Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe
-
Size
456KB
-
MD5
ce616d0e95f6bf127c2030a012fb9917
-
SHA1
bab75147e55fbe6770809b9649f6d7011b31425a
-
SHA256
53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c
-
SHA512
bc08ffd51ae34657d972edfc0287e7db058b66f58874b1275723721865c3f9ae990a3c3daa88012b76acf2d72bb5c55683f6fe4863dd3925749e94a59d23a96c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/5064-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5048-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3996-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-900-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-968-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-1033-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-1067-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-1137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-1374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-1486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4288 dpdvv.exe 180 frrrlrx.exe 2180 1xlllfr.exe 1984 jjpdp.exe 536 pvvjv.exe 2160 lrxxxff.exe 1176 tbtbnt.exe 232 hhbbnt.exe 2568 lrflxlf.exe 2740 hhnttb.exe 3376 ttbhhh.exe 4776 9vjdd.exe 1504 vpdjv.exe 3884 fxxxffl.exe 1240 9djjj.exe 2880 5nttth.exe 1640 xrxxxxx.exe 5012 vdddd.exe 1576 9rrrlrr.exe 2272 rrrfrxr.exe 3812 7ffffll.exe 1244 pvddd.exe 4180 rrxxxff.exe 1432 5pdpp.exe 5048 nntnnn.exe 904 vjdvv.exe 1180 hnbbbh.exe 1016 fxlllll.exe 4480 bnbbbh.exe 744 hbtnnt.exe 4296 1djjp.exe 1152 hhnnnt.exe 4380 lxxxxxf.exe 3712 xfxxllx.exe 4792 hhtttb.exe 4404 dpjjj.exe 1956 rrlfrxx.exe 2444 htbhht.exe 2384 pdvvv.exe 3220 5llfxxr.exe 3304 tnbhhn.exe 2324 vvdvv.exe 4752 rxxrrlx.exe 1224 xfffflf.exe 2680 bhnttb.exe 4328 vvjpv.exe 2744 rlrrlrr.exe 1796 9tbbbt.exe 4992 nbnhhh.exe 2400 jpvdj.exe 4052 xrxrrrr.exe 5080 rlxxxfx.exe 3520 nbnnht.exe 4352 dvddv.exe 4344 rlxrrrr.exe 3064 tntttt.exe 3596 vjvvv.exe 2672 jvddd.exe 704 lxllrxr.exe 2784 thtttb.exe 2008 dpvjd.exe 2576 fxxfffl.exe 536 flrlrrx.exe 4960 btnnbh.exe -
resource yara_rule behavioral2/memory/5064-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/904-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-341-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4436-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-900-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-968-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-1014-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-1033-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-1067-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxrrr.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5064 wrote to memory of 4288 5064 53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe 82 PID 5064 wrote to memory of 4288 5064 53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe 82 PID 5064 wrote to memory of 4288 5064 53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe 82 PID 4288 wrote to memory of 180 4288 dpdvv.exe 83 PID 4288 wrote to memory of 180 4288 dpdvv.exe 83 PID 4288 wrote to memory of 180 4288 dpdvv.exe 83 PID 180 wrote to memory of 2180 180 frrrlrx.exe 84 PID 180 wrote to memory of 2180 180 frrrlrx.exe 84 PID 180 wrote to memory of 2180 180 frrrlrx.exe 84 PID 2180 wrote to memory of 1984 2180 1xlllfr.exe 85 PID 2180 wrote to memory of 1984 2180 1xlllfr.exe 85 PID 2180 wrote to memory of 1984 2180 1xlllfr.exe 85 PID 1984 wrote to memory of 536 1984 jjpdp.exe 86 PID 1984 wrote to memory of 536 1984 jjpdp.exe 86 PID 1984 wrote to memory of 536 1984 jjpdp.exe 86 PID 536 wrote to memory of 2160 536 pvvjv.exe 87 PID 536 wrote to memory of 2160 536 pvvjv.exe 87 PID 536 wrote to memory of 2160 536 pvvjv.exe 87 PID 2160 wrote to memory of 1176 2160 lrxxxff.exe 88 PID 2160 wrote to memory of 1176 2160 lrxxxff.exe 88 PID 2160 wrote to memory of 1176 2160 lrxxxff.exe 88 PID 1176 wrote to memory of 232 1176 tbtbnt.exe 89 PID 1176 wrote to memory of 232 1176 tbtbnt.exe 89 PID 1176 wrote to memory of 232 1176 tbtbnt.exe 89 PID 232 wrote to memory of 2568 232 hhbbnt.exe 90 PID 232 wrote to memory of 2568 232 hhbbnt.exe 90 PID 232 wrote to memory of 2568 232 hhbbnt.exe 90 PID 2568 wrote to memory of 2740 2568 lrflxlf.exe 91 PID 2568 wrote to memory of 2740 2568 lrflxlf.exe 91 PID 2568 wrote to memory of 2740 2568 lrflxlf.exe 91 PID 2740 wrote to memory of 3376 2740 hhnttb.exe 92 PID 2740 wrote to memory of 3376 2740 hhnttb.exe 92 PID 2740 wrote to memory of 3376 2740 hhnttb.exe 92 PID 3376 wrote to memory of 4776 3376 ttbhhh.exe 93 PID 3376 wrote to memory of 4776 3376 
ttbhhh.exe 93 PID 3376 wrote to memory of 4776 3376 ttbhhh.exe 93 PID 4776 wrote to memory of 1504 4776 9vjdd.exe 94 PID 4776 wrote to memory of 1504 4776 9vjdd.exe 94 PID 4776 wrote to memory of 1504 4776 9vjdd.exe 94 PID 1504 wrote to memory of 3884 1504 vpdjv.exe 95 PID 1504 wrote to memory of 3884 1504 vpdjv.exe 95 PID 1504 wrote to memory of 3884 1504 vpdjv.exe 95 PID 3884 wrote to memory of 1240 3884 fxxxffl.exe 96 PID 3884 wrote to memory of 1240 3884 fxxxffl.exe 96 PID 3884 wrote to memory of 1240 3884 fxxxffl.exe 96 PID 1240 wrote to memory of 2880 1240 9djjj.exe 97 PID 1240 wrote to memory of 2880 1240 9djjj.exe 97 PID 1240 wrote to memory of 2880 1240 9djjj.exe 97 PID 2880 wrote to memory of 1640 2880 5nttth.exe 98 PID 2880 wrote to memory of 1640 2880 5nttth.exe 98 PID 2880 wrote to memory of 1640 2880 5nttth.exe 98 PID 1640 wrote to memory of 5012 1640 xrxxxxx.exe 99 PID 1640 wrote to memory of 5012 1640 xrxxxxx.exe 99 PID 1640 wrote to memory of 5012 1640 xrxxxxx.exe 99 PID 5012 wrote to memory of 1576 5012 vdddd.exe 100 PID 5012 wrote to memory of 1576 5012 vdddd.exe 100 PID 5012 wrote to memory of 1576 5012 vdddd.exe 100 PID 1576 wrote to memory of 2272 1576 9rrrlrr.exe 101 PID 1576 wrote to memory of 2272 1576 9rrrlrr.exe 101 PID 1576 wrote to memory of 2272 1576 9rrrlrr.exe 101 PID 2272 wrote to memory of 3812 2272 rrrfrxr.exe 102 PID 2272 wrote to memory of 3812 2272 rrrfrxr.exe 102 PID 2272 wrote to memory of 3812 2272 rrrfrxr.exe 102 PID 3812 wrote to memory of 1244 3812 7ffffll.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe"C:\Users\Admin\AppData\Local\Temp\53e3621d6bc2d03808f36a4a606b162a3d282f3b0aa6a0b9107eac19b65b499c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\dpdvv.exec:\dpdvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\frrrlrx.exec:\frrrlrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
\??\c:\1xlllfr.exec:\1xlllfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\jjpdp.exec:\jjpdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\pvvjv.exec:\pvvjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\lrxxxff.exec:\lrxxxff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\tbtbnt.exec:\tbtbnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\hhbbnt.exec:\hhbbnt.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\lrflxlf.exec:\lrflxlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\hhnttb.exec:\hhnttb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\ttbhhh.exec:\ttbhhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\9vjdd.exec:\9vjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\vpdjv.exec:\vpdjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\fxxxffl.exec:\fxxxffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\9djjj.exec:\9djjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\5nttth.exec:\5nttth.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\xrxxxxx.exec:\xrxxxxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\vdddd.exec:\vdddd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\9rrrlrr.exec:\9rrrlrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\rrrfrxr.exec:\rrrfrxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\7ffffll.exec:\7ffffll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\pvddd.exec:\pvddd.exe23⤵
- Executes dropped EXE
PID:1244 -
\??\c:\rrxxxff.exec:\rrxxxff.exe24⤵
- Executes dropped EXE
PID:4180 -
\??\c:\5pdpp.exec:\5pdpp.exe25⤵
- Executes dropped EXE
PID:1432 -
\??\c:\nntnnn.exec:\nntnnn.exe26⤵
- Executes dropped EXE
PID:5048 -
\??\c:\vjdvv.exec:\vjdvv.exe27⤵
- Executes dropped EXE
PID:904 -
\??\c:\hnbbbh.exec:\hnbbbh.exe28⤵
- Executes dropped EXE
PID:1180 -
\??\c:\fxlllll.exec:\fxlllll.exe29⤵
- Executes dropped EXE
PID:1016 -
\??\c:\bnbbbh.exec:\bnbbbh.exe30⤵
- Executes dropped EXE
PID:4480 -
\??\c:\hbtnnt.exec:\hbtnnt.exe31⤵
- Executes dropped EXE
PID:744 -
\??\c:\1djjp.exec:\1djjp.exe32⤵
- Executes dropped EXE
PID:4296 -
\??\c:\hhnnnt.exec:\hhnnnt.exe33⤵
- Executes dropped EXE
PID:1152 -
\??\c:\lxxxxxf.exec:\lxxxxxf.exe34⤵
- Executes dropped EXE
PID:4380 -
\??\c:\xfxxllx.exec:\xfxxllx.exe35⤵
- Executes dropped EXE
PID:3712 -
\??\c:\hhtttb.exec:\hhtttb.exe36⤵
- Executes dropped EXE
PID:4792 -
\??\c:\dpjjj.exec:\dpjjj.exe37⤵
- Executes dropped EXE
PID:4404 -
\??\c:\rrlfrxx.exec:\rrlfrxx.exe38⤵
- Executes dropped EXE
PID:1956 -
\??\c:\htbhht.exec:\htbhht.exe39⤵
- Executes dropped EXE
PID:2444 -
\??\c:\pdvvv.exec:\pdvvv.exe40⤵
- Executes dropped EXE
PID:2384 -
\??\c:\5llfxxr.exec:\5llfxxr.exe41⤵
- Executes dropped EXE
PID:3220 -
\??\c:\tnbhhn.exec:\tnbhhn.exe42⤵
- Executes dropped EXE
PID:3304 -
\??\c:\vvdvv.exec:\vvdvv.exe43⤵
- Executes dropped EXE
PID:2324 -
\??\c:\rxxrrlx.exec:\rxxrrlx.exe44⤵
- Executes dropped EXE
PID:4752 -
\??\c:\xfffflf.exec:\xfffflf.exe45⤵
- Executes dropped EXE
PID:1224 -
\??\c:\bhnttb.exec:\bhnttb.exe46⤵
- Executes dropped EXE
PID:2680 -
\??\c:\vvjpv.exec:\vvjpv.exe47⤵
- Executes dropped EXE
PID:4328 -
\??\c:\rlrrlrr.exec:\rlrrlrr.exe48⤵
- Executes dropped EXE
PID:2744 -
\??\c:\9tbbbt.exec:\9tbbbt.exe49⤵
- Executes dropped EXE
PID:1796 -
\??\c:\nbnhhh.exec:\nbnhhh.exe50⤵
- Executes dropped EXE
PID:4992 -
\??\c:\jpvdj.exec:\jpvdj.exe51⤵
- Executes dropped EXE
PID:2400 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe52⤵
- Executes dropped EXE
PID:4052 -
\??\c:\rlxxxfx.exec:\rlxxxfx.exe53⤵
- Executes dropped EXE
PID:5080 -
\??\c:\nbnnht.exec:\nbnnht.exe54⤵
- Executes dropped EXE
PID:3520 -
\??\c:\dvddv.exec:\dvddv.exe55⤵
- Executes dropped EXE
PID:4352 -
\??\c:\rlxrrrr.exec:\rlxrrrr.exe56⤵
- Executes dropped EXE
PID:4344 -
\??\c:\tntttt.exec:\tntttt.exe57⤵
- Executes dropped EXE
PID:3064 -
\??\c:\vjvvv.exec:\vjvvv.exe58⤵
- Executes dropped EXE
PID:3596 -
\??\c:\jvddd.exec:\jvddd.exe59⤵
- Executes dropped EXE
PID:2672 -
\??\c:\lxllrxr.exec:\lxllrxr.exe60⤵
- Executes dropped EXE
PID:704 -
\??\c:\thtttb.exec:\thtttb.exe61⤵
- Executes dropped EXE
PID:2784 -
\??\c:\dpvjd.exec:\dpvjd.exe62⤵
- Executes dropped EXE
PID:2008 -
\??\c:\fxxfffl.exec:\fxxfffl.exe63⤵
- Executes dropped EXE
PID:2576 -
\??\c:\flrlrrx.exec:\flrlrrx.exe64⤵
- Executes dropped EXE
PID:536 -
\??\c:\btnnbh.exec:\btnnbh.exe65⤵
- Executes dropped EXE
PID:4960 -
\??\c:\vpvdv.exec:\vpvdv.exe66⤵PID:2300
-
\??\c:\7rfxrxx.exec:\7rfxrxx.exe67⤵PID:1896
-
\??\c:\9htttt.exec:\9htttt.exe68⤵PID:2732
-
\??\c:\5tbbhn.exec:\5tbbhn.exe69⤵PID:4336
-
\??\c:\ddppd.exec:\ddppd.exe70⤵PID:4256
-
\??\c:\3xfxrxr.exec:\3xfxrxr.exe71⤵PID:3320
-
\??\c:\bbhbbb.exec:\bbhbbb.exe72⤵PID:3996
-
\??\c:\vpvpj.exec:\vpvpj.exe73⤵PID:2740
-
\??\c:\9rxllrr.exec:\9rxllrr.exe74⤵PID:2344
-
\??\c:\3tnnbh.exec:\3tnnbh.exe75⤵PID:1444
-
\??\c:\ddpvv.exec:\ddpvv.exe76⤵PID:4528
-
\??\c:\llrrllr.exec:\llrrllr.exe77⤵PID:1504
-
\??\c:\nnhhtn.exec:\nnhhtn.exe78⤵PID:4604
-
\??\c:\5dvpp.exec:\5dvpp.exe79⤵PID:516
-
\??\c:\3flllxx.exec:\3flllxx.exe80⤵PID:844
-
\??\c:\nntbbh.exec:\nntbbh.exe81⤵PID:1700
-
\??\c:\3dvvd.exec:\3dvvd.exe82⤵PID:8
-
\??\c:\lrlrrfl.exec:\lrlrrfl.exe83⤵PID:2232
-
\??\c:\lrxflrr.exec:\lrxflrr.exe84⤵PID:4872
-
\??\c:\bthnnt.exec:\bthnnt.exe85⤵PID:628
-
\??\c:\ddjjj.exec:\ddjjj.exe86⤵PID:1368
-
\??\c:\1xxxlff.exec:\1xxxlff.exe87⤵PID:4436
-
\??\c:\xrffffx.exec:\xrffffx.exe88⤵PID:1592
-
\??\c:\1tbbtb.exec:\1tbbtb.exe89⤵PID:2860
-
\??\c:\ddjjp.exec:\ddjjp.exe90⤵PID:4472
-
\??\c:\ttbhbb.exec:\ttbhbb.exe91⤵PID:1432
-
\??\c:\hbhbnn.exec:\hbhbnn.exe92⤵PID:4620
-
\??\c:\pppjd.exec:\pppjd.exe93⤵PID:916
-
\??\c:\frrlfxl.exec:\frrlfxl.exe94⤵PID:4860
-
\??\c:\fllfrrx.exec:\fllfrrx.exe95⤵PID:2656
-
\??\c:\nhnntt.exec:\nhnntt.exe96⤵PID:1364
-
\??\c:\vppjv.exec:\vppjv.exe97⤵PID:4244
-
\??\c:\lfrrrff.exec:\lfrrrff.exe98⤵PID:4480
-
\??\c:\rrfxxxx.exec:\rrfxxxx.exe99⤵PID:1056
-
\??\c:\btnnhh.exec:\btnnhh.exe100⤵PID:1744
-
\??\c:\3jppj.exec:\3jppj.exe101⤵PID:5016
-
\??\c:\9fllllf.exec:\9fllllf.exe102⤵PID:3940
-
\??\c:\nntnbt.exec:\nntnbt.exe103⤵PID:4360
-
\??\c:\tnhbtt.exec:\tnhbtt.exe104⤵PID:3712
-
\??\c:\vdpjd.exec:\vdpjd.exe105⤵PID:4792
-
\??\c:\5frrrrr.exec:\5frrrrr.exe106⤵PID:4588
-
\??\c:\tbhbbb.exec:\tbhbbb.exe107⤵PID:3920
-
\??\c:\hbbtth.exec:\hbbtth.exe108⤵PID:2384
-
\??\c:\djvpj.exec:\djvpj.exe109⤵PID:2200
-
\??\c:\rlrllll.exec:\rlrllll.exe110⤵
- System Location Discovery: System Language Discovery
PID:3276 -
\??\c:\9bhnhb.exec:\9bhnhb.exe111⤵PID:2844
-
\??\c:\ttbnhh.exec:\ttbnhh.exe112⤵PID:4844
-
\??\c:\dpdpj.exec:\dpdpj.exe113⤵PID:936
-
\??\c:\lffxrrl.exec:\lffxrrl.exe114⤵PID:3056
-
\??\c:\xxrfxrf.exec:\xxrfxrf.exe115⤵PID:2400
-
\??\c:\tbbbbt.exec:\tbbbbt.exe116⤵PID:1004
-
\??\c:\jdjdv.exec:\jdjdv.exe117⤵PID:4452
-
\??\c:\lfffxff.exec:\lfffxff.exe118⤵PID:4352
-
\??\c:\tbhhtt.exec:\tbhhtt.exe119⤵PID:2644
-
\??\c:\7vdvv.exec:\7vdvv.exe120⤵PID:4920
-
\??\c:\lfxxrxx.exec:\lfxxrxx.exe121⤵PID:3840
-
\??\c:\tntnht.exec:\tntnht.exe122⤵PID:3184