Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe
-
Size
454KB
-
MD5
36b624cdfecae57de9bfbb44faa9a37f
-
SHA1
c774e95654a4c3d15034140f43365a4017e2d42e
-
SHA256
edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf
-
SHA512
c79d3b73b6ffe10785cee435bf9c550468e1bbfa06840cc1be192f8db84142ca0c7c0a6326545407660d197aae524df58a99be4f3a7e52891049a780b207f1b9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2808-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1716-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3252-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-902-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-924-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4280 3ddvp.exe 1376 5thhbh.exe 1668 fffxrrl.exe 4092 bhbhhh.exe 1332 ppvjd.exe 224 rlrllll.exe 2600 3vjjj.exe 3936 rfxrlfx.exe 2096 hbhbtt.exe 2092 pppjv.exe 4200 frxrllf.exe 2000 rfffxxf.exe 2708 fxlffxr.exe 4884 lxlxrlx.exe 2448 tntnhb.exe 1900 jdvpd.exe 4612 5lfxrrr.exe 3572 5nthhb.exe 4264 dpvjj.exe 3280 7rxrrrx.exe 2284 3tbthh.exe 4500 1rlxxxx.exe 1392 nnhhhh.exe 1664 7nbnbn.exe 748 3dvvd.exe 4228 rlfxlfx.exe 1144 rflrxlf.exe 1716 bthbtn.exe 3532 flrlfxr.exe 3284 vpjvp.exe 5108 rxxlxrl.exe 2784 dddvd.exe 1552 nbtnhb.exe 3476 pjdvj.exe 3540 fxfrrlr.exe 3236 ttbnhb.exe 3412 ppvjd.exe 4388 lfrlrrf.exe 2652 tbhbnn.exe 1300 vvvpj.exe 3136 hnnhtt.exe 4188 pjddj.exe 708 lfxrxrl.exe 4588 hbhnhb.exe 2196 pddvp.exe 2084 ntthtt.exe 1304 ttbthh.exe 1544 jddpp.exe 4564 frlfllx.exe 1976 bttnbb.exe 4736 9jpjv.exe 3268 7xrffxf.exe 3964 lfllfxl.exe 4992 bbnnbh.exe 4320 7jpjd.exe 4092 rxlllll.exe 2300 9bnnhb.exe 1332 thhhbb.exe 5104 vjvdv.exe 2600 lxffffx.exe 5084 nthhtt.exe 1384 pjpdv.exe 1600 jjvpj.exe 4944 tnnbtt.exe -
resource yara_rule behavioral2/memory/2808-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3284-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1328-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-856-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-902-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-924-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rfxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2808 wrote to memory of 4280 2808 edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe 83 PID 2808 wrote to memory of 4280 2808 edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe 83 PID 2808 wrote to memory of 4280 2808 edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe 83 PID 4280 wrote to memory of 1376 4280 3ddvp.exe 84 PID 4280 wrote to memory of 1376 4280 3ddvp.exe 84 PID 4280 wrote to memory of 1376 4280 3ddvp.exe 84 PID 1376 wrote to memory of 1668 1376 5thhbh.exe 85 PID 1376 wrote to memory of 1668 1376 5thhbh.exe 85 PID 1376 wrote to memory of 1668 1376 5thhbh.exe 85 PID 1668 wrote to memory of 4092 1668 fffxrrl.exe 86 PID 1668 wrote to memory of 4092 1668 fffxrrl.exe 86 PID 1668 wrote to memory of 4092 1668 fffxrrl.exe 86 PID 4092 wrote to memory of 1332 4092 bhbhhh.exe 87 PID 4092 wrote to memory of 1332 4092 bhbhhh.exe 87 PID 4092 wrote to memory of 1332 4092 bhbhhh.exe 87 PID 1332 wrote to memory of 224 1332 ppvjd.exe 88 PID 1332 wrote to memory of 224 1332 ppvjd.exe 88 PID 1332 wrote to memory of 224 1332 ppvjd.exe 88 PID 224 wrote to memory of 2600 224 rlrllll.exe 89 PID 224 wrote to memory of 2600 224 rlrllll.exe 89 PID 224 wrote to memory of 2600 224 rlrllll.exe 89 PID 2600 wrote to memory of 3936 2600 3vjjj.exe 90 PID 2600 wrote to memory of 3936 2600 3vjjj.exe 90 PID 2600 wrote to memory of 3936 2600 3vjjj.exe 90 PID 3936 wrote to memory of 2096 3936 rfxrlfx.exe 91 PID 3936 wrote to memory of 2096 3936 rfxrlfx.exe 91 PID 3936 wrote to memory of 2096 3936 rfxrlfx.exe 91 PID 2096 wrote to memory of 2092 2096 hbhbtt.exe 92 PID 2096 wrote to memory of 2092 2096 hbhbtt.exe 92 PID 2096 wrote to memory of 2092 2096 hbhbtt.exe 92 PID 2092 wrote to memory of 4200 2092 pppjv.exe 93 PID 2092 wrote to memory of 4200 2092 pppjv.exe 93 PID 2092 wrote to memory of 4200 2092 pppjv.exe 93 PID 4200 wrote to memory of 2000 4200 frxrllf.exe 94 PID 4200 wrote to memory of 
2000 4200 frxrllf.exe 94 PID 4200 wrote to memory of 2000 4200 frxrllf.exe 94 PID 2000 wrote to memory of 2708 2000 rfffxxf.exe 95 PID 2000 wrote to memory of 2708 2000 rfffxxf.exe 95 PID 2000 wrote to memory of 2708 2000 rfffxxf.exe 95 PID 2708 wrote to memory of 4884 2708 fxlffxr.exe 96 PID 2708 wrote to memory of 4884 2708 fxlffxr.exe 96 PID 2708 wrote to memory of 4884 2708 fxlffxr.exe 96 PID 4884 wrote to memory of 2448 4884 lxlxrlx.exe 97 PID 4884 wrote to memory of 2448 4884 lxlxrlx.exe 97 PID 4884 wrote to memory of 2448 4884 lxlxrlx.exe 97 PID 2448 wrote to memory of 1900 2448 tntnhb.exe 98 PID 2448 wrote to memory of 1900 2448 tntnhb.exe 98 PID 2448 wrote to memory of 1900 2448 tntnhb.exe 98 PID 1900 wrote to memory of 4612 1900 jdvpd.exe 99 PID 1900 wrote to memory of 4612 1900 jdvpd.exe 99 PID 1900 wrote to memory of 4612 1900 jdvpd.exe 99 PID 4612 wrote to memory of 3572 4612 5lfxrrr.exe 100 PID 4612 wrote to memory of 3572 4612 5lfxrrr.exe 100 PID 4612 wrote to memory of 3572 4612 5lfxrrr.exe 100 PID 3572 wrote to memory of 4264 3572 5nthhb.exe 101 PID 3572 wrote to memory of 4264 3572 5nthhb.exe 101 PID 3572 wrote to memory of 4264 3572 5nthhb.exe 101 PID 4264 wrote to memory of 3280 4264 dpvjj.exe 102 PID 4264 wrote to memory of 3280 4264 dpvjj.exe 102 PID 4264 wrote to memory of 3280 4264 dpvjj.exe 102 PID 3280 wrote to memory of 2284 3280 7rxrrrx.exe 103 PID 3280 wrote to memory of 2284 3280 7rxrrrx.exe 103 PID 3280 wrote to memory of 2284 3280 7rxrrrx.exe 103 PID 2284 wrote to memory of 4500 2284 3tbthh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe"C:\Users\Admin\AppData\Local\Temp\edb6528151936246bc0175487c5724b731ffe298db5bb99b91984f65bba7bcbf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\3ddvp.exec:\3ddvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\5thhbh.exec:\5thhbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\fffxrrl.exec:\fffxrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\bhbhhh.exec:\bhbhhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\ppvjd.exec:\ppvjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\rlrllll.exec:\rlrllll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\3vjjj.exec:\3vjjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\rfxrlfx.exec:\rfxrlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\hbhbtt.exec:\hbhbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\pppjv.exec:\pppjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\frxrllf.exec:\frxrllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\rfffxxf.exec:\rfffxxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\fxlffxr.exec:\fxlffxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\lxlxrlx.exec:\lxlxrlx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\tntnhb.exec:\tntnhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\jdvpd.exec:\jdvpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\5lfxrrr.exec:\5lfxrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\5nthhb.exec:\5nthhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\dpvjj.exec:\dpvjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\7rxrrrx.exec:\7rxrrrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\3tbthh.exec:\3tbthh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\1rlxxxx.exec:\1rlxxxx.exe23⤵
- Executes dropped EXE
PID:4500 -
\??\c:\nnhhhh.exec:\nnhhhh.exe24⤵
- Executes dropped EXE
PID:1392 -
\??\c:\7nbnbn.exec:\7nbnbn.exe25⤵
- Executes dropped EXE
PID:1664 -
\??\c:\3dvvd.exec:\3dvvd.exe26⤵
- Executes dropped EXE
PID:748 -
\??\c:\rlfxlfx.exec:\rlfxlfx.exe27⤵
- Executes dropped EXE
PID:4228 -
\??\c:\rflrxlf.exec:\rflrxlf.exe28⤵
- Executes dropped EXE
PID:1144 -
\??\c:\bthbtn.exec:\bthbtn.exe29⤵
- Executes dropped EXE
PID:1716 -
\??\c:\flrlfxr.exec:\flrlfxr.exe30⤵
- Executes dropped EXE
PID:3532 -
\??\c:\vpjvp.exec:\vpjvp.exe31⤵
- Executes dropped EXE
PID:3284 -
\??\c:\rxxlxrl.exec:\rxxlxrl.exe32⤵
- Executes dropped EXE
PID:5108 -
\??\c:\dddvd.exec:\dddvd.exe33⤵
- Executes dropped EXE
PID:2784 -
\??\c:\nbtnhb.exec:\nbtnhb.exe34⤵
- Executes dropped EXE
PID:1552 -
\??\c:\pjdvj.exec:\pjdvj.exe35⤵
- Executes dropped EXE
PID:3476 -
\??\c:\fxfrrlr.exec:\fxfrrlr.exe36⤵
- Executes dropped EXE
PID:3540 -
\??\c:\ttbnhb.exec:\ttbnhb.exe37⤵
- Executes dropped EXE
PID:3236 -
\??\c:\ppvjd.exec:\ppvjd.exe38⤵
- Executes dropped EXE
PID:3412 -
\??\c:\lfrlrrf.exec:\lfrlrrf.exe39⤵
- Executes dropped EXE
PID:4388 -
\??\c:\tbhbnn.exec:\tbhbnn.exe40⤵
- Executes dropped EXE
PID:2652 -
\??\c:\vvvpj.exec:\vvvpj.exe41⤵
- Executes dropped EXE
PID:1300 -
\??\c:\hnnhtt.exec:\hnnhtt.exe42⤵
- Executes dropped EXE
PID:3136 -
\??\c:\pjddj.exec:\pjddj.exe43⤵
- Executes dropped EXE
PID:4188 -
\??\c:\lfxrxrl.exec:\lfxrxrl.exe44⤵
- Executes dropped EXE
PID:708 -
\??\c:\hbhnhb.exec:\hbhnhb.exe45⤵
- Executes dropped EXE
PID:4588 -
\??\c:\pddvp.exec:\pddvp.exe46⤵
- Executes dropped EXE
PID:2196 -
\??\c:\ntthtt.exec:\ntthtt.exe47⤵
- Executes dropped EXE
PID:2084 -
\??\c:\ttbthh.exec:\ttbthh.exe48⤵
- Executes dropped EXE
PID:1304 -
\??\c:\jddpp.exec:\jddpp.exe49⤵
- Executes dropped EXE
PID:1544 -
\??\c:\frlfllx.exec:\frlfllx.exe50⤵
- Executes dropped EXE
PID:4564 -
\??\c:\bttnbb.exec:\bttnbb.exe51⤵
- Executes dropped EXE
PID:1976 -
\??\c:\9jpjv.exec:\9jpjv.exe52⤵
- Executes dropped EXE
PID:4736 -
\??\c:\7xrffxf.exec:\7xrffxf.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3268 -
\??\c:\lfllfxl.exec:\lfllfxl.exe54⤵
- Executes dropped EXE
PID:3964 -
\??\c:\bbnnbh.exec:\bbnnbh.exe55⤵
- Executes dropped EXE
PID:4992 -
\??\c:\7jpjd.exec:\7jpjd.exe56⤵
- Executes dropped EXE
PID:4320 -
\??\c:\rxlllll.exec:\rxlllll.exe57⤵
- Executes dropped EXE
PID:4092 -
\??\c:\9bnnhb.exec:\9bnnhb.exe58⤵
- Executes dropped EXE
PID:2300 -
\??\c:\thhhbb.exec:\thhhbb.exe59⤵
- Executes dropped EXE
PID:1332 -
\??\c:\vjvdv.exec:\vjvdv.exe60⤵
- Executes dropped EXE
PID:5104 -
\??\c:\lxffffx.exec:\lxffffx.exe61⤵
- Executes dropped EXE
PID:2600 -
\??\c:\nthhtt.exec:\nthhtt.exe62⤵
- Executes dropped EXE
PID:5084 -
\??\c:\pjpdv.exec:\pjpdv.exe63⤵
- Executes dropped EXE
PID:1384 -
\??\c:\jjvpj.exec:\jjvpj.exe64⤵
- Executes dropped EXE
PID:1600 -
\??\c:\tnnbtt.exec:\tnnbtt.exe65⤵
- Executes dropped EXE
PID:4944 -
\??\c:\nhhbtt.exec:\nhhbtt.exe66⤵PID:1052
-
\??\c:\vpvpj.exec:\vpvpj.exe67⤵
- System Location Discovery: System Language Discovery
PID:2684 -
\??\c:\xfxrffx.exec:\xfxrffx.exe68⤵PID:4660
-
\??\c:\thnhtn.exec:\thnhtn.exe69⤵PID:4720
-
\??\c:\tbnhhn.exec:\tbnhhn.exe70⤵PID:3328
-
\??\c:\jpvjp.exec:\jpvjp.exe71⤵
- System Location Discovery: System Language Discovery
PID:4760 -
\??\c:\xflflll.exec:\xflflll.exe72⤵PID:4032
-
\??\c:\fffrrxx.exec:\fffrrxx.exe73⤵PID:4568
-
\??\c:\httnhb.exec:\httnhb.exe74⤵PID:1116
-
\??\c:\vpvpp.exec:\vpvpp.exe75⤵PID:3172
-
\??\c:\7vppp.exec:\7vppp.exe76⤵PID:3988
-
\??\c:\rxfxrlr.exec:\rxfxrlr.exe77⤵PID:3252
-
\??\c:\9hnbnh.exec:\9hnbnh.exe78⤵PID:2200
-
\??\c:\pppvv.exec:\pppvv.exe79⤵PID:1604
-
\??\c:\lxlfxxf.exec:\lxlfxxf.exe80⤵PID:696
-
\??\c:\xxflllf.exec:\xxflllf.exe81⤵PID:1148
-
\??\c:\nbnbbt.exec:\nbnbbt.exe82⤵PID:3912
-
\??\c:\vjjvj.exec:\vjjvj.exe83⤵PID:2564
-
\??\c:\1ffxlfx.exec:\1ffxlfx.exe84⤵PID:4464
-
\??\c:\ttthnn.exec:\ttthnn.exe85⤵PID:1032
-
\??\c:\9vjdp.exec:\9vjdp.exe86⤵PID:428
-
\??\c:\rllxxxl.exec:\rllxxxl.exe87⤵PID:2824
-
\??\c:\hnthbt.exec:\hnthbt.exe88⤵PID:468
-
\??\c:\nnthtn.exec:\nnthtn.exe89⤵PID:3248
-
\??\c:\jvvpd.exec:\jvvpd.exe90⤵PID:2756
-
\??\c:\5jjvj.exec:\5jjvj.exe91⤵PID:1144
-
\??\c:\fxrfxlf.exec:\fxrfxlf.exe92⤵PID:1328
-
\??\c:\9ttnhb.exec:\9ttnhb.exe93⤵PID:432
-
\??\c:\nhthth.exec:\nhthth.exe94⤵PID:4820
-
\??\c:\ddpjj.exec:\ddpjj.exe95⤵PID:4484
-
\??\c:\frfxllf.exec:\frfxllf.exe96⤵PID:4164
-
\??\c:\hnnhhh.exec:\hnnhhh.exe97⤵PID:744
-
\??\c:\pvvpj.exec:\pvvpj.exe98⤵PID:4544
-
\??\c:\rlrlxxl.exec:\rlrlxxl.exe99⤵PID:2792
-
\??\c:\btnhtb.exec:\btnhtb.exe100⤵PID:3584
-
\??\c:\dvvdv.exec:\dvvdv.exe101⤵PID:3236
-
\??\c:\xxrlxlf.exec:\xxrlxlf.exe102⤵PID:4892
-
\??\c:\1tbnht.exec:\1tbnht.exe103⤵PID:764
-
\??\c:\tnbnhh.exec:\tnbnhh.exe104⤵PID:2440
-
\??\c:\9vjvd.exec:\9vjvd.exe105⤵PID:2228
-
\??\c:\9xrrflx.exec:\9xrrflx.exe106⤵PID:3372
-
\??\c:\9hhbtt.exec:\9hhbtt.exe107⤵PID:4176
-
\??\c:\5htnhb.exec:\5htnhb.exe108⤵PID:3688
-
\??\c:\lflfxxr.exec:\lflfxxr.exe109⤵PID:2476
-
\??\c:\5xlfrrl.exec:\5xlfrrl.exe110⤵PID:4020
-
\??\c:\tnbttt.exec:\tnbttt.exe111⤵PID:3972
-
\??\c:\ddpvp.exec:\ddpvp.exe112⤵PID:1076
-
\??\c:\rfxfxrl.exec:\rfxfxrl.exe113⤵PID:1304
-
\??\c:\3xxlffx.exec:\3xxlffx.exe114⤵PID:4896
-
\??\c:\nnbttt.exec:\nnbttt.exe115⤵PID:1268
-
\??\c:\pppjd.exec:\pppjd.exe116⤵PID:4280
-
\??\c:\frxlxxr.exec:\frxlxxr.exe117⤵PID:4736
-
\??\c:\9hbbtt.exec:\9hbbtt.exe118⤵PID:4952
-
\??\c:\jppjv.exec:\jppjv.exe119⤵PID:4916
-
\??\c:\rrlfxxx.exec:\rrlfxxx.exe120⤵PID:4992
-
\??\c:\lfxlfxl.exec:\lfxlfxl.exe121⤵PID:2184
-
\??\c:\tnnbnn.exec:\tnnbnn.exe122⤵PID:5032