Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
28/03/2025, 21:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe
Resource
win7-20250207-en
7 signatures
150 seconds
General
-
Target
596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe
-
Size
457KB
-
MD5
b0968197740f76cede5c6516cfc99850
-
SHA1
f3b18d0f66cea268bf4322f4b64db1ff5f219723
-
SHA256
596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e
-
SHA512
aa1882d7a9caf7c4e257e491dfe86c928748b43cbc3ede271273a212ddd318ef26db728d59e8b72987f343c19ff82c6f43e583e2178e16ea69760523ebf1f976
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3584-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5824-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6128-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5384-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5560-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5144-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5588-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6140-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5096-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5376-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6012-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5760-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5664-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5416-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5532-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4168-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5296-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5548-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5636-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5132-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5480-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-839-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-1265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-1308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-1757-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3320-1860-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5824 ppjdv.exe 4072 ppdpj.exe 4332 pjpvp.exe 4272 fxxrllf.exe 5296 1hbnhb.exe 3008 nttnbt.exe 756 vvvjd.exe 3764 xrrlfxf.exe 3292 7bttnn.exe 3324 5dvpd.exe 1936 xffxfxx.exe 3524 xxrfxrf.exe 5316 1hbtbb.exe 4580 ddpjv.exe 4712 rrfxllf.exe 4772 pdvpj.exe 1276 xxrfrrf.exe 2464 thhbtn.exe 2792 btthbt.exe 2772 vjjdv.exe 4884 xfrllxr.exe 4980 3pdvp.exe 5028 nnhbnn.exe 4168 5vvjd.exe 1040 xrfxlfx.exe 4056 bbbnnh.exe 5532 dvpjv.exe 2080 lffrfxl.exe 5664 btttbb.exe 5416 dvpjv.exe 3752 xrlllff.exe 920 hbthbb.exe 620 7pvpj.exe 1300 rfxrlfx.exe 2408 thtnhb.exe 1600 pjpdv.exe 1540 xxlfxfx.exe 4020 1lxxfxx.exe 2436 nnthbt.exe 5688 3jjdp.exe 2996 9rfxrlf.exe 4172 nntnhh.exe 5156 9bnhbh.exe 2908 pdvpd.exe 6128 frlfxrl.exe 5760 9bbthb.exe 3952 hbthbt.exe 5384 dvvvp.exe 2520 7rfrllx.exe 5560 1xfrxrr.exe 4568 nbnbnh.exe 724 vvjdv.exe 2516 vjpjv.exe 3312 llxrffx.exe 1036 bttthn.exe 3444 nttntt.exe 2548 xxrxxrl.exe 1836 hnnbnh.exe 5144 btnhtn.exe 3052 dvvpj.exe 3244 ppjpj.exe 4252 llrrlll.exe 1108 hbbbtt.exe 3492 bbthtn.exe -
resource yara_rule behavioral2/memory/3584-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5824-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5664-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6128-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5384-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5560-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5144-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5588-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/6140-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5376-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6012-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5760-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5664-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5416-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5532-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4168-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5296-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5548-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-739-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
9ffxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ttntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3584 wrote to memory of 5824 3584 596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe 85 PID 3584 wrote to memory of 5824 3584 596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe 85 PID 3584 wrote to memory of 5824 3584 596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe 85 PID 5824 wrote to memory of 4072 5824 ppjdv.exe 86 PID 5824 wrote to memory of 4072 5824 ppjdv.exe 86 PID 5824 wrote to memory of 4072 5824 ppjdv.exe 86 PID 4072 wrote to memory of 4332 4072 ppdpj.exe 87 PID 4072 wrote to memory of 4332 4072 ppdpj.exe 87 PID 4072 wrote to memory of 4332 4072 ppdpj.exe 87 PID 4332 wrote to memory of 4272 4332 pjpvp.exe 88 PID 4332 wrote to memory of 4272 4332 pjpvp.exe 88 PID 4332 wrote to memory of 4272 4332 pjpvp.exe 88 PID 4272 wrote to memory of 5296 4272 fxxrllf.exe 89 PID 4272 wrote to memory of 5296 4272 fxxrllf.exe 89 PID 4272 wrote to memory of 5296 4272 fxxrllf.exe 89 PID 5296 wrote to memory of 3008 5296 1hbnhb.exe 90 PID 5296 wrote to memory of 3008 5296 1hbnhb.exe 90 PID 5296 wrote to memory of 3008 5296 1hbnhb.exe 90 PID 3008 wrote to memory of 756 3008 nttnbt.exe 91 PID 3008 wrote to memory of 756 3008 nttnbt.exe 91 PID 3008 wrote to memory of 756 3008 nttnbt.exe 91 PID 756 wrote to memory of 3764 756 vvvjd.exe 92 PID 756 wrote to memory of 3764 756 vvvjd.exe 92 PID 756 wrote to memory of 3764 756 vvvjd.exe 92 PID 3764 wrote to memory of 3292 3764 xrrlfxf.exe 93 PID 3764 wrote to memory of 3292 3764 xrrlfxf.exe 93 PID 3764 wrote to memory of 3292 3764 xrrlfxf.exe 93 PID 3292 wrote to memory of 3324 3292 7bttnn.exe 95 PID 3292 wrote to memory of 3324 3292 7bttnn.exe 95 PID 3292 wrote to memory of 3324 3292 7bttnn.exe 95 PID 3324 wrote to memory of 1936 3324 5dvpd.exe 96 PID 3324 wrote to memory of 1936 3324 5dvpd.exe 96 PID 3324 wrote to memory of 1936 3324 5dvpd.exe 96 PID 1936 wrote to memory of 3524 1936 xffxfxx.exe 97 PID 1936 wrote to memory of 3524 
1936 xffxfxx.exe 97 PID 1936 wrote to memory of 3524 1936 xffxfxx.exe 97 PID 3524 wrote to memory of 5316 3524 xxrfxrf.exe 98 PID 3524 wrote to memory of 5316 3524 xxrfxrf.exe 98 PID 3524 wrote to memory of 5316 3524 xxrfxrf.exe 98 PID 5316 wrote to memory of 4580 5316 1hbtbb.exe 99 PID 5316 wrote to memory of 4580 5316 1hbtbb.exe 99 PID 5316 wrote to memory of 4580 5316 1hbtbb.exe 99 PID 4580 wrote to memory of 4712 4580 ddpjv.exe 101 PID 4580 wrote to memory of 4712 4580 ddpjv.exe 101 PID 4580 wrote to memory of 4712 4580 ddpjv.exe 101 PID 4712 wrote to memory of 4772 4712 rrfxllf.exe 102 PID 4712 wrote to memory of 4772 4712 rrfxllf.exe 102 PID 4712 wrote to memory of 4772 4712 rrfxllf.exe 102 PID 4772 wrote to memory of 1276 4772 pdvpj.exe 103 PID 4772 wrote to memory of 1276 4772 pdvpj.exe 103 PID 4772 wrote to memory of 1276 4772 pdvpj.exe 103 PID 1276 wrote to memory of 2464 1276 xxrfrrf.exe 104 PID 1276 wrote to memory of 2464 1276 xxrfrrf.exe 104 PID 1276 wrote to memory of 2464 1276 xxrfrrf.exe 104 PID 2464 wrote to memory of 2792 2464 thhbtn.exe 106 PID 2464 wrote to memory of 2792 2464 thhbtn.exe 106 PID 2464 wrote to memory of 2792 2464 thhbtn.exe 106 PID 2792 wrote to memory of 2772 2792 btthbt.exe 107 PID 2792 wrote to memory of 2772 2792 btthbt.exe 107 PID 2792 wrote to memory of 2772 2792 btthbt.exe 107 PID 2772 wrote to memory of 4884 2772 vjjdv.exe 108 PID 2772 wrote to memory of 4884 2772 vjjdv.exe 108 PID 2772 wrote to memory of 4884 2772 vjjdv.exe 108 PID 4884 wrote to memory of 4980 4884 xfrllxr.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe"C:\Users\Admin\AppData\Local\Temp\596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\ppjdv.exec:\ppjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5824 -
\??\c:\ppdpj.exec:\ppdpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\pjpvp.exec:\pjpvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\fxxrllf.exec:\fxxrllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\1hbnhb.exec:\1hbnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5296 -
\??\c:\nttnbt.exec:\nttnbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\vvvjd.exec:\vvvjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\xrrlfxf.exec:\xrrlfxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\7bttnn.exec:\7bttnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\5dvpd.exec:\5dvpd.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\xffxfxx.exec:\xffxfxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\xxrfxrf.exec:\xxrfxrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\1hbtbb.exec:\1hbtbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5316 -
\??\c:\ddpjv.exec:\ddpjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\rrfxllf.exec:\rrfxllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\pdvpj.exec:\pdvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\xxrfrrf.exec:\xxrfrrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\thhbtn.exec:\thhbtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\btthbt.exec:\btthbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\vjjdv.exec:\vjjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\xfrllxr.exec:\xfrllxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\3pdvp.exec:\3pdvp.exe23⤵
- Executes dropped EXE
PID:4980 -
\??\c:\nnhbnn.exec:\nnhbnn.exe24⤵
- Executes dropped EXE
PID:5028 -
\??\c:\5vvjd.exec:\5vvjd.exe25⤵
- Executes dropped EXE
PID:4168 -
\??\c:\xrfxlfx.exec:\xrfxlfx.exe26⤵
- Executes dropped EXE
PID:1040 -
\??\c:\bbbnnh.exec:\bbbnnh.exe27⤵
- Executes dropped EXE
PID:4056 -
\??\c:\dvpjv.exec:\dvpjv.exe28⤵
- Executes dropped EXE
PID:5532 -
\??\c:\lffrfxl.exec:\lffrfxl.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2080 -
\??\c:\btttbb.exec:\btttbb.exe30⤵
- Executes dropped EXE
PID:5664 -
\??\c:\dvpjv.exec:\dvpjv.exe31⤵
- Executes dropped EXE
PID:5416 -
\??\c:\xrlllff.exec:\xrlllff.exe32⤵
- Executes dropped EXE
PID:3752 -
\??\c:\hbthbb.exec:\hbthbb.exe33⤵
- Executes dropped EXE
PID:920 -
\??\c:\7pvpj.exec:\7pvpj.exe34⤵
- Executes dropped EXE
PID:620 -
\??\c:\rfxrlfx.exec:\rfxrlfx.exe35⤵
- Executes dropped EXE
PID:1300 -
\??\c:\thtnhb.exec:\thtnhb.exe36⤵
- Executes dropped EXE
PID:2408 -
\??\c:\pjpdv.exec:\pjpdv.exe37⤵
- Executes dropped EXE
PID:1600 -
\??\c:\xxlfxfx.exec:\xxlfxfx.exe38⤵
- Executes dropped EXE
PID:1540 -
\??\c:\1lxxfxx.exec:\1lxxfxx.exe39⤵
- Executes dropped EXE
PID:4020 -
\??\c:\nnthbt.exec:\nnthbt.exe40⤵
- Executes dropped EXE
PID:2436 -
\??\c:\3jjdp.exec:\3jjdp.exe41⤵
- Executes dropped EXE
PID:5688 -
\??\c:\9rfxrlf.exec:\9rfxrlf.exe42⤵
- Executes dropped EXE
PID:2996 -
\??\c:\nntnhh.exec:\nntnhh.exe43⤵
- Executes dropped EXE
PID:4172 -
\??\c:\9bnhbh.exec:\9bnhbh.exe44⤵
- Executes dropped EXE
PID:5156 -
\??\c:\pdvpd.exec:\pdvpd.exe45⤵
- Executes dropped EXE
PID:2908 -
\??\c:\frlfxrl.exec:\frlfxrl.exe46⤵
- Executes dropped EXE
PID:6128 -
\??\c:\9bbthb.exec:\9bbthb.exe47⤵
- Executes dropped EXE
PID:5760 -
\??\c:\hbthbt.exec:\hbthbt.exe48⤵
- Executes dropped EXE
PID:3952 -
\??\c:\dvvvp.exec:\dvvvp.exe49⤵
- Executes dropped EXE
PID:5384 -
\??\c:\7rfrllx.exec:\7rfrllx.exe50⤵
- Executes dropped EXE
PID:2520 -
\??\c:\1xfrxrr.exec:\1xfrxrr.exe51⤵
- Executes dropped EXE
PID:5560 -
\??\c:\nbnbnh.exec:\nbnbnh.exe52⤵
- Executes dropped EXE
PID:4568 -
\??\c:\vvjdv.exec:\vvjdv.exe53⤵
- Executes dropped EXE
PID:724 -
\??\c:\vjpjv.exec:\vjpjv.exe54⤵
- Executes dropped EXE
PID:2516 -
\??\c:\llxrffx.exec:\llxrffx.exe55⤵
- Executes dropped EXE
PID:3312 -
\??\c:\bttthn.exec:\bttthn.exe56⤵
- Executes dropped EXE
PID:1036 -
\??\c:\nttntt.exec:\nttntt.exe57⤵
- Executes dropped EXE
PID:3444 -
\??\c:\xxrxxrl.exec:\xxrxxrl.exe58⤵
- Executes dropped EXE
PID:2548 -
\??\c:\hnnbnh.exec:\hnnbnh.exe59⤵
- Executes dropped EXE
PID:1836 -
\??\c:\btnhtn.exec:\btnhtn.exe60⤵
- Executes dropped EXE
PID:5144 -
\??\c:\dvvpj.exec:\dvvpj.exe61⤵
- Executes dropped EXE
PID:3052 -
\??\c:\ppjpj.exec:\ppjpj.exe62⤵
- Executes dropped EXE
PID:3244 -
\??\c:\llrrlll.exec:\llrrlll.exe63⤵
- Executes dropped EXE
PID:4252 -
\??\c:\hbbbtt.exec:\hbbbtt.exe64⤵
- Executes dropped EXE
PID:1108 -
\??\c:\bbthtn.exec:\bbthtn.exe65⤵
- Executes dropped EXE
PID:3492 -
\??\c:\ppjdp.exec:\ppjdp.exe66⤵PID:1516
-
\??\c:\7jjdp.exec:\7jjdp.exe67⤵PID:4440
-
\??\c:\rrrrffr.exec:\rrrrffr.exe68⤵PID:4348
-
\??\c:\llfffll.exec:\llfffll.exe69⤵PID:5588
-
\??\c:\bbbnnh.exec:\bbbnnh.exe70⤵PID:3468
-
\??\c:\pdpjd.exec:\pdpjd.exe71⤵PID:208
-
\??\c:\ddjvj.exec:\ddjvj.exe72⤵PID:4332
-
\??\c:\rllffff.exec:\rllffff.exe73⤵PID:4352
-
\??\c:\bbbttn.exec:\bbbttn.exe74⤵PID:3084
-
\??\c:\3hhthb.exec:\3hhthb.exe75⤵PID:1016
-
\??\c:\jjpvj.exec:\jjpvj.exe76⤵PID:5708
-
\??\c:\7rrlflx.exec:\7rrlflx.exe77⤵PID:3788
-
\??\c:\rrrrrrx.exec:\rrrrrrx.exe78⤵PID:3800
-
\??\c:\9ttnhh.exec:\9ttnhh.exe79⤵PID:1404
-
\??\c:\3ppjd.exec:\3ppjd.exe80⤵PID:3852
-
\??\c:\jpjdv.exec:\jpjdv.exe81⤵PID:4396
-
\??\c:\llffxxr.exec:\llffxxr.exe82⤵PID:2484
-
\??\c:\3rlxlfx.exec:\3rlxlfx.exe83⤵PID:4584
-
\??\c:\tbbtnn.exec:\tbbtnn.exe84⤵PID:5172
-
\??\c:\bbhhnn.exec:\bbhhnn.exe85⤵PID:4744
-
\??\c:\1jdpd.exec:\1jdpd.exe86⤵PID:4796
-
\??\c:\llfrlff.exec:\llfrlff.exe87⤵PID:3968
-
\??\c:\lrrrfxx.exec:\lrrrfxx.exe88⤵PID:4724
-
\??\c:\hnhhhh.exec:\hnhhhh.exe89⤵PID:6140
-
\??\c:\7pjdv.exec:\7pjdv.exe90⤵
- System Location Discovery: System Language Discovery
PID:1276 -
\??\c:\jjjjj.exec:\jjjjj.exe91⤵PID:6012
-
\??\c:\lxrfrlx.exec:\lxrfrlx.exe92⤵PID:508
-
\??\c:\xrrllff.exec:\xrrllff.exe93⤵PID:5896
-
\??\c:\nnnbbb.exec:\nnnbbb.exe94⤵PID:4868
-
\??\c:\pvvvd.exec:\pvvvd.exe95⤵PID:4928
-
\??\c:\5vjpp.exec:\5vjpp.exe96⤵PID:2932
-
\??\c:\lrllxrf.exec:\lrllxrf.exe97⤵PID:552
-
\??\c:\9lfxllx.exec:\9lfxllx.exe98⤵PID:5096
-
\??\c:\bnhnhn.exec:\bnhnhn.exe99⤵PID:1264
-
\??\c:\vvvpp.exec:\vvvpp.exe100⤵PID:4848
-
\??\c:\jdpvv.exec:\jdpvv.exe101⤵PID:2700
-
\??\c:\xrrlrlf.exec:\xrrlrlf.exe102⤵PID:4044
-
\??\c:\rffrfxl.exec:\rffrfxl.exe103⤵PID:396
-
\??\c:\7tbtnb.exec:\7tbtnb.exe104⤵PID:4124
-
\??\c:\tbnbnh.exec:\tbnbnh.exe105⤵PID:812
-
\??\c:\vddvp.exec:\vddvp.exe106⤵PID:2860
-
\??\c:\ffrffll.exec:\ffrffll.exe107⤵PID:628
-
\??\c:\hhnhtb.exec:\hhnhtb.exe108⤵PID:876
-
\??\c:\dvpjd.exec:\dvpjd.exe109⤵PID:848
-
\??\c:\7dvpp.exec:\7dvpp.exe110⤵PID:1148
-
\??\c:\rxxrllf.exec:\rxxrllf.exe111⤵PID:424
-
\??\c:\hnbtnn.exec:\hnbtnn.exe112⤵PID:3756
-
\??\c:\3bhhbh.exec:\3bhhbh.exe113⤵PID:1244
-
\??\c:\3dvpj.exec:\3dvpj.exe114⤵PID:1076
-
\??\c:\lllffxf.exec:\lllffxf.exe115⤵PID:3068
-
\??\c:\lfxlfxr.exec:\lfxlfxr.exe116⤵PID:4012
-
\??\c:\ttnnhh.exec:\ttnnhh.exe117⤵PID:1612
-
\??\c:\7jpjd.exec:\7jpjd.exe118⤵PID:4436
-
\??\c:\lrrllxx.exec:\lrrllxx.exe119⤵PID:3592
-
\??\c:\7bhbnn.exec:\7bhbnn.exe120⤵PID:3908
-
\??\c:\nnhnnt.exec:\nnhnnt.exe121⤵PID:2320
-
\??\c:\7dvvp.exec:\7dvvp.exe122⤵PID:4188