Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27/01/2025, 14:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe
-
Size
454KB
-
MD5
739bd19772fe3de80a2b8e1974bacb80
-
SHA1
a7d9e0601d872600566008846ae6d9ec2481ea66
-
SHA256
410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1
-
SHA512
3523567ba3c7c59a97996a12520250de892422d7ff70607d9f4bc21e66c3aaff21611baf01d3f3b909c9f8a4368b9f445fbbc4f2b2bd543b30d573c7bc3907e8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbee:q7Tc2NYHUrAwfMp3CDe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3028-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4944-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3260-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/416-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-1211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-1339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1544 xrfxrxf.exe 4592 pjdvd.exe 3900 fxxxxxx.exe 4860 bbbhnn.exe 1968 rrxxrxr.exe 2432 5bnhhh.exe 4200 xrrlfll.exe 1132 3nttnn.exe 852 3thbtt.exe 3912 dvvdd.exe 4628 lrrlffx.exe 4560 ddjjd.exe 2104 lrxllrl.exe 4028 7hbbbb.exe 2468 pjpdv.exe 1372 flxrxfl.exe 2516 9dpjp.exe 1016 rflfxxx.exe 4040 nbnntt.exe 4888 tbhbbh.exe 4516 dvdvv.exe 3360 jdjdv.exe 2152 tnhhbn.exe 2732 flxrlll.exe 4528 jdpdj.exe 3236 rrxrxxf.exe 1092 1pvpj.exe 4640 rfrxfff.exe 4944 xrxxrll.exe 908 jddvp.exe 4280 dvdvj.exe 3680 5thhbn.exe 4588 llrrffr.exe 3920 1rxxrxr.exe 760 btnnhh.exe 1640 djddp.exe 1980 lflxrfr.exe 1156 7hnhhh.exe 4556 pjvvv.exe 4372 vjdvv.exe 3540 xxlxrrr.exe 64 5nhbbb.exe 1328 7hbnbb.exe 4708 ppdpp.exe 3728 xrffffr.exe 3716 tnnhtn.exe 2312 jjpjj.exe 4880 fllxrrl.exe 2972 3nnhhn.exe 2680 dvpjd.exe 3016 jdpdv.exe 1020 7xxxrxr.exe 4100 ttbtnh.exe 2280 tbnhbn.exe 1636 pddvp.exe 1884 7xfffll.exe 1588 bthbbt.exe 4544 nbtntn.exe 4792 dddvp.exe 4756 lxfxxrr.exe 4560 tbbnnn.exe 3696 nbthbt.exe 2164 vppjv.exe 3452 rfrlflf.exe -
resource yara_rule behavioral2/memory/3028-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4944-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-392-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4076-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/416-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-927-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnbt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3028 wrote to memory of 1544 3028 410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe 83 PID 3028 wrote to memory of 1544 3028 410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe 83 PID 3028 wrote to memory of 1544 3028 410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe 83 PID 1544 wrote to memory of 4592 1544 xrfxrxf.exe 84 PID 1544 wrote to memory of 4592 1544 xrfxrxf.exe 84 PID 1544 wrote to memory of 4592 1544 xrfxrxf.exe 84 PID 4592 wrote to memory of 3900 4592 pjdvd.exe 85 PID 4592 wrote to memory of 3900 4592 pjdvd.exe 85 PID 4592 wrote to memory of 3900 4592 pjdvd.exe 85 PID 3900 wrote to memory of 4860 3900 fxxxxxx.exe 86 PID 3900 wrote to memory of 4860 3900 fxxxxxx.exe 86 PID 3900 wrote to memory of 4860 3900 fxxxxxx.exe 86 PID 4860 wrote to memory of 1968 4860 bbbhnn.exe 87 PID 4860 wrote to memory of 1968 4860 bbbhnn.exe 87 PID 4860 wrote to memory of 1968 4860 bbbhnn.exe 87 PID 1968 wrote to memory of 2432 1968 rrxxrxr.exe 88 PID 1968 wrote to memory of 2432 1968 rrxxrxr.exe 88 PID 1968 wrote to memory of 2432 1968 rrxxrxr.exe 88 PID 2432 wrote to memory of 4200 2432 5bnhhh.exe 89 PID 2432 wrote to memory of 4200 2432 5bnhhh.exe 89 PID 2432 wrote to memory of 4200 2432 5bnhhh.exe 89 PID 4200 wrote to memory of 1132 4200 xrrlfll.exe 90 PID 4200 wrote to memory of 1132 4200 xrrlfll.exe 90 PID 4200 wrote to memory of 1132 4200 xrrlfll.exe 90 PID 1132 wrote to memory of 852 1132 3nttnn.exe 91 PID 1132 wrote to memory of 852 1132 3nttnn.exe 91 PID 1132 wrote to memory of 852 1132 3nttnn.exe 91 PID 852 wrote to memory of 3912 852 3thbtt.exe 92 PID 852 wrote to memory of 3912 852 3thbtt.exe 92 PID 852 wrote to memory of 3912 852 3thbtt.exe 92 PID 3912 wrote to memory of 4628 3912 dvvdd.exe 93 PID 3912 wrote to memory of 4628 3912 dvvdd.exe 93 PID 3912 wrote to memory of 4628 3912 dvvdd.exe 93 PID 4628 wrote to memory of 4560 4628 lrrlffx.exe 94 PID 4628 wrote to 
memory of 4560 4628 lrrlffx.exe 94 PID 4628 wrote to memory of 4560 4628 lrrlffx.exe 94 PID 4560 wrote to memory of 2104 4560 ddjjd.exe 95 PID 4560 wrote to memory of 2104 4560 ddjjd.exe 95 PID 4560 wrote to memory of 2104 4560 ddjjd.exe 95 PID 2104 wrote to memory of 4028 2104 lrxllrl.exe 96 PID 2104 wrote to memory of 4028 2104 lrxllrl.exe 96 PID 2104 wrote to memory of 4028 2104 lrxllrl.exe 96 PID 4028 wrote to memory of 2468 4028 7hbbbb.exe 97 PID 4028 wrote to memory of 2468 4028 7hbbbb.exe 97 PID 4028 wrote to memory of 2468 4028 7hbbbb.exe 97 PID 2468 wrote to memory of 1372 2468 pjpdv.exe 98 PID 2468 wrote to memory of 1372 2468 pjpdv.exe 98 PID 2468 wrote to memory of 1372 2468 pjpdv.exe 98 PID 1372 wrote to memory of 2516 1372 flxrxfl.exe 99 PID 1372 wrote to memory of 2516 1372 flxrxfl.exe 99 PID 1372 wrote to memory of 2516 1372 flxrxfl.exe 99 PID 2516 wrote to memory of 1016 2516 9dpjp.exe 100 PID 2516 wrote to memory of 1016 2516 9dpjp.exe 100 PID 2516 wrote to memory of 1016 2516 9dpjp.exe 100 PID 1016 wrote to memory of 4040 1016 rflfxxx.exe 101 PID 1016 wrote to memory of 4040 1016 rflfxxx.exe 101 PID 1016 wrote to memory of 4040 1016 rflfxxx.exe 101 PID 4040 wrote to memory of 4888 4040 nbnntt.exe 102 PID 4040 wrote to memory of 4888 4040 nbnntt.exe 102 PID 4040 wrote to memory of 4888 4040 nbnntt.exe 102 PID 4888 wrote to memory of 4516 4888 tbhbbh.exe 103 PID 4888 wrote to memory of 4516 4888 tbhbbh.exe 103 PID 4888 wrote to memory of 4516 4888 tbhbbh.exe 103 PID 4516 wrote to memory of 3360 4516 dvdvv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe"C:\Users\Admin\AppData\Local\Temp\410723e0d8e4faef03e7e992117d21154ed5e3364d13f8d50891abc8b98b69e1N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\xrfxrxf.exec:\xrfxrxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\pjdvd.exec:\pjdvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\fxxxxxx.exec:\fxxxxxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\bbbhnn.exec:\bbbhnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\rrxxrxr.exec:\rrxxrxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\5bnhhh.exec:\5bnhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\xrrlfll.exec:\xrrlfll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\3nttnn.exec:\3nttnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\3thbtt.exec:\3thbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\dvvdd.exec:\dvvdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\lrrlffx.exec:\lrrlffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\ddjjd.exec:\ddjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\lrxllrl.exec:\lrxllrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\7hbbbb.exec:\7hbbbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\pjpdv.exec:\pjpdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\flxrxfl.exec:\flxrxfl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\9dpjp.exec:\9dpjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\rflfxxx.exec:\rflfxxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\nbnntt.exec:\nbnntt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\tbhbbh.exec:\tbhbbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\dvdvv.exec:\dvdvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\jdjdv.exec:\jdjdv.exe23⤵
- Executes dropped EXE
PID:3360 -
\??\c:\tnhhbn.exec:\tnhhbn.exe24⤵
- Executes dropped EXE
PID:2152 -
\??\c:\flxrlll.exec:\flxrlll.exe25⤵
- Executes dropped EXE
PID:2732 -
\??\c:\jdpdj.exec:\jdpdj.exe26⤵
- Executes dropped EXE
PID:4528 -
\??\c:\rrxrxxf.exec:\rrxrxxf.exe27⤵
- Executes dropped EXE
PID:3236 -
\??\c:\1pvpj.exec:\1pvpj.exe28⤵
- Executes dropped EXE
PID:1092 -
\??\c:\rfrxfff.exec:\rfrxfff.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4640 -
\??\c:\xrxxrll.exec:\xrxxrll.exe30⤵
- Executes dropped EXE
PID:4944 -
\??\c:\jddvp.exec:\jddvp.exe31⤵
- Executes dropped EXE
PID:908 -
\??\c:\dvdvj.exec:\dvdvj.exe32⤵
- Executes dropped EXE
PID:4280 -
\??\c:\5thhbn.exec:\5thhbn.exe33⤵
- Executes dropped EXE
PID:3680 -
\??\c:\llrrffr.exec:\llrrffr.exe34⤵
- Executes dropped EXE
PID:4588 -
\??\c:\1rxxrxr.exec:\1rxxrxr.exe35⤵
- Executes dropped EXE
PID:3920 -
\??\c:\btnnhh.exec:\btnnhh.exe36⤵
- Executes dropped EXE
PID:760 -
\??\c:\djddp.exec:\djddp.exe37⤵
- Executes dropped EXE
PID:1640 -
\??\c:\lflxrfr.exec:\lflxrfr.exe38⤵
- Executes dropped EXE
PID:1980 -
\??\c:\7hnhhh.exec:\7hnhhh.exe39⤵
- Executes dropped EXE
PID:1156 -
\??\c:\pjvvv.exec:\pjvvv.exe40⤵
- Executes dropped EXE
PID:4556 -
\??\c:\vjdvv.exec:\vjdvv.exe41⤵
- Executes dropped EXE
PID:4372 -
\??\c:\xxlxrrr.exec:\xxlxrrr.exe42⤵
- Executes dropped EXE
PID:3540 -
\??\c:\5nhbbb.exec:\5nhbbb.exe43⤵
- Executes dropped EXE
PID:64 -
\??\c:\7hbnbb.exec:\7hbnbb.exe44⤵
- Executes dropped EXE
PID:1328 -
\??\c:\ppdpp.exec:\ppdpp.exe45⤵
- Executes dropped EXE
PID:4708 -
\??\c:\xrffffr.exec:\xrffffr.exe46⤵
- Executes dropped EXE
PID:3728 -
\??\c:\tnnhtn.exec:\tnnhtn.exe47⤵
- Executes dropped EXE
PID:3716 -
\??\c:\jjpjj.exec:\jjpjj.exe48⤵
- Executes dropped EXE
PID:2312 -
\??\c:\fllxrrl.exec:\fllxrrl.exe49⤵
- Executes dropped EXE
PID:4880 -
\??\c:\3nnhhn.exec:\3nnhhn.exe50⤵
- Executes dropped EXE
PID:2972 -
\??\c:\dvpjd.exec:\dvpjd.exe51⤵
- Executes dropped EXE
PID:2680 -
\??\c:\jdpdv.exec:\jdpdv.exe52⤵
- Executes dropped EXE
PID:3016 -
\??\c:\7xxxrxr.exec:\7xxxrxr.exe53⤵
- Executes dropped EXE
PID:1020 -
\??\c:\ttbtnh.exec:\ttbtnh.exe54⤵
- Executes dropped EXE
PID:4100 -
\??\c:\tbnhbn.exec:\tbnhbn.exe55⤵
- Executes dropped EXE
PID:2280 -
\??\c:\pddvp.exec:\pddvp.exe56⤵
- Executes dropped EXE
PID:1636 -
\??\c:\7xfffll.exec:\7xfffll.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1884 -
\??\c:\bthbbt.exec:\bthbbt.exe58⤵
- Executes dropped EXE
PID:1588 -
\??\c:\nbtntn.exec:\nbtntn.exe59⤵
- Executes dropped EXE
PID:4544 -
\??\c:\dddvp.exec:\dddvp.exe60⤵
- Executes dropped EXE
PID:4792 -
\??\c:\lxfxxrr.exec:\lxfxxrr.exe61⤵
- Executes dropped EXE
PID:4756 -
\??\c:\tbbnnn.exec:\tbbnnn.exe62⤵
- Executes dropped EXE
PID:4560 -
\??\c:\nbthbt.exec:\nbthbt.exe63⤵
- Executes dropped EXE
PID:3696 -
\??\c:\vppjv.exec:\vppjv.exe64⤵
- Executes dropped EXE
PID:2164 -
\??\c:\rfrlflf.exec:\rfrlflf.exe65⤵
- Executes dropped EXE
PID:3452 -
\??\c:\ntbbhh.exec:\ntbbhh.exe66⤵PID:3840
-
\??\c:\ppvvp.exec:\ppvvp.exe67⤵PID:1532
-
\??\c:\jdjdv.exec:\jdjdv.exe68⤵PID:3556
-
\??\c:\lxfrffx.exec:\lxfrffx.exe69⤵PID:2788
-
\??\c:\3bhbhh.exec:\3bhbhh.exe70⤵PID:3500
-
\??\c:\vdjdv.exec:\vdjdv.exe71⤵PID:4616
-
\??\c:\xxfxrrl.exec:\xxfxrrl.exe72⤵PID:3800
-
\??\c:\rfrllll.exec:\rfrllll.exe73⤵PID:4512
-
\??\c:\tnnhbn.exec:\tnnhbn.exe74⤵PID:4908
-
\??\c:\ddvpd.exec:\ddvpd.exe75⤵PID:4228
-
\??\c:\xxlfxxx.exec:\xxlfxxx.exe76⤵PID:3356
-
\??\c:\rrlxxrf.exec:\rrlxxrf.exe77⤵PID:2376
-
\??\c:\3nnhhh.exec:\3nnhhh.exe78⤵PID:2560
-
\??\c:\vpjjd.exec:\vpjjd.exe79⤵PID:3360
-
\??\c:\fxfxxrl.exec:\fxfxxrl.exe80⤵PID:3404
-
\??\c:\nhttnn.exec:\nhttnn.exe81⤵PID:1860
-
\??\c:\nnnnbb.exec:\nnnnbb.exe82⤵PID:416
-
\??\c:\jdjdp.exec:\jdjdp.exe83⤵PID:732
-
\??\c:\lfllfff.exec:\lfllfff.exe84⤵PID:2688
-
\??\c:\bhbnhh.exec:\bhbnhh.exe85⤵PID:680
-
\??\c:\nhttbb.exec:\nhttbb.exe86⤵PID:3260
-
\??\c:\jpvpd.exec:\jpvpd.exe87⤵PID:2820
-
\??\c:\llxrxrl.exec:\llxrxrl.exe88⤵PID:4080
-
\??\c:\thhhtn.exec:\thhhtn.exe89⤵PID:3700
-
\??\c:\ntbttt.exec:\ntbttt.exe90⤵PID:4116
-
\??\c:\jjpjd.exec:\jjpjd.exe91⤵PID:4808
-
\??\c:\fxfrlll.exec:\fxfrlll.exe92⤵PID:3584
-
\??\c:\llrlfff.exec:\llrlfff.exe93⤵PID:2684
-
\??\c:\hnbbnt.exec:\hnbbnt.exe94⤵PID:512
-
\??\c:\vvjdv.exec:\vvjdv.exe95⤵PID:3536
-
\??\c:\frrlfxr.exec:\frrlfxr.exe96⤵PID:4324
-
\??\c:\tnnnnb.exec:\tnnnnb.exe97⤵PID:2120
-
\??\c:\pdjjd.exec:\pdjjd.exe98⤵PID:4076
-
\??\c:\lffrrlr.exec:\lffrrlr.exe99⤵PID:1120
-
\??\c:\tnnhtt.exec:\tnnhtt.exe100⤵PID:1980
-
\??\c:\3btbnt.exec:\3btbnt.exe101⤵PID:4364
-
\??\c:\pjppv.exec:\pjppv.exe102⤵PID:4356
-
\??\c:\xxrlxlf.exec:\xxrlxlf.exe103⤵PID:4372
-
\??\c:\bhbbhb.exec:\bhbbhb.exe104⤵PID:3540
-
\??\c:\bhnnbb.exec:\bhnnbb.exe105⤵PID:2240
-
\??\c:\djpdv.exec:\djpdv.exe106⤵PID:1688
-
\??\c:\xxxlffx.exec:\xxxlffx.exe107⤵PID:3416
-
\??\c:\tnnhtn.exec:\tnnhtn.exe108⤵PID:1652
-
\??\c:\5hbnhb.exec:\5hbnhb.exe109⤵PID:4124
-
\??\c:\llrlxrl.exec:\llrlxrl.exe110⤵PID:3900
-
\??\c:\nbthtn.exec:\nbthtn.exe111⤵PID:4068
-
\??\c:\9vpdv.exec:\9vpdv.exe112⤵PID:4924
-
\??\c:\dvvpp.exec:\dvvpp.exe113⤵PID:768
-
\??\c:\lrfrfxr.exec:\lrfrfxr.exe114⤵PID:1740
-
\??\c:\thhbnh.exec:\thhbnh.exe115⤵PID:100
-
\??\c:\vppdp.exec:\vppdp.exe116⤵PID:4132
-
\??\c:\lrxxrxr.exec:\lrxxrxr.exe117⤵PID:4844
-
\??\c:\xlrrlfx.exec:\xlrrlfx.exe118⤵PID:2244
-
\??\c:\hbhbtt.exec:\hbhbtt.exe119⤵PID:2488
-
\??\c:\dvdvp.exec:\dvdvp.exe120⤵PID:2108
-
\??\c:\xrxlxxf.exec:\xrxlxxf.exe121⤵PID:528
-
\??\c:\btbhbn.exec:\btbhbn.exe122⤵PID:216