Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
28/03/2025, 19:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe
-
Size
459KB
-
MD5
d64b05071ab0080438a78c78456565fd
-
SHA1
c017f81d2cb3e9ecb2db8faece9a1fcd7bd7cc9e
-
SHA256
483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc
-
SHA512
6191500fe8f025850fa0bddd969e29b04c6aee3ef9431dafb71abd32c8ad6a7537c1dbd28445397142c2e8633312a986214b674fb1b78132b9260da19a715cdb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeG:q7Tc2NYHUrAwfMp3CDG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1632-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6116-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5784-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5628-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5880-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3316-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5728-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5944-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5748-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5584-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5788-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5216-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4520-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5184-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5592-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-822-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-838-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6072-875-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-931-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6120-1200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-1661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2912 3lfxllx.exe 6116 dddpd.exe 4880 1ppdd.exe 5784 fxxfrlx.exe 5104 hhnhbt.exe 3812 pjjvj.exe 112 bbhbtn.exe 5628 pjjvj.exe 3420 dvvpd.exe 4516 hhnhbt.exe 5880 ppdvp.exe 4616 vppdv.exe 4800 htthbh.exe 4688 vddvd.exe 3108 frlxxrl.exe 2168 tbnbtt.exe 4676 xlfrllf.exe 4740 3tbbbb.exe 4028 pdvpd.exe 3948 xfllfxr.exe 1716 9hbthb.exe 4908 dvvdp.exe 840 1hhthb.exe 3316 bnbthh.exe 4692 rlffrxl.exe 5952 frxrflx.exe 1940 fxxxrrf.exe 1664 dppjv.exe 5728 dvddd.exe 716 rlflxrl.exe 3060 thhbtn.exe 4072 nbthnh.exe 540 hhntbt.exe 1168 xffrlfx.exe 2696 tnhbnb.exe 368 5dvjd.exe 4008 rrlfxrl.exe 5944 hbtnnh.exe 4868 7bnhbt.exe 5696 ffxlxrf.exe 4228 5rrlfff.exe 5092 bhnbnh.exe 3824 pdjdp.exe 2260 dvdvj.exe 5176 7rxxrrl.exe 6108 pjdvj.exe 5748 xlfxxxf.exe 1736 tbhthb.exe 4160 7pvpd.exe 4016 7pdvp.exe 4476 xlrfrfx.exe 3400 nnnhbt.exe 3840 djjvj.exe 2856 rrxrlfr.exe 5584 nbhttn.exe 1608 djpdv.exe 5788 xlrlxlf.exe 5632 nhhtnb.exe 5004 htbbbt.exe 5024 pvdvv.exe 5692 xrlfrlx.exe 516 httnhh.exe 5888 nnhbtn.exe 5216 vjjdj.exe -
resource yara_rule behavioral2/memory/1632-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6116-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6116-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5784-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5628-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5880-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-120-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4740-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5728-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5944-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5748-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5584-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5788-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5216-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-354-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4536-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5532-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5184-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5592-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-686-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlflllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1632 wrote to memory of 2912 1632 483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe 86 PID 1632 wrote to memory of 2912 1632 483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe 86 PID 1632 wrote to memory of 2912 1632 483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe 86 PID 2912 wrote to memory of 6116 2912 3lfxllx.exe 87 PID 2912 wrote to memory of 6116 2912 3lfxllx.exe 87 PID 2912 wrote to memory of 6116 2912 3lfxllx.exe 87 PID 6116 wrote to memory of 4880 6116 dddpd.exe 88 PID 6116 wrote to memory of 4880 6116 dddpd.exe 88 PID 6116 wrote to memory of 4880 6116 dddpd.exe 88 PID 4880 wrote to memory of 5784 4880 1ppdd.exe 89 PID 4880 wrote to memory of 5784 4880 1ppdd.exe 89 PID 4880 wrote to memory of 5784 4880 1ppdd.exe 89 PID 5784 wrote to memory of 5104 5784 fxxfrlx.exe 90 PID 5784 wrote to memory of 5104 5784 fxxfrlx.exe 90 PID 5784 wrote to memory of 5104 5784 fxxfrlx.exe 90 PID 5104 wrote to memory of 3812 5104 hhnhbt.exe 91 PID 5104 wrote to memory of 3812 5104 hhnhbt.exe 91 PID 5104 wrote to memory of 3812 5104 hhnhbt.exe 91 PID 3812 wrote to memory of 112 3812 pjjvj.exe 92 PID 3812 wrote to memory of 112 3812 pjjvj.exe 92 PID 3812 wrote to memory of 112 3812 pjjvj.exe 92 PID 112 wrote to memory of 5628 112 bbhbtn.exe 93 PID 112 wrote to memory of 5628 112 bbhbtn.exe 93 PID 112 wrote to memory of 5628 112 bbhbtn.exe 93 PID 5628 wrote to memory of 3420 5628 pjjvj.exe 94 PID 5628 wrote to memory of 3420 5628 pjjvj.exe 94 PID 5628 wrote to memory of 3420 5628 pjjvj.exe 94 PID 3420 wrote to memory of 4516 3420 dvvpd.exe 96 PID 3420 wrote to memory of 4516 3420 dvvpd.exe 96 PID 3420 wrote to memory of 4516 3420 dvvpd.exe 96 PID 4516 wrote to memory of 5880 4516 hhnhbt.exe 97 PID 4516 wrote to memory of 5880 4516 hhnhbt.exe 97 PID 4516 wrote to memory of 5880 4516 hhnhbt.exe 97 PID 5880 wrote to memory of 4616 5880 ppdvp.exe 98 PID 5880 wrote to memory of 4616 5880 
ppdvp.exe 98 PID 5880 wrote to memory of 4616 5880 ppdvp.exe 98 PID 4616 wrote to memory of 4800 4616 vppdv.exe 100 PID 4616 wrote to memory of 4800 4616 vppdv.exe 100 PID 4616 wrote to memory of 4800 4616 vppdv.exe 100 PID 4800 wrote to memory of 4688 4800 htthbh.exe 101 PID 4800 wrote to memory of 4688 4800 htthbh.exe 101 PID 4800 wrote to memory of 4688 4800 htthbh.exe 101 PID 4688 wrote to memory of 3108 4688 vddvd.exe 102 PID 4688 wrote to memory of 3108 4688 vddvd.exe 102 PID 4688 wrote to memory of 3108 4688 vddvd.exe 102 PID 3108 wrote to memory of 2168 3108 frlxxrl.exe 103 PID 3108 wrote to memory of 2168 3108 frlxxrl.exe 103 PID 3108 wrote to memory of 2168 3108 frlxxrl.exe 103 PID 2168 wrote to memory of 4676 2168 tbnbtt.exe 104 PID 2168 wrote to memory of 4676 2168 tbnbtt.exe 104 PID 2168 wrote to memory of 4676 2168 tbnbtt.exe 104 PID 4676 wrote to memory of 4740 4676 xlfrllf.exe 105 PID 4676 wrote to memory of 4740 4676 xlfrllf.exe 105 PID 4676 wrote to memory of 4740 4676 xlfrllf.exe 105 PID 4740 wrote to memory of 4028 4740 3tbbbb.exe 106 PID 4740 wrote to memory of 4028 4740 3tbbbb.exe 106 PID 4740 wrote to memory of 4028 4740 3tbbbb.exe 106 PID 4028 wrote to memory of 3948 4028 pdvpd.exe 107 PID 4028 wrote to memory of 3948 4028 pdvpd.exe 107 PID 4028 wrote to memory of 3948 4028 pdvpd.exe 107 PID 3948 wrote to memory of 1716 3948 xfllfxr.exe 108 PID 3948 wrote to memory of 1716 3948 xfllfxr.exe 108 PID 3948 wrote to memory of 1716 3948 xfllfxr.exe 108 PID 1716 wrote to memory of 4908 1716 9hbthb.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe"C:\Users\Admin\AppData\Local\Temp\483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\3lfxllx.exec:\3lfxllx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\dddpd.exec:\dddpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6116 -
\??\c:\1ppdd.exec:\1ppdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\fxxfrlx.exec:\fxxfrlx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5784 -
\??\c:\hhnhbt.exec:\hhnhbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\pjjvj.exec:\pjjvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\bbhbtn.exec:\bbhbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\pjjvj.exec:\pjjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5628 -
\??\c:\dvvpd.exec:\dvvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\hhnhbt.exec:\hhnhbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\ppdvp.exec:\ppdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5880 -
\??\c:\vppdv.exec:\vppdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\htthbh.exec:\htthbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\vddvd.exec:\vddvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\frlxxrl.exec:\frlxxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\tbnbtt.exec:\tbnbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\xlfrllf.exec:\xlfrllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\3tbbbb.exec:\3tbbbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\pdvpd.exec:\pdvpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\xfllfxr.exec:\xfllfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\9hbthb.exec:\9hbthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\dvvdp.exec:\dvvdp.exe23⤵
- Executes dropped EXE
PID:4908 -
\??\c:\1hhthb.exec:\1hhthb.exe24⤵
- Executes dropped EXE
PID:840 -
\??\c:\bnbthh.exec:\bnbthh.exe25⤵
- Executes dropped EXE
PID:3316 -
\??\c:\rlffrxl.exec:\rlffrxl.exe26⤵
- Executes dropped EXE
PID:4692 -
\??\c:\frxrflx.exec:\frxrflx.exe27⤵
- Executes dropped EXE
PID:5952 -
\??\c:\fxxxrrf.exec:\fxxxrrf.exe28⤵
- Executes dropped EXE
PID:1940 -
\??\c:\dppjv.exec:\dppjv.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1664 -
\??\c:\dvddd.exec:\dvddd.exe30⤵
- Executes dropped EXE
PID:5728 -
\??\c:\rlflxrl.exec:\rlflxrl.exe31⤵
- Executes dropped EXE
PID:716 -
\??\c:\thhbtn.exec:\thhbtn.exe32⤵
- Executes dropped EXE
PID:3060 -
\??\c:\nbthnh.exec:\nbthnh.exe33⤵
- Executes dropped EXE
PID:4072 -
\??\c:\hhntbt.exec:\hhntbt.exe34⤵
- Executes dropped EXE
PID:540 -
\??\c:\xffrlfx.exec:\xffrlfx.exe35⤵
- Executes dropped EXE
PID:1168 -
\??\c:\tnhbnb.exec:\tnhbnb.exe36⤵
- Executes dropped EXE
PID:2696 -
\??\c:\5dvjd.exec:\5dvjd.exe37⤵
- Executes dropped EXE
PID:368 -
\??\c:\rrlfxrl.exec:\rrlfxrl.exe38⤵
- Executes dropped EXE
PID:4008 -
\??\c:\hbtnnh.exec:\hbtnnh.exe39⤵
- Executes dropped EXE
PID:5944 -
\??\c:\7bnhbt.exec:\7bnhbt.exe40⤵
- Executes dropped EXE
PID:4868 -
\??\c:\ffxlxrf.exec:\ffxlxrf.exe41⤵
- Executes dropped EXE
PID:5696 -
\??\c:\5rrlfff.exec:\5rrlfff.exe42⤵
- Executes dropped EXE
PID:4228 -
\??\c:\bhnbnh.exec:\bhnbnh.exe43⤵
- Executes dropped EXE
PID:5092 -
\??\c:\pdjdp.exec:\pdjdp.exe44⤵
- Executes dropped EXE
PID:3824 -
\??\c:\dvdvj.exec:\dvdvj.exe45⤵
- Executes dropped EXE
PID:2260 -
\??\c:\7rxxrrl.exec:\7rxxrrl.exe46⤵
- Executes dropped EXE
PID:5176 -
\??\c:\pjdvj.exec:\pjdvj.exe47⤵
- Executes dropped EXE
PID:6108 -
\??\c:\xlfxxxf.exec:\xlfxxxf.exe48⤵
- Executes dropped EXE
PID:5748 -
\??\c:\tbhthb.exec:\tbhthb.exe49⤵
- Executes dropped EXE
PID:1736 -
\??\c:\7pvpd.exec:\7pvpd.exe50⤵
- Executes dropped EXE
PID:4160 -
\??\c:\7pdvp.exec:\7pdvp.exe51⤵
- Executes dropped EXE
PID:4016 -
\??\c:\xlrfrfx.exec:\xlrfrfx.exe52⤵
- Executes dropped EXE
PID:4476 -
\??\c:\nnnhbt.exec:\nnnhbt.exe53⤵
- Executes dropped EXE
PID:3400 -
\??\c:\djjvj.exec:\djjvj.exe54⤵
- Executes dropped EXE
PID:3840 -
\??\c:\rrxrlfr.exec:\rrxrlfr.exe55⤵
- Executes dropped EXE
PID:2856 -
\??\c:\nbhttn.exec:\nbhttn.exe56⤵
- Executes dropped EXE
PID:5584 -
\??\c:\djpdv.exec:\djpdv.exe57⤵
- Executes dropped EXE
PID:1608 -
\??\c:\xlrlxlf.exec:\xlrlxlf.exe58⤵
- Executes dropped EXE
PID:5788 -
\??\c:\nhhtnb.exec:\nhhtnb.exe59⤵
- Executes dropped EXE
PID:5632 -
\??\c:\htbbbt.exec:\htbbbt.exe60⤵
- Executes dropped EXE
PID:5004 -
\??\c:\pvdvv.exec:\pvdvv.exe61⤵
- Executes dropped EXE
PID:5024 -
\??\c:\xrlfrlx.exec:\xrlfrlx.exe62⤵
- Executes dropped EXE
PID:5692 -
\??\c:\httnhh.exec:\httnhh.exe63⤵
- Executes dropped EXE
PID:516 -
\??\c:\nnhbtn.exec:\nnhbtn.exe64⤵
- Executes dropped EXE
PID:5888 -
\??\c:\vjjdj.exec:\vjjdj.exe65⤵
- Executes dropped EXE
PID:5216 -
\??\c:\ffrfrrf.exec:\ffrfrrf.exe66⤵PID:5100
-
\??\c:\nhnbbb.exec:\nhnbbb.exe67⤵PID:2424
-
\??\c:\bhbtnh.exec:\bhbtnh.exe68⤵PID:3904
-
\??\c:\5ddpd.exec:\5ddpd.exe69⤵PID:1480
-
\??\c:\rffrfxl.exec:\rffrfxl.exe70⤵PID:4148
-
\??\c:\3bhbhh.exec:\3bhbhh.exe71⤵PID:4580
-
\??\c:\dpvvp.exec:\dpvvp.exe72⤵PID:3920
-
\??\c:\9dvjd.exec:\9dvjd.exe73⤵PID:3048
-
\??\c:\3frfrll.exec:\3frfrll.exe74⤵PID:3056
-
\??\c:\thhbnn.exec:\thhbnn.exe75⤵PID:668
-
\??\c:\5nbthb.exec:\5nbthb.exe76⤵PID:3132
-
\??\c:\jjpvp.exec:\jjpvp.exe77⤵PID:6100
-
\??\c:\lxfrlxr.exec:\lxfrlxr.exe78⤵PID:4372
-
\??\c:\ttbthb.exec:\ttbthb.exe79⤵PID:404
-
\??\c:\1djdv.exec:\1djdv.exe80⤵PID:1400
-
\??\c:\7fxlxxl.exec:\7fxlxxl.exe81⤵PID:512
-
\??\c:\rxllflx.exec:\rxllflx.exe82⤵PID:4520
-
\??\c:\1nbtnh.exec:\1nbtnh.exe83⤵PID:4536
-
\??\c:\dvpdv.exec:\dvpdv.exe84⤵PID:4540
-
\??\c:\xlxlllf.exec:\xlxlllf.exe85⤵
- System Location Discovery: System Language Discovery
PID:4816 -
\??\c:\fflfxrf.exec:\fflfxrf.exe86⤵PID:4404
-
\??\c:\hbtbtb.exec:\hbtbtb.exe87⤵PID:5608
-
\??\c:\3vpjd.exec:\3vpjd.exe88⤵PID:1052
-
\??\c:\jjdvj.exec:\jjdvj.exe89⤵PID:2040
-
\??\c:\lllllxr.exec:\lllllxr.exe90⤵PID:5348
-
\??\c:\hhbnth.exec:\hhbnth.exe91⤵PID:4664
-
\??\c:\jvdvv.exec:\jvdvv.exe92⤵PID:4928
-
\??\c:\7pvpp.exec:\7pvpp.exe93⤵PID:5532
-
\??\c:\1frfxrl.exec:\1frfxrl.exe94⤵PID:4344
-
\??\c:\btthbn.exec:\btthbn.exe95⤵PID:3360
-
\??\c:\pppjv.exec:\pppjv.exe96⤵PID:4784
-
\??\c:\5flllfr.exec:\5flllfr.exe97⤵PID:4872
-
\??\c:\ffxrfxl.exec:\ffxrfxl.exe98⤵PID:1280
-
\??\c:\5ttnhn.exec:\5ttnhn.exe99⤵PID:4692
-
\??\c:\ddjvd.exec:\ddjvd.exe100⤵PID:5624
-
\??\c:\rxlfrfr.exec:\rxlfrfr.exe101⤵PID:2724
-
\??\c:\lrxlxrl.exec:\lrxlxrl.exe102⤵PID:2444
-
\??\c:\tbbtnt.exec:\tbbtnt.exe103⤵PID:1664
-
\??\c:\dvvjd.exec:\dvvjd.exe104⤵PID:3252
-
\??\c:\frrfrlf.exec:\frrfrlf.exe105⤵
- System Location Discovery: System Language Discovery
PID:936 -
\??\c:\tnbnhh.exec:\tnbnhh.exe106⤵PID:3652
-
\??\c:\thhbtn.exec:\thhbtn.exe107⤵PID:3060
-
\??\c:\ppvpj.exec:\ppvpj.exe108⤵PID:1612
-
\??\c:\3llfxxl.exec:\3llfxxl.exe109⤵PID:5592
-
\??\c:\xxlxxrr.exec:\xxlxxrr.exe110⤵PID:540
-
\??\c:\7jjvp.exec:\7jjvp.exe111⤵PID:1936
-
\??\c:\5rrfrrf.exec:\5rrfrrf.exe112⤵PID:2696
-
\??\c:\9tnnbn.exec:\9tnnbn.exe113⤵PID:5300
-
\??\c:\htbnhh.exec:\htbnhh.exe114⤵PID:4008
-
\??\c:\5vpdv.exec:\5vpdv.exe115⤵PID:2140
-
\??\c:\frrlflx.exec:\frrlflx.exe116⤵PID:4868
-
\??\c:\nbbthb.exec:\nbbthb.exe117⤵PID:5236
-
\??\c:\tnnhbt.exec:\tnnhbt.exe118⤵PID:5908
-
\??\c:\vjjdv.exec:\vjjdv.exe119⤵PID:4092
-
\??\c:\xrxlxrf.exec:\xrxlxrf.exe120⤵PID:3824
-
\??\c:\9rrlfxr.exec:\9rrlfxr.exe121⤵PID:4144
-
\??\c:\ntbbnt.exec:\ntbbnt.exe122⤵PID:3224