Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe
-
Size
454KB
-
MD5
36b624cdfecae57de9bfbb44faa9a37f
-
SHA1
c774e95654a4c3d15034140f43365a4017e2d42e
-
SHA256
edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf
-
SHA512
c79d3b73b6ffe10785cee435bf9c550468e1bbfa06840cc1be192f8db84142ca0c7c0a6326545407660d197aae524df58a99be4f3a7e52891049a780b207f1b9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2368-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-51-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2732-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-117-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1668-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1560-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/836-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-199-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/936-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/936-229-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon 
behavioral1/memory/3060-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-296-0x0000000076CD0000-0x0000000076DEF000-memory.dmp family_blackmoon behavioral1/memory/1800-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/276-319-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/276-338-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2788-346-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2788-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1836-359-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2840-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-367-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2680-381-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2656-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/276-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-670-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/1632-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-783-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2448-849-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2080-930-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/568-1108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-1159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1820-1233-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1852-1259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-1348-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2952-1386-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2368 pppvj.exe 2492 7ffllrr.exe 2292 hbnntb.exe 3068 vpddp.exe 2708 1tbbnt.exe 2732 9dvdj.exe 2076 nhbbbb.exe 2680 vpvvd.exe 2804 jjddp.exe 2632 flrrfxf.exe 2992 1pvvd.exe 1668 dpjjj.exe 1420 bhbnbn.exe 1568 dpdpv.exe 1380 1bnntn.exe 1560 5vvvv.exe 1632 hhbbnn.exe 2004 vvppd.exe 836 xfffllx.exe 2880 1djpp.exe 2088 nhbhnt.exe 264 hhbhtt.exe 1160 ppjpj.exe 936 bthbht.exe 3060 dvdjp.exe 2108 tnnbnn.exe 2124 pdpvp.exe 1780 rrlxflx.exe 1608 pdvvj.exe 576 9rlfrxl.exe 2400 dvpvd.exe 2428 rfxfffl.exe 2152 dvddd.exe 276 vjddp.exe 2504 dvjvj.exe 3008 rfxxfxl.exe 1804 hbtbhn.exe 2788 3tnhnn.exe 2684 3jjjv.exe 1836 rrlrrrx.exe 2840 xrlrrlx.exe 2864 btnntb.exe 2680 3lrrxxl.exe 2656 5lxfxxf.exe 2996 7bnbhh.exe 3016 ppvjv.exe 2016 rlfxflr.exe 1968 5rxxflr.exe 1772 nbhntn.exe 1976 pdpvj.exe 2336 vjvvd.exe 1704 lxfffxl.exe 1472 3rlxxxx.exe 1992 thbntt.exe 1632 jvdjp.exe 1684 3flfxlr.exe 2972 xlxfrrx.exe 592 bbhttt.exe 304 7nnnhn.exe 2240 ppjvj.exe 1088 xxlflfr.exe 480 rrfllfl.exe 1896 hbhbhh.exe 984 5jvjp.exe -
resource yara_rule behavioral1/memory/2368-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1560-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/936-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/936-224-0x0000000000530000-0x000000000055A000-memory.dmp upx behavioral1/memory/3060-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-285-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2428-298-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2428-296-0x0000000076CD0000-0x0000000076DEF000-memory.dmp upx behavioral1/memory/1800-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-346-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2788-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/276-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-670-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1632-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-783-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2952-830-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-918-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1360-1006-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-1039-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/600-1064-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/616-1095-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-1108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/276-1146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-1159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-1233-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1852-1259-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bththh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfllrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1620 wrote to memory of 2368 1620 edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe 30 PID 1620 wrote to memory of 2368 1620 edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe 30 PID 1620 wrote to memory of 2368 1620 edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe 30 PID 1620 wrote to memory of 2368 1620 edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe 30 PID 2368 wrote to memory of 2492 2368 pppvj.exe 31 PID 2368 wrote to memory of 2492 2368 pppvj.exe 31 PID 2368 wrote to memory of 2492 2368 pppvj.exe 31 PID 2368 wrote to memory of 2492 2368 pppvj.exe 31 PID 2492 wrote to memory of 2292 2492 7ffllrr.exe 32 PID 2492 wrote to memory of 2292 2492 7ffllrr.exe 32 PID 2492 wrote to memory of 2292 2492 7ffllrr.exe 32 PID 2492 wrote to memory of 2292 2492 7ffllrr.exe 32 PID 2292 wrote to memory of 3068 2292 hbnntb.exe 33 PID 2292 wrote to memory of 3068 2292 hbnntb.exe 33 PID 2292 wrote to memory of 3068 2292 hbnntb.exe 33 PID 2292 wrote to memory of 3068 2292 hbnntb.exe 33 PID 3068 wrote to memory of 2708 3068 vpddp.exe 34 PID 3068 wrote to memory of 2708 3068 vpddp.exe 34 PID 3068 wrote to memory of 2708 3068 vpddp.exe 34 PID 3068 wrote to memory of 2708 3068 vpddp.exe 34 PID 2708 wrote to memory of 2732 2708 1tbbnt.exe 35 PID 2708 wrote to memory of 2732 2708 1tbbnt.exe 35 PID 2708 wrote to memory of 2732 2708 1tbbnt.exe 35 PID 2708 wrote to memory of 2732 2708 1tbbnt.exe 35 PID 2732 wrote to memory of 2076 2732 9dvdj.exe 36 PID 2732 wrote to memory of 2076 2732 9dvdj.exe 36 PID 2732 wrote to memory of 2076 2732 9dvdj.exe 36 PID 2732 wrote to memory of 2076 2732 9dvdj.exe 36 PID 2076 wrote to memory of 2680 2076 nhbbbb.exe 37 PID 2076 wrote to memory of 2680 2076 nhbbbb.exe 37 PID 2076 wrote to memory of 2680 2076 nhbbbb.exe 37 PID 2076 wrote to memory of 2680 2076 nhbbbb.exe 37 PID 2680 wrote to memory of 2804 2680 vpvvd.exe 38 PID 2680 wrote to 
memory of 2804 2680 vpvvd.exe 38 PID 2680 wrote to memory of 2804 2680 vpvvd.exe 38 PID 2680 wrote to memory of 2804 2680 vpvvd.exe 38 PID 2804 wrote to memory of 2632 2804 jjddp.exe 39 PID 2804 wrote to memory of 2632 2804 jjddp.exe 39 PID 2804 wrote to memory of 2632 2804 jjddp.exe 39 PID 2804 wrote to memory of 2632 2804 jjddp.exe 39 PID 2632 wrote to memory of 2992 2632 flrrfxf.exe 40 PID 2632 wrote to memory of 2992 2632 flrrfxf.exe 40 PID 2632 wrote to memory of 2992 2632 flrrfxf.exe 40 PID 2632 wrote to memory of 2992 2632 flrrfxf.exe 40 PID 2992 wrote to memory of 1668 2992 1pvvd.exe 41 PID 2992 wrote to memory of 1668 2992 1pvvd.exe 41 PID 2992 wrote to memory of 1668 2992 1pvvd.exe 41 PID 2992 wrote to memory of 1668 2992 1pvvd.exe 41 PID 1668 wrote to memory of 1420 1668 dpjjj.exe 42 PID 1668 wrote to memory of 1420 1668 dpjjj.exe 42 PID 1668 wrote to memory of 1420 1668 dpjjj.exe 42 PID 1668 wrote to memory of 1420 1668 dpjjj.exe 42 PID 1420 wrote to memory of 1568 1420 bhbnbn.exe 43 PID 1420 wrote to memory of 1568 1420 bhbnbn.exe 43 PID 1420 wrote to memory of 1568 1420 bhbnbn.exe 43 PID 1420 wrote to memory of 1568 1420 bhbnbn.exe 43 PID 1568 wrote to memory of 1380 1568 dpdpv.exe 44 PID 1568 wrote to memory of 1380 1568 dpdpv.exe 44 PID 1568 wrote to memory of 1380 1568 dpdpv.exe 44 PID 1568 wrote to memory of 1380 1568 dpdpv.exe 44 PID 1380 wrote to memory of 1560 1380 1bnntn.exe 45 PID 1380 wrote to memory of 1560 1380 1bnntn.exe 45 PID 1380 wrote to memory of 1560 1380 1bnntn.exe 45 PID 1380 wrote to memory of 1560 1380 1bnntn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe"C:\Users\Admin\AppData\Local\Temp\edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\pppvj.exec:\pppvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\7ffllrr.exec:\7ffllrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\hbnntb.exec:\hbnntb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\vpddp.exec:\vpddp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\1tbbnt.exec:\1tbbnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\9dvdj.exec:\9dvdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\nhbbbb.exec:\nhbbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\vpvvd.exec:\vpvvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\jjddp.exec:\jjddp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\flrrfxf.exec:\flrrfxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\1pvvd.exec:\1pvvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\dpjjj.exec:\dpjjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\bhbnbn.exec:\bhbnbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\dpdpv.exec:\dpdpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\1bnntn.exec:\1bnntn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\5vvvv.exec:\5vvvv.exe17⤵
- Executes dropped EXE
PID:1560 -
\??\c:\hhbbnn.exec:\hhbbnn.exe18⤵
- Executes dropped EXE
PID:1632 -
\??\c:\vvppd.exec:\vvppd.exe19⤵
- Executes dropped EXE
PID:2004 -
\??\c:\xfffllx.exec:\xfffllx.exe20⤵
- Executes dropped EXE
PID:836 -
\??\c:\1djpp.exec:\1djpp.exe21⤵
- Executes dropped EXE
PID:2880 -
\??\c:\nhbhnt.exec:\nhbhnt.exe22⤵
- Executes dropped EXE
PID:2088 -
\??\c:\hhbhtt.exec:\hhbhtt.exe23⤵
- Executes dropped EXE
PID:264 -
\??\c:\ppjpj.exec:\ppjpj.exe24⤵
- Executes dropped EXE
PID:1160 -
\??\c:\bthbht.exec:\bthbht.exe25⤵
- Executes dropped EXE
PID:936 -
\??\c:\dvdjp.exec:\dvdjp.exe26⤵
- Executes dropped EXE
PID:3060 -
\??\c:\tnnbnn.exec:\tnnbnn.exe27⤵
- Executes dropped EXE
PID:2108 -
\??\c:\pdpvp.exec:\pdpvp.exe28⤵
- Executes dropped EXE
PID:2124 -
\??\c:\rrlxflx.exec:\rrlxflx.exe29⤵
- Executes dropped EXE
PID:1780 -
\??\c:\pdvvj.exec:\pdvvj.exe30⤵
- Executes dropped EXE
PID:1608 -
\??\c:\9rlfrxl.exec:\9rlfrxl.exe31⤵
- Executes dropped EXE
PID:576 -
\??\c:\dvpvd.exec:\dvpvd.exe32⤵
- Executes dropped EXE
PID:2400 -
\??\c:\rfxfffl.exec:\rfxfffl.exe33⤵
- Executes dropped EXE
PID:2428 -
\??\c:\tnhnth.exec:\tnhnth.exe34⤵PID:1800
-
\??\c:\dvddd.exec:\dvddd.exe35⤵
- Executes dropped EXE
PID:2152 -
\??\c:\vjddp.exec:\vjddp.exe36⤵
- Executes dropped EXE
PID:276 -
\??\c:\dvjvj.exec:\dvjvj.exe37⤵
- Executes dropped EXE
PID:2504 -
\??\c:\rfxxfxl.exec:\rfxxfxl.exe38⤵
- Executes dropped EXE
PID:3008 -
\??\c:\hbtbhn.exec:\hbtbhn.exe39⤵
- Executes dropped EXE
PID:1804 -
\??\c:\3tnhnn.exec:\3tnhnn.exe40⤵
- Executes dropped EXE
PID:2788 -
\??\c:\3jjjv.exec:\3jjjv.exe41⤵
- Executes dropped EXE
PID:2684 -
\??\c:\rrlrrrx.exec:\rrlrrrx.exe42⤵
- Executes dropped EXE
PID:1836 -
\??\c:\xrlrrlx.exec:\xrlrrlx.exe43⤵
- Executes dropped EXE
PID:2840 -
\??\c:\btnntb.exec:\btnntb.exe44⤵
- Executes dropped EXE
PID:2864 -
\??\c:\3lrrxxl.exec:\3lrrxxl.exe45⤵
- Executes dropped EXE
PID:2680 -
\??\c:\5lxfxxf.exec:\5lxfxxf.exe46⤵
- Executes dropped EXE
PID:2656 -
\??\c:\7bnbhh.exec:\7bnbhh.exe47⤵
- Executes dropped EXE
PID:2996 -
\??\c:\ppvjv.exec:\ppvjv.exe48⤵
- Executes dropped EXE
PID:3016 -
\??\c:\rlfxflr.exec:\rlfxflr.exe49⤵
- Executes dropped EXE
PID:2016 -
\??\c:\5rxxflr.exec:\5rxxflr.exe50⤵
- Executes dropped EXE
PID:1968 -
\??\c:\nbhntn.exec:\nbhntn.exe51⤵
- Executes dropped EXE
PID:1772 -
\??\c:\pdpvj.exec:\pdpvj.exe52⤵
- Executes dropped EXE
PID:1976 -
\??\c:\vjvvd.exec:\vjvvd.exe53⤵
- Executes dropped EXE
PID:2336 -
\??\c:\lxfffxl.exec:\lxfffxl.exe54⤵
- Executes dropped EXE
PID:1704 -
\??\c:\3rlxxxx.exec:\3rlxxxx.exe55⤵
- Executes dropped EXE
PID:1472 -
\??\c:\thbntt.exec:\thbntt.exe56⤵
- Executes dropped EXE
PID:1992 -
\??\c:\jvdjp.exec:\jvdjp.exe57⤵
- Executes dropped EXE
PID:1632 -
\??\c:\3flfxlr.exec:\3flfxlr.exe58⤵
- Executes dropped EXE
PID:1684 -
\??\c:\xlxfrrx.exec:\xlxfrrx.exe59⤵
- Executes dropped EXE
PID:2972 -
\??\c:\bbhttt.exec:\bbhttt.exe60⤵
- Executes dropped EXE
PID:592 -
\??\c:\7nnnhn.exec:\7nnnhn.exe61⤵
- Executes dropped EXE
PID:304 -
\??\c:\ppjvj.exec:\ppjvj.exe62⤵
- Executes dropped EXE
PID:2240 -
\??\c:\xxlflfr.exec:\xxlflfr.exe63⤵
- Executes dropped EXE
PID:1088 -
\??\c:\rrfllfl.exec:\rrfllfl.exe64⤵
- Executes dropped EXE
PID:480 -
\??\c:\hbhbhh.exec:\hbhbhh.exe65⤵
- Executes dropped EXE
PID:1896 -
\??\c:\5jvjp.exec:\5jvjp.exe66⤵
- Executes dropped EXE
PID:984 -
\??\c:\dpvpp.exec:\dpvpp.exe67⤵PID:1660
-
\??\c:\xrlfllx.exec:\xrlfllx.exe68⤵PID:1648
-
\??\c:\3nbttt.exec:\3nbttt.exe69⤵PID:2108
-
\??\c:\hthntt.exec:\hthntt.exe70⤵PID:2936
-
\??\c:\ppjpd.exec:\ppjpd.exe71⤵PID:2316
-
\??\c:\frxrffl.exec:\frxrffl.exe72⤵PID:2112
-
\??\c:\llxrxrl.exec:\llxrxrl.exe73⤵PID:532
-
\??\c:\bthntb.exec:\bthntb.exe74⤵PID:568
-
\??\c:\3jdjp.exec:\3jdjp.exe75⤵PID:2448
-
\??\c:\lfrlllx.exec:\lfrlllx.exe76⤵PID:2272
-
\??\c:\ffrrflr.exec:\ffrrflr.exe77⤵PID:2148
-
\??\c:\btnbnb.exec:\btnbnb.exe78⤵PID:1532
-
\??\c:\dvjvj.exec:\dvjvj.exe79⤵PID:2664
-
\??\c:\7dvpd.exec:\7dvpd.exe80⤵PID:276
-
\??\c:\lfllllf.exec:\lfllllf.exe81⤵PID:2672
-
\??\c:\ffrrxxf.exec:\ffrrxxf.exe82⤵PID:3008
-
\??\c:\3hhnbn.exec:\3hhnbn.exe83⤵PID:2280
-
\??\c:\jjdjv.exec:\jjdjv.exe84⤵PID:2796
-
\??\c:\ddppv.exec:\ddppv.exe85⤵PID:2588
-
\??\c:\5ffllrx.exec:\5ffllrx.exe86⤵PID:2616
-
\??\c:\httthh.exec:\httthh.exe87⤵PID:2740
-
\??\c:\5nttbb.exec:\5nttbb.exe88⤵PID:2080
-
\??\c:\pjdvd.exec:\pjdvd.exe89⤵PID:2592
-
\??\c:\1fxrxxl.exec:\1fxrxxl.exe90⤵PID:2636
-
\??\c:\lfxlflf.exec:\lfxlflf.exe91⤵PID:2284
-
\??\c:\3tbhnn.exec:\3tbhnn.exe92⤵PID:2996
-
\??\c:\5vppd.exec:\5vppd.exe93⤵PID:2000
-
\??\c:\vpvpd.exec:\vpvpd.exe94⤵
- System Location Discovery: System Language Discovery
PID:2016 -
\??\c:\rxxrffx.exec:\rxxrffx.exe95⤵PID:1996
-
\??\c:\bnbbhb.exec:\bnbbhb.exe96⤵PID:1772
-
\??\c:\thtnnh.exec:\thtnnh.exe97⤵PID:1876
-
\??\c:\jjddd.exec:\jjddd.exe98⤵PID:2336
-
\??\c:\3lxrlrx.exec:\3lxrlrx.exe99⤵PID:1068
-
\??\c:\xrfxxxl.exec:\xrfxxxl.exe100⤵PID:1472
-
\??\c:\nhbnbb.exec:\nhbnbb.exe101⤵PID:1360
-
\??\c:\7pdjd.exec:\7pdjd.exe102⤵PID:1632
-
\??\c:\dpddj.exec:\dpddj.exe103⤵PID:2812
-
\??\c:\5lllxxl.exec:\5lllxxl.exe104⤵PID:2972
-
\??\c:\xxffrxx.exec:\xxffrxx.exe105⤵PID:784
-
\??\c:\bbnbhh.exec:\bbnbhh.exe106⤵PID:844
-
\??\c:\7dppj.exec:\7dppj.exe107⤵PID:2480
-
\??\c:\1ffflrx.exec:\1ffflrx.exe108⤵PID:1088
-
\??\c:\9llrlxr.exec:\9llrlxr.exe109⤵PID:480
-
\??\c:\bbnbhh.exec:\bbnbhh.exe110⤵PID:316
-
\??\c:\5ddjv.exec:\5ddjv.exe111⤵PID:984
-
\??\c:\3rllxlr.exec:\3rllxlr.exe112⤵PID:852
-
\??\c:\xrlrrxf.exec:\xrlrrxf.exe113⤵PID:772
-
\??\c:\hbtbtt.exec:\hbtbtt.exe114⤵PID:2108
-
\??\c:\tnbtbh.exec:\tnbtbh.exe115⤵PID:2160
-
\??\c:\dvpvd.exec:\dvpvd.exe116⤵PID:2156
-
\??\c:\1rllrrx.exec:\1rllrrx.exe117⤵PID:2112
-
\??\c:\rlxxffl.exec:\rlxxffl.exe118⤵PID:2952
-
\??\c:\hhthnt.exec:\hhthnt.exe119⤵PID:2956
-
\??\c:\pjdjp.exec:\pjdjp.exe120⤵PID:2448
-
\??\c:\7vvvd.exec:\7vvvd.exe121⤵PID:1800
-
\??\c:\7fxflxl.exec:\7fxflxl.exe122⤵PID:2296