Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250410-en locale:en-us os:windows10-2004-x64 system -
submitted
12/04/2025, 23:56
Static task
static1
1 signatures
General
-
Target
62299871a1d50c8dd28440f85bd2ab02ee890fa26749a5d55144b4e20ada9c21.exe
-
Size
457KB
-
MD5
b6eabf1d8d029baffd1157a4b3935db2
-
SHA1
0b6804b5951c4d6075d34b8e12e081a027c5cbda
-
SHA256
62299871a1d50c8dd28440f85bd2ab02ee890fa26749a5d55144b4e20ada9c21
-
SHA512
830b4fde8333778ee69cb4bc8b03766efb4feeb5425e3851de69155ed15eace7a6d31bb6ec694d6fd0c577027026172a18084e304e974b1e102dcfc501a2a883
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1v:q7Tc2NYHUrAwfMp3CD1v
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral1/memory/2304-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4176-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5192-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5268-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4240-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/612-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3288-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4620-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4848-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5100-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1004-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4668-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4688-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4944-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4168-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5232-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5964-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3872-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5512-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4952-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2160-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4560-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1468-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4208-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3620-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5744-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5176-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/6124-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5516-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3792-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1552-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5500-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5136-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3832-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/880-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/724-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5504-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4840-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/432-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3556-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3996-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4872-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3212-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3656-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5756-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5128-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5588-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3304-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4568-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5976-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4932-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4748-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-1040-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5868-1172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4176 lllflxf.exe 5192 1djdv.exe 5268 7vjdd.exe 1664 7llfxxx.exe 4240 ffrfxrl.exe 612 xfffxrl.exe 3288 pvdvp.exe 4620 thnhtt.exe 4596 lfxrrll.exe 4848 7jvdv.exe 4824 jppdp.exe 5100 fllfrrf.exe 1004 hntnhb.exe 4668 xflfxxx.exe 4688 jjpdv.exe 4944 lflfxxr.exe 4168 vdjpp.exe 4988 ddpdd.exe 5232 xlxrlll.exe 5964 ddpjd.exe 5980 nbthtn.exe 3872 xrxrxrr.exe 5512 vdpjd.exe 4952 1fxrlfx.exe 2160 tnhbtt.exe 4140 dpdvp.exe 4660 jvjdp.exe 4560 pdvpj.exe 4072 vvpdp.exe 2828 1jdpj.exe 1468 ppvvp.exe 4208 xlxflxf.exe 1500 xxffxxx.exe 3620 xlfrxrx.exe 3984 tnnhth.exe 4424 vjjvp.exe 3324 pjdvp.exe 2188 rffxrxx.exe 4252 nnhbhb.exe 2308 ttbttt.exe 5744 dvdvp.exe 5176 rrrrfll.exe 5844 1nhhbb.exe 2724 ttbhbb.exe 6124 7jjvj.exe 2924 dvppd.exe 5516 lxlffff.exe 5128 nhbtbb.exe 3792 pjppp.exe 4400 dvdjd.exe 3140 rflfllf.exe 1552 7bnhth.exe 1924 nhhtnn.exe 5156 pdvjd.exe 2248 rffrlll.exe 5852 fxxrfxr.exe 5500 bnthnh.exe 5284 5ddpd.exe 2932 lxxlxrf.exe 4036 fffxrrl.exe 3508 ntthtb.exe 5136 dvddv.exe 1760 lxrlxrl.exe 380 bnnhtn.exe -
resource yara_rule behavioral1/memory/2304-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4176-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5192-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5192-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5268-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4240-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/612-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3288-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4620-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4848-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5100-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4668-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4688-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4944-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4168-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5232-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5964-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3872-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5512-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4952-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4560-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1468-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4208-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3620-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5744-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5176-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/6124-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5516-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3792-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5500-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5136-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3832-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/724-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5504-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4840-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/432-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-410-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3556-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4872-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3212-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3656-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5756-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5128-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5588-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3304-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4568-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5976-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4932-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4748-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-1040-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-1056-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5868-1172-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2304 wrote to memory of 4176 2304 62299871a1d50c8dd28440f85bd2ab02ee890fa26749a5d55144b4e20ada9c21.exe 85 PID 2304 wrote to memory of 4176 2304 62299871a1d50c8dd28440f85bd2ab02ee890fa26749a5d55144b4e20ada9c21.exe 85 PID 2304 wrote to memory of 4176 2304 62299871a1d50c8dd28440f85bd2ab02ee890fa26749a5d55144b4e20ada9c21.exe 85 PID 4176 wrote to memory of 5192 4176 lllflxf.exe 86 PID 4176 wrote to memory of 5192 4176 lllflxf.exe 86 PID 4176 wrote to memory of 5192 4176 lllflxf.exe 86 PID 5192 wrote to memory of 5268 5192 1djdv.exe 90 PID 5192 wrote to memory of 5268 5192 1djdv.exe 90 PID 5192 wrote to memory of 5268 5192 1djdv.exe 90 PID 5268 wrote to memory of 1664 5268 7vjdd.exe 91 PID 5268 wrote to memory of 1664 5268 7vjdd.exe 91 PID 5268 wrote to memory of 1664 5268 7vjdd.exe 91 PID 1664 wrote to memory of 4240 1664 7llfxxx.exe 92 PID 1664 wrote to memory of 4240 1664 7llfxxx.exe 92 PID 1664 wrote to memory of 4240 1664 7llfxxx.exe 92 PID 4240 wrote to memory of 612 4240 ffrfxrl.exe 93 PID 4240 wrote to memory of 612 4240 ffrfxrl.exe 93 PID 4240 wrote to memory of 612 4240 ffrfxrl.exe 93 PID 612 wrote to memory of 3288 612 xfffxrl.exe 94 PID 612 wrote to memory of 3288 612 xfffxrl.exe 94 PID 612 wrote to memory of 3288 612 xfffxrl.exe 94 PID 3288 wrote to memory of 4620 3288 pvdvp.exe 95 PID 3288 wrote to memory of 4620 3288 pvdvp.exe 95 PID 3288 wrote to memory of 4620 3288 pvdvp.exe 95 PID 4620 wrote to memory of 4596 4620 thnhtt.exe 96 PID 4620 wrote to memory of 4596 4620 thnhtt.exe 96 PID 4620 wrote to memory of 4596 4620 thnhtt.exe 96 PID 4596 wrote to memory of 4848 4596 lfxrrll.exe 97 PID 4596 wrote to memory of 4848 4596 lfxrrll.exe 97 PID 4596 wrote to memory of 4848 4596 lfxrrll.exe 97 PID 4848 wrote to memory of 4824 4848 7jvdv.exe 98 PID 4848 wrote to memory of 4824 4848 7jvdv.exe 98 PID 4848 wrote to memory of 4824 4848 7jvdv.exe 98 PID 4824 wrote to memory of 5100 4824 jppdp.exe 99 PID 4824 wrote to memory 
of 5100 4824 jppdp.exe 99 PID 4824 wrote to memory of 5100 4824 jppdp.exe 99 PID 5100 wrote to memory of 1004 5100 fllfrrf.exe 100 PID 5100 wrote to memory of 1004 5100 fllfrrf.exe 100 PID 5100 wrote to memory of 1004 5100 fllfrrf.exe 100 PID 1004 wrote to memory of 4668 1004 hntnhb.exe 101 PID 1004 wrote to memory of 4668 1004 hntnhb.exe 101 PID 1004 wrote to memory of 4668 1004 hntnhb.exe 101 PID 4668 wrote to memory of 4688 4668 xflfxxx.exe 102 PID 4668 wrote to memory of 4688 4668 xflfxxx.exe 102 PID 4668 wrote to memory of 4688 4668 xflfxxx.exe 102 PID 4688 wrote to memory of 4944 4688 jjpdv.exe 103 PID 4688 wrote to memory of 4944 4688 jjpdv.exe 103 PID 4688 wrote to memory of 4944 4688 jjpdv.exe 103 PID 4944 wrote to memory of 4168 4944 lflfxxr.exe 104 PID 4944 wrote to memory of 4168 4944 lflfxxr.exe 104 PID 4944 wrote to memory of 4168 4944 lflfxxr.exe 104 PID 4168 wrote to memory of 4988 4168 vdjpp.exe 105 PID 4168 wrote to memory of 4988 4168 vdjpp.exe 105 PID 4168 wrote to memory of 4988 4168 vdjpp.exe 105 PID 4988 wrote to memory of 5232 4988 ddpdd.exe 106 PID 4988 wrote to memory of 5232 4988 ddpdd.exe 106 PID 4988 wrote to memory of 5232 4988 ddpdd.exe 106 PID 5232 wrote to memory of 5964 5232 xlxrlll.exe 107 PID 5232 wrote to memory of 5964 5232 xlxrlll.exe 107 PID 5232 wrote to memory of 5964 5232 xlxrlll.exe 107 PID 5964 wrote to memory of 5980 5964 ddpjd.exe 108 PID 5964 wrote to memory of 5980 5964 ddpjd.exe 108 PID 5964 wrote to memory of 5980 5964 ddpjd.exe 108 PID 5980 wrote to memory of 3872 5980 nbthtn.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\62299871a1d50c8dd28440f85bd2ab02ee890fa26749a5d55144b4e20ada9c21.exe"C:\Users\Admin\AppData\Local\Temp\62299871a1d50c8dd28440f85bd2ab02ee890fa26749a5d55144b4e20ada9c21.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\lllflxf.exec:\lllflxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\1djdv.exec:\1djdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5192 -
\??\c:\7vjdd.exec:\7vjdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5268 -
\??\c:\7llfxxx.exec:\7llfxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\ffrfxrl.exec:\ffrfxrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\xfffxrl.exec:\xfffxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:612 -
\??\c:\pvdvp.exec:\pvdvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\thnhtt.exec:\thnhtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\lfxrrll.exec:\lfxrrll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\7jvdv.exec:\7jvdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\jppdp.exec:\jppdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\fllfrrf.exec:\fllfrrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\hntnhb.exec:\hntnhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\xflfxxx.exec:\xflfxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\jjpdv.exec:\jjpdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\lflfxxr.exec:\lflfxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\vdjpp.exec:\vdjpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\ddpdd.exec:\ddpdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\xlxrlll.exec:\xlxrlll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5232 -
\??\c:\ddpjd.exec:\ddpjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5964 -
\??\c:\nbthtn.exec:\nbthtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5980 -
\??\c:\xrxrxrr.exec:\xrxrxrr.exe23⤵
- Executes dropped EXE
PID:3872 -
\??\c:\vdpjd.exec:\vdpjd.exe24⤵
- Executes dropped EXE
PID:5512 -
\??\c:\1fxrlfx.exec:\1fxrlfx.exe25⤵
- Executes dropped EXE
PID:4952 -
\??\c:\tnhbtt.exec:\tnhbtt.exe26⤵
- Executes dropped EXE
PID:2160 -
\??\c:\dpdvp.exec:\dpdvp.exe27⤵
- Executes dropped EXE
PID:4140 -
\??\c:\jvjdp.exec:\jvjdp.exe28⤵
- Executes dropped EXE
PID:4660 -
\??\c:\pdvpj.exec:\pdvpj.exe29⤵
- Executes dropped EXE
PID:4560 -
\??\c:\vvpdp.exec:\vvpdp.exe30⤵
- Executes dropped EXE
PID:4072 -
\??\c:\1jdpj.exec:\1jdpj.exe31⤵
- Executes dropped EXE
PID:2828 -
\??\c:\ppvvp.exec:\ppvvp.exe32⤵
- Executes dropped EXE
PID:1468 -
\??\c:\xlxflxf.exec:\xlxflxf.exe33⤵
- Executes dropped EXE
PID:4208 -
\??\c:\xxffxxx.exec:\xxffxxx.exe34⤵
- Executes dropped EXE
PID:1500 -
\??\c:\xlfrxrx.exec:\xlfrxrx.exe35⤵
- Executes dropped EXE
PID:3620 -
\??\c:\tnnhth.exec:\tnnhth.exe36⤵
- Executes dropped EXE
PID:3984 -
\??\c:\vjjvp.exec:\vjjvp.exe37⤵
- Executes dropped EXE
PID:4424 -
\??\c:\pjdvp.exec:\pjdvp.exe38⤵
- Executes dropped EXE
PID:3324 -
\??\c:\rffxrxx.exec:\rffxrxx.exe39⤵
- Executes dropped EXE
PID:2188 -
\??\c:\nnhbhb.exec:\nnhbhb.exe40⤵
- Executes dropped EXE
PID:4252 -
\??\c:\ttbttt.exec:\ttbttt.exe41⤵
- Executes dropped EXE
PID:2308 -
\??\c:\dvdvp.exec:\dvdvp.exe42⤵
- Executes dropped EXE
PID:5744 -
\??\c:\rrrrfll.exec:\rrrrfll.exe43⤵
- Executes dropped EXE
PID:5176 -
\??\c:\1nhhbb.exec:\1nhhbb.exe44⤵
- Executes dropped EXE
PID:5844 -
\??\c:\ttbhbb.exec:\ttbhbb.exe45⤵
- Executes dropped EXE
PID:2724 -
\??\c:\7jjvj.exec:\7jjvj.exe46⤵
- Executes dropped EXE
PID:6124 -
\??\c:\dvppd.exec:\dvppd.exe47⤵
- Executes dropped EXE
PID:2924 -
\??\c:\lxlffff.exec:\lxlffff.exe48⤵
- Executes dropped EXE
PID:5516 -
\??\c:\nhbtbb.exec:\nhbtbb.exe49⤵
- Executes dropped EXE
PID:5128 -
\??\c:\pjppp.exec:\pjppp.exe50⤵
- Executes dropped EXE
PID:3792 -
\??\c:\dvdjd.exec:\dvdjd.exe51⤵
- Executes dropped EXE
PID:4400 -
\??\c:\rflfllf.exec:\rflfllf.exe52⤵
- Executes dropped EXE
PID:3140 -
\??\c:\7bnhth.exec:\7bnhth.exe53⤵
- Executes dropped EXE
PID:1552 -
\??\c:\nhhtnn.exec:\nhhtnn.exe54⤵
- Executes dropped EXE
PID:1924 -
\??\c:\pdvjd.exec:\pdvjd.exe55⤵
- Executes dropped EXE
PID:5156 -
\??\c:\rffrlll.exec:\rffrlll.exe56⤵
- Executes dropped EXE
PID:2248 -
\??\c:\fxxrfxr.exec:\fxxrfxr.exe57⤵
- Executes dropped EXE
PID:5852 -
\??\c:\bnthnh.exec:\bnthnh.exe58⤵
- Executes dropped EXE
PID:5500 -
\??\c:\5ddpd.exec:\5ddpd.exe59⤵
- Executes dropped EXE
PID:5284 -
\??\c:\lxxlxrf.exec:\lxxlxrf.exe60⤵
- Executes dropped EXE
PID:2932 -
\??\c:\fffxrrl.exec:\fffxrrl.exe61⤵
- Executes dropped EXE
PID:4036 -
\??\c:\ntthtb.exec:\ntthtb.exe62⤵
- Executes dropped EXE
PID:3508 -
\??\c:\dvddv.exec:\dvddv.exe63⤵
- Executes dropped EXE
PID:5136 -
\??\c:\lxrlxrl.exec:\lxrlxrl.exe64⤵
- Executes dropped EXE
PID:1760 -
\??\c:\bnnhtn.exec:\bnnhtn.exe65⤵
- Executes dropped EXE
PID:380 -
\??\c:\htthtn.exec:\htthtn.exe66⤵PID:5996
-
\??\c:\ddpdp.exec:\ddpdp.exe67⤵PID:3232
-
\??\c:\lrrlrlf.exec:\lrrlrlf.exe68⤵PID:4444
-
\??\c:\nbttnn.exec:\nbttnn.exe69⤵PID:4900
-
\??\c:\nhhtnb.exec:\nhhtnb.exe70⤵PID:4340
-
\??\c:\jddvp.exec:\jddvp.exe71⤵PID:3832
-
\??\c:\frrfrlx.exec:\frrfrlx.exe72⤵PID:1208
-
\??\c:\htthnh.exec:\htthnh.exe73⤵PID:928
-
\??\c:\vjjdp.exec:\vjjdp.exe74⤵PID:1348
-
\??\c:\djpdp.exec:\djpdp.exe75⤵PID:880
-
\??\c:\5xxrllf.exec:\5xxrllf.exe76⤵PID:5200
-
\??\c:\3hthtt.exec:\3hthtt.exe77⤵PID:3296
-
\??\c:\ntnhtt.exec:\ntnhtt.exe78⤵PID:116
-
\??\c:\djpjv.exec:\djpjv.exe79⤵PID:4676
-
\??\c:\1xxlfrf.exec:\1xxlfrf.exe80⤵PID:5736
-
\??\c:\frlfrlf.exec:\frlfrlf.exe81⤵PID:4164
-
\??\c:\9htnht.exec:\9htnht.exe82⤵PID:724
-
\??\c:\vjjjp.exec:\vjjjp.exe83⤵PID:5504
-
\??\c:\dppdp.exec:\dppdp.exe84⤵PID:4816
-
\??\c:\fxxlrlf.exec:\fxxlrlf.exe85⤵PID:4840
-
\??\c:\1tbthh.exec:\1tbthh.exe86⤵PID:3276
-
\??\c:\djpdv.exec:\djpdv.exe87⤵PID:4964
-
\??\c:\dvvdv.exec:\dvvdv.exe88⤵PID:4920
-
\??\c:\fxfrrff.exec:\fxfrrff.exe89⤵PID:5660
-
\??\c:\lrflxrx.exec:\lrflxrx.exe90⤵PID:5892
-
\??\c:\nnthbt.exec:\nnthbt.exe91⤵PID:640
-
\??\c:\vjpjd.exec:\vjpjd.exe92⤵
- System Location Discovery: System Language Discovery
PID:4668 -
\??\c:\jddpd.exec:\jddpd.exe93⤵PID:4936
-
\??\c:\lrfrfxl.exec:\lrfrfxl.exe94⤵PID:3372
-
\??\c:\hhhhbt.exec:\hhhhbt.exe95⤵PID:432
-
\??\c:\bhttnt.exec:\bhttnt.exe96⤵PID:6008
-
\??\c:\pvpjd.exec:\pvpjd.exe97⤵PID:5036
-
\??\c:\xxrrlfr.exec:\xxrrlfr.exe98⤵PID:4988
-
\??\c:\lxxlxrl.exec:\lxxlxrl.exe99⤵PID:2340
-
\??\c:\nbbnbt.exec:\nbbnbt.exe100⤵PID:5144
-
\??\c:\ntbthn.exec:\ntbthn.exe101⤵PID:4352
-
\??\c:\9vvjv.exec:\9vvjv.exe102⤵PID:4540
-
\??\c:\lxxxrlx.exec:\lxxxrlx.exe103⤵PID:3556
-
\??\c:\3rlxrrl.exec:\3rlxrrl.exe104⤵PID:4872
-
\??\c:\tbbnbt.exec:\tbbnbt.exe105⤵PID:3996
-
\??\c:\pvdpj.exec:\pvdpj.exe106⤵PID:3212
-
\??\c:\jdpjv.exec:\jdpjv.exe107⤵PID:3656
-
\??\c:\xxfxllf.exec:\xxfxllf.exe108⤵PID:3248
-
\??\c:\bthtbt.exec:\bthtbt.exe109⤵PID:644
-
\??\c:\jjjdp.exec:\jjjdp.exe110⤵PID:5656
-
\??\c:\rlfxrfx.exec:\rlfxrfx.exe111⤵PID:1364
-
\??\c:\lxxlxrl.exec:\lxxlxrl.exe112⤵PID:2856
-
\??\c:\3bbhtn.exec:\3bbhtn.exe113⤵PID:2072
-
\??\c:\pvvjv.exec:\pvvjv.exe114⤵PID:3080
-
\??\c:\jdjdv.exec:\jdjdv.exe115⤵PID:2636
-
\??\c:\fllxrlf.exec:\fllxrlf.exe116⤵PID:2040
-
\??\c:\httnbt.exec:\httnbt.exe117⤵PID:1500
-
\??\c:\7bthhh.exec:\7bthhh.exe118⤵PID:220
-
\??\c:\5ppjp.exec:\5ppjp.exe119⤵PID:3492
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe120⤵PID:3980
-
\??\c:\7xxrlfr.exec:\7xxrlfr.exe121⤵PID:1644
-
\??\c:\hnnbnh.exec:\hnnbnh.exe122⤵PID:5208