Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08/01/2025, 07:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe
Resource
win7-20240708-en
7 signatures
120 seconds
(Note: this task header lists the win7-20240708-en resource, but every memory-dump IoC and signature below is tagged behavioral2 and the report header names the win10v2004-20241007-en image; treat the findings below as belonging to the Windows 10 x64 run.)
General
-
Target
7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe
-
Size
454KB
-
MD5
5ea2014faa6a77cd2a1e0fe5355f5ac5
-
SHA1
9a333bfa94a204dacdcb4053d1db986340dce54e
-
SHA256
7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4
-
SHA512
6a846ef06135d9cf33d660755f338f9f622ffd61085dd7ca0e9c7551141964ea7d874d92cdca3ca6406c683f41b371ccfab8a1183372614c24479902b387b95c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/968-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2508-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3460-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-807-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-841-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-902-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-960-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list is capped at 64 entries; the process tree below shows the chain of dropped executables continuing to nesting level 122, so this count understates the real number)
pid Process 1148 ffrlxrl.exe 1684 dpdvd.exe 4056 7fxrlll.exe 3052 1nnhhh.exe 4920 nthbnh.exe 3680 pdjdv.exe 1432 llrfrrl.exe 860 rllfxrl.exe 5104 httbtt.exe 3444 vvjdp.exe 4640 rrxxrrl.exe 1124 hbbbbb.exe 3420 pvjdj.exe 776 xfxrlfx.exe 3180 lfrlfff.exe 2144 btthbt.exe 408 7ddvd.exe 468 dvvjd.exe 4832 flrlfxr.exe 4420 9btnhh.exe 4044 jvjdp.exe 3484 pjjdp.exe 3296 rrfxrrl.exe 5016 bbbhhh.exe 1364 hbhbtn.exe 3068 7vdjp.exe 4648 xrxrrll.exe 3556 3lrrxxx.exe 2932 btbbbb.exe 3668 jpddv.exe 2508 ffllfll.exe 5092 fxxxxxx.exe 1848 5bhbbt.exe 2584 7ppdv.exe 2804 jvjdv.exe 3076 rxxxrrr.exe 3544 hbhtnn.exe 2404 btnhtn.exe 1336 vpvpd.exe 228 rllrrrl.exe 1260 rlllfrf.exe 3044 9hhbtb.exe 2088 jpvpp.exe 116 rxrrllr.exe 5088 fffxrlf.exe 4256 bthbhb.exe 1244 jpjpv.exe 1952 vvjdj.exe 3340 lfrlrll.exe 4444 nhnhbb.exe 4724 bntnhh.exe 232 dvdvj.exe 2460 rlrlflf.exe 4844 9bttbh.exe 2620 bbtnhb.exe 3232 5vpjd.exe 4024 xflfxxx.exe 1804 rlllfrr.exe 4952 ttbtnt.exe 548 vjddp.exe 4192 9jvpd.exe 4812 rllfxrr.exe 4452 nhbhht.exe 5020 vjddd.exe -
resource yara_rule behavioral2/memory/968-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-155-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1364-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-421-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3580-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-902-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs (capped at 64 entries; rows attributed to "Process not Found" are registry opens whose owning process could no longer be resolved, presumably because it had already exited — verify against the raw trace)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvjp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (capped at 64 entries; the parent-to-child chain listed below stops at procid_target 103 while the process tree continues to level 122. PIDs are reused within this run — e.g. PID 3680 is both pdjdv.exe at level 7 and bhbbtt.exe at level 71, and PIDs 232, 1244, 1364, 2460, 2620, 2804, 3420 and 4952 likewise appear twice — so correlate on PID plus image name and sequence, never on PID alone)
description pid Process procid_target PID 968 wrote to memory of 1148 968 7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe 82 PID 968 wrote to memory of 1148 968 7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe 82 PID 968 wrote to memory of 1148 968 7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe 82 PID 1148 wrote to memory of 1684 1148 ffrlxrl.exe 83 PID 1148 wrote to memory of 1684 1148 ffrlxrl.exe 83 PID 1148 wrote to memory of 1684 1148 ffrlxrl.exe 83 PID 1684 wrote to memory of 4056 1684 dpdvd.exe 84 PID 1684 wrote to memory of 4056 1684 dpdvd.exe 84 PID 1684 wrote to memory of 4056 1684 dpdvd.exe 84 PID 4056 wrote to memory of 3052 4056 7fxrlll.exe 85 PID 4056 wrote to memory of 3052 4056 7fxrlll.exe 85 PID 4056 wrote to memory of 3052 4056 7fxrlll.exe 85 PID 3052 wrote to memory of 4920 3052 1nnhhh.exe 86 PID 3052 wrote to memory of 4920 3052 1nnhhh.exe 86 PID 3052 wrote to memory of 4920 3052 1nnhhh.exe 86 PID 4920 wrote to memory of 3680 4920 nthbnh.exe 151 PID 4920 wrote to memory of 3680 4920 nthbnh.exe 151 PID 4920 wrote to memory of 3680 4920 nthbnh.exe 151 PID 3680 wrote to memory of 1432 3680 pdjdv.exe 88 PID 3680 wrote to memory of 1432 3680 pdjdv.exe 88 PID 3680 wrote to memory of 1432 3680 pdjdv.exe 88 PID 1432 wrote to memory of 860 1432 llrfrrl.exe 89 PID 1432 wrote to memory of 860 1432 llrfrrl.exe 89 PID 1432 wrote to memory of 860 1432 llrfrrl.exe 89 PID 860 wrote to memory of 5104 860 rllfxrl.exe 90 PID 860 wrote to memory of 5104 860 rllfxrl.exe 90 PID 860 wrote to memory of 5104 860 rllfxrl.exe 90 PID 5104 wrote to memory of 3444 5104 httbtt.exe 91 PID 5104 wrote to memory of 3444 5104 httbtt.exe 91 PID 5104 wrote to memory of 3444 5104 httbtt.exe 91 PID 3444 wrote to memory of 4640 3444 vvjdp.exe 92 PID 3444 wrote to memory of 4640 3444 vvjdp.exe 92 PID 3444 wrote to memory of 4640 3444 vvjdp.exe 92 PID 4640 wrote to memory of 1124 4640 rrxxrrl.exe 93 PID 4640 wrote to memory of 
1124 4640 rrxxrrl.exe 93 PID 4640 wrote to memory of 1124 4640 rrxxrrl.exe 93 PID 1124 wrote to memory of 3420 1124 hbbbbb.exe 94 PID 1124 wrote to memory of 3420 1124 hbbbbb.exe 94 PID 1124 wrote to memory of 3420 1124 hbbbbb.exe 94 PID 3420 wrote to memory of 776 3420 pvjdj.exe 95 PID 3420 wrote to memory of 776 3420 pvjdj.exe 95 PID 3420 wrote to memory of 776 3420 pvjdj.exe 95 PID 776 wrote to memory of 3180 776 xfxrlfx.exe 96 PID 776 wrote to memory of 3180 776 xfxrlfx.exe 96 PID 776 wrote to memory of 3180 776 xfxrlfx.exe 96 PID 3180 wrote to memory of 2144 3180 lfrlfff.exe 97 PID 3180 wrote to memory of 2144 3180 lfrlfff.exe 97 PID 3180 wrote to memory of 2144 3180 lfrlfff.exe 97 PID 2144 wrote to memory of 408 2144 btthbt.exe 98 PID 2144 wrote to memory of 408 2144 btthbt.exe 98 PID 2144 wrote to memory of 408 2144 btthbt.exe 98 PID 408 wrote to memory of 468 408 7ddvd.exe 99 PID 408 wrote to memory of 468 408 7ddvd.exe 99 PID 408 wrote to memory of 468 408 7ddvd.exe 99 PID 468 wrote to memory of 4832 468 dvvjd.exe 100 PID 468 wrote to memory of 4832 468 dvvjd.exe 100 PID 468 wrote to memory of 4832 468 dvvjd.exe 100 PID 4832 wrote to memory of 4420 4832 flrlfxr.exe 101 PID 4832 wrote to memory of 4420 4832 flrlfxr.exe 101 PID 4832 wrote to memory of 4420 4832 flrlfxr.exe 101 PID 4420 wrote to memory of 4044 4420 9btnhh.exe 102 PID 4420 wrote to memory of 4044 4420 9btnhh.exe 102 PID 4420 wrote to memory of 4044 4420 9btnhh.exe 102 PID 4044 wrote to memory of 3484 4044 jvjdp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe"C:\Users\Admin\AppData\Local\Temp\7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\ffrlxrl.exec:\ffrlxrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\dpdvd.exec:\dpdvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\7fxrlll.exec:\7fxrlll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\1nnhhh.exec:\1nnhhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\nthbnh.exec:\nthbnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\pdjdv.exec:\pdjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\llrfrrl.exec:\llrfrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\rllfxrl.exec:\rllfxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\httbtt.exec:\httbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\vvjdp.exec:\vvjdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\rrxxrrl.exec:\rrxxrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\hbbbbb.exec:\hbbbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\pvjdj.exec:\pvjdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\xfxrlfx.exec:\xfxrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\lfrlfff.exec:\lfrlfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\btthbt.exec:\btthbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\7ddvd.exec:\7ddvd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\dvvjd.exec:\dvvjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\flrlfxr.exec:\flrlfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\9btnhh.exec:\9btnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\jvjdp.exec:\jvjdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\pjjdp.exec:\pjjdp.exe23⤵
- Executes dropped EXE
PID:3484 -
\??\c:\rrfxrrl.exec:\rrfxrrl.exe24⤵
- Executes dropped EXE
PID:3296 -
\??\c:\bbbhhh.exec:\bbbhhh.exe25⤵
- Executes dropped EXE
PID:5016 -
\??\c:\hbhbtn.exec:\hbhbtn.exe26⤵
- Executes dropped EXE
PID:1364 -
\??\c:\7vdjp.exec:\7vdjp.exe27⤵
- Executes dropped EXE
PID:3068 -
\??\c:\xrxrrll.exec:\xrxrrll.exe28⤵
- Executes dropped EXE
PID:4648 -
\??\c:\3lrrxxx.exec:\3lrrxxx.exe29⤵
- Executes dropped EXE
PID:3556 -
\??\c:\btbbbb.exec:\btbbbb.exe30⤵
- Executes dropped EXE
PID:2932 -
\??\c:\jpddv.exec:\jpddv.exe31⤵
- Executes dropped EXE
PID:3668 -
\??\c:\ffllfll.exec:\ffllfll.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2508 -
\??\c:\fxxxxxx.exec:\fxxxxxx.exe33⤵
- Executes dropped EXE
PID:5092 -
\??\c:\5bhbbt.exec:\5bhbbt.exe34⤵
- Executes dropped EXE
PID:1848 -
\??\c:\7ppdv.exec:\7ppdv.exe35⤵
- Executes dropped EXE
PID:2584 -
\??\c:\jvjdv.exec:\jvjdv.exe36⤵
- Executes dropped EXE
PID:2804 -
\??\c:\rxxxrrr.exec:\rxxxrrr.exe37⤵
- Executes dropped EXE
PID:3076 -
\??\c:\hbhtnn.exec:\hbhtnn.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3544 -
\??\c:\btnhtn.exec:\btnhtn.exe39⤵
- Executes dropped EXE
PID:2404 -
\??\c:\vpvpd.exec:\vpvpd.exe40⤵
- Executes dropped EXE
PID:1336 -
\??\c:\rllrrrl.exec:\rllrrrl.exe41⤵
- Executes dropped EXE
PID:228 -
\??\c:\rlllfrf.exec:\rlllfrf.exe42⤵
- Executes dropped EXE
PID:1260 -
\??\c:\9hhbtb.exec:\9hhbtb.exe43⤵
- Executes dropped EXE
PID:3044 -
\??\c:\jpvpp.exec:\jpvpp.exe44⤵
- Executes dropped EXE
PID:2088 -
\??\c:\rxrrllr.exec:\rxrrllr.exe45⤵
- Executes dropped EXE
PID:116 -
\??\c:\fffxrlf.exec:\fffxrlf.exe46⤵
- Executes dropped EXE
PID:5088 -
\??\c:\bthbhb.exec:\bthbhb.exe47⤵
- Executes dropped EXE
PID:4256 -
\??\c:\jpjpv.exec:\jpjpv.exe48⤵
- Executes dropped EXE
PID:1244 -
\??\c:\vvjdj.exec:\vvjdj.exe49⤵
- Executes dropped EXE
PID:1952 -
\??\c:\lfrlrll.exec:\lfrlrll.exe50⤵
- Executes dropped EXE
PID:3340 -
\??\c:\nhnhbb.exec:\nhnhbb.exe51⤵
- Executes dropped EXE
PID:4444 -
\??\c:\bntnhh.exec:\bntnhh.exe52⤵
- Executes dropped EXE
PID:4724 -
\??\c:\dvdvj.exec:\dvdvj.exe53⤵
- Executes dropped EXE
PID:232 -
\??\c:\rlrlflf.exec:\rlrlflf.exe54⤵
- Executes dropped EXE
PID:2460 -
\??\c:\9bttbh.exec:\9bttbh.exe55⤵
- Executes dropped EXE
PID:4844 -
\??\c:\bbtnhb.exec:\bbtnhb.exe56⤵
- Executes dropped EXE
PID:2620 -
\??\c:\5vpjd.exec:\5vpjd.exe57⤵
- Executes dropped EXE
PID:3232 -
\??\c:\xflfxxx.exec:\xflfxxx.exe58⤵
- Executes dropped EXE
PID:4024 -
\??\c:\rlllfrr.exec:\rlllfrr.exe59⤵
- Executes dropped EXE
PID:1804 -
\??\c:\ttbtnt.exec:\ttbtnt.exe60⤵
- Executes dropped EXE
PID:4952 -
\??\c:\vjddp.exec:\vjddp.exe61⤵
- Executes dropped EXE
PID:548 -
\??\c:\9jvpd.exec:\9jvpd.exe62⤵
- Executes dropped EXE
PID:4192 -
\??\c:\rllfxrr.exec:\rllfxrr.exe63⤵
- Executes dropped EXE
PID:4812 -
\??\c:\nhbhht.exec:\nhbhht.exe64⤵
- Executes dropped EXE
PID:4452 -
\??\c:\vjddd.exec:\vjddd.exe65⤵
- Executes dropped EXE
PID:5020 -
\??\c:\djjdv.exec:\djjdv.exe66⤵PID:4916
-
\??\c:\lfxrfxr.exec:\lfxrfxr.exe67⤵PID:748
-
\??\c:\bbnnht.exec:\bbnnht.exe68⤵PID:3892
-
\??\c:\vvvpd.exec:\vvvpd.exe69⤵PID:552
-
\??\c:\fxxrffx.exec:\fxxrffx.exe70⤵PID:2268
-
\??\c:\bhbbtt.exec:\bhbbtt.exe71⤵PID:3680
-
\??\c:\xrxxfrr.exec:\xrxxfrr.exe72⤵PID:1220
-
\??\c:\lffxxrl.exec:\lffxxrl.exe73⤵PID:1524
-
\??\c:\nbbnhh.exec:\nbbnhh.exe74⤵PID:4448
-
\??\c:\jvpjv.exec:\jvpjv.exe75⤵PID:1000
-
\??\c:\lffrlff.exec:\lffrlff.exe76⤵PID:3932
-
\??\c:\9hnntt.exec:\9hnntt.exe77⤵PID:3604
-
\??\c:\bnnhbt.exec:\bnnhbt.exe78⤵PID:3460
-
\??\c:\dpvpd.exec:\dpvpd.exe79⤵PID:2028
-
\??\c:\rfrlfff.exec:\rfrlfff.exe80⤵PID:3420
-
\??\c:\9htttn.exec:\9htttn.exe81⤵PID:752
-
\??\c:\jdvpj.exec:\jdvpj.exe82⤵PID:5052
-
\??\c:\xlrrllf.exec:\xlrrllf.exe83⤵PID:2388
-
\??\c:\9btnhn.exec:\9btnhn.exe84⤵PID:4796
-
\??\c:\jddpj.exec:\jddpj.exe85⤵PID:2136
-
\??\c:\frllxxl.exec:\frllxxl.exe86⤵PID:4872
-
\??\c:\hbhbbb.exec:\hbhbbb.exe87⤵PID:3024
-
\??\c:\vdvdd.exec:\vdvdd.exe88⤵PID:2600
-
\??\c:\pjjdd.exec:\pjjdd.exe89⤵PID:4932
-
\??\c:\bhbbbt.exec:\bhbbbt.exe90⤵PID:1364
-
\??\c:\ppjdv.exec:\ppjdv.exe91⤵
- System Location Discovery: System Language Discovery
PID:4076 -
\??\c:\rxxrffx.exec:\rxxrffx.exe92⤵PID:5076
-
\??\c:\hbbtnn.exec:\hbbtnn.exe93⤵PID:4052
-
\??\c:\nbnntn.exec:\nbnntn.exe94⤵PID:4400
-
\??\c:\flrlxxr.exec:\flrlxxr.exe95⤵PID:3844
-
\??\c:\nhtttn.exec:\nhtttn.exe96⤵PID:4472
-
\??\c:\jvdvp.exec:\jvdvp.exe97⤵PID:808
-
\??\c:\xrfxxfx.exec:\xrfxxfx.exe98⤵PID:2912
-
\??\c:\5bbttn.exec:\5bbttn.exe99⤵PID:2804
-
\??\c:\xxrrlrl.exec:\xxrrlrl.exe100⤵PID:3292
-
\??\c:\tnnnhh.exec:\tnnnhh.exe101⤵PID:5112
-
\??\c:\djjdp.exec:\djjdp.exe102⤵PID:1908
-
\??\c:\frfxrrl.exec:\frfxrrl.exe103⤵PID:2052
-
\??\c:\dpjjj.exec:\dpjjj.exe104⤵PID:3580
-
\??\c:\hhbtbb.exec:\hhbtbb.exe105⤵PID:4108
-
\??\c:\vdjdp.exec:\vdjdp.exe106⤵PID:4808
-
\??\c:\rllfxrl.exec:\rllfxrl.exe107⤵PID:4620
-
\??\c:\rxxxrrr.exec:\rxxxrrr.exe108⤵PID:3948
-
\??\c:\vdvpd.exec:\vdvpd.exe109⤵PID:1244
-
\??\c:\nhbttn.exec:\nhbttn.exe110⤵PID:3048
-
\??\c:\lrffllx.exec:\lrffllx.exe111⤵PID:1672
-
\??\c:\5jjpj.exec:\5jjpj.exe112⤵PID:1284
-
\??\c:\7lrrrxx.exec:\7lrrrxx.exe113⤵PID:224
-
\??\c:\ntnhhb.exec:\ntnhhb.exe114⤵PID:232
-
\??\c:\vpdpj.exec:\vpdpj.exe115⤵PID:2460
-
\??\c:\3ttnbn.exec:\3ttnbn.exe116⤵PID:4908
-
\??\c:\rrfxffl.exec:\rrfxffl.exe117⤵PID:2620
-
\??\c:\7tbtbt.exec:\7tbtbt.exe118⤵PID:644
-
\??\c:\1pvpv.exec:\1pvpv.exe119⤵PID:4352
-
\??\c:\jjddp.exec:\jjddp.exe120⤵PID:2344
-
\??\c:\1lrlflf.exec:\1lrlflf.exe121⤵PID:4952
-
\??\c:\tnnnhh.exec:\tnnnhh.exe122⤵PID:452