Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-12-2024 07:56
Static task
static1
Behavioral task
behavioral1
Sample
cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe
Resource
win7-20241010-en
General
-
Target
cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe
-
Size
337KB
-
MD5
04ba193d6fd0f8ffd778b9bacb7cd8f6
-
SHA1
90e9d9540e6f8296404142a2a5698e373920d3da
-
SHA256
cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894
-
SHA512
89c8c5f0a36087ce87975f7333e137a0277c02073e4237f651c03e1c4dfa0a3e137c27a09637f32eb1b5ed69cef4aa43cd5b489a47fac73530edda41d7461bbb
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhd:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4768-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2000-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/508-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4944-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-1032-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-1596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 404 tbhhtn.exe 2244 pdvpv.exe 4740 9vdpd.exe 1296 7rrrfxl.exe 452 nhbnhh.exe 1136 1lrfrlf.exe 4056 7rrfxrl.exe 2396 1pddv.exe 4328 xllxrlx.exe 4240 nhnnbb.exe 2028 pjjvp.exe 2708 ttbbnb.exe 4516 jdvpd.exe 896 flfxfxr.exe 3896 9hnbnh.exe 4144 vvddd.exe 4780 ntnnnt.exe 3484 dvjvv.exe 4132 rflxlfx.exe 3692 bnbbhh.exe 2000 jvpjp.exe 4460 bbnnnh.exe 3852 dppdp.exe 2112 vppjv.exe 212 rffrffr.exe 4044 vddvj.exe 4564 btnhtn.exe 1372 1vpjj.exe 2676 rllxffr.exe 3696 hhhnhn.exe 3420 jvdvj.exe 2824 lxfxrlr.exe 1752 3lrlxxl.exe 2196 pjdpp.exe 1588 1vvdv.exe 508 xxfrfxl.exe 4220 htbthh.exe 4180 pvjdd.exe 1864 7lrlrrf.exe 1100 ttnnbh.exe 1732 jdjdp.exe 4732 fxfxfxr.exe 4416 rrxrrxr.exe 3468 pdvvp.exe 388 jpvvv.exe 3968 vdjdd.exe 4740 5pdvp.exe 2800 xxfxrlr.exe 1160 xfrrffx.exe 4908 nhhbtn.exe 1000 vppjv.exe 3612 rrllfff.exe 3340 5ttnhh.exe 4056 tthhbt.exe 2396 vpdvp.exe 524 rrrllll.exe 2260 nhhbtn.exe 4240 tbnhbb.exe 4036 pjdvv.exe 372 jvdvv.exe 2268 3lxxxxx.exe 4516 hbtnhh.exe 4944 3hthtt.exe 4336 lllfxxf.exe -
resource yara_rule behavioral2/memory/4768-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-129-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/212-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/508-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-306-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4144-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-682-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4768 wrote to memory of 404 4768 cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe 83 PID 4768 wrote to memory of 404 4768 cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe 83 PID 4768 wrote to memory of 404 4768 cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe 83 PID 404 wrote to memory of 2244 404 tbhhtn.exe 84 PID 404 wrote to memory of 2244 404 tbhhtn.exe 84 PID 404 wrote to memory of 2244 404 tbhhtn.exe 84 PID 2244 wrote to memory of 4740 2244 pdvpv.exe 85 PID 2244 wrote to memory of 4740 2244 pdvpv.exe 85 PID 2244 wrote to memory of 4740 2244 pdvpv.exe 85 PID 4740 wrote to memory of 1296 4740 9vdpd.exe 86 PID 4740 wrote to memory of 1296 4740 9vdpd.exe 86 PID 4740 wrote to memory of 1296 4740 9vdpd.exe 86 PID 1296 wrote to memory of 452 1296 7rrrfxl.exe 87 PID 1296 wrote to memory of 452 1296 7rrrfxl.exe 87 PID 1296 wrote to memory of 452 1296 7rrrfxl.exe 87 PID 452 wrote to memory of 1136 452 nhbnhh.exe 88 PID 452 wrote to memory of 1136 452 nhbnhh.exe 88 PID 452 wrote to memory of 1136 452 nhbnhh.exe 88 PID 1136 wrote to memory of 4056 1136 1lrfrlf.exe 89 PID 1136 wrote to memory of 4056 1136 1lrfrlf.exe 89 PID 1136 wrote to memory of 4056 1136 1lrfrlf.exe 89 PID 4056 wrote to memory of 2396 4056 7rrfxrl.exe 90 PID 4056 wrote to memory of 2396 4056 7rrfxrl.exe 90 PID 4056 wrote to memory of 2396 4056 7rrfxrl.exe 90 PID 2396 wrote to memory of 4328 2396 1pddv.exe 91 PID 2396 wrote to memory of 4328 2396 1pddv.exe 91 PID 2396 wrote to memory of 4328 2396 1pddv.exe 91 PID 4328 wrote to memory of 4240 4328 xllxrlx.exe 92 PID 4328 wrote to memory of 4240 4328 xllxrlx.exe 92 PID 4328 wrote to memory of 4240 4328 xllxrlx.exe 92 PID 4240 wrote to memory of 2028 4240 nhnnbb.exe 93 PID 4240 wrote to memory of 2028 4240 nhnnbb.exe 93 PID 4240 wrote to memory of 2028 4240 nhnnbb.exe 93 PID 2028 wrote to memory of 2708 2028 pjjvp.exe 94 PID 2028 wrote to memory of 2708 
2028 pjjvp.exe 94 PID 2028 wrote to memory of 2708 2028 pjjvp.exe 94 PID 2708 wrote to memory of 4516 2708 ttbbnb.exe 95 PID 2708 wrote to memory of 4516 2708 ttbbnb.exe 95 PID 2708 wrote to memory of 4516 2708 ttbbnb.exe 95 PID 4516 wrote to memory of 896 4516 jdvpd.exe 96 PID 4516 wrote to memory of 896 4516 jdvpd.exe 96 PID 4516 wrote to memory of 896 4516 jdvpd.exe 96 PID 896 wrote to memory of 3896 896 flfxfxr.exe 97 PID 896 wrote to memory of 3896 896 flfxfxr.exe 97 PID 896 wrote to memory of 3896 896 flfxfxr.exe 97 PID 3896 wrote to memory of 4144 3896 9hnbnh.exe 98 PID 3896 wrote to memory of 4144 3896 9hnbnh.exe 98 PID 3896 wrote to memory of 4144 3896 9hnbnh.exe 98 PID 4144 wrote to memory of 4780 4144 vvddd.exe 99 PID 4144 wrote to memory of 4780 4144 vvddd.exe 99 PID 4144 wrote to memory of 4780 4144 vvddd.exe 99 PID 4780 wrote to memory of 3484 4780 ntnnnt.exe 100 PID 4780 wrote to memory of 3484 4780 ntnnnt.exe 100 PID 4780 wrote to memory of 3484 4780 ntnnnt.exe 100 PID 3484 wrote to memory of 4132 3484 dvjvv.exe 101 PID 3484 wrote to memory of 4132 3484 dvjvv.exe 101 PID 3484 wrote to memory of 4132 3484 dvjvv.exe 101 PID 4132 wrote to memory of 3692 4132 rflxlfx.exe 102 PID 4132 wrote to memory of 3692 4132 rflxlfx.exe 102 PID 4132 wrote to memory of 3692 4132 rflxlfx.exe 102 PID 3692 wrote to memory of 2000 3692 bnbbhh.exe 103 PID 3692 wrote to memory of 2000 3692 bnbbhh.exe 103 PID 3692 wrote to memory of 2000 3692 bnbbhh.exe 103 PID 2000 wrote to memory of 4460 2000 jvpjp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe"C:\Users\Admin\AppData\Local\Temp\cef90047963c9cf67e4ee9120c8196c04c6386304ec4f512d0a9ffe8d58a5894.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\tbhhtn.exec:\tbhhtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\pdvpv.exec:\pdvpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\9vdpd.exec:\9vdpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\7rrrfxl.exec:\7rrrfxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\nhbnhh.exec:\nhbnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\1lrfrlf.exec:\1lrfrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\7rrfxrl.exec:\7rrfxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\1pddv.exec:\1pddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\xllxrlx.exec:\xllxrlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\nhnnbb.exec:\nhnnbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\pjjvp.exec:\pjjvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\ttbbnb.exec:\ttbbnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\jdvpd.exec:\jdvpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\flfxfxr.exec:\flfxfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
\??\c:\9hnbnh.exec:\9hnbnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\vvddd.exec:\vvddd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\ntnnnt.exec:\ntnnnt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\dvjvv.exec:\dvjvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\rflxlfx.exec:\rflxlfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\bnbbhh.exec:\bnbbhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\jvpjp.exec:\jvpjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\bbnnnh.exec:\bbnnnh.exe23⤵
- Executes dropped EXE
PID:4460 -
\??\c:\dppdp.exec:\dppdp.exe24⤵
- Executes dropped EXE
PID:3852 -
\??\c:\vppjv.exec:\vppjv.exe25⤵
- Executes dropped EXE
PID:2112 -
\??\c:\rffrffr.exec:\rffrffr.exe26⤵
- Executes dropped EXE
PID:212 -
\??\c:\vddvj.exec:\vddvj.exe27⤵
- Executes dropped EXE
PID:4044 -
\??\c:\btnhtn.exec:\btnhtn.exe28⤵
- Executes dropped EXE
PID:4564 -
\??\c:\1vpjj.exec:\1vpjj.exe29⤵
- Executes dropped EXE
PID:1372 -
\??\c:\rllxffr.exec:\rllxffr.exe30⤵
- Executes dropped EXE
PID:2676 -
\??\c:\hhhnhn.exec:\hhhnhn.exe31⤵
- Executes dropped EXE
PID:3696 -
\??\c:\jvdvj.exec:\jvdvj.exe32⤵
- Executes dropped EXE
PID:3420 -
\??\c:\lxfxrlr.exec:\lxfxrlr.exe33⤵
- Executes dropped EXE
PID:2824 -
\??\c:\3lrlxxl.exec:\3lrlxxl.exe34⤵
- Executes dropped EXE
PID:1752 -
\??\c:\pjdpp.exec:\pjdpp.exe35⤵
- Executes dropped EXE
PID:2196 -
\??\c:\1vvdv.exec:\1vvdv.exe36⤵
- Executes dropped EXE
PID:1588 -
\??\c:\xxfrfxl.exec:\xxfrfxl.exe37⤵
- Executes dropped EXE
PID:508 -
\??\c:\htbthh.exec:\htbthh.exe38⤵
- Executes dropped EXE
PID:4220 -
\??\c:\pvjdd.exec:\pvjdd.exe39⤵
- Executes dropped EXE
PID:4180 -
\??\c:\7lrlrrf.exec:\7lrlrrf.exe40⤵
- Executes dropped EXE
PID:1864 -
\??\c:\ttnnbh.exec:\ttnnbh.exe41⤵
- Executes dropped EXE
PID:1100 -
\??\c:\jdjdp.exec:\jdjdp.exe42⤵
- Executes dropped EXE
PID:1732 -
\??\c:\fxfxfxr.exec:\fxfxfxr.exe43⤵
- Executes dropped EXE
PID:4732 -
\??\c:\rrxrrxr.exec:\rrxrrxr.exe44⤵
- Executes dropped EXE
PID:4416 -
\??\c:\pdvvp.exec:\pdvvp.exe45⤵
- Executes dropped EXE
PID:3468 -
\??\c:\jpvvv.exec:\jpvvv.exe46⤵
- Executes dropped EXE
PID:388 -
\??\c:\vdjdd.exec:\vdjdd.exe47⤵
- Executes dropped EXE
PID:3968 -
\??\c:\5pdvp.exec:\5pdvp.exe48⤵
- Executes dropped EXE
PID:4740 -
\??\c:\xxfxrlr.exec:\xxfxrlr.exe49⤵
- Executes dropped EXE
PID:2800 -
\??\c:\xfrrffx.exec:\xfrrffx.exe50⤵
- Executes dropped EXE
PID:1160 -
\??\c:\nhhbtn.exec:\nhhbtn.exe51⤵
- Executes dropped EXE
PID:4908 -
\??\c:\vppjv.exec:\vppjv.exe52⤵
- Executes dropped EXE
PID:1000 -
\??\c:\rrllfff.exec:\rrllfff.exe53⤵
- Executes dropped EXE
PID:3612 -
\??\c:\5ttnhh.exec:\5ttnhh.exe54⤵
- Executes dropped EXE
PID:3340 -
\??\c:\tthhbt.exec:\tthhbt.exe55⤵
- Executes dropped EXE
PID:4056 -
\??\c:\vpdvp.exec:\vpdvp.exe56⤵
- Executes dropped EXE
PID:2396 -
\??\c:\rrrllll.exec:\rrrllll.exe57⤵
- Executes dropped EXE
PID:524 -
\??\c:\nhhbtn.exec:\nhhbtn.exe58⤵
- Executes dropped EXE
PID:2260 -
\??\c:\tbnhbb.exec:\tbnhbb.exe59⤵
- Executes dropped EXE
PID:4240 -
\??\c:\pjdvv.exec:\pjdvv.exe60⤵
- Executes dropped EXE
PID:4036 -
\??\c:\jvdvv.exec:\jvdvv.exe61⤵
- Executes dropped EXE
PID:372 -
\??\c:\3lxxxxx.exec:\3lxxxxx.exe62⤵
- Executes dropped EXE
PID:2268 -
\??\c:\hbtnhh.exec:\hbtnhh.exe63⤵
- Executes dropped EXE
PID:4516 -
\??\c:\3hthtt.exec:\3hthtt.exe64⤵
- Executes dropped EXE
PID:4944 -
\??\c:\lllfxxf.exec:\lllfxxf.exe65⤵
- Executes dropped EXE
PID:4336 -
\??\c:\fffxxxr.exec:\fffxxxr.exe66⤵PID:3716
-
\??\c:\hbtntb.exec:\hbtntb.exe67⤵PID:4624
-
\??\c:\vpdvp.exec:\vpdvp.exe68⤵PID:4144
-
\??\c:\vppjd.exec:\vppjd.exe69⤵PID:1656
-
\??\c:\lxlrrff.exec:\lxlrrff.exe70⤵PID:3484
-
\??\c:\bttthh.exec:\bttthh.exe71⤵PID:3868
-
\??\c:\bttnhh.exec:\bttnhh.exe72⤵PID:1696
-
\??\c:\vjpjd.exec:\vjpjd.exe73⤵PID:4852
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe74⤵PID:2000
-
\??\c:\ttthbn.exec:\ttthbn.exe75⤵PID:3536
-
\??\c:\tnbbtt.exec:\tnbbtt.exe76⤵PID:1828
-
\??\c:\9vvvd.exec:\9vvvd.exe77⤵PID:4900
-
\??\c:\frrlrrl.exec:\frrlrrl.exe78⤵PID:2500
-
\??\c:\lrllffx.exec:\lrllffx.exe79⤵PID:2112
-
\??\c:\vdppj.exec:\vdppj.exe80⤵PID:5116
-
\??\c:\pjjdv.exec:\pjjdv.exe81⤵PID:956
-
\??\c:\xrfrlrr.exec:\xrfrlrr.exe82⤵PID:3576
-
\??\c:\bbhnnb.exec:\bbhnnb.exe83⤵PID:3300
-
\??\c:\1thbtt.exec:\1thbtt.exe84⤵PID:2212
-
\??\c:\vvjjj.exec:\vvjjj.exe85⤵PID:4736
-
\??\c:\xflfxxr.exec:\xflfxxr.exe86⤵PID:4616
-
\??\c:\htthbt.exec:\htthbt.exe87⤵PID:4620
-
\??\c:\btnbnn.exec:\btnbnn.exe88⤵PID:544
-
\??\c:\vjjdp.exec:\vjjdp.exe89⤵PID:2824
-
\??\c:\rxfxxxx.exec:\rxfxxxx.exe90⤵PID:3584
-
\??\c:\5ththb.exec:\5ththb.exe91⤵PID:4752
-
\??\c:\pdpjv.exec:\pdpjv.exe92⤵PID:828
-
\??\c:\jjjdv.exec:\jjjdv.exe93⤵PID:888
-
\??\c:\rfxlfxr.exec:\rfxlfxr.exe94⤵PID:3796
-
\??\c:\tnnhhh.exec:\tnnhhh.exe95⤵PID:2728
-
\??\c:\tnntbt.exec:\tnntbt.exe96⤵PID:5048
-
\??\c:\jddpd.exec:\jddpd.exe97⤵PID:1620
-
\??\c:\rrxlrrl.exec:\rrxlrrl.exe98⤵PID:4112
-
\??\c:\fxlfxxx.exec:\fxlfxxx.exe99⤵PID:4292
-
\??\c:\tbhtnh.exec:\tbhtnh.exe100⤵PID:1940
-
\??\c:\9vjdv.exec:\9vjdv.exe101⤵PID:3564
-
\??\c:\dppjv.exec:\dppjv.exe102⤵PID:448
-
\??\c:\lxrffxl.exec:\lxrffxl.exe103⤵PID:2560
-
\??\c:\ntbnnh.exec:\ntbnnh.exe104⤵PID:1756
-
\??\c:\pddpd.exec:\pddpd.exe105⤵PID:1264
-
\??\c:\ddjdd.exec:\ddjdd.exe106⤵PID:1200
-
\??\c:\xlxrllf.exec:\xlxrllf.exe107⤵PID:1416
-
\??\c:\bnnhtt.exec:\bnnhtt.exe108⤵PID:3976
-
\??\c:\pvvvj.exec:\pvvvj.exe109⤵PID:1000
-
\??\c:\7jjdj.exec:\7jjdj.exe110⤵PID:2104
-
\??\c:\rllxrll.exec:\rllxrll.exe111⤵PID:2424
-
\??\c:\nhbbbb.exec:\nhbbbb.exe112⤵PID:4056
-
\??\c:\jdvdv.exec:\jdvdv.exe113⤵PID:4872
-
\??\c:\lffxlll.exec:\lffxlll.exe114⤵PID:3436
-
\??\c:\lflffxx.exec:\lflffxx.exe115⤵PID:4360
-
\??\c:\9btnbt.exec:\9btnbt.exe116⤵PID:3508
-
\??\c:\5jjdp.exec:\5jjdp.exe117⤵PID:1040
-
\??\c:\frlflfx.exec:\frlflfx.exe118⤵PID:5084
-
\??\c:\fxrfrlf.exec:\fxrfrlf.exe119⤵PID:3956
-
\??\c:\tntbhb.exec:\tntbhb.exe120⤵PID:1272
-
\??\c:\nttntt.exec:\nttntt.exe121⤵PID:4848
-
\??\c:\9vjjv.exec:\9vjjv.exe122⤵PID:2976