnht.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\ppvpp.exec:\ppvpp.exe23⤵
- Executes dropped EXE
PID:3320 -
\??\c:\5vvvv.exec:\5vvvv.exe24⤵
- Executes dropped EXE
PID:1568 -
\??\c:\nhhbbb.exec:\nhhbbb.exe25⤵
- Executes dropped EXE
PID:4524 -
\??\c:\dvvjj.exec:\dvvjj.exe26⤵
- Executes dropped EXE
PID:2844 -
\??\c:\nhtbhh.exec:\nhtbhh.exe27⤵
- Executes dropped EXE
PID:5028 -
\??\c:\jdjjd.exec:\jdjjd.exe28⤵
- Executes dropped EXE
PID:2904 -
\??\c:\1bhhbh.exec:\1bhhbh.exe29⤵
- Executes dropped EXE
PID:2068 -
\??\c:\hnbbbb.exec:\hnbbbb.exe30⤵
- Executes dropped EXE
PID:3108 -
\??\c:\3tbttt.exec:\3tbttt.exe31⤵
- Executes dropped EXE
PID:4700 -
\??\c:\jjjdv.exec:\jjjdv.exe32⤵
- Executes dropped EXE
PID:3324 -
\??\c:\btbtnn.exec:\btbtnn.exe33⤵
- Executes dropped EXE
PID:2932 -
\??\c:\hthbtn.exec:\hthbtn.exe34⤵
- Executes dropped EXE
PID:440 -
\??\c:\lfxrxxl.exec:\lfxrxxl.exe35⤵
- Executes dropped EXE
PID:1116 -
\??\c:\bnbbtt.exec:\bnbbtt.exe36⤵
- Executes dropped EXE
PID:4060 -
\??\c:\tbnhbt.exec:\tbnhbt.exe37⤵
- Executes dropped EXE
PID:2432 -
\??\c:\dpvpp.exec:\dpvpp.exe38⤵
- Executes dropped EXE
PID:2684 -
\??\c:\llllrrr.exec:\llllrrr.exe39⤵
- Executes dropped EXE
PID:4116 -
\??\c:\7hhbtt.exec:\7hhbtt.exe40⤵
- Executes dropped EXE
PID:4032 -
\??\c:\7jdvj.exec:\7jdvj.exe41⤵
- Executes dropped EXE
PID:5072 -
\??\c:\1xxrllf.exec:\1xxrllf.exe42⤵
- Executes dropped EXE
PID:3192 -
\??\c:\tttnnt.exec:\tttnnt.exe43⤵
- Executes dropped EXE
PID:3448 -
\??\c:\vvppj.exec:\vvppj.exe44⤵
- Executes dropped EXE
PID:2668 -
\??\c:\fffxllf.exec:\fffxllf.exe45⤵
- Executes dropped EXE
PID:3952 -
\??\c:\xrrlffx.exec:\xrrlffx.exe46⤵
- Executes dropped EXE
PID:4020 -
\??\c:\hhhhhh.exec:\hhhhhh.exe47⤵
- Executes dropped EXE
PID:2976 -
\??\c:\vdjjd.exec:\vdjjd.exe48⤵
- Executes dropped EXE
PID:2760 -
\??\c:\xlfxllf.exec:\xlfxllf.exe49⤵
- Executes dropped EXE
PID:1476 -
\??\c:\ntbtnn.exec:\ntbtnn.exe50⤵
- Executes dropped EXE
PID:1380 -
\??\c:\dvdvp.exec:\dvdvp.exe51⤵
- Executes dropped EXE
PID:4844 -
\??\c:\3lrlfxx.exec:\3lrlfxx.exe52⤵
- Executes dropped EXE
PID:1048 -
\??\c:\xlrllrr.exec:\xlrllrr.exe53⤵
- Executes dropped EXE
PID:728 -
\??\c:\7tttnn.exec:\7tttnn.exe54⤵
- Executes dropped EXE
PID:3428 -
\??\c:\jvdvv.exec:\jvdvv.exe55⤵
- Executes dropped EXE
PID:4948 -
\??\c:\pjjdv.exec:\pjjdv.exe56⤵
- Executes dropped EXE
PID:1704 -
\??\c:\rllfxrl.exec:\rllfxrl.exe57⤵
- Executes dropped EXE
PID:1940 -
\??\c:\tbhbtt.exec:\tbhbtt.exe58⤵
- Executes dropped EXE
PID:2488 -
\??\c:\vppjj.exec:\vppjj.exe59⤵
- Executes dropped EXE
PID:1492 -
\??\c:\1rrrlrl.exec:\1rrrlrl.exe60⤵
- Executes dropped EXE
PID:4392 -
\??\c:\lffrllf.exec:\lffrllf.exe61⤵
- Executes dropped EXE
PID:3864 -
\??\c:\thtnnn.exec:\thtnnn.exe62⤵
- Executes dropped EXE
PID:3400 -
\??\c:\dvjvd.exec:\dvjvd.exe63⤵
- Executes dropped EXE
PID:464 -
\??\c:\rlrrxxx.exec:\rlrrxxx.exe64⤵
- Executes dropped EXE
PID:2096 -
\??\c:\lxrllfr.exec:\lxrllfr.exe65⤵
- Executes dropped EXE
PID:2396 -
\??\c:\5hnhbb.exec:\5hnhbb.exe66⤵PID:2320
-
\??\c:\vppdv.exec:\vppdv.exe67⤵PID:4708
-
\??\c:\jdddv.exec:\jdddv.exe68⤵PID:3936
-
\??\c:\ffrrrrl.exec:\ffrrrrl.exe69⤵PID:3152
-
\??\c:\bntnhb.exec:\bntnhb.exe70⤵PID:3836
-
\??\c:\hnhbnn.exec:\hnhbnn.exe71⤵PID:2724
-
\??\c:\pddvd.exec:\pddvd.exe72⤵PID:2896
-
\??\c:\fxfxxxr.exec:\fxfxxxr.exe73⤵PID:4676
-
\??\c:\hbbbtt.exec:\hbbbtt.exe74⤵PID:2516
-
\??\c:\7bbthn.exec:\7bbthn.exe75⤵PID:1644
-
\??\c:\jjvpv.exec:\jjvpv.exe76⤵PID:2700
-
\??\c:\1xllfrx.exec:\1xllfrx.exe77⤵PID:3928
-
\??\c:\fxlffff.exec:\fxlffff.exe78⤵PID:4824
-
\??\c:\tbnnhn.exec:\tbnnhn.exe79⤵PID:2596
-
\??\c:\9pvvj.exec:\9pvvj.exe80⤵PID:1268
-
\??\c:\pdppj.exec:\pdppj.exe81⤵PID:4664
-
\??\c:\xlrrllf.exec:\xlrrllf.exe82⤵PID:3064
-
\??\c:\nthbtt.exec:\nthbtt.exe83⤵PID:5080
-
\??\c:\5nnnhh.exec:\5nnnhh.exe84⤵
- System Location Discovery: System Language Discovery
PID:1052 -
\??\c:\pjjdv.exec:\pjjdv.exe85⤵PID:752
-
\??\c:\ffllxxx.exec:\ffllxxx.exe86⤵PID:2540
-
\??\c:\thhhbt.exec:\thhhbt.exe87⤵PID:2496
-
\??\c:\nnbtnh.exec:\nnbtnh.exe88⤵PID:3876
-
\??\c:\jjpvd.exec:\jjpvd.exe89⤵PID:4364
-
\??\c:\xlrrllf.exec:\xlrrllf.exe90⤵PID:5028
-
\??\c:\lfxrrll.exec:\lfxrrll.exe91⤵PID:3940
-
\??\c:\thtnnn.exec:\thtnnn.exe92⤵PID:4160
-
\??\c:\pdpdj.exec:\pdpdj.exe93⤵PID:4696
-
\??\c:\xlxxrrr.exec:\xlxxrrr.exe94⤵PID:3108
-
\??\c:\7fxrllf.exec:\7fxrllf.exe95⤵PID:2964
-
\??\c:\tbhbbt.exec:\tbhbbt.exe96⤵PID:4852
-
\??\c:\pvddp.exec:\pvddp.exe97⤵
- System Location Discovery: System Language Discovery
PID:924 -
\??\c:\frrlrll.exec:\frrlrll.exe98⤵PID:2932
-
\??\c:\bbnnnt.exec:\bbnnnt.exe99⤵PID:4612
-
\??\c:\1nbttt.exec:\1nbttt.exe100⤵PID:604
-
\??\c:\jpvpj.exec:\jpvpj.exe101⤵PID:4060
-
\??\c:\lffxrrl.exec:\lffxrrl.exe102⤵PID:2432
-
\??\c:\hbhbhn.exec:\hbhbhn.exe103⤵PID:2684
-
\??\c:\nhhhbb.exec:\nhhhbb.exe104⤵PID:4116
-
\??\c:\pvpjj.exec:\pvpjj.exe105⤵PID:1296
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe106⤵PID:5024
-
\??\c:\rlrlrrx.exec:\rlrlrrx.exe107⤵PID:3476
-
\??\c:\hbbttt.exec:\hbbttt.exe108⤵PID:4820
-
\??\c:\pdjjd.exec:\pdjjd.exe109⤵PID:4868
-
\??\c:\7rfrrrx.exec:\7rfrrrx.exe110⤵PID:3772
-
\??\c:\bbhnht.exec:\bbhnht.exe111⤵PID:368
-
\??\c:\9bnhbb.exec:\9bnhbb.exe112⤵PID:1728
-
\??\c:\9dvpj.exec:\9dvpj.exe113⤵PID:4084
-
\??\c:\vjpjp.exec:\vjpjp.exe114⤵PID:4548
-
\??\c:\xrlllff.exec:\xrlllff.exe115⤵PID:3244
-
\??\c:\bbnhtt.exec:\bbnhtt.exe116⤵PID:2152
-
\??\c:\hbnhnh.exec:\hbnhnh.exe117⤵PID:2796
-
\??\c:\vjjpp.exec:\vjjpp.exe118⤵PID:1048
-
\??\c:\frfrlfx.exec:\frfrlfx.exe119⤵PID:4896
-
\??\c:\lfllfff.exec:\lfllfff.exe120⤵PID:3428
-
\??\c:\9nhhhh.exec:\9nhhhh.exe121⤵PID:4880
-
\??\c:\1dddv.exec:\1dddv.exe122⤵PID:1184