Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
27/01/2025, 20:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe
-
Size
455KB
-
MD5
48dd9075dcc1cd32773c3a4c632b40d4
-
SHA1
520ec868cdc4b42c36972109f3833bd3ead00904
-
SHA256
25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a
-
SHA512
dff0594b6c9a86b71e95b2785909092264302ba0ad4e39e290fd3b468e9cc34156339de00a12d20dc301978c5f10c06b0e81ee1bea1300b08b474489e9aecbc4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4916-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1308-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2896-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-977-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-1014-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4916 dvvvv.exe 1704 rflfxxx.exe 4376 5bhhbh.exe 548 jjjdv.exe 3292 7rfflrr.exe 3188 9xxrrff.exe 3988 bbnhnt.exe 3556 pdpjj.exe 2532 3fllrxx.exe 2576 frrxrxr.exe 1960 ttnnnn.exe 4584 dvddd.exe 2640 3xrrllf.exe 4068 lxxxxxx.exe 2700 7vvvv.exe 3620 thbtnt.exe 3748 9lrrrxf.exe 1252 5dddj.exe 2072 xrxrfff.exe 2144 jpvpj.exe 3280 jdddv.exe 1308 xlrlffx.exe 2008 5frrllf.exe 1276 bthtnh.exe 1812 5btttb.exe 1740 rrxxxll.exe 4468 vjpjd.exe 2660 rfllfff.exe 2644 pjvvp.exe 904 lxxxxrr.exe 2932 3nhbhh.exe 440 pjjpj.exe 4192 pjdvd.exe 1688 9jjjd.exe 2324 rflfxrl.exe 4732 9ttttt.exe 1436 nnttbb.exe 4372 ffrrllr.exe 1264 xrxxffl.exe 732 btbbtb.exe 2564 9pvpp.exe 1684 5flfrlf.exe 4868 nttttn.exe 2332 jdjdp.exe 5008 ddvpj.exe 4500 flrllff.exe 2232 thbbtt.exe 2216 9jjdv.exe 3660 pdjpp.exe 1544 frrlffx.exe 4416 1bbbbb.exe 1968 dvvpd.exe 4944 vpjjd.exe 2004 llllffx.exe 2748 hbnhnb.exe 5084 ddjdj.exe 4348 rlxrrrl.exe 1680 3hnnnt.exe 3596 dvvpj.exe 2724 xrlfxxx.exe 3828 xxfxxxx.exe 2396 nhnhnh.exe 5088 dpvpj.exe 212 rrrlfxx.exe -
resource yara_rule behavioral2/memory/4916-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-122-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1308-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-344-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1336-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-945-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here: repeated opens of the HKLM\SYSTEM\ControlSet001\Control\NLS\Language key by the dropped executables; many entries are attributed to "Process not Found" because the short-lived child processes had already exited when the event was resolved).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpj.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3916 wrote to memory of 4916 3916 25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe 85 PID 3916 wrote to memory of 4916 3916 25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe 85 PID 3916 wrote to memory of 4916 3916 25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe 85 PID 4916 wrote to memory of 1704 4916 dvvvv.exe 86 PID 4916 wrote to memory of 1704 4916 dvvvv.exe 86 PID 4916 wrote to memory of 1704 4916 dvvvv.exe 86 PID 1704 wrote to memory of 4376 1704 rflfxxx.exe 87 PID 1704 wrote to memory of 4376 1704 rflfxxx.exe 87 PID 1704 wrote to memory of 4376 1704 rflfxxx.exe 87 PID 4376 wrote to memory of 548 4376 5bhhbh.exe 88 PID 4376 wrote to memory of 548 4376 5bhhbh.exe 88 PID 4376 wrote to memory of 548 4376 5bhhbh.exe 88 PID 548 wrote to memory of 3292 548 jjjdv.exe 89 PID 548 wrote to memory of 3292 548 jjjdv.exe 89 PID 548 wrote to memory of 3292 548 jjjdv.exe 89 PID 3292 wrote to memory of 3188 3292 7rfflrr.exe 90 PID 3292 wrote to memory of 3188 3292 7rfflrr.exe 90 PID 3292 wrote to memory of 3188 3292 7rfflrr.exe 90 PID 3188 wrote to memory of 3988 3188 9xxrrff.exe 91 PID 3188 wrote to memory of 3988 3188 9xxrrff.exe 91 PID 3188 wrote to memory of 3988 3188 9xxrrff.exe 91 PID 3988 wrote to memory of 3556 3988 bbnhnt.exe 92 PID 3988 wrote to memory of 3556 3988 bbnhnt.exe 92 PID 3988 wrote to memory of 3556 3988 bbnhnt.exe 92 PID 3556 wrote to memory of 2532 3556 pdpjj.exe 93 PID 3556 wrote to memory of 2532 3556 pdpjj.exe 93 PID 3556 wrote to memory of 2532 3556 pdpjj.exe 93 PID 2532 wrote to memory of 2576 2532 3fllrxx.exe 94 PID 2532 wrote to memory of 2576 2532 3fllrxx.exe 94 PID 2532 wrote to memory of 2576 2532 3fllrxx.exe 94 PID 2576 wrote to memory of 1960 2576 frrxrxr.exe 95 PID 2576 wrote to memory of 1960 2576 frrxrxr.exe 95 PID 2576 wrote to memory of 1960 2576 frrxrxr.exe 95 PID 1960 wrote to memory of 4584 1960 ttnnnn.exe 96 PID 1960 wrote to 
memory of 4584 1960 ttnnnn.exe 96 PID 1960 wrote to memory of 4584 1960 ttnnnn.exe 96 PID 4584 wrote to memory of 2640 4584 dvddd.exe 97 PID 4584 wrote to memory of 2640 4584 dvddd.exe 97 PID 4584 wrote to memory of 2640 4584 dvddd.exe 97 PID 2640 wrote to memory of 4068 2640 3xrrllf.exe 98 PID 2640 wrote to memory of 4068 2640 3xrrllf.exe 98 PID 2640 wrote to memory of 4068 2640 3xrrllf.exe 98 PID 4068 wrote to memory of 2700 4068 lxxxxxx.exe 99 PID 4068 wrote to memory of 2700 4068 lxxxxxx.exe 99 PID 4068 wrote to memory of 2700 4068 lxxxxxx.exe 99 PID 2700 wrote to memory of 3620 2700 7vvvv.exe 100 PID 2700 wrote to memory of 3620 2700 7vvvv.exe 100 PID 2700 wrote to memory of 3620 2700 7vvvv.exe 100 PID 3620 wrote to memory of 3748 3620 thbtnt.exe 101 PID 3620 wrote to memory of 3748 3620 thbtnt.exe 101 PID 3620 wrote to memory of 3748 3620 thbtnt.exe 101 PID 3748 wrote to memory of 1252 3748 9lrrrxf.exe 102 PID 3748 wrote to memory of 1252 3748 9lrrrxf.exe 102 PID 3748 wrote to memory of 1252 3748 9lrrrxf.exe 102 PID 1252 wrote to memory of 2072 1252 5dddj.exe 103 PID 1252 wrote to memory of 2072 1252 5dddj.exe 103 PID 1252 wrote to memory of 2072 1252 5dddj.exe 103 PID 2072 wrote to memory of 2144 2072 xrxrfff.exe 104 PID 2072 wrote to memory of 2144 2072 xrxrfff.exe 104 PID 2072 wrote to memory of 2144 2072 xrxrfff.exe 104 PID 2144 wrote to memory of 3280 2144 jpvpj.exe 105 PID 2144 wrote to memory of 3280 2144 jpvpj.exe 105 PID 2144 wrote to memory of 3280 2144 jpvpj.exe 105 PID 3280 wrote to memory of 1308 3280 jdddv.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe"C:\Users\Admin\AppData\Local\Temp\25b2500ee3f2fbe3f33243ac1dee48d020b1a9e67c30b59fe78c46d60943126a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\dvvvv.exec:\dvvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\rflfxxx.exec:\rflfxxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\5bhhbh.exec:\5bhhbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\jjjdv.exec:\jjjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\7rfflrr.exec:\7rfflrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\9xxrrff.exec:\9xxrrff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\bbnhnt.exec:\bbnhnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\pdpjj.exec:\pdpjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\3fllrxx.exec:\3fllrxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\frrxrxr.exec:\frrxrxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\ttnnnn.exec:\ttnnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\dvddd.exec:\dvddd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\3xrrllf.exec:\3xrrllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\lxxxxxx.exec:\lxxxxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\7vvvv.exec:\7vvvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\thbtnt.exec:\thbtnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\9lrrrxf.exec:\9lrrrxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\5dddj.exec:\5dddj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\xrxrfff.exec:\xrxrfff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\jpvpj.exec:\jpvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\jdddv.exec:\jdddv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\xlrlffx.exec:\xlrlffx.exe23⤵
- Executes dropped EXE
PID:1308 -
\??\c:\5frrllf.exec:\5frrllf.exe24⤵
- Executes dropped EXE
PID:2008 -
\??\c:\bthtnh.exec:\bthtnh.exe25⤵
- Executes dropped EXE
PID:1276 -
\??\c:\5btttb.exec:\5btttb.exe26⤵
- Executes dropped EXE
PID:1812 -
\??\c:\rrxxxll.exec:\rrxxxll.exe27⤵
- Executes dropped EXE
PID:1740 -
\??\c:\vjpjd.exec:\vjpjd.exe28⤵
- Executes dropped EXE
PID:4468 -
\??\c:\rfllfff.exec:\rfllfff.exe29⤵
- Executes dropped EXE
PID:2660 -
\??\c:\pjvvp.exec:\pjvvp.exe30⤵
- Executes dropped EXE
PID:2644 -
\??\c:\lxxxxrr.exec:\lxxxxrr.exe31⤵
- Executes dropped EXE
PID:904 -
\??\c:\3nhbhh.exec:\3nhbhh.exe32⤵
- Executes dropped EXE
PID:2932 -
\??\c:\pjjpj.exec:\pjjpj.exe33⤵
- Executes dropped EXE
PID:440 -
\??\c:\pjdvd.exec:\pjdvd.exe34⤵
- Executes dropped EXE
PID:4192 -
\??\c:\9jjjd.exec:\9jjjd.exe35⤵
- Executes dropped EXE
PID:1688 -
\??\c:\rflfxrl.exec:\rflfxrl.exe36⤵
- Executes dropped EXE
PID:2324 -
\??\c:\9ttttt.exec:\9ttttt.exe37⤵
- Executes dropped EXE
PID:4732 -
\??\c:\nnttbb.exec:\nnttbb.exe38⤵
- Executes dropped EXE
PID:1436 -
\??\c:\ffrrllr.exec:\ffrrllr.exe39⤵
- Executes dropped EXE
PID:4372 -
\??\c:\xrxxffl.exec:\xrxxffl.exe40⤵
- Executes dropped EXE
PID:1264 -
\??\c:\btbbtb.exec:\btbbtb.exe41⤵
- Executes dropped EXE
PID:732 -
\??\c:\9pvpp.exec:\9pvpp.exe42⤵
- Executes dropped EXE
PID:2564 -
\??\c:\5flfrlf.exec:\5flfrlf.exe43⤵
- Executes dropped EXE
PID:1684 -
\??\c:\nttttn.exec:\nttttn.exe44⤵
- Executes dropped EXE
PID:4868 -
\??\c:\jdjdp.exec:\jdjdp.exe45⤵
- Executes dropped EXE
PID:2332 -
\??\c:\ddvpj.exec:\ddvpj.exe46⤵
- Executes dropped EXE
PID:5008 -
\??\c:\flrllff.exec:\flrllff.exe47⤵
- Executes dropped EXE
PID:4500 -
\??\c:\thbbtt.exec:\thbbtt.exe48⤵
- Executes dropped EXE
PID:2232 -
\??\c:\9jjdv.exec:\9jjdv.exe49⤵
- Executes dropped EXE
PID:2216 -
\??\c:\pdjpp.exec:\pdjpp.exe50⤵
- Executes dropped EXE
PID:3660 -
\??\c:\frrlffx.exec:\frrlffx.exe51⤵
- Executes dropped EXE
PID:1544 -
\??\c:\1bbbbb.exec:\1bbbbb.exe52⤵
- Executes dropped EXE
PID:4416 -
\??\c:\dvvpd.exec:\dvvpd.exe53⤵
- Executes dropped EXE
PID:1968 -
\??\c:\vpjjd.exec:\vpjjd.exe54⤵
- Executes dropped EXE
PID:4944 -
\??\c:\llllffx.exec:\llllffx.exe55⤵
- Executes dropped EXE
PID:2004 -
\??\c:\hbnhnb.exec:\hbnhnb.exe56⤵
- Executes dropped EXE
PID:2748 -
\??\c:\ddjdj.exec:\ddjdj.exe57⤵
- Executes dropped EXE
PID:5084 -
\??\c:\rlxrrrl.exec:\rlxrrrl.exe58⤵
- Executes dropped EXE
PID:4348 -
\??\c:\3hnnnt.exec:\3hnnnt.exe59⤵
- Executes dropped EXE
PID:1680 -
\??\c:\dvvpj.exec:\dvvpj.exe60⤵
- Executes dropped EXE
PID:3596 -
\??\c:\xrlfxxx.exec:\xrlfxxx.exe61⤵
- Executes dropped EXE
PID:2724 -
\??\c:\xxfxxxx.exec:\xxfxxxx.exe62⤵
- Executes dropped EXE
PID:3828 -
\??\c:\nhnhnh.exec:\nhnhnh.exe63⤵
- Executes dropped EXE
PID:2396 -
\??\c:\dpvpj.exec:\dpvpj.exe64⤵
- Executes dropped EXE
PID:5088 -
\??\c:\rrrlfxx.exec:\rrrlfxx.exe65⤵
- Executes dropped EXE
PID:212 -
\??\c:\thttnn.exec:\thttnn.exe66⤵PID:60
-
\??\c:\thhthb.exec:\thhthb.exe67⤵PID:1912
-
\??\c:\vvvvp.exec:\vvvvp.exe68⤵PID:3520
-
\??\c:\lllfxrr.exec:\lllfxrr.exe69⤵PID:1884
-
\??\c:\flrlfff.exec:\flrlfff.exe70⤵PID:544
-
\??\c:\thnhbt.exec:\thnhbt.exe71⤵PID:2896
-
\??\c:\7pjdd.exec:\7pjdd.exe72⤵PID:4200
-
\??\c:\1fxlxrl.exec:\1fxlxrl.exe73⤵PID:3500
-
\??\c:\bnbtnn.exec:\bnbtnn.exe74⤵PID:3220
-
\??\c:\9djdd.exec:\9djdd.exe75⤵PID:1644
-
\??\c:\vvdvp.exec:\vvdvp.exe76⤵PID:2700
-
\??\c:\rrrrlll.exec:\rrrrlll.exe77⤵PID:2104
-
\??\c:\hhhtnh.exec:\hhhtnh.exe78⤵PID:1956
-
\??\c:\pddvp.exec:\pddvp.exe79⤵PID:1336
-
\??\c:\xlrxrrr.exec:\xlrxrrr.exe80⤵PID:5012
-
\??\c:\xlfrxxx.exec:\xlfrxxx.exe81⤵PID:3320
-
\??\c:\nthbbb.exec:\nthbbb.exe82⤵PID:2632
-
\??\c:\dvddd.exec:\dvddd.exe83⤵PID:1620
-
\??\c:\5ddvp.exec:\5ddvp.exe84⤵PID:4728
-
\??\c:\9lrlfff.exec:\9lrlfff.exe85⤵PID:456
-
\??\c:\hbhbtb.exec:\hbhbtb.exe86⤵PID:1244
-
\??\c:\nthbtn.exec:\nthbtn.exe87⤵PID:3404
-
\??\c:\dvdpv.exec:\dvdpv.exe88⤵PID:1900
-
\??\c:\9pvpj.exec:\9pvpj.exe89⤵PID:1896
-
\??\c:\5llffff.exec:\5llffff.exe90⤵PID:4024
-
\??\c:\nnnhbb.exec:\nnnhbb.exe91⤵PID:2812
-
\??\c:\ppjjj.exec:\ppjjj.exe92⤵PID:2660
-
\??\c:\jddvp.exec:\jddvp.exe93⤵PID:872
-
\??\c:\7lfxllf.exec:\7lfxllf.exe94⤵PID:904
-
\??\c:\1bthth.exec:\1bthth.exe95⤵PID:876
-
\??\c:\vpddp.exec:\vpddp.exe96⤵PID:4668
-
\??\c:\jdjdv.exec:\jdjdv.exe97⤵PID:440
-
\??\c:\lrflrxf.exec:\lrflrxf.exe98⤵PID:4816
-
\??\c:\1hthnn.exec:\1hthnn.exe99⤵PID:4172
-
\??\c:\pvdvv.exec:\pvdvv.exe100⤵PID:2684
-
\??\c:\rlxflfl.exec:\rlxflfl.exe101⤵PID:3588
-
\??\c:\3thbth.exec:\3thbth.exe102⤵PID:1396
-
\??\c:\hbbtnn.exec:\hbbtnn.exe103⤵PID:1488
-
\??\c:\pddjd.exec:\pddjd.exe104⤵PID:3192
-
\??\c:\lxfrllf.exec:\lxfrllf.exe105⤵PID:3448
-
\??\c:\5thtbb.exec:\5thtbb.exe106⤵PID:100
-
\??\c:\1nthbb.exec:\1nthbb.exe107⤵PID:2564
-
\??\c:\dpvvp.exec:\dpvvp.exe108⤵PID:2704
-
\??\c:\3llfrlf.exec:\3llfrlf.exe109⤵PID:368
-
\??\c:\fxlfxlf.exec:\fxlfxlf.exe110⤵PID:2976
-
\??\c:\hbhbhb.exec:\hbhbhb.exe111⤵PID:2328
-
\??\c:\9jpjv.exec:\9jpjv.exe112⤵PID:3004
-
\??\c:\xlxrrlf.exec:\xlxrrlf.exe113⤵PID:728
-
\??\c:\bnbbhb.exec:\bnbbhb.exe114⤵PID:8
-
\??\c:\nhtbnt.exec:\nhtbnt.exe115⤵PID:1804
-
\??\c:\dppjv.exec:\dppjv.exe116⤵PID:4436
-
\??\c:\xlrlxxx.exec:\xlrlxxx.exe117⤵PID:1772
-
\??\c:\nnttbn.exec:\nnttbn.exe118⤵PID:4896
-
\??\c:\vdpjv.exec:\vdpjv.exe119⤵PID:1492
-
\??\c:\lffxrrx.exec:\lffxrrx.exe120⤵PID:2056
-
\??\c:\nhhbnt.exec:\nhhbnt.exe121⤵PID:1448
-
\??\c:\thttnn.exec:\thttnn.exe122⤵PID:4376