Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 08:58
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
d71442e46be50f2e10867f0461bb2c74f0a903bbe1744c4364dfa973fafa645e.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
d71442e46be50f2e10867f0461bb2c74f0a903bbe1744c4364dfa973fafa645e.exe
-
Size
454KB
-
MD5
93f7a68d88f5780fe0c485e99709a38e
-
SHA1
af128f6dbfdb01b7f7947a57a15b78abe17d8278
-
SHA256
d71442e46be50f2e10867f0461bb2c74f0a903bbe1744c4364dfa973fafa645e
-
SHA512
7ddc5965457d25aa8cc432def7365744df439f4489eb1c68b9755904cb2a662fc0eade5ee8cea7cc586245a687b83e61eb9916c2b5323a37803b0147e3728ad4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/4448-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5084-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3076-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-858-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-925-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-929-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4140 vdjvp.exe 2868 frffxxr.exe 3716 jjjjd.exe 3672 vdpjj.exe 4012 tnthbt.exe 3080 djjjd.exe 2272 fllfxlf.exe 4156 7dpjd.exe 1556 lxxlfxr.exe 2388 7vpdv.exe 5076 lxxlrlf.exe 4832 ntbtnn.exe 708 9rrlrxf.exe 2096 bhtnbb.exe 116 jddjv.exe 712 rlxxrrr.exe 2864 bntthh.exe 1776 7pvpp.exe 636 1lrxrll.exe 2508 pddpp.exe 1588 rxfllll.exe 2420 jdjdd.exe 5084 fxfrlfl.exe 2940 nbbnbb.exe 4260 9jjdp.exe 3972 nnnhhh.exe 4608 jjjdv.exe 404 bbhbhh.exe 3528 rlxxrff.exe 3652 7rrxrxr.exe 4772 vvdpj.exe 976 ppjdv.exe 4604 hhhthb.exe 4252 ddppv.exe 4664 xxxxrff.exe 1896 tbnhbt.exe 4480 pjppd.exe 2384 bbtnnn.exe 4572 pvpjd.exe 4120 fllrfff.exe 3844 nbnhhb.exe 2456 tnttnn.exe 4992 jpjjj.exe 2268 llfxrrl.exe 3764 1hnhtn.exe 4580 bnbttt.exe 3036 dvdvj.exe 468 flrlfxx.exe 4140 hbhbtt.exe 4228 htbthh.exe 1500 vvdpd.exe 3728 fxlflfr.exe 3504 3hhhbt.exe 4464 pddvv.exe 3928 vjjvj.exe 2336 xlfrlrf.exe 4440 ttbnhb.exe 1268 jvdvv.exe 3500 3rlfxxr.exe 2332 rlrlrrf.exe 2404 ththtn.exe 1556 dppdp.exe 2696 xrlxfxx.exe 4768 xrxrlfx.exe -
resource yara_rule behavioral2/memory/4448-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-143-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2940-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-371-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4836-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-775-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4448 wrote to memory of 4140 4448 d71442e46be50f2e10867f0461bb2c74f0a903bbe1744c4364dfa973fafa645e.exe 84 PID 4448 wrote to memory of 4140 4448 d71442e46be50f2e10867f0461bb2c74f0a903bbe1744c4364dfa973fafa645e.exe 84 PID 4448 wrote to memory of 4140 4448 d71442e46be50f2e10867f0461bb2c74f0a903bbe1744c4364dfa973fafa645e.exe 84 PID 4140 wrote to memory of 2868 4140 vdjvp.exe 85 PID 4140 wrote to memory of 2868 4140 vdjvp.exe 85 PID 4140 wrote to memory of 2868 4140 vdjvp.exe 85 PID 2868 wrote to memory of 3716 2868 frffxxr.exe 86 PID 2868 wrote to memory of 3716 2868 frffxxr.exe 86 PID 2868 wrote to memory of 3716 2868 frffxxr.exe 86 PID 3716 wrote to memory of 3672 3716 jjjjd.exe 87 PID 3716 wrote to memory of 3672 3716 jjjjd.exe 87 PID 3716 wrote to memory of 3672 3716 jjjjd.exe 87 PID 3672 wrote to memory of 4012 3672 vdpjj.exe 88 PID 3672 wrote to memory of 4012 3672 vdpjj.exe 88 PID 3672 wrote to memory of 4012 3672 vdpjj.exe 88 PID 4012 wrote to memory of 3080 4012 tnthbt.exe 89 PID 4012 wrote to memory of 3080 4012 tnthbt.exe 89 PID 4012 wrote to memory of 3080 4012 tnthbt.exe 89 PID 3080 wrote to memory of 2272 3080 djjjd.exe 90 PID 3080 wrote to memory of 2272 3080 djjjd.exe 90 PID 3080 wrote to memory of 2272 3080 djjjd.exe 90 PID 2272 wrote to memory of 4156 2272 fllfxlf.exe 91 PID 2272 wrote to memory of 4156 2272 fllfxlf.exe 91 PID 2272 wrote to memory of 4156 2272 fllfxlf.exe 91 PID 4156 wrote to memory of 1556 4156 7dpjd.exe 92 PID 4156 wrote to memory of 1556 4156 7dpjd.exe 92 PID 4156 wrote to memory of 1556 4156 7dpjd.exe 92 PID 1556 wrote to memory of 2388 1556 lxxlfxr.exe 93 PID 1556 wrote to memory of 2388 1556 lxxlfxr.exe 93 PID 1556 wrote to memory of 2388 1556 lxxlfxr.exe 93 PID 2388 wrote to memory of 5076 2388 7vpdv.exe 94 PID 2388 wrote to memory of 5076 2388 7vpdv.exe 94 PID 2388 wrote to memory of 5076 2388 7vpdv.exe 94 PID 5076 wrote to memory of 4832 5076 lxxlrlf.exe 95 PID 5076 wrote to memory of 
4832 5076 lxxlrlf.exe 95 PID 5076 wrote to memory of 4832 5076 lxxlrlf.exe 95 PID 4832 wrote to memory of 708 4832 ntbtnn.exe 96 PID 4832 wrote to memory of 708 4832 ntbtnn.exe 96 PID 4832 wrote to memory of 708 4832 ntbtnn.exe 96 PID 708 wrote to memory of 2096 708 9rrlrxf.exe 97 PID 708 wrote to memory of 2096 708 9rrlrxf.exe 97 PID 708 wrote to memory of 2096 708 9rrlrxf.exe 97 PID 2096 wrote to memory of 116 2096 bhtnbb.exe 98 PID 2096 wrote to memory of 116 2096 bhtnbb.exe 98 PID 2096 wrote to memory of 116 2096 bhtnbb.exe 98 PID 116 wrote to memory of 712 116 jddjv.exe 99 PID 116 wrote to memory of 712 116 jddjv.exe 99 PID 116 wrote to memory of 712 116 jddjv.exe 99 PID 712 wrote to memory of 2864 712 rlxxrrr.exe 100 PID 712 wrote to memory of 2864 712 rlxxrrr.exe 100 PID 712 wrote to memory of 2864 712 rlxxrrr.exe 100 PID 2864 wrote to memory of 1776 2864 bntthh.exe 101 PID 2864 wrote to memory of 1776 2864 bntthh.exe 101 PID 2864 wrote to memory of 1776 2864 bntthh.exe 101 PID 1776 wrote to memory of 636 1776 7pvpp.exe 102 PID 1776 wrote to memory of 636 1776 7pvpp.exe 102 PID 1776 wrote to memory of 636 1776 7pvpp.exe 102 PID 636 wrote to memory of 2508 636 1lrxrll.exe 103 PID 636 wrote to memory of 2508 636 1lrxrll.exe 103 PID 636 wrote to memory of 2508 636 1lrxrll.exe 103 PID 2508 wrote to memory of 1588 2508 pddpp.exe 104 PID 2508 wrote to memory of 1588 2508 pddpp.exe 104 PID 2508 wrote to memory of 1588 2508 pddpp.exe 104 PID 1588 wrote to memory of 2420 1588 rxfllll.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\d71442e46be50f2e10867f0461bb2c74f0a903bbe1744c4364dfa973fafa645e.exe"C:\Users\Admin\AppData\Local\Temp\d71442e46be50f2e10867f0461bb2c74f0a903bbe1744c4364dfa973fafa645e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\vdjvp.exec:\vdjvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\frffxxr.exec:\frffxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\jjjjd.exec:\jjjjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\vdpjj.exec:\vdpjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\tnthbt.exec:\tnthbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\djjjd.exec:\djjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\fllfxlf.exec:\fllfxlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\7dpjd.exec:\7dpjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\7vpdv.exec:\7vpdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\lxxlrlf.exec:\lxxlrlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\ntbtnn.exec:\ntbtnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\9rrlrxf.exec:\9rrlrxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
\??\c:\bhtnbb.exec:\bhtnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\jddjv.exec:\jddjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\rlxxrrr.exec:\rlxxrrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\bntthh.exec:\bntthh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\7pvpp.exec:\7pvpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\1lrxrll.exec:\1lrxrll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\pddpp.exec:\pddpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\rxfllll.exec:\rxfllll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\jdjdd.exec:\jdjdd.exe23⤵
- Executes dropped EXE
PID:2420 -
\??\c:\fxfrlfl.exec:\fxfrlfl.exe24⤵
- Executes dropped EXE
PID:5084 -
\??\c:\nbbnbb.exec:\nbbnbb.exe25⤵
- Executes dropped EXE
PID:2940 -
\??\c:\9jjdp.exec:\9jjdp.exe26⤵
- Executes dropped EXE
PID:4260 -
\??\c:\nnnhhh.exec:\nnnhhh.exe27⤵
- Executes dropped EXE
PID:3972 -
\??\c:\jjjdv.exec:\jjjdv.exe28⤵
- Executes dropped EXE
PID:4608 -
\??\c:\bbhbhh.exec:\bbhbhh.exe29⤵
- Executes dropped EXE
PID:404 -
\??\c:\rlxxrff.exec:\rlxxrff.exe30⤵
- Executes dropped EXE
PID:3528 -
\??\c:\7rrxrxr.exec:\7rrxrxr.exe31⤵
- Executes dropped EXE
PID:3652 -
\??\c:\vvdpj.exec:\vvdpj.exe32⤵
- Executes dropped EXE
PID:4772 -
\??\c:\ppjdv.exec:\ppjdv.exe33⤵
- Executes dropped EXE
PID:976 -
\??\c:\hhhthb.exec:\hhhthb.exe34⤵
- Executes dropped EXE
PID:4604 -
\??\c:\ddppv.exec:\ddppv.exe35⤵
- Executes dropped EXE
PID:4252 -
\??\c:\xxxxrff.exec:\xxxxrff.exe36⤵
- Executes dropped EXE
PID:4664 -
\??\c:\tbnhbt.exec:\tbnhbt.exe37⤵
- Executes dropped EXE
PID:1896 -
\??\c:\pjppd.exec:\pjppd.exe38⤵
- Executes dropped EXE
PID:4480 -
\??\c:\bbtnnn.exec:\bbtnnn.exe39⤵
- Executes dropped EXE
PID:2384 -
\??\c:\pvpjd.exec:\pvpjd.exe40⤵
- Executes dropped EXE
PID:4572 -
\??\c:\fllrfff.exec:\fllrfff.exe41⤵
- Executes dropped EXE
PID:4120 -
\??\c:\nbnhhb.exec:\nbnhhb.exe42⤵
- Executes dropped EXE
PID:3844 -
\??\c:\tnttnn.exec:\tnttnn.exe43⤵
- Executes dropped EXE
PID:2456 -
\??\c:\jpjjj.exec:\jpjjj.exe44⤵
- Executes dropped EXE
PID:4992 -
\??\c:\llfxrrl.exec:\llfxrrl.exe45⤵
- Executes dropped EXE
PID:2268 -
\??\c:\1hnhtn.exec:\1hnhtn.exe46⤵
- Executes dropped EXE
PID:3764 -
\??\c:\bnbttt.exec:\bnbttt.exe47⤵
- Executes dropped EXE
PID:4580 -
\??\c:\dvdvj.exec:\dvdvj.exe48⤵
- Executes dropped EXE
PID:3036 -
\??\c:\flrlfxx.exec:\flrlfxx.exe49⤵
- Executes dropped EXE
PID:468 -
\??\c:\hbhbtt.exec:\hbhbtt.exe50⤵
- Executes dropped EXE
PID:4140 -
\??\c:\htbthh.exec:\htbthh.exe51⤵
- Executes dropped EXE
PID:4228 -
\??\c:\vvdpd.exec:\vvdpd.exe52⤵
- Executes dropped EXE
PID:1500 -
\??\c:\fxlflfr.exec:\fxlflfr.exe53⤵
- Executes dropped EXE
PID:3728 -
\??\c:\3hhhbt.exec:\3hhhbt.exe54⤵
- Executes dropped EXE
PID:3504 -
\??\c:\pddvv.exec:\pddvv.exe55⤵
- Executes dropped EXE
PID:4464 -
\??\c:\vjjvj.exec:\vjjvj.exe56⤵
- Executes dropped EXE
PID:3928 -
\??\c:\xlfrlrf.exec:\xlfrlrf.exe57⤵
- Executes dropped EXE
PID:2336 -
\??\c:\ttbnhb.exec:\ttbnhb.exe58⤵
- Executes dropped EXE
PID:4440 -
\??\c:\jvdvv.exec:\jvdvv.exe59⤵
- Executes dropped EXE
PID:1268 -
\??\c:\3rlfxxr.exec:\3rlfxxr.exe60⤵
- Executes dropped EXE
PID:3500 -
\??\c:\rlrlrrf.exec:\rlrlrrf.exe61⤵
- Executes dropped EXE
PID:2332 -
\??\c:\ththtn.exec:\ththtn.exe62⤵
- Executes dropped EXE
PID:2404 -
\??\c:\dppdp.exec:\dppdp.exe63⤵
- Executes dropped EXE
PID:1556 -
\??\c:\xrlxfxx.exec:\xrlxfxx.exe64⤵
- Executes dropped EXE
PID:2696 -
\??\c:\xrxrlfx.exec:\xrxrlfx.exe65⤵
- Executes dropped EXE
PID:4768 -
\??\c:\bttnnn.exec:\bttnnn.exe66⤵PID:3112
-
\??\c:\pjpjj.exec:\pjpjj.exe67⤵PID:1300
-
\??\c:\rxlfrrx.exec:\rxlfrrx.exe68⤵PID:4888
-
\??\c:\tnnhtt.exec:\tnnhtt.exe69⤵PID:3304
-
\??\c:\nhhthb.exec:\nhhthb.exe70⤵PID:716
-
\??\c:\pdpdv.exec:\pdpdv.exe71⤵PID:1984
-
\??\c:\3xxlfxr.exec:\3xxlfxr.exe72⤵PID:116
-
\??\c:\bhbbbt.exec:\bhbbbt.exe73⤵PID:1852
-
\??\c:\5jpdv.exec:\5jpdv.exe74⤵PID:4016
-
\??\c:\dvpjj.exec:\dvpjj.exe75⤵PID:4000
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe76⤵PID:2212
-
\??\c:\bnttnt.exec:\bnttnt.exe77⤵PID:1448
-
\??\c:\7ppjp.exec:\7ppjp.exe78⤵PID:1472
-
\??\c:\flrllll.exec:\flrllll.exe79⤵PID:1108
-
\??\c:\httnbt.exec:\httnbt.exe80⤵PID:1256
-
\??\c:\ttnhth.exec:\ttnhth.exe81⤵PID:3124
-
\??\c:\dpjdv.exec:\dpjdv.exe82⤵PID:4164
-
\??\c:\rlxrffx.exec:\rlxrffx.exe83⤵PID:456
-
\??\c:\tnnhbb.exec:\tnnhbb.exe84⤵PID:3076
-
\??\c:\jdpvv.exec:\jdpvv.exe85⤵PID:5000
-
\??\c:\xflxllx.exec:\xflxllx.exe86⤵PID:1968
-
\??\c:\bnnbnb.exec:\bnnbnb.exe87⤵PID:4224
-
\??\c:\pddpj.exec:\pddpj.exe88⤵PID:5028
-
\??\c:\vvdvp.exec:\vvdvp.exe89⤵PID:4836
-
\??\c:\rfxfrxl.exec:\rfxfrxl.exe90⤵PID:2208
-
\??\c:\nnbbtb.exec:\nnbbtb.exe91⤵PID:3808
-
\??\c:\bnthtn.exec:\bnthtn.exe92⤵PID:988
-
\??\c:\jppjd.exec:\jppjd.exe93⤵PID:1696
-
\??\c:\xxrxlxx.exec:\xxrxlxx.exe94⤵PID:1548
-
\??\c:\nbhhbb.exec:\nbhhbb.exe95⤵
- System Location Discovery: System Language Discovery
PID:4604 -
\??\c:\1ppvd.exec:\1ppvd.exe96⤵PID:4252
-
\??\c:\lflfxrl.exec:\lflfxrl.exe97⤵PID:4664
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe98⤵PID:1896
-
\??\c:\bhhthb.exec:\bhhthb.exe99⤵
- System Location Discovery: System Language Discovery
PID:1264 -
\??\c:\vvdpv.exec:\vvdpv.exe100⤵PID:60
-
\??\c:\flxrlfx.exec:\flxrlfx.exe101⤵PID:3936
-
\??\c:\bbbhbh.exec:\bbbhbh.exe102⤵PID:4064
-
\??\c:\hbthbt.exec:\hbthbt.exe103⤵PID:2676
-
\??\c:\jppdj.exec:\jppdj.exe104⤵PID:2456
-
\??\c:\rrxfrlf.exec:\rrxfrlf.exe105⤵PID:1628
-
\??\c:\rrxlrlr.exec:\rrxlrlr.exe106⤵PID:1288
-
\??\c:\nnbttt.exec:\nnbttt.exe107⤵PID:3240
-
\??\c:\djpjd.exec:\djpjd.exe108⤵PID:2444
-
\??\c:\vpdvp.exec:\vpdvp.exe109⤵PID:1188
-
\??\c:\lxfrfxx.exec:\lxfrfxx.exe110⤵PID:3248
-
\??\c:\btbtht.exec:\btbtht.exe111⤵PID:4176
-
\??\c:\pddvv.exec:\pddvv.exe112⤵PID:4612
-
\??\c:\ffrlflf.exec:\ffrlflf.exe113⤵PID:2084
-
\??\c:\btthtn.exec:\btthtn.exe114⤵PID:2572
-
\??\c:\tnnhbt.exec:\tnnhbt.exe115⤵PID:3612
-
\??\c:\pdjjd.exec:\pdjjd.exe116⤵PID:3504
-
\??\c:\llrlxrf.exec:\llrlxrf.exe117⤵PID:1564
-
\??\c:\thnhhh.exec:\thnhhh.exe118⤵
- System Location Discovery: System Language Discovery
PID:2976 -
\??\c:\ntbbnh.exec:\ntbbnh.exe119⤵PID:1608
-
\??\c:\7jjvp.exec:\7jjvp.exe120⤵PID:4440
-
\??\c:\xllxrll.exec:\xllxrll.exe121⤵PID:1268
-
\??\c:\httnbt.exec:\httnbt.exe122⤵PID:64