Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:23
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe
Resource
win7-20241010-en
7 signatures
120 seconds
Note: the signature detail below is tagged behavioral2, i.e. the windows10-2004_x64 / win10v2004-20241007-en run listed under Analysis; results of the behavioral1 task on win7-20241010-en are not included in this excerpt.
General
-
Target
672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe
-
Size
454KB
-
MD5
75aa1d13efe8ce777c478382731b8c5f
-
SHA1
8d7bf8d1a58dcb7af52d27ec1b1464148130efe2
-
SHA256
672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58
-
SHA512
5230fa37af838d002b7471a5443b8a12bcd1c573f98e28f4a3983017498aa42468bf3a14f4955822445faa6d274ab4b1ac98514397e7758779ac35413aa31c59
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeG:q7Tc2NYHUrAwfMp3CDG
Malware Config (none shown in this excerpt)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (listing capped at 64). Every hit is a family_blackmoon YARA match on a memory dump (…-memory.dmp) of the 0x0000000000400000–0x000000000042A000 image range of a dropped process, not on the file on disk; the same range is also matched by the upx rule below.
resource yara_rule behavioral2/memory/4856-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/412-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1856-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-899-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-1074-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2600-1228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (listing capped at 64 entries; the process tree below continues to level 122, so this table covers only the first part of the chain).
pid Process 4088 pjdvv.exe 904 jvdvd.exe 2424 9fffllf.exe 5060 frxrlfx.exe 4904 7ntthb.exe 2680 lrlxxxr.exe 5028 bbbtht.exe 3396 1ffrllx.exe 2924 vdjdv.exe 1576 hnhbnh.exe 1568 fxlxrlf.exe 808 rlfxfrl.exe 4104 7nhhbt.exe 4440 pvvpd.exe 3652 xfrrlfx.exe 1616 nnbntt.exe 4548 7jpjp.exe 4436 lxrxlrl.exe 3464 9tnhtn.exe 2120 1vdpd.exe 412 1vpjp.exe 1000 7lxrfxr.exe 3664 pjvpj.exe 60 lllfllx.exe 1516 nnbnbn.exe 3744 hbhttb.exe 3900 jvvpd.exe 3988 rxrfxrf.exe 4760 tbhbnh.exe 4196 7vvjd.exe 2776 1xlrrfl.exe 3976 ttbnbt.exe 3204 jvjvd.exe 712 lxxrlll.exe 2844 7pvjd.exe 4588 flxlrfl.exe 964 ddjpv.exe 2136 3lrlrlr.exe 952 hbhtth.exe 1424 jvvpp.exe 2948 5ffxxxf.exe 2788 1xxrlff.exe 1892 hhbnth.exe 4656 vppjv.exe 2744 1flfrrf.exe 1840 9lfrlfr.exe 1632 1hhbtt.exe 1932 vjjdj.exe 3736 lxxrfxr.exe 1848 1hbthb.exe 4576 1vpjd.exe 1484 pjjpj.exe 2108 rlxlxrl.exe 1796 tnbbbt.exe 2620 jvjjj.exe 2224 9ppdv.exe 3704 flxlxlx.exe 5060 bbhbhb.exe 1856 jjjjd.exe 4904 vdvpd.exe 3888 lfxlfrf.exe 1808 ttbbtn.exe 944 bnnhtn.exe 1564 vpdpv.exe -
Matches for the upx YARA rule, 64 IoCs (signature heading missing from this excerpt; same 0x400000–0x42A000 memory range as the Blackmoon hits):
resource yara_rule behavioral2/memory/4856-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-128-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2120-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-293-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/944-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-526-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Caveat: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also routine for benign software (locale lookups), so on its own this is a weak indicator. Most entries below are attributed to "Process not Found", which appears to mean the sandbox could no longer resolve the PID to a process name (most likely it had already exited) when the event was recorded, so the per-process attribution here is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxlrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbbt.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrllxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (listing capped at 64 entries; each parent is recorded three times per child it starts, and the table only reaches the PID 412 → 1000 step, procid_target 105, while the chain below continues much further).
description pid Process procid_target PID 4856 wrote to memory of 4088 4856 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 84 PID 4856 wrote to memory of 4088 4856 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 84 PID 4856 wrote to memory of 4088 4856 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 84 PID 4088 wrote to memory of 904 4088 pjdvv.exe 85 PID 4088 wrote to memory of 904 4088 pjdvv.exe 85 PID 4088 wrote to memory of 904 4088 pjdvv.exe 85 PID 904 wrote to memory of 2424 904 jvdvd.exe 86 PID 904 wrote to memory of 2424 904 jvdvd.exe 86 PID 904 wrote to memory of 2424 904 jvdvd.exe 86 PID 2424 wrote to memory of 5060 2424 9fffllf.exe 87 PID 2424 wrote to memory of 5060 2424 9fffllf.exe 87 PID 2424 wrote to memory of 5060 2424 9fffllf.exe 87 PID 5060 wrote to memory of 4904 5060 frxrlfx.exe 88 PID 5060 wrote to memory of 4904 5060 frxrlfx.exe 88 PID 5060 wrote to memory of 4904 5060 frxrlfx.exe 88 PID 4904 wrote to memory of 2680 4904 7ntthb.exe 89 PID 4904 wrote to memory of 2680 4904 7ntthb.exe 89 PID 4904 wrote to memory of 2680 4904 7ntthb.exe 89 PID 2680 wrote to memory of 5028 2680 lrlxxxr.exe 90 PID 2680 wrote to memory of 5028 2680 lrlxxxr.exe 90 PID 2680 wrote to memory of 5028 2680 lrlxxxr.exe 90 PID 5028 wrote to memory of 3396 5028 bbbtht.exe 91 PID 5028 wrote to memory of 3396 5028 bbbtht.exe 91 PID 5028 wrote to memory of 3396 5028 bbbtht.exe 91 PID 3396 wrote to memory of 2924 3396 1ffrllx.exe 92 PID 3396 wrote to memory of 2924 3396 1ffrllx.exe 92 PID 3396 wrote to memory of 2924 3396 1ffrllx.exe 92 PID 2924 wrote to memory of 1576 2924 vdjdv.exe 93 PID 2924 wrote to memory of 1576 2924 vdjdv.exe 93 PID 2924 wrote to memory of 1576 2924 vdjdv.exe 93 PID 1576 wrote to memory of 1568 1576 hnhbnh.exe 94 PID 1576 wrote to memory of 1568 1576 hnhbnh.exe 94 PID 1576 wrote to memory of 1568 1576 hnhbnh.exe 94 PID 1568 wrote to memory of 808 1568 fxlxrlf.exe 95 PID 1568 wrote to memory 
of 808 1568 fxlxrlf.exe 95 PID 1568 wrote to memory of 808 1568 fxlxrlf.exe 95 PID 808 wrote to memory of 4104 808 rlfxfrl.exe 96 PID 808 wrote to memory of 4104 808 rlfxfrl.exe 96 PID 808 wrote to memory of 4104 808 rlfxfrl.exe 96 PID 4104 wrote to memory of 4440 4104 7nhhbt.exe 97 PID 4104 wrote to memory of 4440 4104 7nhhbt.exe 97 PID 4104 wrote to memory of 4440 4104 7nhhbt.exe 97 PID 4440 wrote to memory of 3652 4440 pvvpd.exe 98 PID 4440 wrote to memory of 3652 4440 pvvpd.exe 98 PID 4440 wrote to memory of 3652 4440 pvvpd.exe 98 PID 3652 wrote to memory of 1616 3652 xfrrlfx.exe 99 PID 3652 wrote to memory of 1616 3652 xfrrlfx.exe 99 PID 3652 wrote to memory of 1616 3652 xfrrlfx.exe 99 PID 1616 wrote to memory of 4548 1616 nnbntt.exe 100 PID 1616 wrote to memory of 4548 1616 nnbntt.exe 100 PID 1616 wrote to memory of 4548 1616 nnbntt.exe 100 PID 4548 wrote to memory of 4436 4548 7jpjp.exe 101 PID 4548 wrote to memory of 4436 4548 7jpjp.exe 101 PID 4548 wrote to memory of 4436 4548 7jpjp.exe 101 PID 4436 wrote to memory of 3464 4436 lxrxlrl.exe 102 PID 4436 wrote to memory of 3464 4436 lxrxlrl.exe 102 PID 4436 wrote to memory of 3464 4436 lxrxlrl.exe 102 PID 3464 wrote to memory of 2120 3464 9tnhtn.exe 103 PID 3464 wrote to memory of 2120 3464 9tnhtn.exe 103 PID 3464 wrote to memory of 2120 3464 9tnhtn.exe 103 PID 2120 wrote to memory of 412 2120 1vdpd.exe 104 PID 2120 wrote to memory of 412 2120 1vdpd.exe 104 PID 2120 wrote to memory of 412 2120 1vdpd.exe 104 PID 412 wrote to memory of 1000 412 1vpjp.exe 105
Processes (tree; each node shows image path, command line and nesting level, which the extraction has run together on one line). Every dropped EXE is written to the root of C:\ and spawns the next, down to level 122. PIDs are reused within the run, e.g. 5060 at levels 5 and 59 and 4904 at levels 6 and 61, so correlate the IoC tables above by process name and level rather than by PID alone.
-
C:\Users\Admin\AppData\Local\Temp\672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe
"C:\Users\Admin\AppData\Local\Temp\672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\pjdvv.exe
c:\pjdvv.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\jvdvd.exec:\jvdvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
\??\c:\9fffllf.exec:\9fffllf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\frxrlfx.exec:\frxrlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\7ntthb.exec:\7ntthb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\lrlxxxr.exec:\lrlxxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\bbbtht.exec:\bbbtht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\1ffrllx.exec:\1ffrllx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\vdjdv.exec:\vdjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\hnhbnh.exec:\hnhbnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\fxlxrlf.exec:\fxlxrlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\rlfxfrl.exec:\rlfxfrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\7nhhbt.exec:\7nhhbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\pvvpd.exec:\pvvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\xfrrlfx.exec:\xfrrlfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\nnbntt.exec:\nnbntt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\7jpjp.exec:\7jpjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\lxrxlrl.exec:\lxrxlrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\9tnhtn.exec:\9tnhtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\1vdpd.exec:\1vdpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\1vpjp.exec:\1vpjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\7lxrfxr.exec:\7lxrfxr.exe23⤵
- Executes dropped EXE
PID:1000 -
\??\c:\pjvpj.exec:\pjvpj.exe24⤵
- Executes dropped EXE
PID:3664 -
\??\c:\lllfllx.exec:\lllfllx.exe25⤵
- Executes dropped EXE
PID:60 -
\??\c:\nnbnbn.exec:\nnbnbn.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1516 -
\??\c:\hbhttb.exec:\hbhttb.exe27⤵
- Executes dropped EXE
PID:3744 -
\??\c:\jvvpd.exec:\jvvpd.exe28⤵
- Executes dropped EXE
PID:3900 -
\??\c:\rxrfxrf.exec:\rxrfxrf.exe29⤵
- Executes dropped EXE
PID:3988 -
\??\c:\tbhbnh.exec:\tbhbnh.exe30⤵
- Executes dropped EXE
PID:4760 -
\??\c:\7vvjd.exec:\7vvjd.exe31⤵
- Executes dropped EXE
PID:4196 -
\??\c:\1xlrrfl.exec:\1xlrrfl.exe32⤵
- Executes dropped EXE
PID:2776 -
\??\c:\ttbnbt.exec:\ttbnbt.exe33⤵
- Executes dropped EXE
PID:3976 -
\??\c:\jvjvd.exec:\jvjvd.exe34⤵
- Executes dropped EXE
PID:3204 -
\??\c:\lxxrlll.exec:\lxxrlll.exe35⤵
- Executes dropped EXE
PID:712 -
\??\c:\7pvjd.exec:\7pvjd.exe36⤵
- Executes dropped EXE
PID:2844 -
\??\c:\flxlrfl.exec:\flxlrfl.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4588 -
\??\c:\ddjpv.exec:\ddjpv.exe38⤵
- Executes dropped EXE
PID:964 -
\??\c:\3lrlrlr.exec:\3lrlrlr.exe39⤵
- Executes dropped EXE
PID:2136 -
\??\c:\hbhtth.exec:\hbhtth.exe40⤵
- Executes dropped EXE
PID:952 -
\??\c:\jvvpp.exec:\jvvpp.exe41⤵
- Executes dropped EXE
PID:1424 -
\??\c:\5ffxxxf.exec:\5ffxxxf.exe42⤵
- Executes dropped EXE
PID:2948 -
\??\c:\1xxrlff.exec:\1xxrlff.exe43⤵
- Executes dropped EXE
PID:2788 -
\??\c:\hhbnth.exec:\hhbnth.exe44⤵
- Executes dropped EXE
PID:1892 -
\??\c:\vppjv.exec:\vppjv.exe45⤵
- Executes dropped EXE
PID:4656 -
\??\c:\1flfrrf.exec:\1flfrrf.exe46⤵
- Executes dropped EXE
PID:2744 -
\??\c:\9lfrlfr.exec:\9lfrlfr.exe47⤵
- Executes dropped EXE
PID:1840 -
\??\c:\1hhbtt.exec:\1hhbtt.exe48⤵
- Executes dropped EXE
PID:1632 -
\??\c:\vjjdj.exec:\vjjdj.exe49⤵
- Executes dropped EXE
PID:1932 -
\??\c:\lxxrfxr.exec:\lxxrfxr.exe50⤵
- Executes dropped EXE
PID:3736 -
\??\c:\1hbthb.exec:\1hbthb.exe51⤵
- Executes dropped EXE
PID:1848 -
\??\c:\1vpjd.exec:\1vpjd.exe52⤵
- Executes dropped EXE
PID:4576 -
\??\c:\pjjpj.exec:\pjjpj.exe53⤵
- Executes dropped EXE
PID:1484 -
\??\c:\rlxlxrl.exec:\rlxlxrl.exe54⤵
- Executes dropped EXE
PID:2108 -
\??\c:\tnbbbt.exec:\tnbbbt.exe55⤵
- Executes dropped EXE
PID:1796 -
\??\c:\jvjjj.exec:\jvjjj.exe56⤵
- Executes dropped EXE
PID:2620 -
\??\c:\9ppdv.exec:\9ppdv.exe57⤵
- Executes dropped EXE
PID:2224 -
\??\c:\flxlxlx.exec:\flxlxlx.exe58⤵
- Executes dropped EXE
PID:3704 -
\??\c:\bbhbhb.exec:\bbhbhb.exe59⤵
- Executes dropped EXE
PID:5060 -
\??\c:\jjjjd.exec:\jjjjd.exe60⤵
- Executes dropped EXE
PID:1856 -
\??\c:\vdvpd.exec:\vdvpd.exe61⤵
- Executes dropped EXE
PID:4904 -
\??\c:\lfxlfrf.exec:\lfxlfrf.exe62⤵
- Executes dropped EXE
PID:3888 -
\??\c:\ttbbtn.exec:\ttbbtn.exe63⤵
- Executes dropped EXE
PID:1808 -
\??\c:\bnnhtn.exec:\bnnhtn.exe64⤵
- Executes dropped EXE
PID:944 -
\??\c:\vpdpv.exec:\vpdpv.exe65⤵
- Executes dropped EXE
PID:1564 -
\??\c:\frllfxr.exec:\frllfxr.exe66⤵PID:4316
-
\??\c:\htnbnb.exec:\htnbnb.exe67⤵PID:2924
-
\??\c:\dvpdp.exec:\dvpdp.exe68⤵PID:4768
-
\??\c:\1pdvp.exec:\1pdvp.exe69⤵PID:2356
-
\??\c:\rxxrrlf.exec:\rxxrrlf.exe70⤵PID:5064
-
\??\c:\bnnhbb.exec:\bnnhbb.exe71⤵PID:4892
-
\??\c:\vdpjp.exec:\vdpjp.exe72⤵PID:676
-
\??\c:\jpvjv.exec:\jpvjv.exe73⤵PID:1172
-
\??\c:\1rxflxf.exec:\1rxflxf.exe74⤵PID:912
-
\??\c:\5ttnbt.exec:\5ttnbt.exe75⤵PID:64
-
\??\c:\djpdp.exec:\djpdp.exe76⤵PID:3548
-
\??\c:\rxxxlfx.exec:\rxxxlfx.exe77⤵PID:3660
-
\??\c:\xflxxlx.exec:\xflxxlx.exe78⤵PID:2940
-
\??\c:\tnhhnt.exec:\tnhhnt.exe79⤵PID:2708
-
\??\c:\vjjdp.exec:\vjjdp.exe80⤵PID:4628
-
\??\c:\5lrfffx.exec:\5lrfffx.exe81⤵PID:412
-
\??\c:\hhbnbt.exec:\hhbnbt.exe82⤵PID:1664
-
\??\c:\5jjjj.exec:\5jjjj.exe83⤵PID:4344
-
\??\c:\rlxrffx.exec:\rlxrffx.exe84⤵PID:1500
-
\??\c:\thhtnh.exec:\thhtnh.exe85⤵PID:3084
-
\??\c:\tnnhbh.exec:\tnnhbh.exe86⤵PID:916
-
\??\c:\7pjvj.exec:\7pjvj.exe87⤵PID:3836
-
\??\c:\rrxlxrf.exec:\rrxlxrf.exe88⤵PID:3816
-
\??\c:\nnhttn.exec:\nnhttn.exe89⤵PID:720
-
\??\c:\nthttn.exec:\nthttn.exe90⤵PID:1768
-
\??\c:\jjpdv.exec:\jjpdv.exe91⤵PID:3308
-
\??\c:\rrrflfx.exec:\rrrflfx.exe92⤵PID:1160
-
\??\c:\bthbnh.exec:\bthbnh.exe93⤵PID:2348
-
\??\c:\hhhnbt.exec:\hhhnbt.exe94⤵PID:4716
-
\??\c:\jpvpp.exec:\jpvpp.exe95⤵PID:2320
-
\??\c:\xxfxxlx.exec:\xxfxxlx.exe96⤵PID:3728
-
\??\c:\bbbntn.exec:\bbbntn.exe97⤵PID:3528
-
\??\c:\jddpv.exec:\jddpv.exe98⤵PID:4472
-
\??\c:\rlfrfxl.exec:\rlfrfxl.exe99⤵PID:1760
-
\??\c:\rllfrrr.exec:\rllfrrr.exe100⤵PID:4912
-
\??\c:\bbhbtt.exec:\bbhbtt.exe101⤵PID:628
-
\??\c:\5ddvp.exec:\5ddvp.exe102⤵PID:1636
-
\??\c:\vjdpv.exec:\vjdpv.exe103⤵PID:964
-
\??\c:\rlfxlfx.exec:\rlfxlfx.exe104⤵PID:2136
-
\??\c:\thhnnb.exec:\thhnnb.exe105⤵PID:952
-
\??\c:\jjvpd.exec:\jjvpd.exe106⤵PID:3912
-
\??\c:\xlffrlx.exec:\xlffrlx.exe107⤵PID:4608
-
\??\c:\9nnnhh.exec:\9nnnhh.exe108⤵PID:4908
-
\??\c:\vpjjj.exec:\vpjjj.exe109⤵PID:692
-
\??\c:\vpvjd.exec:\vpvjd.exe110⤵PID:3076
-
\??\c:\lffxrfl.exec:\lffxrfl.exe111⤵PID:2612
-
\??\c:\hnhbtb.exec:\hnhbtb.exe112⤵PID:3120
-
\??\c:\dppdv.exec:\dppdv.exe113⤵PID:548
-
\??\c:\vpjdp.exec:\vpjdp.exe114⤵PID:1572
-
\??\c:\1rrfrrx.exec:\1rrfrrx.exe115⤵PID:5016
-
\??\c:\tttnbh.exec:\tttnbh.exe116⤵PID:3544
-
\??\c:\jdvjj.exec:\jdvjj.exe117⤵PID:1848
-
\??\c:\rfrfxrl.exec:\rfrfxrl.exe118⤵PID:4860
-
\??\c:\7btnbt.exec:\7btnbt.exe119⤵PID:4280
-
\??\c:\7ddpj.exec:\7ddpj.exe120⤵PID:1180
-
\??\c:\jdjdd.exec:\jdjdd.exe121⤵PID:2888
-
\??\c:\rrrlrfx.exec:\rrrlrfx.exe122⤵PID:856