Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:55
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe
-
Size
454KB
-
MD5
64489ceab14b7b091ec284e7e96615e0
-
SHA1
e0f2ab59df391bdf7add06ee49855639625ce381
-
SHA256
5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2
-
SHA512
8c483b9ae87f6d297eb3cbd5e58b8fdede1f9803f5379715d785a30ed9877ef72cefca3908c3b42142bdefdf7f7ebc1df7de14b2d4eda7f07d20632a63b99b08
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 60 IoCs
resource yara_rule behavioral2/memory/4316-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2620-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4104-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-1052-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-1241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2976 dddvp.exe 3584 pjpjd.exe 4072 7jpjd.exe 1620 thnnnn.exe 224 dpvvp.exe 3024 pjddv.exe 232 rfrxxxx.exe 3952 vvvpp.exe 3428 fxffffl.exe 4264 htbthn.exe 3800 5ddvp.exe 3704 rrrrxxr.exe 1636 9xfxxxr.exe 4892 vpvpp.exe 4936 rfllfff.exe 1952 flffxrr.exe 4472 jdjdj.exe 2128 1frlxxl.exe 4492 flrrlll.exe 2124 nnnnhh.exe 2668 dpppp.exe 1964 xlrrlll.exe 4400 lxfxrrl.exe 1728 jvdpp.exe 2052 3rxxxxx.exe 2620 3tnhnn.exe 3664 jdjdv.exe 3744 flrrrrl.exe 4984 xrrlxxx.exe 4508 5pvpp.exe 656 fxxrlll.exe 3180 7nnnhn.exe 3764 bbbhbh.exe 436 5vvvp.exe 5108 9xxrllf.exe 2704 htbtnh.exe 4948 jvjdj.exe 4940 rlxrlfx.exe 3100 bnnnnn.exe 4960 7xxrlrl.exe 4340 rfxxrxr.exe 4676 nntbhh.exe 1352 ppdvv.exe 2976 lrxrllf.exe 3068 bbbthh.exe 4172 jddvj.exe 1620 rllfxxr.exe 4728 rlrllff.exe 244 1ntnhh.exe 3476 jpvvp.exe 2372 djvpj.exe 3912 3xxrllf.exe 1624 tnntnt.exe 4736 btbttn.exe 3428 jdddv.exe 4264 9xllrxf.exe 2776 1nttnn.exe 3800 vdddv.exe 4844 rrlfxxr.exe 2792 llffllr.exe 704 hhtnbb.exe 1160 jvdvp.exe 4160 lxxrlff.exe 972 rxfxrrl.exe -
resource yara_rule behavioral2/memory/4316-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2620-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/704-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4424-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-903-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-931-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-1052-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttnb.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4316 wrote to memory of 2976 4316 5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe 83 PID 4316 wrote to memory of 2976 4316 5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe 83 PID 4316 wrote to memory of 2976 4316 5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe 83 PID 2976 wrote to memory of 3584 2976 dddvp.exe 84 PID 2976 wrote to memory of 3584 2976 dddvp.exe 84 PID 2976 wrote to memory of 3584 2976 dddvp.exe 84 PID 3584 wrote to memory of 4072 3584 pjpjd.exe 85 PID 3584 wrote to memory of 4072 3584 pjpjd.exe 85 PID 3584 wrote to memory of 4072 3584 pjpjd.exe 85 PID 4072 wrote to memory of 1620 4072 7jpjd.exe 86 PID 4072 wrote to memory of 1620 4072 7jpjd.exe 86 PID 4072 wrote to memory of 1620 4072 7jpjd.exe 86 PID 1620 wrote to memory of 224 1620 thnnnn.exe 87 PID 1620 wrote to memory of 224 1620 thnnnn.exe 87 PID 1620 wrote to memory of 224 1620 thnnnn.exe 87 PID 224 wrote to memory of 3024 224 dpvvp.exe 88 PID 224 wrote to memory of 3024 224 dpvvp.exe 88 PID 224 wrote to memory of 3024 224 dpvvp.exe 88 PID 3024 wrote to memory of 232 3024 pjddv.exe 89 PID 3024 wrote to memory of 232 3024 pjddv.exe 89 PID 3024 wrote to memory of 232 3024 pjddv.exe 89 PID 232 wrote to memory of 3952 232 rfrxxxx.exe 90 PID 232 wrote to memory of 3952 232 rfrxxxx.exe 90 PID 232 wrote to memory of 3952 232 rfrxxxx.exe 90 PID 3952 wrote to memory of 3428 3952 vvvpp.exe 91 PID 3952 wrote to memory of 3428 3952 vvvpp.exe 91 PID 3952 wrote to memory of 3428 3952 vvvpp.exe 91 PID 3428 wrote to memory of 4264 3428 fxffffl.exe 92 PID 3428 wrote to memory of 4264 3428 fxffffl.exe 92 PID 3428 wrote to memory of 4264 3428 fxffffl.exe 92 PID 4264 wrote to memory of 3800 4264 htbthn.exe 93 PID 4264 wrote to memory of 3800 4264 htbthn.exe 93 PID 4264 wrote to memory of 3800 4264 htbthn.exe 93 PID 3800 wrote to memory of 3704 3800 5ddvp.exe 94 PID 3800 wrote to memory of 3704 3800 5ddvp.exe 
94 PID 3800 wrote to memory of 3704 3800 5ddvp.exe 94 PID 3704 wrote to memory of 1636 3704 rrrrxxr.exe 95 PID 3704 wrote to memory of 1636 3704 rrrrxxr.exe 95 PID 3704 wrote to memory of 1636 3704 rrrrxxr.exe 95 PID 1636 wrote to memory of 4892 1636 9xfxxxr.exe 96 PID 1636 wrote to memory of 4892 1636 9xfxxxr.exe 96 PID 1636 wrote to memory of 4892 1636 9xfxxxr.exe 96 PID 4892 wrote to memory of 4936 4892 vpvpp.exe 97 PID 4892 wrote to memory of 4936 4892 vpvpp.exe 97 PID 4892 wrote to memory of 4936 4892 vpvpp.exe 97 PID 4936 wrote to memory of 1952 4936 rfllfff.exe 98 PID 4936 wrote to memory of 1952 4936 rfllfff.exe 98 PID 4936 wrote to memory of 1952 4936 rfllfff.exe 98 PID 1952 wrote to memory of 4472 1952 flffxrr.exe 99 PID 1952 wrote to memory of 4472 1952 flffxrr.exe 99 PID 1952 wrote to memory of 4472 1952 flffxrr.exe 99 PID 4472 wrote to memory of 2128 4472 jdjdj.exe 100 PID 4472 wrote to memory of 2128 4472 jdjdj.exe 100 PID 4472 wrote to memory of 2128 4472 jdjdj.exe 100 PID 2128 wrote to memory of 4492 2128 1frlxxl.exe 101 PID 2128 wrote to memory of 4492 2128 1frlxxl.exe 101 PID 2128 wrote to memory of 4492 2128 1frlxxl.exe 101 PID 4492 wrote to memory of 2124 4492 flrrlll.exe 102 PID 4492 wrote to memory of 2124 4492 flrrlll.exe 102 PID 4492 wrote to memory of 2124 4492 flrrlll.exe 102 PID 2124 wrote to memory of 2668 2124 nnnnhh.exe 103 PID 2124 wrote to memory of 2668 2124 nnnnhh.exe 103 PID 2124 wrote to memory of 2668 2124 nnnnhh.exe 103 PID 2668 wrote to memory of 1964 2668 dpppp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe"C:\Users\Admin\AppData\Local\Temp\5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\dddvp.exec:\dddvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\pjpjd.exec:\pjpjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\7jpjd.exec:\7jpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\thnnnn.exec:\thnnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\dpvvp.exec:\dpvvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\pjddv.exec:\pjddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\rfrxxxx.exec:\rfrxxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\vvvpp.exec:\vvvpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\fxffffl.exec:\fxffffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\htbthn.exec:\htbthn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\5ddvp.exec:\5ddvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
\??\c:\rrrrxxr.exec:\rrrrxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\9xfxxxr.exec:\9xfxxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\vpvpp.exec:\vpvpp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\rfllfff.exec:\rfllfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\flffxrr.exec:\flffxrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\jdjdj.exec:\jdjdj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\1frlxxl.exec:\1frlxxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\flrrlll.exec:\flrrlll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\nnnnhh.exec:\nnnnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\dpppp.exec:\dpppp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\xlrrlll.exec:\xlrrlll.exe23⤵
- Executes dropped EXE
PID:1964 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe24⤵
- Executes dropped EXE
PID:4400 -
\??\c:\jvdpp.exec:\jvdpp.exe25⤵
- Executes dropped EXE
PID:1728 -
\??\c:\3rxxxxx.exec:\3rxxxxx.exe26⤵
- Executes dropped EXE
PID:2052 -
\??\c:\3tnhnn.exec:\3tnhnn.exe27⤵
- Executes dropped EXE
PID:2620 -
\??\c:\jdjdv.exec:\jdjdv.exe28⤵
- Executes dropped EXE
PID:3664 -
\??\c:\flrrrrl.exec:\flrrrrl.exe29⤵
- Executes dropped EXE
PID:3744 -
\??\c:\xrrlxxx.exec:\xrrlxxx.exe30⤵
- Executes dropped EXE
PID:4984 -
\??\c:\5pvpp.exec:\5pvpp.exe31⤵
- Executes dropped EXE
PID:4508 -
\??\c:\fxxrlll.exec:\fxxrlll.exe32⤵
- Executes dropped EXE
PID:656 -
\??\c:\7nnnhn.exec:\7nnnhn.exe33⤵
- Executes dropped EXE
PID:3180 -
\??\c:\bbbhbh.exec:\bbbhbh.exe34⤵
- Executes dropped EXE
PID:3764 -
\??\c:\5vvvp.exec:\5vvvp.exe35⤵
- Executes dropped EXE
PID:436 -
\??\c:\9xxrllf.exec:\9xxrllf.exe36⤵
- Executes dropped EXE
PID:5108 -
\??\c:\htbtnh.exec:\htbtnh.exe37⤵
- Executes dropped EXE
PID:2704 -
\??\c:\jvjdj.exec:\jvjdj.exe38⤵
- Executes dropped EXE
PID:4948 -
\??\c:\rlxrlfx.exec:\rlxrlfx.exe39⤵
- Executes dropped EXE
PID:4940 -
\??\c:\bnnnnn.exec:\bnnnnn.exe40⤵
- Executes dropped EXE
PID:3100 -
\??\c:\7xxrlrl.exec:\7xxrlrl.exe41⤵
- Executes dropped EXE
PID:4960 -
\??\c:\rfxxrxr.exec:\rfxxrxr.exe42⤵
- Executes dropped EXE
PID:4340 -
\??\c:\nntbhh.exec:\nntbhh.exe43⤵
- Executes dropped EXE
PID:4676 -
\??\c:\ppdvv.exec:\ppdvv.exe44⤵
- Executes dropped EXE
PID:1352 -
\??\c:\lrxrllf.exec:\lrxrllf.exe45⤵
- Executes dropped EXE
PID:2976 -
\??\c:\bbbthh.exec:\bbbthh.exe46⤵
- Executes dropped EXE
PID:3068 -
\??\c:\jddvj.exec:\jddvj.exe47⤵
- Executes dropped EXE
PID:4172 -
\??\c:\rllfxxr.exec:\rllfxxr.exe48⤵
- Executes dropped EXE
PID:1620 -
\??\c:\rlrllff.exec:\rlrllff.exe49⤵
- Executes dropped EXE
PID:4728 -
\??\c:\1ntnhh.exec:\1ntnhh.exe50⤵
- Executes dropped EXE
PID:244 -
\??\c:\jpvvp.exec:\jpvvp.exe51⤵
- Executes dropped EXE
PID:3476 -
\??\c:\djvpj.exec:\djvpj.exe52⤵
- Executes dropped EXE
PID:2372 -
\??\c:\3xxrllf.exec:\3xxrllf.exe53⤵
- Executes dropped EXE
PID:3912 -
\??\c:\tnntnt.exec:\tnntnt.exe54⤵
- Executes dropped EXE
PID:1624 -
\??\c:\btbttn.exec:\btbttn.exe55⤵
- Executes dropped EXE
PID:4736 -
\??\c:\jdddv.exec:\jdddv.exe56⤵
- Executes dropped EXE
PID:3428 -
\??\c:\9xllrxf.exec:\9xllrxf.exe57⤵
- Executes dropped EXE
PID:4264 -
\??\c:\1nttnn.exec:\1nttnn.exe58⤵
- Executes dropped EXE
PID:2776 -
\??\c:\vdddv.exec:\vdddv.exe59⤵
- Executes dropped EXE
PID:3800 -
\??\c:\rrlfxxr.exec:\rrlfxxr.exe60⤵
- Executes dropped EXE
PID:4844 -
\??\c:\llffllr.exec:\llffllr.exe61⤵
- Executes dropped EXE
PID:2792 -
\??\c:\hhtnbb.exec:\hhtnbb.exe62⤵
- Executes dropped EXE
PID:704 -
\??\c:\jvdvp.exec:\jvdvp.exe63⤵
- Executes dropped EXE
PID:1160 -
\??\c:\lxxrlff.exec:\lxxrlff.exe64⤵
- Executes dropped EXE
PID:4160 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe65⤵
- Executes dropped EXE
PID:972 -
\??\c:\btnnbb.exec:\btnnbb.exe66⤵PID:2332
-
\??\c:\dvpvj.exec:\dvpvj.exe67⤵PID:1772
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe68⤵PID:4472
-
\??\c:\ntbnbt.exec:\ntbnbt.exe69⤵PID:4384
-
\??\c:\tnnnhb.exec:\tnnnhb.exe70⤵PID:392
-
\??\c:\xrxrllx.exec:\xrxrllx.exe71⤵PID:4720
-
\??\c:\5ththh.exec:\5ththh.exe72⤵PID:3424
-
\??\c:\jdvvd.exec:\jdvvd.exe73⤵PID:4256
-
\??\c:\xrrlxrl.exec:\xrrlxrl.exe74⤵PID:2412
-
\??\c:\frrllff.exec:\frrllff.exe75⤵PID:4104
-
\??\c:\1hhbtn.exec:\1hhbtn.exe76⤵PID:184
-
\??\c:\pjjdd.exec:\pjjdd.exe77⤵PID:4400
-
\??\c:\xfrfxrl.exec:\xfrfxrl.exe78⤵PID:1728
-
\??\c:\frxlfrl.exec:\frxlfrl.exe79⤵PID:4424
-
\??\c:\ttnhbn.exec:\ttnhbn.exe80⤵PID:452
-
\??\c:\dvvjd.exec:\dvvjd.exe81⤵PID:3664
-
\??\c:\lfrlxxx.exec:\lfrlxxx.exe82⤵PID:3052
-
\??\c:\rxfxllf.exec:\rxfxllf.exe83⤵PID:4456
-
\??\c:\tnnbbt.exec:\tnnbbt.exe84⤵PID:980
-
\??\c:\pjvpj.exec:\pjvpj.exe85⤵PID:1432
-
\??\c:\pvdvj.exec:\pvdvj.exe86⤵PID:1968
-
\??\c:\rlxxrfx.exec:\rlxxrfx.exe87⤵PID:656
-
\??\c:\lfrllll.exec:\lfrllll.exe88⤵PID:4772
-
\??\c:\7vdvd.exec:\7vdvd.exe89⤵
- System Location Discovery: System Language Discovery
PID:4468 -
\??\c:\dpvvp.exec:\dpvvp.exe90⤵PID:4688
-
\??\c:\lxfrrxr.exec:\lxfrrxr.exe91⤵PID:1732
-
\??\c:\bnbthh.exec:\bnbthh.exe92⤵PID:1740
-
\??\c:\5bnbth.exec:\5bnbth.exe93⤵PID:2404
-
\??\c:\vppjd.exec:\vppjd.exe94⤵PID:4620
-
\??\c:\flrfrrl.exec:\flrfrrl.exe95⤵PID:2208
-
\??\c:\hhthbn.exec:\hhthbn.exe96⤵PID:3456
-
\??\c:\dddjd.exec:\dddjd.exe97⤵PID:4356
-
\??\c:\rlrlflf.exec:\rlrlflf.exe98⤵PID:4340
-
\??\c:\nhhtnn.exec:\nhhtnn.exe99⤵PID:4676
-
\??\c:\nnthbt.exec:\nnthbt.exe100⤵PID:3856
-
\??\c:\9vvpp.exec:\9vvpp.exe101⤵PID:4652
-
\??\c:\xxrxxxr.exec:\xxrxxxr.exe102⤵PID:3932
-
\??\c:\hthbbt.exec:\hthbbt.exe103⤵PID:3528
-
\??\c:\dpvpp.exec:\dpvpp.exe104⤵PID:4764
-
\??\c:\frrlffx.exec:\frrlffx.exe105⤵PID:1864
-
\??\c:\1bbnhb.exec:\1bbnhb.exe106⤵PID:2104
-
\??\c:\hbnbtb.exec:\hbnbtb.exe107⤵PID:3024
-
\??\c:\lxlxrxr.exec:\lxlxrxr.exe108⤵PID:3508
-
\??\c:\rlllffx.exec:\rlllffx.exe109⤵PID:232
-
\??\c:\bnbhhh.exec:\bnbhhh.exe110⤵PID:3700
-
\??\c:\pjvdv.exec:\pjvdv.exe111⤵PID:5072
-
\??\c:\xflfffx.exec:\xflfffx.exe112⤵PID:1484
-
\??\c:\bthbtn.exec:\bthbtn.exe113⤵PID:3340
-
\??\c:\nhhbnn.exec:\nhhbnn.exe114⤵PID:2688
-
\??\c:\vpdvj.exec:\vpdvj.exe115⤵PID:4368
-
\??\c:\frxfxrr.exec:\frxfxrr.exe116⤵PID:4464
-
\??\c:\httnnn.exec:\httnnn.exe117⤵PID:3116
-
\??\c:\nhbtnn.exec:\nhbtnn.exe118⤵PID:3032
-
\??\c:\pppjd.exec:\pppjd.exe119⤵PID:520
-
\??\c:\rllrfxr.exec:\rllrfxr.exe120⤵PID:2244
-
\??\c:\htnhbt.exec:\htnhbt.exe121⤵PID:5092
-
\??\c:\dvdpj.exec:\dvdpj.exe122⤵PID:1760
-