Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
28/03/2025, 19:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4cf6e207498ffdebe0da0c3748b5c27dd91e019ae159cb65bc2eea7878ee7e65.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
4cf6e207498ffdebe0da0c3748b5c27dd91e019ae159cb65bc2eea7878ee7e65.exe
-
Size
458KB
-
MD5
0b6a803003055ab4909f395fe5850e9c
-
SHA1
004d519293df979ef5c3a5ee73f65f004603f316
-
SHA256
4cf6e207498ffdebe0da0c3748b5c27dd91e019ae159cb65bc2eea7878ee7e65
-
SHA512
99b39b87a7b9aefd456b78bcd464a16b88f1fe2df0a09ace9fa5567c9ccefd1fe12f99baea48af5760dafc82dc7066be8f2600753cc1d8b36e8ab6e874ccbd47
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/5812-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5568-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6052-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5948-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5924-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5600-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5076-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6096-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5352-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6100-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5768-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6032-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2924-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5684-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5584-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5924-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5304-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5776-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6004-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5344-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5948-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-915-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-955-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-1211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-1233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-1625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5568 7rfrxll.exe 2400 pdjdj.exe 4256 vvvjp.exe 6052 1rxfrlx.exe 4228 9xfrfrl.exe 1044 pvjdp.exe 440 1xrfrrf.exe 2160 nththt.exe 2504 pvjdv.exe 5948 9rfrlff.exe 5372 vvpdp.exe 5924 nbbbtt.exe 4400 dvpjv.exe 4412 jdvjv.exe 4480 1llrrff.exe 4432 pdvjv.exe 2864 xlxxlxl.exe 5600 dpppd.exe 4588 hnnbnh.exe 3912 3ddvj.exe 968 btthth.exe 60 5ttnbb.exe 2520 llfxrfx.exe 2292 thbntn.exe 5360 jvpvj.exe 5076 vpjvd.exe 2256 xrlxxrr.exe 1264 5hhnnh.exe 1724 fxxfrlx.exe 2096 bbbnbt.exe 1956 dppvj.exe 1468 ffrfrlx.exe 6096 thhtbt.exe 1884 1vvjd.exe 2952 lxlxllx.exe 872 7ttnth.exe 1776 3vvjp.exe 1200 vjdpd.exe 3220 frrfrll.exe 3568 tttbnb.exe 5352 7dvdj.exe 2812 ddpdp.exe 3048 7xrxlfr.exe 2956 tbtnbt.exe 4940 1dvjp.exe 6100 lxlrffx.exe 2388 3rrrlxl.exe 2184 bnhthh.exe 5148 9vdpj.exe 720 dpjpd.exe 2112 3xlxlxl.exe 3312 5bbbbt.exe 5768 bbbnnb.exe 3288 ddjvp.exe 1576 lrlxlfx.exe 5660 hhbnht.exe 3548 3nhtnh.exe 916 1vvjj.exe 6032 frxlxlx.exe 4808 3lrxlxl.exe 640 thntbt.exe 3596 ppjdp.exe 1056 3fxxfxx.exe 3452 tbnbnt.exe -
resource yara_rule behavioral2/memory/5812-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5568-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6052-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5948-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5948-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5924-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5600-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5076-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6096-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5352-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6100-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5768-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6032-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-338-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2924-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5684-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5584-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5924-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5304-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5776-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6004-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5344-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5948-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-751-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5812 wrote to memory of 5568 5812 4cf6e207498ffdebe0da0c3748b5c27dd91e019ae159cb65bc2eea7878ee7e65.exe 87 PID 5812 wrote to memory of 5568 5812 4cf6e207498ffdebe0da0c3748b5c27dd91e019ae159cb65bc2eea7878ee7e65.exe 87 PID 5812 wrote to memory of 5568 5812 4cf6e207498ffdebe0da0c3748b5c27dd91e019ae159cb65bc2eea7878ee7e65.exe 87 PID 5568 wrote to memory of 2400 5568 7rfrxll.exe 88 PID 5568 wrote to memory of 2400 5568 7rfrxll.exe 88 PID 5568 wrote to memory of 2400 5568 7rfrxll.exe 88 PID 2400 wrote to memory of 4256 2400 pdjdj.exe 89 PID 2400 wrote to memory of 4256 2400 pdjdj.exe 89 PID 2400 wrote to memory of 4256 2400 pdjdj.exe 89 PID 4256 wrote to memory of 6052 4256 vvvjp.exe 90 PID 4256 wrote to memory of 6052 4256 vvvjp.exe 90 PID 4256 wrote to memory of 6052 4256 vvvjp.exe 90 PID 6052 wrote to memory of 4228 6052 1rxfrlx.exe 91 PID 6052 wrote to memory of 4228 6052 1rxfrlx.exe 91 PID 6052 wrote to memory of 4228 6052 1rxfrlx.exe 91 PID 4228 wrote to memory of 1044 4228 9xfrfrl.exe 92 PID 4228 wrote to memory of 1044 4228 9xfrfrl.exe 92 PID 4228 wrote to memory of 1044 4228 9xfrfrl.exe 92 PID 1044 wrote to memory of 440 1044 pvjdp.exe 93 PID 1044 wrote to memory of 440 1044 pvjdp.exe 93 PID 1044 wrote to memory of 440 1044 pvjdp.exe 93 PID 440 wrote to memory of 2160 440 1xrfrrf.exe 94 PID 440 wrote to memory of 2160 440 1xrfrrf.exe 94 PID 440 wrote to memory of 2160 440 1xrfrrf.exe 94 PID 2160 wrote to memory of 2504 2160 nththt.exe 95 PID 2160 wrote to memory of 2504 2160 nththt.exe 95 PID 2160 wrote to memory of 2504 2160 nththt.exe 95 PID 2504 wrote to memory of 5948 2504 pvjdv.exe 96 PID 2504 wrote to memory of 5948 2504 pvjdv.exe 96 PID 2504 wrote to memory of 5948 2504 pvjdv.exe 96 PID 5948 wrote to memory of 5372 5948 9rfrlff.exe 97 PID 5948 wrote to memory of 5372 5948 9rfrlff.exe 97 PID 5948 wrote to memory of 5372 5948 9rfrlff.exe 97 PID 5372 wrote to memory of 5924 5372 vvpdp.exe 98 PID 5372 wrote to memory 
of 5924 5372 vvpdp.exe 98 PID 5372 wrote to memory of 5924 5372 vvpdp.exe 98 PID 5924 wrote to memory of 4400 5924 nbbbtt.exe 99 PID 5924 wrote to memory of 4400 5924 nbbbtt.exe 99 PID 5924 wrote to memory of 4400 5924 nbbbtt.exe 99 PID 4400 wrote to memory of 4412 4400 dvpjv.exe 100 PID 4400 wrote to memory of 4412 4400 dvpjv.exe 100 PID 4400 wrote to memory of 4412 4400 dvpjv.exe 100 PID 4412 wrote to memory of 4480 4412 jdvjv.exe 102 PID 4412 wrote to memory of 4480 4412 jdvjv.exe 102 PID 4412 wrote to memory of 4480 4412 jdvjv.exe 102 PID 4480 wrote to memory of 4432 4480 1llrrff.exe 104 PID 4480 wrote to memory of 4432 4480 1llrrff.exe 104 PID 4480 wrote to memory of 4432 4480 1llrrff.exe 104 PID 4432 wrote to memory of 2864 4432 pdvjv.exe 105 PID 4432 wrote to memory of 2864 4432 pdvjv.exe 105 PID 4432 wrote to memory of 2864 4432 pdvjv.exe 105 PID 2864 wrote to memory of 5600 2864 xlxxlxl.exe 107 PID 2864 wrote to memory of 5600 2864 xlxxlxl.exe 107 PID 2864 wrote to memory of 5600 2864 xlxxlxl.exe 107 PID 5600 wrote to memory of 4588 5600 dpppd.exe 108 PID 5600 wrote to memory of 4588 5600 dpppd.exe 108 PID 5600 wrote to memory of 4588 5600 dpppd.exe 108 PID 4588 wrote to memory of 3912 4588 hnnbnh.exe 109 PID 4588 wrote to memory of 3912 4588 hnnbnh.exe 109 PID 4588 wrote to memory of 3912 4588 hnnbnh.exe 109 PID 3912 wrote to memory of 968 3912 3ddvj.exe 110 PID 3912 wrote to memory of 968 3912 3ddvj.exe 110 PID 3912 wrote to memory of 968 3912 3ddvj.exe 110 PID 968 wrote to memory of 60 968 btthth.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\4cf6e207498ffdebe0da0c3748b5c27dd91e019ae159cb65bc2eea7878ee7e65.exe"C:\Users\Admin\AppData\Local\Temp\4cf6e207498ffdebe0da0c3748b5c27dd91e019ae159cb65bc2eea7878ee7e65.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5812 -
\??\c:\7rfrxll.exec:\7rfrxll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5568 -
\??\c:\pdjdj.exec:\pdjdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\vvvjp.exec:\vvvjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\1rxfrlx.exec:\1rxfrlx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6052 -
\??\c:\9xfrfrl.exec:\9xfrfrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\pvjdp.exec:\pvjdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\1xrfrrf.exec:\1xrfrrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\nththt.exec:\nththt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\pvjdv.exec:\pvjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\9rfrlff.exec:\9rfrlff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5948 -
\??\c:\vvpdp.exec:\vvpdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5372 -
\??\c:\nbbbtt.exec:\nbbbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5924 -
\??\c:\dvpjv.exec:\dvpjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\jdvjv.exec:\jdvjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\1llrrff.exec:\1llrrff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\pdvjv.exec:\pdvjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\xlxxlxl.exec:\xlxxlxl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\dpppd.exec:\dpppd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5600 -
\??\c:\hnnbnh.exec:\hnnbnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\3ddvj.exec:\3ddvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\btthth.exec:\btthth.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\5ttnbb.exec:\5ttnbb.exe23⤵
- Executes dropped EXE
PID:60 -
\??\c:\llfxrfx.exec:\llfxrfx.exe24⤵
- Executes dropped EXE
PID:2520 -
\??\c:\thbntn.exec:\thbntn.exe25⤵
- Executes dropped EXE
PID:2292 -
\??\c:\jvpvj.exec:\jvpvj.exe26⤵
- Executes dropped EXE
PID:5360 -
\??\c:\vpjvd.exec:\vpjvd.exe27⤵
- Executes dropped EXE
PID:5076 -
\??\c:\xrlxxrr.exec:\xrlxxrr.exe28⤵
- Executes dropped EXE
PID:2256 -
\??\c:\5hhnnh.exec:\5hhnnh.exe29⤵
- Executes dropped EXE
PID:1264 -
\??\c:\fxxfrlx.exec:\fxxfrlx.exe30⤵
- Executes dropped EXE
PID:1724 -
\??\c:\bbbnbt.exec:\bbbnbt.exe31⤵
- Executes dropped EXE
PID:2096 -
\??\c:\dppvj.exec:\dppvj.exe32⤵
- Executes dropped EXE
PID:1956 -
\??\c:\ffrfrlx.exec:\ffrfrlx.exe33⤵
- Executes dropped EXE
PID:1468 -
\??\c:\thhtbt.exec:\thhtbt.exe34⤵
- Executes dropped EXE
PID:6096 -
\??\c:\1vvjd.exec:\1vvjd.exe35⤵
- Executes dropped EXE
PID:1884 -
\??\c:\lxlxllx.exec:\lxlxllx.exe36⤵
- Executes dropped EXE
PID:2952 -
\??\c:\7ttnth.exec:\7ttnth.exe37⤵
- Executes dropped EXE
PID:872 -
\??\c:\3vvjp.exec:\3vvjp.exe38⤵
- Executes dropped EXE
PID:1776 -
\??\c:\vjdpd.exec:\vjdpd.exe39⤵
- Executes dropped EXE
PID:1200 -
\??\c:\frrfrll.exec:\frrfrll.exe40⤵
- Executes dropped EXE
PID:3220 -
\??\c:\tttbnb.exec:\tttbnb.exe41⤵
- Executes dropped EXE
PID:3568 -
\??\c:\7dvdj.exec:\7dvdj.exe42⤵
- Executes dropped EXE
PID:5352 -
\??\c:\ddpdp.exec:\ddpdp.exe43⤵
- Executes dropped EXE
PID:2812 -
\??\c:\7xrxlfr.exec:\7xrxlfr.exe44⤵
- Executes dropped EXE
PID:3048 -
\??\c:\tbtnbt.exec:\tbtnbt.exe45⤵
- Executes dropped EXE
PID:2956 -
\??\c:\1dvjp.exec:\1dvjp.exe46⤵
- Executes dropped EXE
PID:4940 -
\??\c:\lxlrffx.exec:\lxlrffx.exe47⤵
- Executes dropped EXE
PID:6100 -
\??\c:\3rrrlxl.exec:\3rrrlxl.exe48⤵
- Executes dropped EXE
PID:2388 -
\??\c:\bnhthh.exec:\bnhthh.exe49⤵
- Executes dropped EXE
PID:2184 -
\??\c:\9vdpj.exec:\9vdpj.exe50⤵
- Executes dropped EXE
PID:5148 -
\??\c:\dpjpd.exec:\dpjpd.exe51⤵
- Executes dropped EXE
PID:720 -
\??\c:\3xlxlxl.exec:\3xlxlxl.exe52⤵
- Executes dropped EXE
PID:2112 -
\??\c:\5bbbbt.exec:\5bbbbt.exe53⤵
- Executes dropped EXE
PID:3312 -
\??\c:\bbbnnb.exec:\bbbnnb.exe54⤵
- Executes dropped EXE
PID:5768 -
\??\c:\ddjvp.exec:\ddjvp.exe55⤵
- Executes dropped EXE
PID:3288 -
\??\c:\lrlxlfx.exec:\lrlxlfx.exe56⤵
- Executes dropped EXE
PID:1576 -
\??\c:\hhbnht.exec:\hhbnht.exe57⤵
- Executes dropped EXE
PID:5660 -
\??\c:\3nhtnh.exec:\3nhtnh.exe58⤵
- Executes dropped EXE
PID:3548 -
\??\c:\1vvjj.exec:\1vvjj.exe59⤵
- Executes dropped EXE
PID:916 -
\??\c:\frxlxlx.exec:\frxlxlx.exe60⤵
- Executes dropped EXE
PID:6032 -
\??\c:\3lrxlxl.exec:\3lrxlxl.exe61⤵
- Executes dropped EXE
PID:4808 -
\??\c:\thntbt.exec:\thntbt.exe62⤵
- Executes dropped EXE
PID:640 -
\??\c:\ppjdp.exec:\ppjdp.exe63⤵
- Executes dropped EXE
PID:3596 -
\??\c:\3fxxfxx.exec:\3fxxfxx.exe64⤵
- Executes dropped EXE
PID:1056 -
\??\c:\tbnbnt.exec:\tbnbnt.exe65⤵
- Executes dropped EXE
PID:3452 -
\??\c:\bnhbht.exec:\bnhbht.exe66⤵PID:5124
-
\??\c:\jddjv.exec:\jddjv.exe67⤵PID:3828
-
\??\c:\7rfrfxl.exec:\7rfrfxl.exe68⤵PID:5808
-
\??\c:\xxrlxrl.exec:\xxrlxrl.exe69⤵PID:4280
-
\??\c:\1ththb.exec:\1ththb.exe70⤵PID:2360
-
\??\c:\5hbntt.exec:\5hbntt.exe71⤵PID:4964
-
\??\c:\pjdpp.exec:\pjdpp.exe72⤵PID:2396
-
\??\c:\rrrrrff.exec:\rrrrrff.exe73⤵PID:5568
-
\??\c:\xlfxlrf.exec:\xlfxlrf.exe74⤵PID:1188
-
\??\c:\tbhbtn.exec:\tbhbtn.exe75⤵PID:4900
-
\??\c:\vjjvd.exec:\vjjvd.exe76⤵PID:380
-
\??\c:\5dvpd.exec:\5dvpd.exe77⤵PID:4744
-
\??\c:\llllrfx.exec:\llllrfx.exe78⤵PID:2924
-
\??\c:\hhthtn.exec:\hhthtn.exe79⤵PID:3108
-
\??\c:\nbnbnb.exec:\nbnbnb.exe80⤵PID:2612
-
\??\c:\pdjvj.exec:\pdjvj.exe81⤵PID:3896
-
\??\c:\1llxlfr.exec:\1llxlfr.exe82⤵PID:5668
-
\??\c:\hnnhth.exec:\hnnhth.exe83⤵PID:5684
-
\??\c:\pdjvv.exec:\pdjvv.exe84⤵PID:5036
-
\??\c:\pddpd.exec:\pddpd.exe85⤵PID:5584
-
\??\c:\llrxxrl.exec:\llrxxrl.exe86⤵PID:5372
-
\??\c:\xllxrrf.exec:\xllxrrf.exe87⤵PID:5924
-
\??\c:\thhtnb.exec:\thhtnb.exe88⤵PID:4460
-
\??\c:\1pjvj.exec:\1pjvj.exe89⤵PID:4644
-
\??\c:\djjvj.exec:\djjvj.exe90⤵PID:4552
-
\??\c:\rflxlxl.exec:\rflxlxl.exe91⤵PID:4544
-
\??\c:\7tnhtn.exec:\7tnhtn.exe92⤵PID:5144
-
\??\c:\hnbbbb.exec:\hnbbbb.exe93⤵PID:4512
-
\??\c:\pdpdp.exec:\pdpdp.exe94⤵PID:5304
-
\??\c:\vdvjv.exec:\vdvjv.exe95⤵PID:5048
-
\??\c:\hbnhbt.exec:\hbnhbt.exe96⤵PID:4616
-
\??\c:\tnhtnh.exec:\tnhtnh.exe97⤵PID:928
-
\??\c:\pjppj.exec:\pjppj.exe98⤵PID:632
-
\??\c:\pvvjd.exec:\pvvjd.exe99⤵PID:3912
-
\??\c:\flrffll.exec:\flrffll.exe100⤵PID:3864
-
\??\c:\nhthtn.exec:\nhthtn.exe101⤵PID:1556
-
\??\c:\7hhtbt.exec:\7hhtbt.exe102⤵PID:2152
-
\??\c:\vjjjd.exec:\vjjjd.exe103⤵PID:2220
-
\??\c:\flrlrll.exec:\flrlrll.exe104⤵PID:5152
-
\??\c:\9xllxrf.exec:\9xllxrf.exe105⤵PID:5360
-
\??\c:\bhhtbn.exec:\bhhtbn.exe106⤵PID:1424
-
\??\c:\pjvpd.exec:\pjvpd.exe107⤵PID:5448
-
\??\c:\pvpdp.exec:\pvpdp.exe108⤵PID:5452
-
\??\c:\fxxfrrl.exec:\fxxfrrl.exe109⤵PID:2256
-
\??\c:\btnthb.exec:\btnthb.exe110⤵PID:1264
-
\??\c:\hhhhnh.exec:\hhhhnh.exe111⤵PID:1724
-
\??\c:\1pdpd.exec:\1pdpd.exe112⤵PID:6084
-
\??\c:\vjpdv.exec:\vjpdv.exe113⤵PID:860
-
\??\c:\xlfrfxr.exec:\xlfrfxr.exe114⤵PID:3892
-
\??\c:\tbnhtn.exec:\tbnhtn.exe115⤵PID:3020
-
\??\c:\nbbnhb.exec:\nbbnhb.exe116⤵PID:2836
-
\??\c:\jppjv.exec:\jppjv.exe117⤵PID:4112
-
\??\c:\lxfrlxx.exec:\lxfrlxx.exe118⤵PID:1012
-
\??\c:\7rllxrf.exec:\7rllxrf.exe119⤵PID:4144
-
\??\c:\thtthn.exec:\thtthn.exe120⤵PID:5476
-
\??\c:\tbhbbn.exec:\tbhbbn.exe121⤵PID:5136
-
\??\c:\ddpvj.exec:\ddpvj.exe122⤵PID:2000