Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 11:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5e005dd17f19e509ff4971a970206460fb54236c54d81fbeecddf84e7fa5d8b1N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5e005dd17f19e509ff4971a970206460fb54236c54d81fbeecddf84e7fa5d8b1N.exe
-
Size
456KB
-
MD5
0e54633ab01be2516d87c11197d5f930
-
SHA1
2403878cd8de851a9292042aaf1a651d1bb73246
-
SHA256
5e005dd17f19e509ff4971a970206460fb54236c54d81fbeecddf84e7fa5d8b1
-
SHA512
c10797881ddef16f2738a4561a026d282df16624393d0e35af8e8967389303300c07072084a7982fde333a97cb34cff97766aa5ef22845584024089be5cbccbb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL+:q7Tc2NYHUrAwfMp3CDL+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/776-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/736-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4416-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-768-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4232 3jjvj.exe 744 xrxllff.exe 4932 pjdpj.exe 2772 lxrflfx.exe 3280 btthtn.exe 2056 3ppjd.exe 468 thhtht.exe 4728 lflxrrf.exe 2376 ddpjd.exe 4416 lfxlffx.exe 2764 xrxrfrx.exe 3756 9frrfxr.exe 4984 jvvvv.exe 4956 rrrlfxr.exe 1908 1bhbbt.exe 440 1vvpj.exe 3248 hhnnnt.exe 3536 1jpjp.exe 2436 btbttt.exe 2348 7dvdv.exe 2392 xxxxffl.exe 688 hbhnnn.exe 5112 3pjdp.exe 1568 3xxrlrl.exe 3316 hbhttb.exe 736 tnbthh.exe 4872 rxflffx.exe 4284 btbtnt.exe 4616 fffrlfx.exe 1480 dpvpj.exe 4960 7xfffrr.exe 1168 llfxxrl.exe 1664 pddvp.exe 1572 xlrlffx.exe 4056 tnnnhb.exe 3284 jdvpp.exe 4856 xllxrlx.exe 4292 pdvjv.exe 5060 vppjv.exe 868 lfrffxf.exe 4828 lxfxrlf.exe 1556 btnhbt.exe 4200 1jpjd.exe 3656 xrfxffr.exe 920 htthbt.exe 1376 bhntnh.exe 4448 dppjd.exe 3384 ffxrlrf.exe 4356 9tnhhh.exe 776 pvpdv.exe 436 fflfrlf.exe 180 tbbhnb.exe 1692 dpdpd.exe 5108 dpjvp.exe 3696 tbnbtn.exe 2128 hbhbnh.exe 3796 ppvpd.exe 4376 flxrfxl.exe 1284 nhnhbt.exe 2344 nhtnbb.exe 3012 pjppv.exe 4728 vdjdv.exe 2156 lrxlxxx.exe 488 nntntn.exe -
resource yara_rule behavioral2/memory/776-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4872-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3740-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-599-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 776 wrote to memory of 4232 776 5e005dd17f19e509ff4971a970206460fb54236c54d81fbeecddf84e7fa5d8b1N.exe 83 PID 776 wrote to memory of 4232 776 5e005dd17f19e509ff4971a970206460fb54236c54d81fbeecddf84e7fa5d8b1N.exe 83 PID 776 wrote to memory of 4232 776 5e005dd17f19e509ff4971a970206460fb54236c54d81fbeecddf84e7fa5d8b1N.exe 83 PID 4232 wrote to memory of 744 4232 3jjvj.exe 84 PID 4232 wrote to memory of 744 4232 3jjvj.exe 84 PID 4232 wrote to memory of 744 4232 3jjvj.exe 84 PID 744 wrote to memory of 4932 744 xrxllff.exe 85 PID 744 wrote to memory of 4932 744 xrxllff.exe 85 PID 744 wrote to memory of 4932 744 xrxllff.exe 85 PID 4932 wrote to memory of 2772 4932 pjdpj.exe 86 PID 4932 wrote to memory of 2772 4932 pjdpj.exe 86 PID 4932 wrote to memory of 2772 4932 pjdpj.exe 86 PID 2772 wrote to memory of 3280 2772 lxrflfx.exe 87 PID 2772 wrote to memory of 3280 2772 lxrflfx.exe 87 PID 2772 wrote to memory of 3280 2772 lxrflfx.exe 87 PID 3280 wrote to memory of 2056 3280 btthtn.exe 88 PID 3280 wrote to memory of 2056 3280 btthtn.exe 88 PID 3280 wrote to memory of 2056 3280 btthtn.exe 88 PID 2056 wrote to memory of 468 2056 3ppjd.exe 89 PID 2056 wrote to memory of 468 2056 3ppjd.exe 89 PID 2056 wrote to memory of 468 2056 3ppjd.exe 89 PID 468 wrote to memory of 4728 468 thhtht.exe 90 PID 468 wrote to memory of 4728 468 thhtht.exe 90 PID 468 wrote to memory of 4728 468 thhtht.exe 90 PID 4728 wrote to memory of 2376 4728 lflxrrf.exe 91 PID 4728 wrote to memory of 2376 4728 lflxrrf.exe 91 PID 4728 wrote to memory of 2376 4728 lflxrrf.exe 91 PID 2376 wrote to memory of 4416 2376 ddpjd.exe 92 PID 2376 wrote to memory of 4416 2376 ddpjd.exe 92 PID 2376 wrote to memory of 4416 2376 ddpjd.exe 92 PID 4416 wrote to memory of 2764 4416 lfxlffx.exe 93 PID 4416 wrote to memory of 2764 4416 lfxlffx.exe 93 PID 4416 wrote to memory of 2764 4416 lfxlffx.exe 93 PID 2764 wrote to memory of 3756 2764 xrxrfrx.exe 94 PID 2764 wrote to memory of 3756 2764 
xrxrfrx.exe 94 PID 2764 wrote to memory of 3756 2764 xrxrfrx.exe 94 PID 3756 wrote to memory of 4984 3756 9frrfxr.exe 95 PID 3756 wrote to memory of 4984 3756 9frrfxr.exe 95 PID 3756 wrote to memory of 4984 3756 9frrfxr.exe 95 PID 4984 wrote to memory of 4956 4984 jvvvv.exe 96 PID 4984 wrote to memory of 4956 4984 jvvvv.exe 96 PID 4984 wrote to memory of 4956 4984 jvvvv.exe 96 PID 4956 wrote to memory of 1908 4956 rrrlfxr.exe 97 PID 4956 wrote to memory of 1908 4956 rrrlfxr.exe 97 PID 4956 wrote to memory of 1908 4956 rrrlfxr.exe 97 PID 1908 wrote to memory of 440 1908 1bhbbt.exe 98 PID 1908 wrote to memory of 440 1908 1bhbbt.exe 98 PID 1908 wrote to memory of 440 1908 1bhbbt.exe 98 PID 440 wrote to memory of 3248 440 1vvpj.exe 99 PID 440 wrote to memory of 3248 440 1vvpj.exe 99 PID 440 wrote to memory of 3248 440 1vvpj.exe 99 PID 3248 wrote to memory of 3536 3248 hhnnnt.exe 100 PID 3248 wrote to memory of 3536 3248 hhnnnt.exe 100 PID 3248 wrote to memory of 3536 3248 hhnnnt.exe 100 PID 3536 wrote to memory of 2436 3536 1jpjp.exe 101 PID 3536 wrote to memory of 2436 3536 1jpjp.exe 101 PID 3536 wrote to memory of 2436 3536 1jpjp.exe 101 PID 2436 wrote to memory of 2348 2436 btbttt.exe 102 PID 2436 wrote to memory of 2348 2436 btbttt.exe 102 PID 2436 wrote to memory of 2348 2436 btbttt.exe 102 PID 2348 wrote to memory of 2392 2348 7dvdv.exe 103 PID 2348 wrote to memory of 2392 2348 7dvdv.exe 103 PID 2348 wrote to memory of 2392 2348 7dvdv.exe 103 PID 2392 wrote to memory of 688 2392 xxxxffl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e005dd17f19e509ff4971a970206460fb54236c54d81fbeecddf84e7fa5d8b1N.exe"C:\Users\Admin\AppData\Local\Temp\5e005dd17f19e509ff4971a970206460fb54236c54d81fbeecddf84e7fa5d8b1N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\3jjvj.exec:\3jjvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\xrxllff.exec:\xrxllff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\pjdpj.exec:\pjdpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\lxrflfx.exec:\lxrflfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\btthtn.exec:\btthtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\3ppjd.exec:\3ppjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\thhtht.exec:\thhtht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\lflxrrf.exec:\lflxrrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\ddpjd.exec:\ddpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\lfxlffx.exec:\lfxlffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\xrxrfrx.exec:\xrxrfrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\9frrfxr.exec:\9frrfxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\jvvvv.exec:\jvvvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\rrrlfxr.exec:\rrrlfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\1bhbbt.exec:\1bhbbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\1vvpj.exec:\1vvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\hhnnnt.exec:\hhnnnt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\1jpjp.exec:\1jpjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\btbttt.exec:\btbttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\7dvdv.exec:\7dvdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\xxxxffl.exec:\xxxxffl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\hbhnnn.exec:\hbhnnn.exe23⤵
- Executes dropped EXE
PID:688 -
\??\c:\3pjdp.exec:\3pjdp.exe24⤵
- Executes dropped EXE
PID:5112 -
\??\c:\3xxrlrl.exec:\3xxrlrl.exe25⤵
- Executes dropped EXE
PID:1568 -
\??\c:\hbhttb.exec:\hbhttb.exe26⤵
- Executes dropped EXE
PID:3316 -
\??\c:\tnbthh.exec:\tnbthh.exe27⤵
- Executes dropped EXE
PID:736 -
\??\c:\rxflffx.exec:\rxflffx.exe28⤵
- Executes dropped EXE
PID:4872 -
\??\c:\btbtnt.exec:\btbtnt.exe29⤵
- Executes dropped EXE
PID:4284 -
\??\c:\fffrlfx.exec:\fffrlfx.exe30⤵
- Executes dropped EXE
PID:4616 -
\??\c:\dpvpj.exec:\dpvpj.exe31⤵
- Executes dropped EXE
PID:1480 -
\??\c:\7xfffrr.exec:\7xfffrr.exe32⤵
- Executes dropped EXE
PID:4960 -
\??\c:\llfxxrl.exec:\llfxxrl.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1168 -
\??\c:\pddvp.exec:\pddvp.exe34⤵
- Executes dropped EXE
PID:1664 -
\??\c:\xlrlffx.exec:\xlrlffx.exe35⤵
- Executes dropped EXE
PID:1572 -
\??\c:\tnnnhb.exec:\tnnnhb.exe36⤵
- Executes dropped EXE
PID:4056 -
\??\c:\jdvpp.exec:\jdvpp.exe37⤵
- Executes dropped EXE
PID:3284 -
\??\c:\xllxrlx.exec:\xllxrlx.exe38⤵
- Executes dropped EXE
PID:4856 -
\??\c:\pdvjv.exec:\pdvjv.exe39⤵
- Executes dropped EXE
PID:4292 -
\??\c:\vppjv.exec:\vppjv.exe40⤵
- Executes dropped EXE
PID:5060 -
\??\c:\lfrffxf.exec:\lfrffxf.exe41⤵
- Executes dropped EXE
PID:868 -
\??\c:\lxfxrlf.exec:\lxfxrlf.exe42⤵
- Executes dropped EXE
PID:4828 -
\??\c:\btnhbt.exec:\btnhbt.exe43⤵
- Executes dropped EXE
PID:1556 -
\??\c:\1jpjd.exec:\1jpjd.exe44⤵
- Executes dropped EXE
PID:4200 -
\??\c:\xrfxffr.exec:\xrfxffr.exe45⤵
- Executes dropped EXE
PID:3656 -
\??\c:\htthbt.exec:\htthbt.exe46⤵
- Executes dropped EXE
PID:920 -
\??\c:\bhntnh.exec:\bhntnh.exe47⤵
- Executes dropped EXE
PID:1376 -
\??\c:\dppjd.exec:\dppjd.exe48⤵
- Executes dropped EXE
PID:4448 -
\??\c:\ffxrlrf.exec:\ffxrlrf.exe49⤵
- Executes dropped EXE
PID:3384 -
\??\c:\9tnhhh.exec:\9tnhhh.exe50⤵
- Executes dropped EXE
PID:4356 -
\??\c:\pvpdv.exec:\pvpdv.exe51⤵
- Executes dropped EXE
PID:776 -
\??\c:\fflfrlf.exec:\fflfrlf.exe52⤵
- Executes dropped EXE
PID:436 -
\??\c:\tbbhnb.exec:\tbbhnb.exe53⤵
- Executes dropped EXE
PID:180 -
\??\c:\dpdpd.exec:\dpdpd.exe54⤵
- Executes dropped EXE
PID:1692 -
\??\c:\dpjvp.exec:\dpjvp.exe55⤵
- Executes dropped EXE
PID:5108 -
\??\c:\tbnbtn.exec:\tbnbtn.exe56⤵
- Executes dropped EXE
PID:3696 -
\??\c:\hbhbnh.exec:\hbhbnh.exe57⤵
- Executes dropped EXE
PID:2128 -
\??\c:\ppvpd.exec:\ppvpd.exe58⤵
- Executes dropped EXE
PID:3796 -
\??\c:\flxrfxl.exec:\flxrfxl.exe59⤵
- Executes dropped EXE
PID:4376 -
\??\c:\nhnhbt.exec:\nhnhbt.exe60⤵
- Executes dropped EXE
PID:1284 -
\??\c:\nhtnbb.exec:\nhtnbb.exe61⤵
- Executes dropped EXE
PID:2344 -
\??\c:\pjppv.exec:\pjppv.exe62⤵
- Executes dropped EXE
PID:3012 -
\??\c:\vdjdv.exec:\vdjdv.exe63⤵
- Executes dropped EXE
PID:4728 -
\??\c:\lrxlxxx.exec:\lrxlxxx.exe64⤵
- Executes dropped EXE
PID:2156 -
\??\c:\nntntn.exec:\nntntn.exe65⤵
- Executes dropped EXE
PID:488 -
\??\c:\nbbnht.exec:\nbbnht.exe66⤵PID:3800
-
\??\c:\pddvp.exec:\pddvp.exe67⤵PID:4416
-
\??\c:\fxxlfxx.exec:\fxxlfxx.exe68⤵PID:2332
-
\??\c:\3tbttn.exec:\3tbttn.exe69⤵PID:2432
-
\??\c:\hnnhnh.exec:\hnnhnh.exe70⤵PID:764
-
\??\c:\pjvvp.exec:\pjvvp.exe71⤵PID:4984
-
\??\c:\7rrflff.exec:\7rrflff.exe72⤵PID:2788
-
\??\c:\tbbtht.exec:\tbbtht.exe73⤵PID:4036
-
\??\c:\ttthtn.exec:\ttthtn.exe74⤵PID:3508
-
\??\c:\vdjdv.exec:\vdjdv.exe75⤵PID:440
-
\??\c:\1xxfrxr.exec:\1xxfrxr.exe76⤵PID:5008
-
\??\c:\7nnhbh.exec:\7nnhbh.exe77⤵PID:4228
-
\??\c:\tnthnn.exec:\tnthnn.exe78⤵PID:4316
-
\??\c:\jdvdv.exec:\jdvdv.exe79⤵PID:3360
-
\??\c:\frfrfxr.exec:\frfrfxr.exe80⤵PID:4024
-
\??\c:\ffrlxrf.exec:\ffrlxrf.exe81⤵PID:5072
-
\??\c:\7hhhbt.exec:\7hhhbt.exe82⤵PID:3232
-
\??\c:\dppdv.exec:\dppdv.exe83⤵PID:3740
-
\??\c:\vppjp.exec:\vppjp.exe84⤵PID:560
-
\??\c:\fxfxxrx.exec:\fxfxxrx.exe85⤵PID:1568
-
\??\c:\thhbnn.exec:\thhbnn.exe86⤵PID:2012
-
\??\c:\7dpjv.exec:\7dpjv.exe87⤵PID:3976
-
\??\c:\vjdpd.exec:\vjdpd.exe88⤵PID:844
-
\??\c:\rrxlrll.exec:\rrxlrll.exe89⤵PID:4592
-
\??\c:\btthbt.exec:\btthbt.exe90⤵PID:4872
-
\??\c:\pddvj.exec:\pddvj.exe91⤵PID:4600
-
\??\c:\vdjdj.exec:\vdjdj.exe92⤵PID:2948
-
\??\c:\lffrfll.exec:\lffrfll.exe93⤵PID:984
-
\??\c:\nntthb.exec:\nntthb.exe94⤵PID:1224
-
\??\c:\jvvjd.exec:\jvvjd.exe95⤵PID:2916
-
\??\c:\jvjvj.exec:\jvjvj.exe96⤵PID:1720
-
\??\c:\xrrllll.exec:\xrrllll.exe97⤵PID:2052
-
\??\c:\nhhbnb.exec:\nhhbnb.exe98⤵
- System Location Discovery: System Language Discovery
PID:1824 -
\??\c:\7vjjd.exec:\7vjjd.exe99⤵PID:2312
-
\??\c:\vpdvj.exec:\vpdvj.exe100⤵PID:2776
-
\??\c:\ffrlffl.exec:\ffrlffl.exe101⤵PID:1728
-
\??\c:\thhbnh.exec:\thhbnh.exe102⤵PID:2700
-
\??\c:\tnttbt.exec:\tnttbt.exe103⤵PID:2316
-
\??\c:\jvvjd.exec:\jvvjd.exe104⤵PID:4760
-
\??\c:\9ffxllx.exec:\9ffxllx.exe105⤵PID:1564
-
\??\c:\7rxlfxr.exec:\7rxlfxr.exe106⤵PID:1304
-
\??\c:\nnnhhh.exec:\nnnhhh.exe107⤵PID:768
-
\??\c:\9jjvp.exec:\9jjvp.exe108⤵PID:1704
-
\??\c:\lflffxx.exec:\lflffxx.exe109⤵PID:1516
-
\??\c:\bnnbtt.exec:\bnnbtt.exe110⤵PID:4696
-
\??\c:\hbtnbt.exec:\hbtnbt.exe111⤵PID:1328
-
\??\c:\vvdpd.exec:\vvdpd.exe112⤵PID:3808
-
\??\c:\7lfrffr.exec:\7lfrffr.exe113⤵PID:2724
-
\??\c:\9bnhbn.exec:\9bnhbn.exe114⤵PID:3944
-
\??\c:\9bhtbb.exec:\9bhtbb.exe115⤵PID:4620
-
\??\c:\dpvpp.exec:\dpvpp.exe116⤵PID:952
-
\??\c:\lfxrflf.exec:\lfxrflf.exe117⤵PID:2816
-
\??\c:\btnbnb.exec:\btnbnb.exe118⤵PID:4156
-
\??\c:\nthbtb.exec:\nthbtb.exe119⤵PID:3176
-
\??\c:\vdjvj.exec:\vdjvj.exe120⤵PID:4460
-
\??\c:\3ffrffr.exec:\3ffrffr.exe121⤵PID:3280
-
\??\c:\bnbttn.exec:\bnbttn.exe122⤵PID:3684