Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
20-01-2025 09:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7621f22429ebf567eed13b7597d6800884383c1ed954a293320b513400d0c32fN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7621f22429ebf567eed13b7597d6800884383c1ed954a293320b513400d0c32fN.exe
-
Size
455KB
-
MD5
561c25565682e0de06e06bb2118474f0
-
SHA1
a5850a4b91e09a9bcaee11de23c602c870387735
-
SHA256
7621f22429ebf567eed13b7597d6800884383c1ed954a293320b513400d0c32f
-
SHA512
fa5b2e3f3d9a4a57b421e477bebe7ce861e6d28bc515df9136b0e9bc1c6b0bf50c1c386f541040c2851c24825fb6405c4c2b589482b5da84f348673cfcb79c29
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbel8:q7Tc2NYHUrAwfMp3CDl8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1408-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4260-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2924-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-741-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-830-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-1150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3860 ntbttt.exe 868 pdjjd.exe 3480 jdvdj.exe 2616 frxrrrr.exe 2164 rlrllll.exe 4060 lxrrllr.exe 2636 xxrxrxr.exe 3368 flfxxxx.exe 2252 fflfflf.exe 3120 hbtttb.exe 1416 rlrlffx.exe 2416 llxrxxr.exe 2152 btnhhh.exe 2704 vdppp.exe 4992 9rrlxlr.exe 4368 3jdpv.exe 3960 bbhbnn.exe 2492 frxrrrr.exe 1628 hbhtnn.exe 1984 dvddp.exe 4004 pjjjv.exe 4588 5ntthh.exe 5112 vjvvp.exe 3088 1pppj.exe 2172 rxffxfl.exe 1568 lfllffl.exe 4260 vjpjd.exe 3824 hhttnn.exe 924 ffxrxrx.exe 776 fxffxxx.exe 4436 hbhhbh.exe 1664 dvdvp.exe 1368 bhnhhn.exe 1800 jdppv.exe 1804 rrrfrrl.exe 3688 bhttnn.exe 1456 djdvv.exe 532 xfrrllf.exe 1960 1bhnhh.exe 3496 nhhbtt.exe 1992 djvpp.exe 712 5lxxffr.exe 4856 bnnhhh.exe 644 tnbnbt.exe 2956 dvddd.exe 4432 llxrllx.exe 536 hntnnn.exe 1152 nbhthh.exe 692 ddvvp.exe 388 frxrrrl.exe 1572 nntntt.exe 1640 jjdvd.exe 1580 xlllffx.exe 3780 lffxrlf.exe 3480 jvdvv.exe 3856 dvjdd.exe 2616 rrxxrxl.exe 2592 rffrllf.exe 32 bntnhh.exe 4596 1ddvp.exe 728 5xfxrxr.exe 4572 btttbb.exe 4320 nhnnhn.exe 4308 ddjdv.exe -
resource yara_rule behavioral2/memory/1408-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3824-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-371-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4340-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-783-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-820-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-830-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-849-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbhn.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1408 wrote to memory of 3860 1408 7621f22429ebf567eed13b7597d6800884383c1ed954a293320b513400d0c32fN.exe 83 PID 1408 wrote to memory of 3860 1408 7621f22429ebf567eed13b7597d6800884383c1ed954a293320b513400d0c32fN.exe 83 PID 1408 wrote to memory of 3860 1408 7621f22429ebf567eed13b7597d6800884383c1ed954a293320b513400d0c32fN.exe 83 PID 3860 wrote to memory of 868 3860 ntbttt.exe 84 PID 3860 wrote to memory of 868 3860 ntbttt.exe 84 PID 3860 wrote to memory of 868 3860 ntbttt.exe 84 PID 868 wrote to memory of 3480 868 pdjjd.exe 85 PID 868 wrote to memory of 3480 868 pdjjd.exe 85 PID 868 wrote to memory of 3480 868 pdjjd.exe 85 PID 3480 wrote to memory of 2616 3480 jdvdj.exe 86 PID 3480 wrote to memory of 2616 3480 jdvdj.exe 86 PID 3480 wrote to memory of 2616 3480 jdvdj.exe 86 PID 2616 wrote to memory of 2164 2616 frxrrrr.exe 87 PID 2616 wrote to memory of 2164 2616 frxrrrr.exe 87 PID 2616 wrote to memory of 2164 2616 frxrrrr.exe 87 PID 2164 wrote to memory of 4060 2164 rlrllll.exe 88 PID 2164 wrote to memory of 4060 2164 rlrllll.exe 88 PID 2164 wrote to memory of 4060 2164 rlrllll.exe 88 PID 4060 wrote to memory of 2636 4060 lxrrllr.exe 89 PID 4060 wrote to memory of 2636 4060 lxrrllr.exe 89 PID 4060 wrote to memory of 2636 4060 lxrrllr.exe 89 PID 2636 wrote to memory of 3368 2636 xxrxrxr.exe 90 PID 2636 wrote to memory of 3368 2636 xxrxrxr.exe 90 PID 2636 wrote to memory of 3368 2636 xxrxrxr.exe 90 PID 3368 wrote to memory of 2252 3368 flfxxxx.exe 91 PID 3368 wrote to memory of 2252 3368 flfxxxx.exe 91 PID 3368 wrote to memory of 2252 3368 flfxxxx.exe 91 PID 2252 wrote to memory of 3120 2252 fflfflf.exe 92 PID 2252 wrote to memory of 3120 2252 fflfflf.exe 92 PID 2252 wrote to memory of 3120 2252 fflfflf.exe 92 PID 3120 wrote to memory of 1416 3120 hbtttb.exe 93 PID 3120 wrote to memory of 1416 3120 hbtttb.exe 93 PID 3120 wrote to memory of 1416 3120 hbtttb.exe 93 PID 1416 wrote to memory of 2416 1416 rlrlffx.exe 94 PID 1416 
wrote to memory of 2416 1416 rlrlffx.exe 94 PID 1416 wrote to memory of 2416 1416 rlrlffx.exe 94 PID 2416 wrote to memory of 2152 2416 llxrxxr.exe 95 PID 2416 wrote to memory of 2152 2416 llxrxxr.exe 95 PID 2416 wrote to memory of 2152 2416 llxrxxr.exe 95 PID 2152 wrote to memory of 2704 2152 btnhhh.exe 96 PID 2152 wrote to memory of 2704 2152 btnhhh.exe 96 PID 2152 wrote to memory of 2704 2152 btnhhh.exe 96 PID 2704 wrote to memory of 4992 2704 vdppp.exe 97 PID 2704 wrote to memory of 4992 2704 vdppp.exe 97 PID 2704 wrote to memory of 4992 2704 vdppp.exe 97 PID 4992 wrote to memory of 4368 4992 9rrlxlr.exe 98 PID 4992 wrote to memory of 4368 4992 9rrlxlr.exe 98 PID 4992 wrote to memory of 4368 4992 9rrlxlr.exe 98 PID 4368 wrote to memory of 3960 4368 3jdpv.exe 99 PID 4368 wrote to memory of 3960 4368 3jdpv.exe 99 PID 4368 wrote to memory of 3960 4368 3jdpv.exe 99 PID 3960 wrote to memory of 2492 3960 bbhbnn.exe 100 PID 3960 wrote to memory of 2492 3960 bbhbnn.exe 100 PID 3960 wrote to memory of 2492 3960 bbhbnn.exe 100 PID 2492 wrote to memory of 1628 2492 frxrrrr.exe 101 PID 2492 wrote to memory of 1628 2492 frxrrrr.exe 101 PID 2492 wrote to memory of 1628 2492 frxrrrr.exe 101 PID 1628 wrote to memory of 1984 1628 hbhtnn.exe 102 PID 1628 wrote to memory of 1984 1628 hbhtnn.exe 102 PID 1628 wrote to memory of 1984 1628 hbhtnn.exe 102 PID 1984 wrote to memory of 4004 1984 dvddp.exe 103 PID 1984 wrote to memory of 4004 1984 dvddp.exe 103 PID 1984 wrote to memory of 4004 1984 dvddp.exe 103 PID 4004 wrote to memory of 4588 4004 pjjjv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7621f22429ebf567eed13b7597d6800884383c1ed954a293320b513400d0c32fN.exe"C:\Users\Admin\AppData\Local\Temp\7621f22429ebf567eed13b7597d6800884383c1ed954a293320b513400d0c32fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\ntbttt.exec:\ntbttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\pdjjd.exec:\pdjjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\jdvdj.exec:\jdvdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\frxrrrr.exec:\frxrrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\rlrllll.exec:\rlrllll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\lxrrllr.exec:\lxrrllr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\xxrxrxr.exec:\xxrxrxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\flfxxxx.exec:\flfxxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\fflfflf.exec:\fflfflf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\hbtttb.exec:\hbtttb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\rlrlffx.exec:\rlrlffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\llxrxxr.exec:\llxrxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\btnhhh.exec:\btnhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\vdppp.exec:\vdppp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\9rrlxlr.exec:\9rrlxlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\3jdpv.exec:\3jdpv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\bbhbnn.exec:\bbhbnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\frxrrrr.exec:\frxrrrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\hbhtnn.exec:\hbhtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\dvddp.exec:\dvddp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\pjjjv.exec:\pjjjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\5ntthh.exec:\5ntthh.exe23⤵
- Executes dropped EXE
PID:4588 -
\??\c:\vjvvp.exec:\vjvvp.exe24⤵
- Executes dropped EXE
PID:5112 -
\??\c:\1pppj.exec:\1pppj.exe25⤵
- Executes dropped EXE
PID:3088 -
\??\c:\rxffxfl.exec:\rxffxfl.exe26⤵
- Executes dropped EXE
PID:2172 -
\??\c:\lfllffl.exec:\lfllffl.exe27⤵
- Executes dropped EXE
PID:1568 -
\??\c:\vjpjd.exec:\vjpjd.exe28⤵
- Executes dropped EXE
PID:4260 -
\??\c:\hhttnn.exec:\hhttnn.exe29⤵
- Executes dropped EXE
PID:3824 -
\??\c:\ffxrxrx.exec:\ffxrxrx.exe30⤵
- Executes dropped EXE
PID:924 -
\??\c:\fxffxxx.exec:\fxffxxx.exe31⤵
- Executes dropped EXE
PID:776 -
\??\c:\hbhhbh.exec:\hbhhbh.exe32⤵
- Executes dropped EXE
PID:4436 -
\??\c:\dvdvp.exec:\dvdvp.exe33⤵
- Executes dropped EXE
PID:1664 -
\??\c:\bhnhhn.exec:\bhnhhn.exe34⤵
- Executes dropped EXE
PID:1368 -
\??\c:\jdppv.exec:\jdppv.exe35⤵
- Executes dropped EXE
PID:1800 -
\??\c:\rrrfrrl.exec:\rrrfrrl.exe36⤵
- Executes dropped EXE
PID:1804 -
\??\c:\bhttnn.exec:\bhttnn.exe37⤵
- Executes dropped EXE
PID:3688 -
\??\c:\djdvv.exec:\djdvv.exe38⤵
- Executes dropped EXE
PID:1456 -
\??\c:\xfrrllf.exec:\xfrrllf.exe39⤵
- Executes dropped EXE
PID:532 -
\??\c:\1bhnhh.exec:\1bhnhh.exe40⤵
- Executes dropped EXE
PID:1960 -
\??\c:\nhhbtt.exec:\nhhbtt.exe41⤵
- Executes dropped EXE
PID:3496 -
\??\c:\djvpp.exec:\djvpp.exe42⤵
- Executes dropped EXE
PID:1992 -
\??\c:\5lxxffr.exec:\5lxxffr.exe43⤵
- Executes dropped EXE
PID:712 -
\??\c:\bnnhhh.exec:\bnnhhh.exe44⤵
- Executes dropped EXE
PID:4856 -
\??\c:\tnbnbt.exec:\tnbnbt.exe45⤵
- Executes dropped EXE
PID:644 -
\??\c:\dvddd.exec:\dvddd.exe46⤵
- Executes dropped EXE
PID:2956 -
\??\c:\llxrllx.exec:\llxrllx.exe47⤵
- Executes dropped EXE
PID:4432 -
\??\c:\hntnnn.exec:\hntnnn.exe48⤵
- Executes dropped EXE
PID:536 -
\??\c:\nbhthh.exec:\nbhthh.exe49⤵
- Executes dropped EXE
PID:1152 -
\??\c:\ddvvp.exec:\ddvvp.exe50⤵
- Executes dropped EXE
PID:692 -
\??\c:\frxrrrl.exec:\frxrrrl.exe51⤵
- Executes dropped EXE
PID:388 -
\??\c:\nntntt.exec:\nntntt.exe52⤵
- Executes dropped EXE
PID:1572 -
\??\c:\jjdvd.exec:\jjdvd.exe53⤵
- Executes dropped EXE
PID:1640 -
\??\c:\xlllffx.exec:\xlllffx.exe54⤵
- Executes dropped EXE
PID:1580 -
\??\c:\lffxrlf.exec:\lffxrlf.exe55⤵
- Executes dropped EXE
PID:3780 -
\??\c:\jvdvv.exec:\jvdvv.exe56⤵
- Executes dropped EXE
PID:3480 -
\??\c:\dvjdd.exec:\dvjdd.exe57⤵
- Executes dropped EXE
PID:3856 -
\??\c:\rrxxrxl.exec:\rrxxrxl.exe58⤵
- Executes dropped EXE
PID:2616 -
\??\c:\rffrllf.exec:\rffrllf.exe59⤵
- Executes dropped EXE
PID:2592 -
\??\c:\bntnhh.exec:\bntnhh.exe60⤵
- Executes dropped EXE
PID:32 -
\??\c:\1ddvp.exec:\1ddvp.exe61⤵
- Executes dropped EXE
PID:4596 -
\??\c:\5xfxrxr.exec:\5xfxrxr.exe62⤵
- Executes dropped EXE
PID:728 -
\??\c:\btttbb.exec:\btttbb.exe63⤵
- Executes dropped EXE
PID:4572 -
\??\c:\nhnnhn.exec:\nhnnhn.exe64⤵
- Executes dropped EXE
PID:4320 -
\??\c:\ddjdv.exec:\ddjdv.exe65⤵
- Executes dropped EXE
PID:4308 -
\??\c:\rllflll.exec:\rllflll.exe66⤵PID:1424
-
\??\c:\llxxxff.exec:\llxxxff.exe67⤵PID:3608
-
\??\c:\hhbbht.exec:\hhbbht.exe68⤵PID:3420
-
\??\c:\jdjdp.exec:\jdjdp.exe69⤵PID:3876
-
\??\c:\jjvvp.exec:\jjvvp.exe70⤵PID:2724
-
\??\c:\rxrfxxx.exec:\rxrfxxx.exe71⤵PID:2152
-
\??\c:\hbttnn.exec:\hbttnn.exe72⤵PID:1196
-
\??\c:\jjpjj.exec:\jjpjj.exe73⤵PID:4992
-
\??\c:\xlrlffx.exec:\xlrlffx.exe74⤵PID:1712
-
\??\c:\9ttbtt.exec:\9ttbtt.exe75⤵PID:3412
-
\??\c:\tnnhhb.exec:\tnnhhb.exe76⤵PID:3960
-
\??\c:\pjjdv.exec:\pjjdv.exe77⤵PID:1796
-
\??\c:\lrxrfff.exec:\lrxrfff.exe78⤵PID:2820
-
\??\c:\xxlffrl.exec:\xxlffrl.exe79⤵PID:4464
-
\??\c:\tbbbbh.exec:\tbbbbh.exe80⤵PID:4156
-
\??\c:\ppdjp.exec:\ppdjp.exe81⤵PID:2924
-
\??\c:\pdvpd.exec:\pdvpd.exe82⤵PID:2320
-
\??\c:\flllxxr.exec:\flllxxr.exe83⤵PID:5060
-
\??\c:\nnnbbb.exec:\nnnbbb.exe84⤵PID:2264
-
\??\c:\jdjdp.exec:\jdjdp.exe85⤵PID:2196
-
\??\c:\3flrrxx.exec:\3flrrxx.exe86⤵PID:3444
-
\??\c:\fxffllr.exec:\fxffllr.exe87⤵PID:4120
-
\??\c:\9bbtnn.exec:\9bbtnn.exe88⤵PID:4524
-
\??\c:\djjjd.exec:\djjjd.exe89⤵PID:2928
-
\??\c:\vvdvp.exec:\vvdvp.exe90⤵PID:4384
-
\??\c:\lfrlllx.exec:\lfrlllx.exe91⤵PID:4340
-
\??\c:\bbbnhn.exec:\bbbnhn.exe92⤵PID:4316
-
\??\c:\bnhhbb.exec:\bnhhbb.exe93⤵PID:1832
-
\??\c:\jdvvd.exec:\jdvvd.exe94⤵PID:5052
-
\??\c:\lxlfxlf.exec:\lxlfxlf.exe95⤵PID:1800
-
\??\c:\nthbbt.exec:\nthbbt.exe96⤵PID:2180
-
\??\c:\5hnhhh.exec:\5hnhhh.exe97⤵PID:1396
-
\??\c:\vjppj.exec:\vjppj.exe98⤵PID:2272
-
\??\c:\5frrllf.exec:\5frrllf.exe99⤵PID:2220
-
\??\c:\nhnnhh.exec:\nhnnhh.exe100⤵PID:1484
-
\??\c:\djdvp.exec:\djdvp.exe101⤵PID:2680
-
\??\c:\jjpvp.exec:\jjpvp.exe102⤵PID:708
-
\??\c:\lllllll.exec:\lllllll.exe103⤵PID:712
-
\??\c:\htbbbb.exec:\htbbbb.exe104⤵PID:1756
-
\??\c:\vvdpj.exec:\vvdpj.exe105⤵PID:4868
-
\??\c:\pjvpp.exec:\pjvpp.exe106⤵PID:3848
-
\??\c:\xxlfrlr.exec:\xxlfrlr.exe107⤵PID:1060
-
\??\c:\nntnbb.exec:\nntnbb.exe108⤵PID:2768
-
\??\c:\5djdd.exec:\5djdd.exe109⤵PID:956
-
\??\c:\xfffxff.exec:\xfffxff.exe110⤵PID:4472
-
\??\c:\tnbbbb.exec:\tnbbbb.exe111⤵PID:4756
-
\??\c:\bnnnnn.exec:\bnnnnn.exe112⤵PID:1752
-
\??\c:\vpjdd.exec:\vpjdd.exe113⤵PID:4484
-
\??\c:\xlrlffx.exec:\xlrlffx.exe114⤵PID:516
-
\??\c:\rflffxl.exec:\rflffxl.exe115⤵PID:1580
-
\??\c:\hhnttt.exec:\hhnttt.exe116⤵PID:3448
-
\??\c:\pjjjd.exec:\pjjjd.exe117⤵PID:3112
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe118⤵PID:2596
-
\??\c:\bntnhh.exec:\bntnhh.exe119⤵PID:1156
-
\??\c:\htnbth.exec:\htnbth.exe120⤵
- System Location Discovery: System Language Discovery
PID:820 -
\??\c:\jvjdv.exec:\jvjdv.exe121⤵PID:2940
-
\??\c:\fxfxxrr.exec:\fxfxxrr.exe122⤵PID:676