Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe
-
Size
454KB
-
MD5
81e3959b60b73d25ac79e22ed38b4b5f
-
SHA1
0735eddf4305b979e8fcd934005d62c22ac41ab6
-
SHA256
e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad
-
SHA512
db79ae6c4af41ae884f90c079702b3680b0ba600752471531255e95f6ee780e680a82d3c1d7f25202f097ef23578297533c139392869f66ec4a98da390ad6e29
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2276-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/384-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4060-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-1000-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-1094-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-1146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-1352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2224 rrfffff.exe 3136 5pjdv.exe 4284 dppdv.exe 544 5hhbnn.exe 4728 lrfxrrl.exe 3868 frfffxl.exe 464 pjvpv.exe 4460 9xxrlxx.exe 1860 lffxxrr.exe 4844 ntthbb.exe 4376 vvvpj.exe 1212 lxfrlfx.exe 2172 nbhhbt.exe 4024 7dvjd.exe 1712 xffxrll.exe 2868 htbtnn.exe 3928 rxxlfxx.exe 1380 tnnbtt.exe 2176 jjppv.exe 1584 lrflfff.exe 880 rrffrlx.exe 2208 dvvpj.exe 384 lxrxrfx.exe 2596 bnnnhn.exe 4280 rxxrlfx.exe 4120 9rxrllf.exe 3400 jjjjj.exe 3444 5flfxrx.exe 3992 nbhbtn.exe 1572 9djdv.exe 2356 3nnhbb.exe 664 pddvd.exe 4080 1frlffx.exe 4872 3jjdv.exe 1948 nhhhtb.exe 4632 tbtttt.exe 2004 dppjd.exe 4316 fxfxrrr.exe 4680 bbhbhh.exe 3856 ppjdd.exe 4900 frrrlrl.exe 2712 bnthbb.exe 4656 pppvv.exe 4268 ddvvv.exe 1244 xxlxrrl.exe 3532 htbtnh.exe 1764 jvdvp.exe 1064 xlxrrll.exe 728 lxrrrrr.exe 4964 hntnnn.exe 1216 vpdvp.exe 4588 flrlffx.exe 3460 flxrrll.exe 4864 tthbtt.exe 2904 jvpjj.exe 3300 lflrrrl.exe 3688 bbnnnh.exe 908 jvdpj.exe 408 3jpjj.exe 424 xrfrxrx.exe 3508 bbbnhb.exe 3800 pjjdv.exe 4612 frxrllf.exe 1576 tbhbtt.exe -
resource yara_rule behavioral2/memory/2276-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2596-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-357-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3880-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-745-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-866-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-885-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-1000-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5htnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2276 wrote to memory of 2224 2276 e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe 82 PID 2276 wrote to memory of 2224 2276 e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe 82 PID 2276 wrote to memory of 2224 2276 e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe 82 PID 2224 wrote to memory of 3136 2224 rrfffff.exe 83 PID 2224 wrote to memory of 3136 2224 rrfffff.exe 83 PID 2224 wrote to memory of 3136 2224 rrfffff.exe 83 PID 3136 wrote to memory of 4284 3136 5pjdv.exe 84 PID 3136 wrote to memory of 4284 3136 5pjdv.exe 84 PID 3136 wrote to memory of 4284 3136 5pjdv.exe 84 PID 4284 wrote to memory of 544 4284 dppdv.exe 85 PID 4284 wrote to memory of 544 4284 dppdv.exe 85 PID 4284 wrote to memory of 544 4284 dppdv.exe 85 PID 544 wrote to memory of 4728 544 5hhbnn.exe 86 PID 544 wrote to memory of 4728 544 5hhbnn.exe 86 PID 544 wrote to memory of 4728 544 5hhbnn.exe 86 PID 4728 wrote to memory of 3868 4728 lrfxrrl.exe 87 PID 4728 wrote to memory of 3868 4728 lrfxrrl.exe 87 PID 4728 wrote to memory of 3868 4728 lrfxrrl.exe 87 PID 3868 wrote to memory of 464 3868 frfffxl.exe 88 PID 3868 wrote to memory of 464 3868 frfffxl.exe 88 PID 3868 wrote to memory of 464 3868 frfffxl.exe 88 PID 464 wrote to memory of 4460 464 pjvpv.exe 89 PID 464 wrote to memory of 4460 464 pjvpv.exe 89 PID 464 wrote to memory of 4460 464 pjvpv.exe 89 PID 4460 wrote to memory of 1860 4460 9xxrlxx.exe 90 PID 4460 wrote to memory of 1860 4460 9xxrlxx.exe 90 PID 4460 wrote to memory of 1860 4460 9xxrlxx.exe 90 PID 1860 wrote to memory of 4844 1860 lffxxrr.exe 91 PID 1860 wrote to memory of 4844 1860 lffxxrr.exe 91 PID 1860 wrote to memory of 4844 1860 lffxxrr.exe 91 PID 4844 wrote to memory of 4376 4844 ntthbb.exe 92 PID 4844 wrote to memory of 4376 4844 ntthbb.exe 92 PID 4844 wrote to memory of 4376 4844 ntthbb.exe 92 PID 4376 wrote to memory of 1212 4376 vvvpj.exe 93 PID 4376 wrote to memory of 1212 
4376 vvvpj.exe 93 PID 4376 wrote to memory of 1212 4376 vvvpj.exe 93 PID 1212 wrote to memory of 2172 1212 lxfrlfx.exe 94 PID 1212 wrote to memory of 2172 1212 lxfrlfx.exe 94 PID 1212 wrote to memory of 2172 1212 lxfrlfx.exe 94 PID 2172 wrote to memory of 4024 2172 nbhhbt.exe 95 PID 2172 wrote to memory of 4024 2172 nbhhbt.exe 95 PID 2172 wrote to memory of 4024 2172 nbhhbt.exe 95 PID 4024 wrote to memory of 1712 4024 7dvjd.exe 96 PID 4024 wrote to memory of 1712 4024 7dvjd.exe 96 PID 4024 wrote to memory of 1712 4024 7dvjd.exe 96 PID 1712 wrote to memory of 2868 1712 xffxrll.exe 97 PID 1712 wrote to memory of 2868 1712 xffxrll.exe 97 PID 1712 wrote to memory of 2868 1712 xffxrll.exe 97 PID 2868 wrote to memory of 3928 2868 htbtnn.exe 98 PID 2868 wrote to memory of 3928 2868 htbtnn.exe 98 PID 2868 wrote to memory of 3928 2868 htbtnn.exe 98 PID 3928 wrote to memory of 1380 3928 rxxlfxx.exe 99 PID 3928 wrote to memory of 1380 3928 rxxlfxx.exe 99 PID 3928 wrote to memory of 1380 3928 rxxlfxx.exe 99 PID 1380 wrote to memory of 2176 1380 tnnbtt.exe 100 PID 1380 wrote to memory of 2176 1380 tnnbtt.exe 100 PID 1380 wrote to memory of 2176 1380 tnnbtt.exe 100 PID 2176 wrote to memory of 1584 2176 jjppv.exe 101 PID 2176 wrote to memory of 1584 2176 jjppv.exe 101 PID 2176 wrote to memory of 1584 2176 jjppv.exe 101 PID 1584 wrote to memory of 880 1584 lrflfff.exe 102 PID 1584 wrote to memory of 880 1584 lrflfff.exe 102 PID 1584 wrote to memory of 880 1584 lrflfff.exe 102 PID 880 wrote to memory of 2208 880 rrffrlx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe"C:\Users\Admin\AppData\Local\Temp\e95090ef533d9ffe70c817da23c18ec8df17c1c554d3a9eaf05c1f15e24ac1ad.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\rrfffff.exec:\rrfffff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\5pjdv.exec:\5pjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\dppdv.exec:\dppdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\5hhbnn.exec:\5hhbnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\lrfxrrl.exec:\lrfxrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\frfffxl.exec:\frfffxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\pjvpv.exec:\pjvpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\9xxrlxx.exec:\9xxrlxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\lffxxrr.exec:\lffxxrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\ntthbb.exec:\ntthbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\vvvpj.exec:\vvvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\lxfrlfx.exec:\lxfrlfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\nbhhbt.exec:\nbhhbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\7dvjd.exec:\7dvjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\xffxrll.exec:\xffxrll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\htbtnn.exec:\htbtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\rxxlfxx.exec:\rxxlfxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\tnnbtt.exec:\tnnbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\jjppv.exec:\jjppv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\lrflfff.exec:\lrflfff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\rrffrlx.exec:\rrffrlx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\dvvpj.exec:\dvvpj.exe23⤵
- Executes dropped EXE
PID:2208 -
\??\c:\lxrxrfx.exec:\lxrxrfx.exe24⤵
- Executes dropped EXE
PID:384 -
\??\c:\bnnnhn.exec:\bnnnhn.exe25⤵
- Executes dropped EXE
PID:2596 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe26⤵
- Executes dropped EXE
PID:4280 -
\??\c:\9rxrllf.exec:\9rxrllf.exe27⤵
- Executes dropped EXE
PID:4120 -
\??\c:\jjjjj.exec:\jjjjj.exe28⤵
- Executes dropped EXE
PID:3400 -
\??\c:\5flfxrx.exec:\5flfxrx.exe29⤵
- Executes dropped EXE
PID:3444 -
\??\c:\nbhbtn.exec:\nbhbtn.exe30⤵
- Executes dropped EXE
PID:3992 -
\??\c:\9djdv.exec:\9djdv.exe31⤵
- Executes dropped EXE
PID:1572 -
\??\c:\3nnhbb.exec:\3nnhbb.exe32⤵
- Executes dropped EXE
PID:2356 -
\??\c:\pddvd.exec:\pddvd.exe33⤵
- Executes dropped EXE
PID:664 -
\??\c:\1frlffx.exec:\1frlffx.exe34⤵
- Executes dropped EXE
PID:4080 -
\??\c:\3jjdv.exec:\3jjdv.exe35⤵
- Executes dropped EXE
PID:4872 -
\??\c:\nhhhtb.exec:\nhhhtb.exe36⤵
- Executes dropped EXE
PID:1948 -
\??\c:\tbtttt.exec:\tbtttt.exe37⤵
- Executes dropped EXE
PID:4632 -
\??\c:\dppjd.exec:\dppjd.exe38⤵
- Executes dropped EXE
PID:2004 -
\??\c:\fxfxrrr.exec:\fxfxrrr.exe39⤵
- Executes dropped EXE
PID:4316 -
\??\c:\bbhbhh.exec:\bbhbhh.exe40⤵
- Executes dropped EXE
PID:4680 -
\??\c:\ppjdd.exec:\ppjdd.exe41⤵
- Executes dropped EXE
PID:3856 -
\??\c:\frrrlrl.exec:\frrrlrl.exe42⤵
- Executes dropped EXE
PID:4900 -
\??\c:\bnthbb.exec:\bnthbb.exe43⤵
- Executes dropped EXE
PID:2712 -
\??\c:\pppvv.exec:\pppvv.exe44⤵
- Executes dropped EXE
PID:4656 -
\??\c:\ddvvv.exec:\ddvvv.exe45⤵
- Executes dropped EXE
PID:4268 -
\??\c:\xxlxrrl.exec:\xxlxrrl.exe46⤵
- Executes dropped EXE
PID:1244 -
\??\c:\htbtnh.exec:\htbtnh.exe47⤵
- Executes dropped EXE
PID:3532 -
\??\c:\jvdvp.exec:\jvdvp.exe48⤵
- Executes dropped EXE
PID:1764 -
\??\c:\xlxrrll.exec:\xlxrrll.exe49⤵
- Executes dropped EXE
PID:1064 -
\??\c:\lxrrrrr.exec:\lxrrrrr.exe50⤵
- Executes dropped EXE
PID:728 -
\??\c:\hntnnn.exec:\hntnnn.exe51⤵
- Executes dropped EXE
PID:4964 -
\??\c:\vpdvp.exec:\vpdvp.exe52⤵
- Executes dropped EXE
PID:1216 -
\??\c:\flrlffx.exec:\flrlffx.exe53⤵
- Executes dropped EXE
PID:4588 -
\??\c:\flxrrll.exec:\flxrrll.exe54⤵
- Executes dropped EXE
PID:3460 -
\??\c:\tthbtt.exec:\tthbtt.exe55⤵
- Executes dropped EXE
PID:4864 -
\??\c:\jvpjj.exec:\jvpjj.exe56⤵
- Executes dropped EXE
PID:2904 -
\??\c:\lflrrrl.exec:\lflrrrl.exe57⤵
- Executes dropped EXE
PID:3300 -
\??\c:\bbnnnh.exec:\bbnnnh.exe58⤵
- Executes dropped EXE
PID:3688 -
\??\c:\jvdpj.exec:\jvdpj.exe59⤵
- Executes dropped EXE
PID:908 -
\??\c:\3jpjj.exec:\3jpjj.exe60⤵
- Executes dropped EXE
PID:408 -
\??\c:\xrfrxrx.exec:\xrfrxrx.exe61⤵
- Executes dropped EXE
PID:424 -
\??\c:\bbbnhb.exec:\bbbnhb.exe62⤵
- Executes dropped EXE
PID:3508 -
\??\c:\pjjdv.exec:\pjjdv.exe63⤵
- Executes dropped EXE
PID:3800 -
\??\c:\frxrllf.exec:\frxrllf.exe64⤵
- Executes dropped EXE
PID:4612 -
\??\c:\tbhbtt.exec:\tbhbtt.exe65⤵
- Executes dropped EXE
PID:1576 -
\??\c:\pvpjd.exec:\pvpjd.exe66⤵PID:3036
-
\??\c:\fxlfffx.exec:\fxlfffx.exe67⤵PID:4460
-
\??\c:\ntbthn.exec:\ntbthn.exe68⤵PID:1608
-
\??\c:\djpjd.exec:\djpjd.exe69⤵PID:2804
-
\??\c:\xrfxffx.exec:\xrfxffx.exe70⤵PID:4192
-
\??\c:\nhhbtn.exec:\nhhbtn.exe71⤵PID:4060
-
\??\c:\5vvpp.exec:\5vvpp.exe72⤵PID:3676
-
\??\c:\9rxrrlf.exec:\9rxrrlf.exe73⤵PID:220
-
\??\c:\thhtnh.exec:\thhtnh.exe74⤵PID:4860
-
\??\c:\5vjdj.exec:\5vjdj.exe75⤵PID:3668
-
\??\c:\rflfxrl.exec:\rflfxrl.exe76⤵PID:4056
-
\??\c:\fxxrrrr.exec:\fxxrrrr.exe77⤵PID:3948
-
\??\c:\bhnhbt.exec:\bhnhbt.exe78⤵PID:2868
-
\??\c:\pjjdv.exec:\pjjdv.exe79⤵PID:1028
-
\??\c:\vvdvv.exec:\vvdvv.exe80⤵PID:4568
-
\??\c:\ttbbhh.exec:\ttbbhh.exe81⤵PID:4944
-
\??\c:\dpvpj.exec:\dpvpj.exe82⤵PID:2176
-
\??\c:\vddjj.exec:\vddjj.exe83⤵PID:3924
-
\??\c:\lfffxxr.exec:\lfffxxr.exe84⤵PID:1480
-
\??\c:\rrrxrrr.exec:\rrrxrrr.exe85⤵PID:3672
-
\??\c:\htbnhb.exec:\htbnhb.exe86⤵PID:3880
-
\??\c:\pjdvd.exec:\pjdvd.exe87⤵PID:2664
-
\??\c:\rlxrxxl.exec:\rlxrxxl.exe88⤵PID:852
-
\??\c:\httttt.exec:\httttt.exe89⤵PID:1440
-
\??\c:\1hnbbb.exec:\1hnbbb.exe90⤵PID:3080
-
\??\c:\ppvpp.exec:\ppvpp.exe91⤵PID:620
-
\??\c:\1lxrfff.exec:\1lxrfff.exe92⤵PID:4180
-
\??\c:\tbnhbt.exec:\tbnhbt.exe93⤵PID:3232
-
\??\c:\1pddd.exec:\1pddd.exe94⤵PID:3360
-
\??\c:\jjpjd.exec:\jjpjd.exe95⤵PID:3992
-
\??\c:\xrrlfff.exec:\xrrlfff.exe96⤵PID:3056
-
\??\c:\xfllffx.exec:\xfllffx.exe97⤵PID:4492
-
\??\c:\dpdjd.exec:\dpdjd.exe98⤵PID:4976
-
\??\c:\lrxxllf.exec:\lrxxllf.exe99⤵PID:184
-
\??\c:\xlxrlrl.exec:\xlxrlrl.exe100⤵PID:1284
-
\??\c:\hhhbtt.exec:\hhhbtt.exe101⤵PID:1704
-
\??\c:\jpvpd.exec:\jpvpd.exe102⤵PID:60
-
\??\c:\frxrllf.exec:\frxrllf.exe103⤵PID:428
-
\??\c:\7lrlffx.exec:\7lrlffx.exe104⤵PID:736
-
\??\c:\ttthbh.exec:\ttthbh.exe105⤵PID:4948
-
\??\c:\jpdvp.exec:\jpdvp.exe106⤵PID:3120
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe107⤵PID:4052
-
\??\c:\btnnhh.exec:\btnnhh.exe108⤵PID:1960
-
\??\c:\dppjd.exec:\dppjd.exe109⤵PID:1404
-
\??\c:\rrxxrll.exec:\rrxxrll.exe110⤵PID:3544
-
\??\c:\tnbnhb.exec:\tnbnhb.exe111⤵PID:4620
-
\??\c:\7jppj.exec:\7jppj.exe112⤵PID:4268
-
\??\c:\xflxrll.exec:\xflxrll.exe113⤵PID:1244
-
\??\c:\rfrfxrr.exec:\rfrfxrr.exe114⤵PID:3548
-
\??\c:\9bttnn.exec:\9bttnn.exe115⤵PID:3628
-
\??\c:\pppjd.exec:\pppjd.exe116⤵PID:3188
-
\??\c:\rffxrrl.exec:\rffxrrl.exe117⤵PID:1628
-
\??\c:\nhnhbt.exec:\nhnhbt.exe118⤵PID:4440
-
\??\c:\vjpjd.exec:\vjpjd.exe119⤵PID:3396
-
\??\c:\pjpdp.exec:\pjpdp.exe120⤵PID:4512
-
\??\c:\rllrllr.exec:\rllrllr.exe121⤵PID:2224
-
\??\c:\btbttb.exec:\btbttb.exe122⤵PID:2188