Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe
-
Size
454KB
-
MD5
05e8eb9485a7d8e5f248b84564d228f0
-
SHA1
9a664c81ba6a032b34a9eefccd98031843d2398b
-
SHA256
7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2e
-
SHA512
2575cf2d0aa69628ac1ec6be4e7bc7f70d1dcb1ab8f8b5a209b5058c36182bf4aebf23398f87138feb84052552208ec5a201fec893ea084a851b4c7059c38e5b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/780-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2032-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3900-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-961-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-1357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-1481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-1813-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2248 7httnh.exe 1708 7vjvj.exe 228 rfxxlfr.exe 3996 tbtnnt.exe 640 thhbtt.exe 4156 pppjd.exe 2816 frxxrrr.exe 1156 ddddd.exe 4368 xflllxr.exe 1144 rflfxxr.exe 5048 tbtnhh.exe 2948 jjppv.exe 2264 3nbthh.exe 4204 jjjpv.exe 4980 xrrllfx.exe 3504 jvddv.exe 3376 3jjjd.exe 4268 lffrlfr.exe 1864 xlrlfxr.exe 1608 rxlfxxr.exe 1428 pddvj.exe 1360 3hbntn.exe 2464 djpjv.exe 3516 ffrrlrr.exe 528 hntnhh.exe 4120 ppvjj.exe 2032 3hhbtb.exe 4064 jddvp.exe 4516 1dpjj.exe 2004 hnhbtn.exe 2712 jdjpd.exe 2836 9rllffx.exe 2708 hnnhbh.exe 1444 rrlfrlx.exe 3428 bhnhht.exe 4072 jddpj.exe 848 rfxfxll.exe 1732 hnttbb.exe 4520 dvjdv.exe 1048 frxlffx.exe 4704 nthhtt.exe 2720 jdpjp.exe 4908 ddpjj.exe 1284 rllfxxr.exe 4208 1nbtht.exe 3944 hnnhbt.exe 4720 pdjjd.exe 4920 rlllllf.exe 4724 nhtttt.exe 3272 7pjvj.exe 3112 5lrflfx.exe 4560 rlrrrrl.exe 2512 thnnhb.exe 2740 dpjvp.exe 1564 fffxxxr.exe 4612 hnhtnn.exe 228 dppdv.exe 4088 rlffxxx.exe 3808 1bbtnh.exe 4456 djdpj.exe 4940 jdjvp.exe 1076 xrxrlfx.exe 4664 hthtbh.exe 2452 pjjvp.exe -
resource yara_rule behavioral2/memory/780-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-188-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2708-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-356-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3828-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-961-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-1004-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-1183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-1308-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlxxx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlrlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbhh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 780 wrote to memory of 2248 780 7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe 82 PID 780 wrote to memory of 2248 780 7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe 82 PID 780 wrote to memory of 2248 780 7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe 82 PID 2248 wrote to memory of 1708 2248 7httnh.exe 83 PID 2248 wrote to memory of 1708 2248 7httnh.exe 83 PID 2248 wrote to memory of 1708 2248 7httnh.exe 83 PID 1708 wrote to memory of 228 1708 7vjvj.exe 84 PID 1708 wrote to memory of 228 1708 7vjvj.exe 84 PID 1708 wrote to memory of 228 1708 7vjvj.exe 84 PID 228 wrote to memory of 3996 228 rfxxlfr.exe 85 PID 228 wrote to memory of 3996 228 rfxxlfr.exe 85 PID 228 wrote to memory of 3996 228 rfxxlfr.exe 85 PID 3996 wrote to memory of 640 3996 tbtnnt.exe 86 PID 3996 wrote to memory of 640 3996 tbtnnt.exe 86 PID 3996 wrote to memory of 640 3996 tbtnnt.exe 86 PID 640 wrote to memory of 4156 640 thhbtt.exe 87 PID 640 wrote to memory of 4156 640 thhbtt.exe 87 PID 640 wrote to memory of 4156 640 thhbtt.exe 87 PID 4156 wrote to memory of 2816 4156 pppjd.exe 88 PID 4156 wrote to memory of 2816 4156 pppjd.exe 88 PID 4156 wrote to memory of 2816 4156 pppjd.exe 88 PID 2816 wrote to memory of 1156 2816 frxxrrr.exe 89 PID 2816 wrote to memory of 1156 2816 frxxrrr.exe 89 PID 2816 wrote to memory of 1156 2816 frxxrrr.exe 89 PID 1156 wrote to memory of 4368 1156 ddddd.exe 90 PID 1156 wrote to memory of 4368 1156 ddddd.exe 90 PID 1156 wrote to memory of 4368 1156 ddddd.exe 90 PID 4368 wrote to memory of 1144 4368 xflllxr.exe 91 PID 4368 wrote to memory of 1144 4368 xflllxr.exe 91 PID 4368 wrote to memory of 1144 4368 xflllxr.exe 91 PID 1144 wrote to memory of 5048 1144 rflfxxr.exe 92 PID 1144 wrote to memory of 5048 1144 rflfxxr.exe 92 PID 1144 wrote to memory of 5048 1144 rflfxxr.exe 92 PID 5048 wrote to memory of 2948 5048 tbtnhh.exe 93 PID 5048 wrote to memory of 2948 5048 
tbtnhh.exe 93 PID 5048 wrote to memory of 2948 5048 tbtnhh.exe 93 PID 2948 wrote to memory of 2264 2948 jjppv.exe 94 PID 2948 wrote to memory of 2264 2948 jjppv.exe 94 PID 2948 wrote to memory of 2264 2948 jjppv.exe 94 PID 2264 wrote to memory of 4204 2264 3nbthh.exe 95 PID 2264 wrote to memory of 4204 2264 3nbthh.exe 95 PID 2264 wrote to memory of 4204 2264 3nbthh.exe 95 PID 4204 wrote to memory of 4980 4204 jjjpv.exe 96 PID 4204 wrote to memory of 4980 4204 jjjpv.exe 96 PID 4204 wrote to memory of 4980 4204 jjjpv.exe 96 PID 4980 wrote to memory of 3504 4980 xrrllfx.exe 97 PID 4980 wrote to memory of 3504 4980 xrrllfx.exe 97 PID 4980 wrote to memory of 3504 4980 xrrllfx.exe 97 PID 3504 wrote to memory of 3376 3504 jvddv.exe 98 PID 3504 wrote to memory of 3376 3504 jvddv.exe 98 PID 3504 wrote to memory of 3376 3504 jvddv.exe 98 PID 3376 wrote to memory of 4268 3376 3jjjd.exe 99 PID 3376 wrote to memory of 4268 3376 3jjjd.exe 99 PID 3376 wrote to memory of 4268 3376 3jjjd.exe 99 PID 4268 wrote to memory of 1864 4268 lffrlfr.exe 100 PID 4268 wrote to memory of 1864 4268 lffrlfr.exe 100 PID 4268 wrote to memory of 1864 4268 lffrlfr.exe 100 PID 1864 wrote to memory of 1608 1864 xlrlfxr.exe 101 PID 1864 wrote to memory of 1608 1864 xlrlfxr.exe 101 PID 1864 wrote to memory of 1608 1864 xlrlfxr.exe 101 PID 1608 wrote to memory of 1428 1608 rxlfxxr.exe 102 PID 1608 wrote to memory of 1428 1608 rxlfxxr.exe 102 PID 1608 wrote to memory of 1428 1608 rxlfxxr.exe 102 PID 1428 wrote to memory of 1360 1428 pddvj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe"C:\Users\Admin\AppData\Local\Temp\7eb39d91e0690aeaedc25509cadf3f6269df12ff88f852d031e2e6a3a496be2eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\7httnh.exec:\7httnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\7vjvj.exec:\7vjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\rfxxlfr.exec:\rfxxlfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\tbtnnt.exec:\tbtnnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\thhbtt.exec:\thhbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\pppjd.exec:\pppjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\frxxrrr.exec:\frxxrrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\ddddd.exec:\ddddd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\xflllxr.exec:\xflllxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\rflfxxr.exec:\rflfxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\tbtnhh.exec:\tbtnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\jjppv.exec:\jjppv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\3nbthh.exec:\3nbthh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\jjjpv.exec:\jjjpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\xrrllfx.exec:\xrrllfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\jvddv.exec:\jvddv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\3jjjd.exec:\3jjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\lffrlfr.exec:\lffrlfr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\rxlfxxr.exec:\rxlfxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\pddvj.exec:\pddvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\3hbntn.exec:\3hbntn.exe23⤵
- Executes dropped EXE
PID:1360 -
\??\c:\djpjv.exec:\djpjv.exe24⤵
- Executes dropped EXE
PID:2464 -
\??\c:\ffrrlrr.exec:\ffrrlrr.exe25⤵
- Executes dropped EXE
PID:3516 -
\??\c:\hntnhh.exec:\hntnhh.exe26⤵
- Executes dropped EXE
PID:528 -
\??\c:\ppvjj.exec:\ppvjj.exe27⤵
- Executes dropped EXE
PID:4120 -
\??\c:\3hhbtb.exec:\3hhbtb.exe28⤵
- Executes dropped EXE
PID:2032 -
\??\c:\jddvp.exec:\jddvp.exe29⤵
- Executes dropped EXE
PID:4064 -
\??\c:\1dpjj.exec:\1dpjj.exe30⤵
- Executes dropped EXE
PID:4516 -
\??\c:\hnhbtn.exec:\hnhbtn.exe31⤵
- Executes dropped EXE
PID:2004 -
\??\c:\jdjpd.exec:\jdjpd.exe32⤵
- Executes dropped EXE
PID:2712 -
\??\c:\9rllffx.exec:\9rllffx.exe33⤵
- Executes dropped EXE
PID:2836 -
\??\c:\hnnhbh.exec:\hnnhbh.exe34⤵
- Executes dropped EXE
PID:2708 -
\??\c:\rrlfrlx.exec:\rrlfrlx.exe35⤵
- Executes dropped EXE
PID:1444 -
\??\c:\bhnhht.exec:\bhnhht.exe36⤵
- Executes dropped EXE
PID:3428 -
\??\c:\jddpj.exec:\jddpj.exe37⤵
- Executes dropped EXE
PID:4072 -
\??\c:\rfxfxll.exec:\rfxfxll.exe38⤵
- Executes dropped EXE
PID:848 -
\??\c:\hnttbb.exec:\hnttbb.exe39⤵
- Executes dropped EXE
PID:1732 -
\??\c:\dvjdv.exec:\dvjdv.exe40⤵
- Executes dropped EXE
PID:4520 -
\??\c:\frxlffx.exec:\frxlffx.exe41⤵
- Executes dropped EXE
PID:1048 -
\??\c:\nthhtt.exec:\nthhtt.exe42⤵
- Executes dropped EXE
PID:4704 -
\??\c:\jdpjp.exec:\jdpjp.exe43⤵
- Executes dropped EXE
PID:2720 -
\??\c:\ddpjj.exec:\ddpjj.exe44⤵
- Executes dropped EXE
PID:4908 -
\??\c:\rllfxxr.exec:\rllfxxr.exe45⤵
- Executes dropped EXE
PID:1284 -
\??\c:\1nbtht.exec:\1nbtht.exe46⤵
- Executes dropped EXE
PID:4208 -
\??\c:\hnnhbt.exec:\hnnhbt.exe47⤵
- Executes dropped EXE
PID:3944 -
\??\c:\pdjjd.exec:\pdjjd.exe48⤵
- Executes dropped EXE
PID:4720 -
\??\c:\rlllllf.exec:\rlllllf.exe49⤵
- Executes dropped EXE
PID:4920 -
\??\c:\nhtttt.exec:\nhtttt.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4724 -
\??\c:\7pjvj.exec:\7pjvj.exe51⤵
- Executes dropped EXE
PID:3272 -
\??\c:\5lrflfx.exec:\5lrflfx.exe52⤵
- Executes dropped EXE
PID:3112 -
\??\c:\rlrrrrl.exec:\rlrrrrl.exe53⤵
- Executes dropped EXE
PID:4560 -
\??\c:\thnnhb.exec:\thnnhb.exe54⤵
- Executes dropped EXE
PID:2512 -
\??\c:\dpjvp.exec:\dpjvp.exe55⤵
- Executes dropped EXE
PID:2740 -
\??\c:\fffxxxr.exec:\fffxxxr.exe56⤵
- Executes dropped EXE
PID:1564 -
\??\c:\hnhtnn.exec:\hnhtnn.exe57⤵
- Executes dropped EXE
PID:4612 -
\??\c:\dppdv.exec:\dppdv.exe58⤵
- Executes dropped EXE
PID:228 -
\??\c:\rlffxxx.exec:\rlffxxx.exe59⤵
- Executes dropped EXE
PID:4088 -
\??\c:\1bbtnh.exec:\1bbtnh.exe60⤵
- Executes dropped EXE
PID:3808 -
\??\c:\djdpj.exec:\djdpj.exe61⤵
- Executes dropped EXE
PID:4456 -
\??\c:\jdjvp.exec:\jdjvp.exe62⤵
- Executes dropped EXE
PID:4940 -
\??\c:\xrxrlfx.exec:\xrxrlfx.exe63⤵
- Executes dropped EXE
PID:1076 -
\??\c:\hthtbh.exec:\hthtbh.exe64⤵
- Executes dropped EXE
PID:4664 -
\??\c:\pjjvp.exec:\pjjvp.exe65⤵
- Executes dropped EXE
PID:2452 -
\??\c:\xlrlffx.exec:\xlrlffx.exe66⤵PID:2952
-
\??\c:\rlrlfll.exec:\rlrlfll.exe67⤵PID:5060
-
\??\c:\1bbnhh.exec:\1bbnhh.exe68⤵PID:3708
-
\??\c:\dddvv.exec:\dddvv.exe69⤵PID:2508
-
\??\c:\fxxrfxr.exec:\fxxrfxr.exe70⤵PID:116
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe71⤵PID:2656
-
\??\c:\hbnhnh.exec:\hbnhnh.exe72⤵PID:3760
-
\??\c:\jdvpp.exec:\jdvpp.exe73⤵PID:2972
-
\??\c:\fffxllf.exec:\fffxllf.exe74⤵PID:4204
-
\??\c:\lfxrllf.exec:\lfxrllf.exe75⤵PID:3304
-
\??\c:\bttnbt.exec:\bttnbt.exe76⤵PID:3900
-
\??\c:\9jpjd.exec:\9jpjd.exe77⤵PID:3852
-
\??\c:\xllxfxx.exec:\xllxfxx.exe78⤵PID:336
-
\??\c:\3bhbhh.exec:\3bhbhh.exe79⤵PID:4424
-
\??\c:\vjpdv.exec:\vjpdv.exe80⤵PID:3008
-
\??\c:\djpjv.exec:\djpjv.exe81⤵PID:2584
-
\??\c:\lfffxxr.exec:\lfffxxr.exe82⤵PID:1680
-
\??\c:\hbtnhb.exec:\hbtnhb.exe83⤵PID:2296
-
\??\c:\vppjd.exec:\vppjd.exe84⤵PID:1608
-
\??\c:\llfrlfl.exec:\llfrlfl.exe85⤵PID:3296
-
\??\c:\thnhbb.exec:\thnhbb.exe86⤵PID:1860
-
\??\c:\dpvpj.exec:\dpvpj.exe87⤵PID:1044
-
\??\c:\jjjdv.exec:\jjjdv.exe88⤵PID:2660
-
\??\c:\xrxrlrl.exec:\xrxrlrl.exe89⤵PID:2908
-
\??\c:\3bhbnn.exec:\3bhbnn.exe90⤵PID:3828
-
\??\c:\pvdjd.exec:\pvdjd.exe91⤵PID:4744
-
\??\c:\frfxrrl.exec:\frfxrrl.exe92⤵PID:4120
-
\??\c:\flrllrl.exec:\flrllrl.exe93⤵PID:216
-
\??\c:\tnttnh.exec:\tnttnh.exe94⤵PID:4928
-
\??\c:\pdpjj.exec:\pdpjj.exe95⤵PID:432
-
\??\c:\lfllllx.exec:\lfllllx.exe96⤵PID:2812
-
\??\c:\7bhbhh.exec:\7bhbhh.exe97⤵PID:1784
-
\??\c:\3jddv.exec:\3jddv.exe98⤵PID:2428
-
\??\c:\rflffxx.exec:\rflffxx.exe99⤵PID:3792
-
\??\c:\btbbnt.exec:\btbbnt.exe100⤵PID:2180
-
\??\c:\tnnthh.exec:\tnnthh.exe101⤵PID:2996
-
\??\c:\vvdvv.exec:\vvdvv.exe102⤵PID:3000
-
\??\c:\lflfxxf.exec:\lflfxxf.exe103⤵PID:412
-
\??\c:\nnbtbb.exec:\nnbtbb.exe104⤵PID:5028
-
\??\c:\vvvjj.exec:\vvvjj.exe105⤵PID:1776
-
\??\c:\pvjdv.exec:\pvjdv.exe106⤵PID:1672
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe107⤵PID:1888
-
\??\c:\ntbthb.exec:\ntbthb.exe108⤵PID:3492
-
\??\c:\pvppd.exec:\pvppd.exe109⤵PID:4856
-
\??\c:\rflxrlf.exec:\rflxrlf.exe110⤵PID:4628
-
\??\c:\rrxlxrl.exec:\rrxlxrl.exe111⤵PID:4956
-
\??\c:\thnhbt.exec:\thnhbt.exe112⤵PID:4144
-
\??\c:\vdjvp.exec:\vdjvp.exe113⤵PID:4668
-
\??\c:\pjjdp.exec:\pjjdp.exe114⤵PID:3848
-
\??\c:\llrlxxx.exec:\llrlxxx.exe115⤵PID:2256
-
\??\c:\nnbbth.exec:\nnbbth.exe116⤵PID:4488
-
\??\c:\htbtbb.exec:\htbtbb.exe117⤵PID:2060
-
\??\c:\dvdvv.exec:\dvdvv.exe118⤵PID:4020
-
\??\c:\xrxxlrx.exec:\xrxxlrx.exe119⤵PID:4428
-
\??\c:\fxfxffl.exec:\fxfxffl.exe120⤵PID:3968
-
\??\c:\nbtnhn.exec:\nbtnhn.exe121⤵PID:4560
-
\??\c:\pjdvp.exec:\pjdvp.exe122⤵PID:2512
-