Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 21:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
25f8b6a718607062deb028978519b11d4c8cda8df6a355092e136065dcb84dbc.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
25f8b6a718607062deb028978519b11d4c8cda8df6a355092e136065dcb84dbc.exe
-
Size
454KB
-
MD5
2295ecead46ec7a7b200ceeffec735c3
-
SHA1
e384200d341d3c9b866d4f75a5fa78903082159e
-
SHA256
25f8b6a718607062deb028978519b11d4c8cda8df6a355092e136065dcb84dbc
-
SHA512
d8adb81235cd66f6d18077b7b5548eecdfc4dc81368f4197d1af714cce3a20c873cf0e03c1701a18cc73cdeb9072f0e89c14df2348d02696a38a744a99e92f54
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe+:q7Tc2NYHUrAwfMp3CD+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1524-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1724-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4620-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-813-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-859-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-974-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-1011-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/996-1268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4440 lrlxxxx.exe 3168 7ppjj.exe 3752 nhnhhb.exe 1416 xlflrxf.exe 4956 nthntb.exe 4504 fffrffr.exe 2940 vddvv.exe 1424 lrlfrfx.exe 4404 nnbnnb.exe 3392 9jdvp.exe 1464 tnthhh.exe 3600 hhthhh.exe 3876 xxllfrl.exe 3224 jvjjd.exe 3320 rrxxxff.exe 2420 nbhhbb.exe 1884 lfrlxfr.exe 2572 jddvp.exe 3564 7ddvv.exe 4516 1pvdd.exe 3308 lxrllfr.exe 2744 vdjpd.exe 4304 xxfffff.exe 2440 btttnn.exe 3340 xxrrxrx.exe 1724 7vvpp.exe 1500 pvvvv.exe 1076 9bbbbb.exe 4728 fxllfll.exe 2540 nbhnbh.exe 320 pdpjj.exe 4048 3flxrrx.exe 1116 7vvjj.exe 956 llrrrrr.exe 2892 5tntnn.exe 1756 9vvpp.exe 1100 rxxxxfx.exe 2180 1bbntt.exe 1780 vdppd.exe 4952 9fxlrfr.exe 1744 1vddd.exe 5116 rxfrrff.exe 1556 hhthbn.exe 2984 pdddd.exe 1240 tntnhh.exe 3744 9hhbtt.exe 508 pdvpp.exe 4832 xxxrrrr.exe 4392 ttnntt.exe 3184 3tbthh.exe 3020 9dvjp.exe 3644 1tnhbb.exe 3168 vpjjd.exe 3316 3llrfrl.exe 1636 9fllflx.exe 1416 tthhnb.exe 3852 jjpjj.exe 4836 1rfffff.exe 1476 bthhbb.exe 2940 vvpjj.exe 2584 1jvpp.exe 4004 lrrllll.exe 4268 tbhbhh.exe 804 5jvvd.exe -
resource yara_rule behavioral2/memory/1524-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-174-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1076-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-389-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2872-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-813-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1524 wrote to memory of 4440 1524 25f8b6a718607062deb028978519b11d4c8cda8df6a355092e136065dcb84dbc.exe 83 PID 1524 wrote to memory of 4440 1524 25f8b6a718607062deb028978519b11d4c8cda8df6a355092e136065dcb84dbc.exe 83 PID 1524 wrote to memory of 4440 1524 25f8b6a718607062deb028978519b11d4c8cda8df6a355092e136065dcb84dbc.exe 83 PID 4440 wrote to memory of 3168 4440 lrlxxxx.exe 84 PID 4440 wrote to memory of 3168 4440 lrlxxxx.exe 84 PID 4440 wrote to memory of 3168 4440 lrlxxxx.exe 84 PID 3168 wrote to memory of 3752 3168 7ppjj.exe 85 PID 3168 wrote to memory of 3752 3168 7ppjj.exe 85 PID 3168 wrote to memory of 3752 3168 7ppjj.exe 85 PID 3752 wrote to memory of 1416 3752 nhnhhb.exe 86 PID 3752 wrote to memory of 1416 3752 nhnhhb.exe 86 PID 3752 wrote to memory of 1416 3752 nhnhhb.exe 86 PID 1416 wrote to memory of 4956 1416 xlflrxf.exe 87 PID 1416 wrote to memory of 4956 1416 xlflrxf.exe 87 PID 1416 wrote to memory of 4956 1416 xlflrxf.exe 87 PID 4956 wrote to memory of 4504 4956 nthntb.exe 88 PID 4956 wrote to memory of 4504 4956 nthntb.exe 88 PID 4956 wrote to memory of 4504 4956 nthntb.exe 88 PID 4504 wrote to memory of 2940 4504 fffrffr.exe 89 PID 4504 wrote to memory of 2940 4504 fffrffr.exe 89 PID 4504 wrote to memory of 2940 4504 fffrffr.exe 89 PID 2940 wrote to memory of 1424 2940 vddvv.exe 90 PID 2940 wrote to memory of 1424 2940 vddvv.exe 90 PID 2940 wrote to memory of 1424 2940 vddvv.exe 90 PID 1424 wrote to memory of 4404 1424 lrlfrfx.exe 91 PID 1424 wrote to memory of 4404 1424 lrlfrfx.exe 91 PID 1424 wrote to memory of 4404 1424 lrlfrfx.exe 91 PID 4404 wrote to memory of 3392 4404 nnbnnb.exe 92 PID 4404 wrote to memory of 3392 4404 nnbnnb.exe 92 PID 4404 wrote to memory of 3392 4404 nnbnnb.exe 92 PID 3392 wrote to memory of 1464 3392 9jdvp.exe 93 PID 3392 wrote to memory of 1464 3392 9jdvp.exe 93 PID 3392 wrote to memory of 1464 3392 9jdvp.exe 93 PID 1464 wrote to memory of 3600 1464 tnthhh.exe 94 PID 1464 wrote 
to memory of 3600 1464 tnthhh.exe 94 PID 1464 wrote to memory of 3600 1464 tnthhh.exe 94 PID 3600 wrote to memory of 3876 3600 hhthhh.exe 95 PID 3600 wrote to memory of 3876 3600 hhthhh.exe 95 PID 3600 wrote to memory of 3876 3600 hhthhh.exe 95 PID 3876 wrote to memory of 3224 3876 xxllfrl.exe 96 PID 3876 wrote to memory of 3224 3876 xxllfrl.exe 96 PID 3876 wrote to memory of 3224 3876 xxllfrl.exe 96 PID 3224 wrote to memory of 3320 3224 jvjjd.exe 97 PID 3224 wrote to memory of 3320 3224 jvjjd.exe 97 PID 3224 wrote to memory of 3320 3224 jvjjd.exe 97 PID 3320 wrote to memory of 2420 3320 rrxxxff.exe 98 PID 3320 wrote to memory of 2420 3320 rrxxxff.exe 98 PID 3320 wrote to memory of 2420 3320 rrxxxff.exe 98 PID 2420 wrote to memory of 1884 2420 nbhhbb.exe 99 PID 2420 wrote to memory of 1884 2420 nbhhbb.exe 99 PID 2420 wrote to memory of 1884 2420 nbhhbb.exe 99 PID 1884 wrote to memory of 2572 1884 lfrlxfr.exe 100 PID 1884 wrote to memory of 2572 1884 lfrlxfr.exe 100 PID 1884 wrote to memory of 2572 1884 lfrlxfr.exe 100 PID 2572 wrote to memory of 3564 2572 jddvp.exe 101 PID 2572 wrote to memory of 3564 2572 jddvp.exe 101 PID 2572 wrote to memory of 3564 2572 jddvp.exe 101 PID 3564 wrote to memory of 4516 3564 7ddvv.exe 102 PID 3564 wrote to memory of 4516 3564 7ddvv.exe 102 PID 3564 wrote to memory of 4516 3564 7ddvv.exe 102 PID 4516 wrote to memory of 3308 4516 1pvdd.exe 103 PID 4516 wrote to memory of 3308 4516 1pvdd.exe 103 PID 4516 wrote to memory of 3308 4516 1pvdd.exe 103 PID 3308 wrote to memory of 2744 3308 lxrllfr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\25f8b6a718607062deb028978519b11d4c8cda8df6a355092e136065dcb84dbc.exe"C:\Users\Admin\AppData\Local\Temp\25f8b6a718607062deb028978519b11d4c8cda8df6a355092e136065dcb84dbc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\lrlxxxx.exec:\lrlxxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\7ppjj.exec:\7ppjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\nhnhhb.exec:\nhnhhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\xlflrxf.exec:\xlflrxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\nthntb.exec:\nthntb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\fffrffr.exec:\fffrffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\vddvv.exec:\vddvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\lrlfrfx.exec:\lrlfrfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\nnbnnb.exec:\nnbnnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\9jdvp.exec:\9jdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\tnthhh.exec:\tnthhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\hhthhh.exec:\hhthhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\xxllfrl.exec:\xxllfrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\jvjjd.exec:\jvjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
\??\c:\rrxxxff.exec:\rrxxxff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\nbhhbb.exec:\nbhhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\lfrlxfr.exec:\lfrlxfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\jddvp.exec:\jddvp.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\7ddvv.exec:\7ddvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\1pvdd.exec:\1pvdd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\lxrllfr.exec:\lxrllfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\vdjpd.exec:\vdjpd.exe23⤵
- Executes dropped EXE
PID:2744 -
\??\c:\xxfffff.exec:\xxfffff.exe24⤵
- Executes dropped EXE
PID:4304 -
\??\c:\btttnn.exec:\btttnn.exe25⤵
- Executes dropped EXE
PID:2440 -
\??\c:\xxrrxrx.exec:\xxrrxrx.exe26⤵
- Executes dropped EXE
PID:3340 -
\??\c:\7vvpp.exec:\7vvpp.exe27⤵
- Executes dropped EXE
PID:1724 -
\??\c:\pvvvv.exec:\pvvvv.exe28⤵
- Executes dropped EXE
PID:1500 -
\??\c:\9bbbbb.exec:\9bbbbb.exe29⤵
- Executes dropped EXE
PID:1076 -
\??\c:\fxllfll.exec:\fxllfll.exe30⤵
- Executes dropped EXE
PID:4728 -
\??\c:\nbhnbh.exec:\nbhnbh.exe31⤵
- Executes dropped EXE
PID:2540 -
\??\c:\pdpjj.exec:\pdpjj.exe32⤵
- Executes dropped EXE
PID:320 -
\??\c:\3flxrrx.exec:\3flxrrx.exe33⤵
- Executes dropped EXE
PID:4048 -
\??\c:\7vvjj.exec:\7vvjj.exe34⤵
- Executes dropped EXE
PID:1116 -
\??\c:\llrrrrr.exec:\llrrrrr.exe35⤵
- Executes dropped EXE
PID:956 -
\??\c:\5tntnn.exec:\5tntnn.exe36⤵
- Executes dropped EXE
PID:2892 -
\??\c:\9vvpp.exec:\9vvpp.exe37⤵
- Executes dropped EXE
PID:1756 -
\??\c:\rxxxxfx.exec:\rxxxxfx.exe38⤵
- Executes dropped EXE
PID:1100 -
\??\c:\1bbntt.exec:\1bbntt.exe39⤵
- Executes dropped EXE
PID:2180 -
\??\c:\vdppd.exec:\vdppd.exe40⤵
- Executes dropped EXE
PID:1780 -
\??\c:\9fxlrfr.exec:\9fxlrfr.exe41⤵
- Executes dropped EXE
PID:4952 -
\??\c:\1vddd.exec:\1vddd.exe42⤵
- Executes dropped EXE
PID:1744 -
\??\c:\rxfrrff.exec:\rxfrrff.exe43⤵
- Executes dropped EXE
PID:5116 -
\??\c:\hhthbn.exec:\hhthbn.exe44⤵
- Executes dropped EXE
PID:1556 -
\??\c:\pdddd.exec:\pdddd.exe45⤵
- Executes dropped EXE
PID:2984 -
\??\c:\tntnhh.exec:\tntnhh.exe46⤵
- Executes dropped EXE
PID:1240 -
\??\c:\9hhbtt.exec:\9hhbtt.exe47⤵
- Executes dropped EXE
PID:3744 -
\??\c:\pdvpp.exec:\pdvpp.exe48⤵
- Executes dropped EXE
PID:508 -
\??\c:\xxxrrrr.exec:\xxxrrrr.exe49⤵
- Executes dropped EXE
PID:4832 -
\??\c:\ttnntt.exec:\ttnntt.exe50⤵
- Executes dropped EXE
PID:4392 -
\??\c:\3tbthh.exec:\3tbthh.exe51⤵
- Executes dropped EXE
PID:3184 -
\??\c:\9dvjp.exec:\9dvjp.exe52⤵
- Executes dropped EXE
PID:3020 -
\??\c:\lrrllll.exec:\lrrllll.exe53⤵PID:860
-
\??\c:\1tnhbb.exec:\1tnhbb.exe54⤵
- Executes dropped EXE
PID:3644 -
\??\c:\vpjjd.exec:\vpjjd.exe55⤵
- Executes dropped EXE
PID:3168 -
\??\c:\3llrfrl.exec:\3llrfrl.exe56⤵
- Executes dropped EXE
PID:3316 -
\??\c:\9fllflx.exec:\9fllflx.exe57⤵
- Executes dropped EXE
PID:1636 -
\??\c:\tthhnb.exec:\tthhnb.exe58⤵
- Executes dropped EXE
PID:1416 -
\??\c:\jjpjj.exec:\jjpjj.exe59⤵
- Executes dropped EXE
PID:3852 -
\??\c:\1rfffff.exec:\1rfffff.exe60⤵
- Executes dropped EXE
PID:4836 -
\??\c:\bthhbb.exec:\bthhbb.exe61⤵
- Executes dropped EXE
PID:1476 -
\??\c:\vvpjj.exec:\vvpjj.exe62⤵
- Executes dropped EXE
PID:2940 -
\??\c:\1jvpp.exec:\1jvpp.exe63⤵
- Executes dropped EXE
PID:2584 -
\??\c:\lrrllll.exec:\lrrllll.exe64⤵
- Executes dropped EXE
PID:4004 -
\??\c:\tbhbhh.exec:\tbhbhh.exe65⤵
- Executes dropped EXE
PID:4268 -
\??\c:\5jvvd.exec:\5jvvd.exe66⤵
- Executes dropped EXE
PID:804 -
\??\c:\vdjjd.exec:\vdjjd.exe67⤵PID:2448
-
\??\c:\xxllrxf.exec:\xxllrxf.exe68⤵PID:3568
-
\??\c:\tbnnhh.exec:\tbnnhh.exe69⤵PID:1832
-
\??\c:\pjvpp.exec:\pjvpp.exe70⤵PID:1952
-
\??\c:\xlrrffx.exec:\xlrrffx.exe71⤵PID:3876
-
\??\c:\btbtbb.exec:\btbtbb.exe72⤵PID:2364
-
\??\c:\fffrfxl.exec:\fffrfxl.exe73⤵PID:1032
-
\??\c:\3xllffx.exec:\3xllffx.exe74⤵PID:4100
-
\??\c:\9bttbb.exec:\9bttbb.exe75⤵PID:4208
-
\??\c:\pjvpj.exec:\pjvpj.exe76⤵PID:852
-
\??\c:\jvddv.exec:\jvddv.exe77⤵PID:3292
-
\??\c:\rrlllll.exec:\rrlllll.exe78⤵PID:2776
-
\??\c:\tbtttt.exec:\tbtttt.exe79⤵PID:3536
-
\??\c:\jjjdd.exec:\jjjdd.exe80⤵PID:4620
-
\??\c:\7pvjp.exec:\7pvjp.exe81⤵PID:1632
-
\??\c:\3xrfxxx.exec:\3xrfxxx.exe82⤵PID:4140
-
\??\c:\bhbtht.exec:\bhbtht.exe83⤵PID:3308
-
\??\c:\9jpdv.exec:\9jpdv.exe84⤵PID:1540
-
\??\c:\xxrxrrl.exec:\xxrxrrl.exe85⤵PID:2972
-
\??\c:\7bbbtb.exec:\7bbbtb.exe86⤵PID:4860
-
\??\c:\7htnhh.exec:\7htnhh.exe87⤵PID:2692
-
\??\c:\jpjdv.exec:\jpjdv.exe88⤵PID:3556
-
\??\c:\9rrlxrx.exec:\9rrlxrx.exe89⤵PID:912
-
\??\c:\bnttnt.exec:\bnttnt.exe90⤵PID:1724
-
\??\c:\1ddvp.exec:\1ddvp.exe91⤵PID:1080
-
\??\c:\3llfrrl.exec:\3llfrrl.exe92⤵PID:2388
-
\??\c:\nbbbtn.exec:\nbbbtn.exe93⤵PID:5048
-
\??\c:\3nbthh.exec:\3nbthh.exe94⤵PID:2872
-
\??\c:\jdppp.exec:\jdppp.exe95⤵PID:3312
-
\??\c:\fflrllf.exec:\fflrllf.exe96⤵PID:216
-
\??\c:\btthnn.exec:\btthnn.exe97⤵PID:4416
-
\??\c:\9pdvj.exec:\9pdvj.exe98⤵PID:3664
-
\??\c:\fxrlllf.exec:\fxrlllf.exe99⤵PID:1116
-
\??\c:\5thbtb.exec:\5thbtb.exe100⤵PID:1444
-
\??\c:\pjjdv.exec:\pjjdv.exe101⤵PID:3252
-
\??\c:\fxfxxrx.exec:\fxfxxrx.exe102⤵PID:3116
-
\??\c:\ttttnn.exec:\ttttnn.exe103⤵PID:316
-
\??\c:\bhnbtn.exec:\bhnbtn.exe104⤵PID:4128
-
\??\c:\ddvpj.exec:\ddvpj.exe105⤵PID:1780
-
\??\c:\llffrfx.exec:\llffrfx.exe106⤵PID:4824
-
\??\c:\nhnhbt.exec:\nhnhbt.exe107⤵PID:2716
-
\??\c:\jdppd.exec:\jdppd.exe108⤵PID:3176
-
\??\c:\ppjjv.exec:\ppjjv.exe109⤵PID:3624
-
\??\c:\xrfxffl.exec:\xrfxffl.exe110⤵PID:452
-
\??\c:\hhbnbt.exec:\hhbnbt.exe111⤵PID:2320
-
\??\c:\djjpp.exec:\djjpp.exe112⤵PID:4768
-
\??\c:\llfxllx.exec:\llfxllx.exe113⤵PID:4444
-
\??\c:\thhhbb.exec:\thhhbb.exe114⤵PID:4388
-
\??\c:\1pvvd.exec:\1pvvd.exe115⤵PID:1740
-
\??\c:\rfxxxrr.exec:\rfxxxrr.exe116⤵PID:3200
-
\??\c:\tntttb.exec:\tntttb.exe117⤵PID:2952
-
\??\c:\bbhbbb.exec:\bbhbbb.exe118⤵PID:3024
-
\??\c:\7pppp.exec:\7pppp.exe119⤵PID:4024
-
\??\c:\9frrlrl.exec:\9frrlrl.exe120⤵PID:3992
-
\??\c:\ttbbtn.exec:\ttbbtn.exe121⤵PID:1776
-
\??\c:\djjjd.exec:\djjjd.exe122⤵PID:1504
-