Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
27/02/2025, 02:54
Behavioral task
behavioral1
Sample
9e20ec5c0fca15d87bf1ab7ac0d25ca9d447decf9f5335c38fca3c4ee6487cfa.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
9e20ec5c0fca15d87bf1ab7ac0d25ca9d447decf9f5335c38fca3c4ee6487cfa.exe
-
Size
91KB
-
MD5
e998f8d5decef98e24c038c41b59f7e8
-
SHA1
4a0e85ee2e1fd5dfdd74a3273f5a6a8a8a278697
-
SHA256
9e20ec5c0fca15d87bf1ab7ac0d25ca9d447decf9f5335c38fca3c4ee6487cfa
-
SHA512
1eaf4a160a7ef1b63f3866debb905861a46332a5770b451038414f08d5e3ca9608eedf5ce53272c56ea2b952e582b47d3a73bcd41e398c171dea91eb98cd2115
-
SSDEEP
1536:8vQBeOGtrYS3srx93UBWfwC6Ggnouy80fg3Cip8iXAsG5M0u5fVBY:8hOmTsF93UYfwC6GIout0fmCiiiXA6Ng
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2812-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1084-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2144-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4224-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3296-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3540-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5308-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5164-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2176-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/508-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5372-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5292-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2868-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3668-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5516-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4616-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3172-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5540-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/6136-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5960-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5588-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2100-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4500-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4668-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2148-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5468-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5640-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2656-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4584-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5600-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1632-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1240-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4624-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2292-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1848-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3956-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2032-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3716-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2224-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4812-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3996-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5084-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4612-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1320-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/900-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4656-497-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5704-502-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-531-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2384-534-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2784-595-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5288-604-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1084 ffxxfff.exe 2144 fffxxff.exe 4224 nnnnnn.exe 3296 btttnn.exe 5308 jdjvp.exe 3540 dvdpp.exe 5164 rllflrr.exe 5448 jpvdp.exe 2176 dvjjd.exe 508 fflllrr.exe 5800 1xxxxxx.exe 2544 nhtbbh.exe 3900 ddjpp.exe 2212 jddvd.exe 5372 lxflrrf.exe 5292 nnhnnh.exe 2964 nthhbb.exe 2868 vdvdv.exe 3668 xxrlxxl.exe 2040 nhttnt.exe 4120 hntnbt.exe 5016 dvjdv.exe 3636 pppjv.exe 5516 xffffff.exe 4616 btnhbt.exe 1468 dvpjp.exe 3172 vdppj.exe 5540 lxxrlfx.exe 6136 nbhtbn.exe 5960 pjvpd.exe 5588 fffffxx.exe 536 bnbbtb.exe 2100 1vjjd.exe 4500 rrlllrf.exe 1408 lffxfxx.exe 4084 nbbbbb.exe 5572 bnbtbb.exe 4668 djdpd.exe 2148 frxlfxr.exe 5468 lxxrlff.exe 5640 hbbbnn.exe 2656 vpvjd.exe 544 vjvjv.exe 2568 xrfrrlr.exe 4584 frrrllf.exe 5600 bbthtt.exe 1632 nhhbnn.exe 220 pdddp.exe 640 rllfrrf.exe 5020 llfxfff.exe 4908 nnhhnt.exe 1948 btbbbb.exe 5484 pdvvp.exe 4592 vddvj.exe 1156 1lrlrlr.exe 1240 9lrflrl.exe 5392 nhnnnn.exe 532 btnhtn.exe 5500 dppjd.exe 4624 lffrllx.exe 1968 xfrffff.exe 3344 bnttnh.exe 3428 bttnhh.exe 2292 vjvpv.exe -
resource yara_rule behavioral2/memory/2812-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x001400000001ed5e-3.dat upx behavioral2/memory/2812-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1084-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2144-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bd4-11.dat upx behavioral2/memory/4224-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bd5-18.dat upx behavioral2/files/0x000d000000023bce-10.dat upx behavioral2/files/0x000b000000023bd6-24.dat upx behavioral2/memory/5308-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3296-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bd7-29.dat upx behavioral2/memory/3540-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5308-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bda-35.dat upx behavioral2/files/0x000b000000023bdb-39.dat upx behavioral2/memory/5164-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023be0-44.dat upx behavioral2/files/0x000e000000023be6-48.dat upx behavioral2/memory/2176-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023be7-53.dat upx behavioral2/memory/508-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023be8-58.dat upx behavioral2/files/0x0010000000023bed-62.dat upx behavioral2/memory/2544-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3900-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bf0-67.dat upx behavioral2/files/0x000b000000023bf2-72.dat upx behavioral2/files/0x000b000000023bf8-76.dat upx behavioral2/memory/5372-77-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000b000000023bf9-81.dat upx behavioral2/memory/2964-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5292-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023c2d-87.dat upx behavioral2/memory/2964-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d1e-92.dat upx behavioral2/memory/2868-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d1f-98.dat upx behavioral2/memory/3668-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2040-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d20-103.dat upx behavioral2/files/0x0007000000023d21-107.dat upx behavioral2/files/0x0007000000023d22-112.dat upx behavioral2/memory/5016-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bcf-116.dat upx behavioral2/memory/3636-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d23-121.dat upx behavioral2/memory/5516-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4616-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d24-126.dat upx behavioral2/files/0x0007000000023d25-132.dat upx behavioral2/memory/1468-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3172-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d26-137.dat upx behavioral2/files/0x0007000000023d2b-142.dat upx behavioral2/files/0x0007000000023d2c-146.dat upx behavioral2/memory/5540-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/6136-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5960-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d30-152.dat upx 
behavioral2/memory/5588-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d31-157.dat upx behavioral2/memory/2100-165-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7httnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2812 wrote to memory of 1084 2812 9e20ec5c0fca15d87bf1ab7ac0d25ca9d447decf9f5335c38fca3c4ee6487cfa.exe 85 PID 2812 wrote to memory of 1084 2812 9e20ec5c0fca15d87bf1ab7ac0d25ca9d447decf9f5335c38fca3c4ee6487cfa.exe 85 PID 2812 wrote to memory of 1084 2812 9e20ec5c0fca15d87bf1ab7ac0d25ca9d447decf9f5335c38fca3c4ee6487cfa.exe 85 PID 1084 wrote to memory of 2144 1084 ffxxfff.exe 86 PID 1084 wrote to memory of 2144 1084 ffxxfff.exe 86 PID 1084 wrote to memory of 2144 1084 ffxxfff.exe 86 PID 2144 wrote to memory of 4224 2144 fffxxff.exe 87 PID 2144 wrote to memory of 4224 2144 fffxxff.exe 87 PID 2144 wrote to memory of 4224 2144 fffxxff.exe 87 PID 4224 wrote to memory of 3296 4224 nnnnnn.exe 88 PID 4224 wrote to memory of 3296 4224 nnnnnn.exe 88 PID 4224 wrote to memory of 3296 4224 nnnnnn.exe 88 PID 3296 wrote to memory of 5308 3296 btttnn.exe 89 PID 3296 wrote to memory of 5308 3296 btttnn.exe 89 PID 3296 wrote to memory of 5308 3296 btttnn.exe 89 PID 5308 wrote to memory of 3540 5308 jdjvp.exe 90 PID 5308 wrote to memory of 3540 5308 jdjvp.exe 90 PID 5308 wrote to memory of 3540 5308 jdjvp.exe 90 PID 3540 wrote to memory of 5164 3540 dvdpp.exe 91 PID 3540 wrote to memory of 5164 3540 dvdpp.exe 91 PID 3540 wrote to memory of 5164 3540 dvdpp.exe 91 PID 5164 wrote to memory of 5448 5164 rllflrr.exe 92 PID 5164 wrote to memory of 5448 5164 rllflrr.exe 92 PID 5164 wrote to memory of 5448 5164 rllflrr.exe 92 PID 5448 wrote to memory of 2176 5448 jpvdp.exe 93 PID 5448 wrote to memory of 2176 5448 jpvdp.exe 93 PID 5448 wrote to memory of 2176 5448 jpvdp.exe 93 PID 2176 wrote to memory of 508 2176 dvjjd.exe 94 PID 2176 wrote to memory of 508 2176 dvjjd.exe 94 PID 2176 wrote to memory of 508 2176 dvjjd.exe 94 PID 508 wrote to memory of 5800 508 fflllrr.exe 95 PID 508 wrote to memory of 5800 508 fflllrr.exe 95 PID 508 wrote to memory of 5800 508 fflllrr.exe 95 PID 5800 wrote to memory of 2544 5800 1xxxxxx.exe 96 PID 5800 wrote to memory of 
2544 5800 1xxxxxx.exe 96 PID 5800 wrote to memory of 2544 5800 1xxxxxx.exe 96 PID 2544 wrote to memory of 3900 2544 nhtbbh.exe 97 PID 2544 wrote to memory of 3900 2544 nhtbbh.exe 97 PID 2544 wrote to memory of 3900 2544 nhtbbh.exe 97 PID 3900 wrote to memory of 2212 3900 ddjpp.exe 98 PID 3900 wrote to memory of 2212 3900 ddjpp.exe 98 PID 3900 wrote to memory of 2212 3900 ddjpp.exe 98 PID 2212 wrote to memory of 5372 2212 jddvd.exe 100 PID 2212 wrote to memory of 5372 2212 jddvd.exe 100 PID 2212 wrote to memory of 5372 2212 jddvd.exe 100 PID 5372 wrote to memory of 5292 5372 lxflrrf.exe 101 PID 5372 wrote to memory of 5292 5372 lxflrrf.exe 101 PID 5372 wrote to memory of 5292 5372 lxflrrf.exe 101 PID 5292 wrote to memory of 2964 5292 nnhnnh.exe 102 PID 5292 wrote to memory of 2964 5292 nnhnnh.exe 102 PID 5292 wrote to memory of 2964 5292 nnhnnh.exe 102 PID 2964 wrote to memory of 2868 2964 nthhbb.exe 103 PID 2964 wrote to memory of 2868 2964 nthhbb.exe 103 PID 2964 wrote to memory of 2868 2964 nthhbb.exe 103 PID 2868 wrote to memory of 3668 2868 vdvdv.exe 104 PID 2868 wrote to memory of 3668 2868 vdvdv.exe 104 PID 2868 wrote to memory of 3668 2868 vdvdv.exe 104 PID 3668 wrote to memory of 2040 3668 xxrlxxl.exe 105 PID 3668 wrote to memory of 2040 3668 xxrlxxl.exe 105 PID 3668 wrote to memory of 2040 3668 xxrlxxl.exe 105 PID 2040 wrote to memory of 4120 2040 nhttnt.exe 106 PID 2040 wrote to memory of 4120 2040 nhttnt.exe 106 PID 2040 wrote to memory of 4120 2040 nhttnt.exe 106 PID 4120 wrote to memory of 5016 4120 hntnbt.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e20ec5c0fca15d87bf1ab7ac0d25ca9d447decf9f5335c38fca3c4ee6487cfa.exe"C:\Users\Admin\AppData\Local\Temp\9e20ec5c0fca15d87bf1ab7ac0d25ca9d447decf9f5335c38fca3c4ee6487cfa.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\ffxxfff.exec:\ffxxfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\fffxxff.exec:\fffxxff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\nnnnnn.exec:\nnnnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\btttnn.exec:\btttnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\jdjvp.exec:\jdjvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5308 -
\??\c:\dvdpp.exec:\dvdpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\rllflrr.exec:\rllflrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5164 -
\??\c:\jpvdp.exec:\jpvdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5448 -
\??\c:\dvjjd.exec:\dvjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\fflllrr.exec:\fflllrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:508 -
\??\c:\1xxxxxx.exec:\1xxxxxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5800 -
\??\c:\nhtbbh.exec:\nhtbbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\ddjpp.exec:\ddjpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\jddvd.exec:\jddvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\lxflrrf.exec:\lxflrrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5372 -
\??\c:\nnhnnh.exec:\nnhnnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5292 -
\??\c:\nthhbb.exec:\nthhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\vdvdv.exec:\vdvdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\xxrlxxl.exec:\xxrlxxl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\nhttnt.exec:\nhttnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\hntnbt.exec:\hntnbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\dvjdv.exec:\dvjdv.exe23⤵
- Executes dropped EXE
PID:5016 -
\??\c:\pppjv.exec:\pppjv.exe24⤵
- Executes dropped EXE
PID:3636 -
\??\c:\xffffff.exec:\xffffff.exe25⤵
- Executes dropped EXE
PID:5516 -
\??\c:\btnhbt.exec:\btnhbt.exe26⤵
- Executes dropped EXE
PID:4616 -
\??\c:\dvpjp.exec:\dvpjp.exe27⤵
- Executes dropped EXE
PID:1468 -
\??\c:\vdppj.exec:\vdppj.exe28⤵
- Executes dropped EXE
PID:3172 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe29⤵
- Executes dropped EXE
PID:5540 -
\??\c:\nbhtbn.exec:\nbhtbn.exe30⤵
- Executes dropped EXE
PID:6136 -
\??\c:\pjvpd.exec:\pjvpd.exe31⤵
- Executes dropped EXE
PID:5960 -
\??\c:\fffffxx.exec:\fffffxx.exe32⤵
- Executes dropped EXE
PID:5588 -
\??\c:\bnbbtb.exec:\bnbbtb.exe33⤵
- Executes dropped EXE
PID:536 -
\??\c:\1vjjd.exec:\1vjjd.exe34⤵
- Executes dropped EXE
PID:2100 -
\??\c:\rrlllrf.exec:\rrlllrf.exe35⤵
- Executes dropped EXE
PID:4500 -
\??\c:\lffxfxx.exec:\lffxfxx.exe36⤵
- Executes dropped EXE
PID:1408 -
\??\c:\nbbbbb.exec:\nbbbbb.exe37⤵
- Executes dropped EXE
PID:4084 -
\??\c:\bnbtbb.exec:\bnbtbb.exe38⤵
- Executes dropped EXE
PID:5572 -
\??\c:\djdpd.exec:\djdpd.exe39⤵
- Executes dropped EXE
PID:4668 -
\??\c:\frxlfxr.exec:\frxlfxr.exe40⤵
- Executes dropped EXE
PID:2148 -
\??\c:\lxxrlff.exec:\lxxrlff.exe41⤵
- Executes dropped EXE
PID:5468 -
\??\c:\hbbbnn.exec:\hbbbnn.exe42⤵
- Executes dropped EXE
PID:5640 -
\??\c:\vpvjd.exec:\vpvjd.exe43⤵
- Executes dropped EXE
PID:2656 -
\??\c:\vjvjv.exec:\vjvjv.exe44⤵
- Executes dropped EXE
PID:544 -
\??\c:\xrfrrlr.exec:\xrfrrlr.exe45⤵
- Executes dropped EXE
PID:2568 -
\??\c:\frrrllf.exec:\frrrllf.exe46⤵
- Executes dropped EXE
PID:4584 -
\??\c:\bbthtt.exec:\bbthtt.exe47⤵
- Executes dropped EXE
PID:5600 -
\??\c:\nhhbnn.exec:\nhhbnn.exe48⤵
- Executes dropped EXE
PID:1632 -
\??\c:\pdddp.exec:\pdddp.exe49⤵
- Executes dropped EXE
PID:220 -
\??\c:\rllfrrf.exec:\rllfrrf.exe50⤵
- Executes dropped EXE
PID:640 -
\??\c:\llfxfff.exec:\llfxfff.exe51⤵
- Executes dropped EXE
PID:5020 -
\??\c:\nnhhnt.exec:\nnhhnt.exe52⤵
- Executes dropped EXE
PID:4908 -
\??\c:\btbbbb.exec:\btbbbb.exe53⤵
- Executes dropped EXE
PID:1948 -
\??\c:\pdvvp.exec:\pdvvp.exe54⤵
- Executes dropped EXE
PID:5484 -
\??\c:\vddvj.exec:\vddvj.exe55⤵
- Executes dropped EXE
PID:4592 -
\??\c:\1lrlrlr.exec:\1lrlrlr.exe56⤵
- Executes dropped EXE
PID:1156 -
\??\c:\9lrflrl.exec:\9lrflrl.exe57⤵
- Executes dropped EXE
PID:1240 -
\??\c:\nhnnnn.exec:\nhnnnn.exe58⤵
- Executes dropped EXE
PID:5392 -
\??\c:\btnhtn.exec:\btnhtn.exe59⤵
- Executes dropped EXE
PID:532 -
\??\c:\dppjd.exec:\dppjd.exe60⤵
- Executes dropped EXE
PID:5500 -
\??\c:\lffrllx.exec:\lffrllx.exe61⤵
- Executes dropped EXE
PID:4624 -
\??\c:\xfrffff.exec:\xfrffff.exe62⤵
- Executes dropped EXE
PID:1968 -
\??\c:\bnttnh.exec:\bnttnh.exe63⤵
- Executes dropped EXE
PID:3344 -
\??\c:\bttnhh.exec:\bttnhh.exe64⤵
- Executes dropped EXE
PID:3428 -
\??\c:\vjvpv.exec:\vjvpv.exe65⤵
- Executes dropped EXE
PID:2292 -
\??\c:\lxxrfxr.exec:\lxxrfxr.exe66⤵PID:4008
-
\??\c:\rlfrfrf.exec:\rlfrfrf.exe67⤵PID:4468
-
\??\c:\nnhbtn.exec:\nnhbtn.exe68⤵PID:1848
-
\??\c:\nhhbnn.exec:\nhhbnn.exe69⤵PID:3956
-
\??\c:\1dpjv.exec:\1dpjv.exe70⤵PID:2032
-
\??\c:\jvvpp.exec:\jvvpp.exe71⤵PID:4552
-
\??\c:\frlrffx.exec:\frlrffx.exe72⤵PID:4004
-
\??\c:\nhhbbn.exec:\nhhbbn.exe73⤵PID:4828
-
\??\c:\hntnbb.exec:\hntnbb.exe74⤵PID:2324
-
\??\c:\vpvjd.exec:\vpvjd.exe75⤵PID:3600
-
\??\c:\dpjjd.exec:\dpjjd.exe76⤵PID:3476
-
\??\c:\lfffrlf.exec:\lfffrlf.exe77⤵PID:1636
-
\??\c:\3fxrffx.exec:\3fxrffx.exe78⤵PID:4764
-
\??\c:\nhnhnn.exec:\nhnhnn.exe79⤵PID:3488
-
\??\c:\bnbtnh.exec:\bnbtnh.exe80⤵PID:4484
-
\??\c:\dvdvp.exec:\dvdvp.exe81⤵PID:4804
-
\??\c:\jdvpp.exec:\jdvpp.exe82⤵PID:3680
-
\??\c:\lflfllr.exec:\lflfllr.exe83⤵PID:4720
-
\??\c:\bthhhn.exec:\bthhhn.exe84⤵PID:1196
-
\??\c:\bhhtnh.exec:\bhhtnh.exe85⤵PID:4088
-
\??\c:\jppjd.exec:\jppjd.exe86⤵PID:4600
-
\??\c:\vjpjp.exec:\vjpjp.exe87⤵PID:4368
-
\??\c:\lrrlffx.exec:\lrrlffx.exe88⤵PID:3992
-
\??\c:\xrrllll.exec:\xrrllll.exe89⤵PID:2892
-
\??\c:\5nnnhh.exec:\5nnnhh.exe90⤵PID:3716
-
\??\c:\htnhbb.exec:\htnhbb.exe91⤵PID:5164
-
\??\c:\jpddd.exec:\jpddd.exe92⤵PID:808
-
\??\c:\9xxrrrl.exec:\9xxrrrl.exe93⤵PID:5284
-
\??\c:\xxfxffx.exec:\xxfxffx.exe94⤵PID:2944
-
\??\c:\thhttn.exec:\thhttn.exe95⤵PID:4312
-
\??\c:\ddvvv.exec:\ddvvv.exe96⤵PID:2768
-
\??\c:\vpjdv.exec:\vpjdv.exe97⤵PID:4924
-
\??\c:\9rlfrlf.exec:\9rlfrlf.exe98⤵PID:2544
-
\??\c:\1lffxxr.exec:\1lffxxr.exe99⤵PID:2832
-
\??\c:\tntbbb.exec:\tntbbb.exe100⤵PID:3900
-
\??\c:\hbhhbt.exec:\hbhhbt.exe101⤵PID:5324
-
\??\c:\vpjdv.exec:\vpjdv.exe102⤵PID:2212
-
\??\c:\jvvdj.exec:\jvvdj.exe103⤵PID:4208
-
\??\c:\xflxllf.exec:\xflxllf.exe104⤵PID:2504
-
\??\c:\frfxrxr.exec:\frfxrxr.exe105⤵PID:5292
-
\??\c:\7ttnhh.exec:\7ttnhh.exe106⤵PID:2224
-
\??\c:\nnhhbt.exec:\nnhhbt.exe107⤵PID:3800
-
\??\c:\pdpjp.exec:\pdpjp.exe108⤵PID:2868
-
\??\c:\xrfxffl.exec:\xrfxffl.exe109⤵PID:4648
-
\??\c:\lfxrrll.exec:\lfxrrll.exe110⤵PID:2040
-
\??\c:\hthhnh.exec:\hthhnh.exe111⤵PID:4812
-
\??\c:\3dpvj.exec:\3dpvj.exe112⤵PID:5820
-
\??\c:\lrlfrrf.exec:\lrlfrrf.exe113⤵PID:3996
-
\??\c:\bbtttt.exec:\bbtttt.exe114⤵PID:5084
-
\??\c:\hnnbtn.exec:\hnnbtn.exe115⤵PID:3636
-
\??\c:\ddjdd.exec:\ddjdd.exe116⤵PID:4396
-
\??\c:\jjjdj.exec:\jjjdj.exe117⤵PID:4612
-
\??\c:\5rlfrrr.exec:\5rlfrrr.exe118⤵PID:5100
-
\??\c:\fxfflll.exec:\fxfflll.exe119⤵PID:800
-
\??\c:\pdvvp.exec:\pdvvp.exe120⤵PID:5424
-
\??\c:\ppvvv.exec:\ppvvv.exe121⤵PID:5204
-
\??\c:\hthhbh.exec:\hthhbh.exe122⤵PID:3172