Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 20:42
Behavioral task
behavioral1
Sample
25d4eb9349d2a1cc45b10fc268d0ee45ab9803411fc79634f2391e07b5cec70f.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
25d4eb9349d2a1cc45b10fc268d0ee45ab9803411fc79634f2391e07b5cec70f.exe
-
Size
331KB
-
MD5
909ca9ff2354013fec5adf08cf1e6d1d
-
SHA1
ca2b6a495063a88dee2807b2f3111c463019ab83
-
SHA256
25d4eb9349d2a1cc45b10fc268d0ee45ab9803411fc79634f2391e07b5cec70f
-
SHA512
6cfe96de4c16ff529b325e65f5cc12855d93333d5a73f44da0441d3e08a0ee5650f28ef2b6fea41d35b83a77af3da1a5172621054238afc48358fd98286e0b9f
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbe1:R4wFHoSHYHUrAwfMp3CD1
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4576-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3744-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2804-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2764-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3672-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3784-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2928-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4292-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1676-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1912-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3484-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4912-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4684-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2160-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4516-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2996-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5052-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1636-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/408-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2356-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2136-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1824-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2724-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4920-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/816-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3760-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3068-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1516-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2948-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/632-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4808-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/376-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3560-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3892-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1584-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3964-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1120-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2800-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2820-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2212-328-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3268-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-386-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4336-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3584-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1632-423-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/700-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/32-429-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-464-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-477-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3340-498-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4700-539-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-596-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1264-1390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4688 xxfxfxr.exe 2804 7tbbbh.exe 3744 pddvd.exe 2764 htthbb.exe 3672 rfllfxx.exe 3784 9hnhbt.exe 2224 vvpjd.exe 2928 5hnhbn.exe 4292 jpvpv.exe 2356 vjdpd.exe 408 tbnhhn.exe 1636 9jvdd.exe 1528 dddvj.exe 5052 xflfrrl.exe 1912 xxxrfxr.exe 1676 5bbnhb.exe 3184 ttntnt.exe 3012 vpjvp.exe 4140 7rrlxrx.exe 4912 frlfrrf.exe 3484 bthtnn.exe 2408 pjvpp.exe 3836 lllffff.exe 5060 xfxlxrl.exe 4992 9bnbnb.exe 828 9jjvd.exe 1524 lrfrrrf.exe 2996 1btnth.exe 4684 pjdvj.exe 2160 dpvjv.exe 4516 7xrfxrf.exe 4136 1nhbnh.exe 4572 jdvjv.exe 2136 3rlxfxx.exe 4144 jppdp.exe 1492 rxrlxrf.exe 1824 1dvjv.exe 2724 3jjdp.exe 4592 llrxffr.exe 4920 nhhbth.exe 816 vjvdd.exe 3760 rlfxlfx.exe 460 lffrlfx.exe 1572 nnbthb.exe 1160 3dvdp.exe 4512 dvvjj.exe 5020 5rrfrlr.exe 3068 bbbnbn.exe 3756 ntbhbn.exe 1516 7vpjp.exe 4960 rfllrll.exe 2044 bnnhtn.exe 2948 hhbnbt.exe 632 jdjdp.exe 4808 3xrlrfx.exe 376 5hnbnh.exe 4896 dvpjv.exe 4508 5rrfxxr.exe 1756 frlffff.exe 5032 3hhnbt.exe 3560 jdjdv.exe 1536 pdjpd.exe 3892 5llxlfr.exe 1800 bnbbbn.exe -
resource yara_rule behavioral2/memory/4576-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c05-2.dat upx behavioral2/memory/4576-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4688-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c9d-9.dat upx behavioral2/files/0x0007000000023c9e-11.dat upx behavioral2/memory/3744-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2804-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-19.dat upx behavioral2/files/0x0007000000023ca0-23.dat upx behavioral2/memory/2764-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-28.dat upx behavioral2/memory/3672-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-33.dat upx behavioral2/memory/3784-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-38.dat upx behavioral2/files/0x0007000000023ca4-42.dat upx behavioral2/memory/4292-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2928-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-49.dat upx behavioral2/memory/4292-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-60.dat upx behavioral2/files/0x0007000000023cac-77.dat upx behavioral2/memory/1676-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-84.dat upx behavioral2/memory/1912-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-88.dat upx behavioral2/files/0x0007000000023cb0-99.dat upx behavioral2/memory/3484-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-105.dat upx behavioral2/memory/3484-106-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4912-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-96.dat upx behavioral2/memory/2408-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-111.dat upx behavioral2/files/0x0007000000023cb4-121.dat upx behavioral2/memory/5060-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-124.dat upx behavioral2/memory/4992-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-130.dat upx behavioral2/files/0x0007000000023cb7-134.dat upx behavioral2/files/0x0007000000023cb9-142.dat upx behavioral2/memory/4684-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2160-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-148.dat upx behavioral2/memory/4516-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-153.dat upx behavioral2/files/0x0007000000023cb8-139.dat upx behavioral2/memory/2996-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-116.dat upx behavioral2/files/0x0008000000023c9b-92.dat upx behavioral2/files/0x0007000000023cab-74.dat upx behavioral2/memory/5052-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-69.dat upx behavioral2/files/0x0007000000023ca9-65.dat upx behavioral2/memory/1636-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/408-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2356-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-54.dat upx behavioral2/memory/2136-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4144-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1824-169-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2724-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4920-177-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
tnbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4576 wrote to memory of 4688 4576 25d4eb9349d2a1cc45b10fc268d0ee45ab9803411fc79634f2391e07b5cec70f.exe 82 PID 4576 wrote to memory of 4688 4576 25d4eb9349d2a1cc45b10fc268d0ee45ab9803411fc79634f2391e07b5cec70f.exe 82 PID 4576 wrote to memory of 4688 4576 25d4eb9349d2a1cc45b10fc268d0ee45ab9803411fc79634f2391e07b5cec70f.exe 82 PID 4688 wrote to memory of 2804 4688 xxfxfxr.exe 83 PID 4688 wrote to memory of 2804 4688 xxfxfxr.exe 83 PID 4688 wrote to memory of 2804 4688 xxfxfxr.exe 83 PID 2804 wrote to memory of 3744 2804 7tbbbh.exe 84 PID 2804 wrote to memory of 3744 2804 7tbbbh.exe 84 PID 2804 wrote to memory of 3744 2804 7tbbbh.exe 84 PID 3744 wrote to memory of 2764 3744 pddvd.exe 85 PID 3744 wrote to memory of 2764 3744 pddvd.exe 85 PID 3744 wrote to memory of 2764 3744 pddvd.exe 85 PID 2764 wrote to memory of 3672 2764 htthbb.exe 86 PID 2764 wrote to memory of 3672 2764 htthbb.exe 86 PID 2764 wrote to memory of 3672 2764 htthbb.exe 86 PID 3672 wrote to memory of 3784 3672 rfllfxx.exe 87 PID 3672 wrote to memory of 3784 3672 rfllfxx.exe 87 PID 3672 wrote to memory of 3784 3672 rfllfxx.exe 87 PID 3784 wrote to memory of 2224 3784 9hnhbt.exe 88 PID 3784 wrote to memory of 2224 3784 9hnhbt.exe 88 PID 3784 wrote to memory of 2224 3784 9hnhbt.exe 88 PID 2224 wrote to memory of 2928 2224 vvpjd.exe 89 PID 2224 wrote to memory of 2928 2224 vvpjd.exe 89 PID 2224 wrote to memory of 2928 2224 vvpjd.exe 89 PID 2928 wrote to memory of 4292 2928 5hnhbn.exe 90 PID 2928 wrote to memory of 4292 2928 5hnhbn.exe 90 PID 2928 wrote to memory of 4292 2928 5hnhbn.exe 90 PID 4292 wrote to memory of 2356 4292 jpvpv.exe 91 PID 4292 wrote to memory of 2356 4292 jpvpv.exe 91 PID 4292 wrote to memory of 2356 4292 jpvpv.exe 91 PID 2356 wrote to memory of 408 2356 vjdpd.exe 92 PID 2356 wrote to memory of 408 2356 vjdpd.exe 92 PID 2356 wrote to memory of 408 2356 vjdpd.exe 92 PID 408 wrote to memory of 1636 408 tbnhhn.exe 93 PID 408 wrote to memory of 
1636 408 tbnhhn.exe 93 PID 408 wrote to memory of 1636 408 tbnhhn.exe 93 PID 1636 wrote to memory of 1528 1636 9jvdd.exe 94 PID 1636 wrote to memory of 1528 1636 9jvdd.exe 94 PID 1636 wrote to memory of 1528 1636 9jvdd.exe 94 PID 1528 wrote to memory of 5052 1528 dddvj.exe 95 PID 1528 wrote to memory of 5052 1528 dddvj.exe 95 PID 1528 wrote to memory of 5052 1528 dddvj.exe 95 PID 5052 wrote to memory of 1912 5052 xflfrrl.exe 96 PID 5052 wrote to memory of 1912 5052 xflfrrl.exe 96 PID 5052 wrote to memory of 1912 5052 xflfrrl.exe 96 PID 1912 wrote to memory of 1676 1912 xxxrfxr.exe 97 PID 1912 wrote to memory of 1676 1912 xxxrfxr.exe 97 PID 1912 wrote to memory of 1676 1912 xxxrfxr.exe 97 PID 1676 wrote to memory of 3184 1676 5bbnhb.exe 98 PID 1676 wrote to memory of 3184 1676 5bbnhb.exe 98 PID 1676 wrote to memory of 3184 1676 5bbnhb.exe 98 PID 3184 wrote to memory of 3012 3184 ttntnt.exe 99 PID 3184 wrote to memory of 3012 3184 ttntnt.exe 99 PID 3184 wrote to memory of 3012 3184 ttntnt.exe 99 PID 3012 wrote to memory of 4140 3012 vpjvp.exe 100 PID 3012 wrote to memory of 4140 3012 vpjvp.exe 100 PID 3012 wrote to memory of 4140 3012 vpjvp.exe 100 PID 4140 wrote to memory of 4912 4140 7rrlxrx.exe 101 PID 4140 wrote to memory of 4912 4140 7rrlxrx.exe 101 PID 4140 wrote to memory of 4912 4140 7rrlxrx.exe 101 PID 4912 wrote to memory of 3484 4912 frlfrrf.exe 102 PID 4912 wrote to memory of 3484 4912 frlfrrf.exe 102 PID 4912 wrote to memory of 3484 4912 frlfrrf.exe 102 PID 3484 wrote to memory of 2408 3484 bthtnn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\25d4eb9349d2a1cc45b10fc268d0ee45ab9803411fc79634f2391e07b5cec70f.exe"C:\Users\Admin\AppData\Local\Temp\25d4eb9349d2a1cc45b10fc268d0ee45ab9803411fc79634f2391e07b5cec70f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\xxfxfxr.exec:\xxfxfxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\7tbbbh.exec:\7tbbbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\pddvd.exec:\pddvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\htthbb.exec:\htthbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\rfllfxx.exec:\rfllfxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\9hnhbt.exec:\9hnhbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\vvpjd.exec:\vvpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\5hnhbn.exec:\5hnhbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\jpvpv.exec:\jpvpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\vjdpd.exec:\vjdpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\tbnhhn.exec:\tbnhhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\9jvdd.exec:\9jvdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\dddvj.exec:\dddvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\xflfrrl.exec:\xflfrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\xxxrfxr.exec:\xxxrfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\5bbnhb.exec:\5bbnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\ttntnt.exec:\ttntnt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\vpjvp.exec:\vpjvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\7rrlxrx.exec:\7rrlxrx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\frlfrrf.exec:\frlfrrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\bthtnn.exec:\bthtnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\pjvpp.exec:\pjvpp.exe23⤵
- Executes dropped EXE
PID:2408 -
\??\c:\lllffff.exec:\lllffff.exe24⤵
- Executes dropped EXE
PID:3836 -
\??\c:\xfxlxrl.exec:\xfxlxrl.exe25⤵
- Executes dropped EXE
PID:5060 -
\??\c:\9bnbnb.exec:\9bnbnb.exe26⤵
- Executes dropped EXE
PID:4992 -
\??\c:\9jjvd.exec:\9jjvd.exe27⤵
- Executes dropped EXE
PID:828 -
\??\c:\lrfrrrf.exec:\lrfrrrf.exe28⤵
- Executes dropped EXE
PID:1524 -
\??\c:\1btnth.exec:\1btnth.exe29⤵
- Executes dropped EXE
PID:2996 -
\??\c:\pjdvj.exec:\pjdvj.exe30⤵
- Executes dropped EXE
PID:4684 -
\??\c:\dpvjv.exec:\dpvjv.exe31⤵
- Executes dropped EXE
PID:2160 -
\??\c:\7xrfxrf.exec:\7xrfxrf.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4516 -
\??\c:\1nhbnh.exec:\1nhbnh.exe33⤵
- Executes dropped EXE
PID:4136 -
\??\c:\jdvjv.exec:\jdvjv.exe34⤵
- Executes dropped EXE
PID:4572 -
\??\c:\3rlxfxx.exec:\3rlxfxx.exe35⤵
- Executes dropped EXE
PID:2136 -
\??\c:\jppdp.exec:\jppdp.exe36⤵
- Executes dropped EXE
PID:4144 -
\??\c:\rxrlxrf.exec:\rxrlxrf.exe37⤵
- Executes dropped EXE
PID:1492 -
\??\c:\1dvjv.exec:\1dvjv.exe38⤵
- Executes dropped EXE
PID:1824 -
\??\c:\3jjdp.exec:\3jjdp.exe39⤵
- Executes dropped EXE
PID:2724 -
\??\c:\llrxffr.exec:\llrxffr.exe40⤵
- Executes dropped EXE
PID:4592 -
\??\c:\nhhbth.exec:\nhhbth.exe41⤵
- Executes dropped EXE
PID:4920 -
\??\c:\vjvdd.exec:\vjvdd.exe42⤵
- Executes dropped EXE
PID:816 -
\??\c:\rlfxlfx.exec:\rlfxlfx.exe43⤵
- Executes dropped EXE
PID:3760 -
\??\c:\lffrlfx.exec:\lffrlfx.exe44⤵
- Executes dropped EXE
PID:460 -
\??\c:\nnbthb.exec:\nnbthb.exe45⤵
- Executes dropped EXE
PID:1572 -
\??\c:\3dvdp.exec:\3dvdp.exe46⤵
- Executes dropped EXE
PID:1160 -
\??\c:\dvvjj.exec:\dvvjj.exe47⤵
- Executes dropped EXE
PID:4512 -
\??\c:\5rrfrlr.exec:\5rrfrlr.exe48⤵
- Executes dropped EXE
PID:5020 -
\??\c:\bbbnbn.exec:\bbbnbn.exe49⤵
- Executes dropped EXE
PID:3068 -
\??\c:\ntbhbn.exec:\ntbhbn.exe50⤵
- Executes dropped EXE
PID:3756 -
\??\c:\7vpjp.exec:\7vpjp.exe51⤵
- Executes dropped EXE
PID:1516 -
\??\c:\rfllrll.exec:\rfllrll.exe52⤵
- Executes dropped EXE
PID:4960 -
\??\c:\bnnhtn.exec:\bnnhtn.exe53⤵
- Executes dropped EXE
PID:2044 -
\??\c:\hhbnbt.exec:\hhbnbt.exe54⤵
- Executes dropped EXE
PID:2948 -
\??\c:\jdjdp.exec:\jdjdp.exe55⤵
- Executes dropped EXE
PID:632 -
\??\c:\3xrlrfx.exec:\3xrlrfx.exe56⤵
- Executes dropped EXE
PID:4808 -
\??\c:\5hnbnh.exec:\5hnbnh.exe57⤵
- Executes dropped EXE
PID:376 -
\??\c:\dvpjv.exec:\dvpjv.exe58⤵
- Executes dropped EXE
PID:4896 -
\??\c:\5rrfxxr.exec:\5rrfxxr.exe59⤵
- Executes dropped EXE
PID:4508 -
\??\c:\frlffff.exec:\frlffff.exe60⤵
- Executes dropped EXE
PID:1756 -
\??\c:\3hhnbt.exec:\3hhnbt.exe61⤵
- Executes dropped EXE
PID:5032 -
\??\c:\jdjdv.exec:\jdjdv.exe62⤵
- Executes dropped EXE
PID:3560 -
\??\c:\pdjpd.exec:\pdjpd.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1536 -
\??\c:\5llxlfr.exec:\5llxlfr.exe64⤵
- Executes dropped EXE
PID:3892 -
\??\c:\bnbbbn.exec:\bnbbbn.exe65⤵
- Executes dropped EXE
PID:1800 -
\??\c:\dvvjv.exec:\dvvjv.exe66⤵PID:3236
-
\??\c:\vdjvd.exec:\vdjvd.exe67⤵PID:3304
-
\??\c:\1ffrrll.exec:\1ffrrll.exe68⤵PID:1124
-
\??\c:\htbnbt.exec:\htbnbt.exe69⤵PID:3804
-
\??\c:\pjpjv.exec:\pjpjv.exe70⤵PID:3120
-
\??\c:\7dvpd.exec:\7dvpd.exe71⤵PID:2224
-
\??\c:\xflrxfl.exec:\xflrxfl.exe72⤵PID:560
-
\??\c:\fxrlflf.exec:\fxrlflf.exe73⤵PID:1632
-
\??\c:\hbnhhh.exec:\hbnhhh.exe74⤵PID:700
-
\??\c:\pdjjd.exec:\pdjjd.exe75⤵PID:3060
-
\??\c:\jdjdp.exec:\jdjdp.exe76⤵PID:1584
-
\??\c:\flrlffx.exec:\flrlffx.exe77⤵PID:1708
-
\??\c:\lfllllf.exec:\lfllllf.exe78⤵PID:4380
-
\??\c:\htbtnt.exec:\htbtnt.exe79⤵PID:3092
-
\??\c:\jjjjd.exec:\jjjjd.exe80⤵PID:3964
-
\??\c:\9rrlrff.exec:\9rrlrff.exe81⤵PID:1120
-
\??\c:\rflrlrl.exec:\rflrlrl.exe82⤵PID:644
-
\??\c:\bhtnhh.exec:\bhtnhh.exe83⤵PID:3052
-
\??\c:\tbnnhh.exec:\tbnnhh.exe84⤵PID:1328
-
\??\c:\jdvpv.exec:\jdvpv.exe85⤵PID:4076
-
\??\c:\7djdv.exec:\7djdv.exe86⤵PID:1404
-
\??\c:\xxlrrll.exec:\xxlrrll.exe87⤵PID:1996
-
\??\c:\3bhbhh.exec:\3bhbhh.exe88⤵PID:2972
-
\??\c:\nthtnh.exec:\nthtnh.exe89⤵PID:2800
-
\??\c:\dvpjj.exec:\dvpjj.exe90⤵PID:3524
-
\??\c:\fxfllrr.exec:\fxfllrr.exe91⤵PID:1980
-
\??\c:\1ttntt.exec:\1ttntt.exe92⤵PID:952
-
\??\c:\djvpd.exec:\djvpd.exe93⤵PID:3496
-
\??\c:\dvvpv.exec:\dvvpv.exe94⤵PID:5000
-
\??\c:\fxxfllx.exec:\fxxfllx.exe95⤵PID:5060
-
\??\c:\1rrrrrr.exec:\1rrrrrr.exe96⤵PID:2820
-
\??\c:\7ttnnn.exec:\7ttnnn.exe97⤵PID:1856
-
\??\c:\pjjpj.exec:\pjjpj.exe98⤵PID:668
-
\??\c:\pjppj.exec:\pjppj.exe99⤵PID:2068
-
\??\c:\lffxfff.exec:\lffxfff.exe100⤵PID:4764
-
\??\c:\bthhbn.exec:\bthhbn.exe101⤵PID:3456
-
\??\c:\3tnhtt.exec:\3tnhtt.exe102⤵PID:1764
-
\??\c:\ddvpj.exec:\ddvpj.exe103⤵PID:4468
-
\??\c:\xxxlffx.exec:\xxxlffx.exe104⤵PID:4472
-
\??\c:\tnhhhn.exec:\tnhhhn.exe105⤵PID:2212
-
\??\c:\hbhtnb.exec:\hbhtnb.exe106⤵PID:5024
-
\??\c:\vdjdv.exec:\vdjdv.exe107⤵PID:3340
-
\??\c:\3rrlffx.exec:\3rrlffx.exe108⤵PID:2064
-
\??\c:\lxfxxxf.exec:\lxfxxxf.exe109⤵PID:2040
-
\??\c:\hthbbb.exec:\hthbbb.exe110⤵PID:1416
-
\??\c:\vdjdv.exec:\vdjdv.exe111⤵PID:3268
-
\??\c:\9vvpv.exec:\9vvpv.exe112⤵PID:2300
-
\??\c:\9xxrfff.exec:\9xxrfff.exe113⤵PID:4532
-
\??\c:\ntttnn.exec:\ntttnn.exe114⤵PID:1820
-
\??\c:\7ttnhh.exec:\7ttnhh.exe115⤵PID:2324
-
\??\c:\djddj.exec:\djddj.exe116⤵PID:4844
-
\??\c:\rllfrfr.exec:\rllfrfr.exe117⤵PID:1648
-
\??\c:\5rllrrl.exec:\5rllrrl.exe118⤵PID:2332
-
\??\c:\9hbbtt.exec:\9hbbtt.exe119⤵PID:1656
-
\??\c:\nbhbbb.exec:\nbhbbb.exe120⤵PID:4320
-
\??\c:\1jdvp.exec:\1jdvp.exe121⤵PID:1088
-
\??\c:\9lrxrfx.exec:\9lrxrfx.exe122⤵PID:2648