Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe
-
Size
454KB
-
MD5
39f67547e416866cb7e717fb5a368e83
-
SHA1
7dc92774d1b7736d20f8f69f2061d30aaa8515d3
-
SHA256
581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b
-
SHA512
5eaf981ba02e66cccc6e72c53e83845dec39effd77bd4c50c7e1b3f763bc79abb3e8eb360102dc44c5969d64c3eba24594f55016e54fe4c5a1d8a2f997c06a08
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5080-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2340-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1356-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-866-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-1011-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-1165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-1280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4904-1666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4356 djppj.exe 3196 rrfxrfr.exe 5048 lrxfxxr.exe 1928 nnhbnn.exe 4348 ddpjd.exe 1044 lffxrrl.exe 1680 lxrllff.exe 1996 btnhbt.exe 3688 1pdvj.exe 1020 rflfxxr.exe 2272 3flfxxx.exe 4068 btnhnh.exe 2076 vjddv.exe 1612 7xrfffx.exe 208 rxfrfxr.exe 4928 tnbbtt.exe 4440 vpvpj.exe 3624 xxxrrll.exe 3068 rfrlfxr.exe 4232 nhhbbb.exe 856 jjpdv.exe 544 rflffxx.exe 2828 rfrrfxx.exe 4700 bntnnn.exe 3908 5dppj.exe 1360 ffrllfl.exe 1712 1ttnhh.exe 2340 5bthbn.exe 2584 pdvpj.exe 2912 ffrllff.exe 4852 tnnhtt.exe 4444 dpvpj.exe 3160 djpjd.exe 1232 xxlflxx.exe 964 3hnhnn.exe 3492 btttnn.exe 4776 jppjj.exe 4036 9rrlfll.exe 100 lfrrrrr.exe 4268 3ttnnn.exe 4580 ppvpp.exe 4916 jdvjp.exe 1564 lxfxffx.exe 4680 hbhbtn.exe 2928 thtnnn.exe 4312 5pjpj.exe 5080 xxxxrrr.exe 4000 rrrlffx.exe 3104 btbtnh.exe 368 vjpjj.exe 4216 xrrrxrx.exe 3724 rlfflrf.exe 1892 hhhntn.exe 4064 pjjvp.exe 4128 frxrlfx.exe 1996 bthntt.exe 1632 pjpjj.exe 1984 vjdjv.exe 2272 rxfxllx.exe 4736 hhthbt.exe 2076 vvdvp.exe 2980 pjjvp.exe 208 5lrrllf.exe 4072 9btnbb.exe -
resource yara_rule behavioral2/memory/5080-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1360-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1960-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-866-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxflrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfffff.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbttn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5080 wrote to memory of 4356 5080 581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe 83 PID 5080 wrote to memory of 4356 5080 581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe 83 PID 5080 wrote to memory of 4356 5080 581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe 83 PID 4356 wrote to memory of 3196 4356 djppj.exe 84 PID 4356 wrote to memory of 3196 4356 djppj.exe 84 PID 4356 wrote to memory of 3196 4356 djppj.exe 84 PID 3196 wrote to memory of 5048 3196 rrfxrfr.exe 85 PID 3196 wrote to memory of 5048 3196 rrfxrfr.exe 85 PID 3196 wrote to memory of 5048 3196 rrfxrfr.exe 85 PID 5048 wrote to memory of 1928 5048 lrxfxxr.exe 86 PID 5048 wrote to memory of 1928 5048 lrxfxxr.exe 86 PID 5048 wrote to memory of 1928 5048 lrxfxxr.exe 86 PID 1928 wrote to memory of 4348 1928 nnhbnn.exe 87 PID 1928 wrote to memory of 4348 1928 nnhbnn.exe 87 PID 1928 wrote to memory of 4348 1928 nnhbnn.exe 87 PID 4348 wrote to memory of 1044 4348 ddpjd.exe 88 PID 4348 wrote to memory of 1044 4348 ddpjd.exe 88 PID 4348 wrote to memory of 1044 4348 ddpjd.exe 88 PID 1044 wrote to memory of 1680 1044 lffxrrl.exe 89 PID 1044 wrote to memory of 1680 1044 lffxrrl.exe 89 PID 1044 wrote to memory of 1680 1044 lffxrrl.exe 89 PID 1680 wrote to memory of 1996 1680 lxrllff.exe 90 PID 1680 wrote to memory of 1996 1680 lxrllff.exe 90 PID 1680 wrote to memory of 1996 1680 lxrllff.exe 90 PID 1996 wrote to memory of 3688 1996 btnhbt.exe 91 PID 1996 wrote to memory of 3688 1996 btnhbt.exe 91 PID 1996 wrote to memory of 3688 1996 btnhbt.exe 91 PID 3688 wrote to memory of 1020 3688 1pdvj.exe 92 PID 3688 wrote to memory of 1020 3688 1pdvj.exe 92 PID 3688 wrote to memory of 1020 3688 1pdvj.exe 92 PID 1020 wrote to memory of 2272 1020 rflfxxr.exe 93 PID 1020 wrote to memory of 2272 1020 rflfxxr.exe 93 PID 1020 wrote to memory of 2272 1020 rflfxxr.exe 93 PID 2272 wrote to memory of 4068 2272 3flfxxx.exe 94 PID 2272 
wrote to memory of 4068 2272 3flfxxx.exe 94 PID 2272 wrote to memory of 4068 2272 3flfxxx.exe 94 PID 4068 wrote to memory of 2076 4068 btnhnh.exe 143 PID 4068 wrote to memory of 2076 4068 btnhnh.exe 143 PID 4068 wrote to memory of 2076 4068 btnhnh.exe 143 PID 2076 wrote to memory of 1612 2076 vjddv.exe 96 PID 2076 wrote to memory of 1612 2076 vjddv.exe 96 PID 2076 wrote to memory of 1612 2076 vjddv.exe 96 PID 1612 wrote to memory of 208 1612 7xrfffx.exe 97 PID 1612 wrote to memory of 208 1612 7xrfffx.exe 97 PID 1612 wrote to memory of 208 1612 7xrfffx.exe 97 PID 208 wrote to memory of 4928 208 rxfrfxr.exe 98 PID 208 wrote to memory of 4928 208 rxfrfxr.exe 98 PID 208 wrote to memory of 4928 208 rxfrfxr.exe 98 PID 4928 wrote to memory of 4440 4928 tnbbtt.exe 99 PID 4928 wrote to memory of 4440 4928 tnbbtt.exe 99 PID 4928 wrote to memory of 4440 4928 tnbbtt.exe 99 PID 4440 wrote to memory of 3624 4440 vpvpj.exe 100 PID 4440 wrote to memory of 3624 4440 vpvpj.exe 100 PID 4440 wrote to memory of 3624 4440 vpvpj.exe 100 PID 3624 wrote to memory of 3068 3624 xxxrrll.exe 101 PID 3624 wrote to memory of 3068 3624 xxxrrll.exe 101 PID 3624 wrote to memory of 3068 3624 xxxrrll.exe 101 PID 3068 wrote to memory of 4232 3068 rfrlfxr.exe 102 PID 3068 wrote to memory of 4232 3068 rfrlfxr.exe 102 PID 3068 wrote to memory of 4232 3068 rfrlfxr.exe 102 PID 4232 wrote to memory of 856 4232 nhhbbb.exe 103 PID 4232 wrote to memory of 856 4232 nhhbbb.exe 103 PID 4232 wrote to memory of 856 4232 nhhbbb.exe 103 PID 856 wrote to memory of 544 856 jjpdv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe"C:\Users\Admin\AppData\Local\Temp\581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\djppj.exec:\djppj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\rrfxrfr.exec:\rrfxrfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
\??\c:\lrxfxxr.exec:\lrxfxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\nnhbnn.exec:\nnhbnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\ddpjd.exec:\ddpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\lffxrrl.exec:\lffxrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\lxrllff.exec:\lxrllff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\btnhbt.exec:\btnhbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\1pdvj.exec:\1pdvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\rflfxxr.exec:\rflfxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\3flfxxx.exec:\3flfxxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\btnhnh.exec:\btnhnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\vjddv.exec:\vjddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\7xrfffx.exec:\7xrfffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\rxfrfxr.exec:\rxfrfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\tnbbtt.exec:\tnbbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\vpvpj.exec:\vpvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\xxxrrll.exec:\xxxrrll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\rfrlfxr.exec:\rfrlfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\nhhbbb.exec:\nhhbbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\jjpdv.exec:\jjpdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\rflffxx.exec:\rflffxx.exe23⤵
- Executes dropped EXE
PID:544 -
\??\c:\rfrrfxx.exec:\rfrrfxx.exe24⤵
- Executes dropped EXE
PID:2828 -
\??\c:\bntnnn.exec:\bntnnn.exe25⤵
- Executes dropped EXE
PID:4700 -
\??\c:\5dppj.exec:\5dppj.exe26⤵
- Executes dropped EXE
PID:3908 -
\??\c:\ffrllfl.exec:\ffrllfl.exe27⤵
- Executes dropped EXE
PID:1360 -
\??\c:\1ttnhh.exec:\1ttnhh.exe28⤵
- Executes dropped EXE
PID:1712 -
\??\c:\5bthbn.exec:\5bthbn.exe29⤵
- Executes dropped EXE
PID:2340 -
\??\c:\pdvpj.exec:\pdvpj.exe30⤵
- Executes dropped EXE
PID:2584 -
\??\c:\ffrllff.exec:\ffrllff.exe31⤵
- Executes dropped EXE
PID:2912 -
\??\c:\tnnhtt.exec:\tnnhtt.exe32⤵
- Executes dropped EXE
PID:4852 -
\??\c:\dpvpj.exec:\dpvpj.exe33⤵
- Executes dropped EXE
PID:4444 -
\??\c:\djpjd.exec:\djpjd.exe34⤵
- Executes dropped EXE
PID:3160 -
\??\c:\xxlflxx.exec:\xxlflxx.exe35⤵
- Executes dropped EXE
PID:1232 -
\??\c:\3hnhnn.exec:\3hnhnn.exe36⤵
- Executes dropped EXE
PID:964 -
\??\c:\btttnn.exec:\btttnn.exe37⤵
- Executes dropped EXE
PID:3492 -
\??\c:\jppjj.exec:\jppjj.exe38⤵
- Executes dropped EXE
PID:4776 -
\??\c:\9rrlfll.exec:\9rrlfll.exe39⤵
- Executes dropped EXE
PID:4036 -
\??\c:\lfrrrrr.exec:\lfrrrrr.exe40⤵
- Executes dropped EXE
PID:100 -
\??\c:\3ttnnn.exec:\3ttnnn.exe41⤵
- Executes dropped EXE
PID:4268 -
\??\c:\ppvpp.exec:\ppvpp.exe42⤵
- Executes dropped EXE
PID:4580 -
\??\c:\jdvjp.exec:\jdvjp.exe43⤵
- Executes dropped EXE
PID:4916 -
\??\c:\lxfxffx.exec:\lxfxffx.exe44⤵
- Executes dropped EXE
PID:1564 -
\??\c:\hbhbtn.exec:\hbhbtn.exe45⤵
- Executes dropped EXE
PID:4680 -
\??\c:\thtnnn.exec:\thtnnn.exe46⤵
- Executes dropped EXE
PID:2928 -
\??\c:\5pjpj.exec:\5pjpj.exe47⤵
- Executes dropped EXE
PID:4312 -
\??\c:\xxxxrrr.exec:\xxxxrrr.exe48⤵
- Executes dropped EXE
PID:5080 -
\??\c:\rrrlffx.exec:\rrrlffx.exe49⤵
- Executes dropped EXE
PID:4000 -
\??\c:\btbtnh.exec:\btbtnh.exe50⤵
- Executes dropped EXE
PID:3104 -
\??\c:\vjpjj.exec:\vjpjj.exe51⤵
- Executes dropped EXE
PID:368 -
\??\c:\xrrrxrx.exec:\xrrrxrx.exe52⤵
- Executes dropped EXE
PID:4216 -
\??\c:\rlfflrf.exec:\rlfflrf.exe53⤵
- Executes dropped EXE
PID:3724 -
\??\c:\hhhntn.exec:\hhhntn.exe54⤵
- Executes dropped EXE
PID:1892 -
\??\c:\pjjvp.exec:\pjjvp.exe55⤵
- Executes dropped EXE
PID:4064 -
\??\c:\frxrlfx.exec:\frxrlfx.exe56⤵
- Executes dropped EXE
PID:4128 -
\??\c:\bthntt.exec:\bthntt.exe57⤵
- Executes dropped EXE
PID:1996 -
\??\c:\pjpjj.exec:\pjpjj.exe58⤵
- Executes dropped EXE
PID:1632 -
\??\c:\vjdjv.exec:\vjdjv.exe59⤵
- Executes dropped EXE
PID:1984 -
\??\c:\rxfxllx.exec:\rxfxllx.exe60⤵
- Executes dropped EXE
PID:2272 -
\??\c:\hhthbt.exec:\hhthbt.exe61⤵
- Executes dropped EXE
PID:4736 -
\??\c:\vvdvp.exec:\vvdvp.exe62⤵
- Executes dropped EXE
PID:2076 -
\??\c:\pjjvp.exec:\pjjvp.exe63⤵
- Executes dropped EXE
PID:2980 -
\??\c:\5lrrllf.exec:\5lrrllf.exe64⤵
- Executes dropped EXE
PID:208 -
\??\c:\9btnbb.exec:\9btnbb.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4072 -
\??\c:\5dvvv.exec:\5dvvv.exe66⤵PID:4672
-
\??\c:\vvdvj.exec:\vvdvj.exe67⤵PID:4440
-
\??\c:\fxlffxr.exec:\fxlffxr.exe68⤵PID:708
-
\??\c:\9bbtnn.exec:\9bbtnn.exe69⤵PID:3068
-
\??\c:\vpddv.exec:\vpddv.exe70⤵PID:2092
-
\??\c:\jdjvp.exec:\jdjvp.exe71⤵PID:2164
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe72⤵PID:1356
-
\??\c:\5bbtnt.exec:\5bbtnt.exe73⤵PID:4468
-
\??\c:\vpjjd.exec:\vpjjd.exe74⤵PID:3908
-
\??\c:\xrrlxrl.exec:\xrrlxrl.exe75⤵PID:2712
-
\??\c:\nhttbb.exec:\nhttbb.exe76⤵PID:1716
-
\??\c:\7djdv.exec:\7djdv.exe77⤵PID:2624
-
\??\c:\9pjdv.exec:\9pjdv.exe78⤵PID:4840
-
\??\c:\lfrlrlr.exec:\lfrlrlr.exe79⤵PID:2932
-
\??\c:\nbnhhh.exec:\nbnhhh.exe80⤵PID:5020
-
\??\c:\ddpjp.exec:\ddpjp.exe81⤵PID:4288
-
\??\c:\lfrfrfr.exec:\lfrfrfr.exe82⤵PID:1860
-
\??\c:\fxlrxrf.exec:\fxlrxrf.exe83⤵PID:3048
-
\??\c:\hntbnn.exec:\hntbnn.exe84⤵PID:536
-
\??\c:\vvpjd.exec:\vvpjd.exe85⤵PID:4776
-
\??\c:\xfrfrfr.exec:\xfrfrfr.exe86⤵PID:4036
-
\??\c:\nnnhnn.exec:\nnnhnn.exe87⤵PID:3060
-
\??\c:\htnhhb.exec:\htnhhb.exe88⤵PID:3188
-
\??\c:\lxxlxxl.exec:\lxxlxxl.exe89⤵PID:3088
-
\??\c:\nthhbb.exec:\nthhbb.exe90⤵PID:1960
-
\??\c:\hbntnb.exec:\hbntnb.exe91⤵PID:3496
-
\??\c:\lflflff.exec:\lflflff.exe92⤵PID:4316
-
\??\c:\xxxrrlf.exec:\xxxrrlf.exe93⤵PID:4356
-
\??\c:\hnhhnb.exec:\hnhhnb.exe94⤵PID:4800
-
\??\c:\pvddd.exec:\pvddd.exe95⤵PID:4860
-
\??\c:\5fxxrrr.exec:\5fxxrrr.exe96⤵PID:2944
-
\??\c:\xxxxrlf.exec:\xxxxrlf.exe97⤵PID:4464
-
\??\c:\1httnn.exec:\1httnn.exe98⤵PID:368
-
\??\c:\jjppp.exec:\jjppp.exe99⤵PID:2008
-
\??\c:\nhbtnh.exec:\nhbtnh.exe100⤵PID:4976
-
\??\c:\3djdd.exec:\3djdd.exe101⤵PID:3544
-
\??\c:\frxxrrr.exec:\frxxrrr.exe102⤵PID:1892
-
\??\c:\nthnhn.exec:\nthnhn.exe103⤵PID:1012
-
\??\c:\9vvpp.exec:\9vvpp.exe104⤵PID:676
-
\??\c:\rrllffr.exec:\rrllffr.exe105⤵
- System Location Discovery: System Language Discovery
PID:3720 -
\??\c:\nntthb.exec:\nntthb.exe106⤵PID:3200
-
\??\c:\xrlllxx.exec:\xrlllxx.exe107⤵PID:4068
-
\??\c:\xffxrlf.exec:\xffxrlf.exe108⤵PID:2664
-
\??\c:\dvpjd.exec:\dvpjd.exe109⤵PID:2272
-
\??\c:\xxrrffx.exec:\xxrrffx.exe110⤵PID:1156
-
\??\c:\nhhtnh.exec:\nhhtnh.exe111⤵PID:2044
-
\??\c:\xrxxxxf.exec:\xrxxxxf.exe112⤵PID:1020
-
\??\c:\pjjdv.exec:\pjjdv.exe113⤵PID:3700
-
\??\c:\rrffxxr.exec:\rrffxxr.exe114⤵PID:2312
-
\??\c:\vdppj.exec:\vdppj.exe115⤵PID:3992
-
\??\c:\lxlfxxf.exec:\lxlfxxf.exe116⤵
- System Location Discovery: System Language Discovery
PID:2024 -
\??\c:\pjppp.exec:\pjppp.exe117⤵PID:384
-
\??\c:\xxfxlll.exec:\xxfxlll.exe118⤵PID:4440
-
\??\c:\9hhbnn.exec:\9hhbnn.exe119⤵PID:1460
-
\??\c:\pjddd.exec:\pjddd.exe120⤵PID:4524
-
\??\c:\1hnhbb.exec:\1hnhbb.exe121⤵PID:508
-
\??\c:\dvvpj.exec:\dvvpj.exe122⤵PID:4548