Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
submitted
18-02-2025 07:29
Behavioral task
behavioral1
Sample
ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe
-
Size
334KB
-
MD5
859196f26a3f989742f0b6597c231aa7
-
SHA1
745c83505fb366f60dfa8ce8141bd6c7f40c2d9f
-
SHA256
ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58
-
SHA512
9154896ccc4c0115eef588dfbb947c0e23be3c75ecb48713263b835508448d2eba5f8c343c80964b4fae58e672f8067851bc8c0cc559b8973d78d1474491d87b
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbebg:R4wFHoSHYHUrAwfMp3CDbg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2136-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1836-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2152-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3464-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2776-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2312-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2012-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3628-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3640-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3812-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1144-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2432-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2940-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3512-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2884-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1496-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2396-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1132-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2340-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4336-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2296-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2444-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/448-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1912-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2480-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3372-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4472-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/568-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3720-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/988-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2028-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4856-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3824-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3312-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2416-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3428-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2612-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4276-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-394-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2296-447-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/448-456-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3124-490-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3276-515-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1320-548-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3852-577-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1152-582-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-669-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1836 3ttthb.exe 2152 pjpdj.exe 3464 vjpdp.exe 4540 rxfxrlf.exe 4556 tnthbt.exe 2776 flfrlff.exe 4440 btnhtn.exe 2312 rllfrlx.exe 2012 5hhthb.exe 4820 pdvpj.exe 3628 thbnhn.exe 3640 vpjdv.exe 3812 lrlfrfr.exe 3588 dvjdv.exe 1144 xfxrllr.exe 5044 1dpjd.exe 2432 rlxrlfx.exe 2940 tnthbt.exe 208 jdpjv.exe 3084 nhtnbt.exe 3512 vpvjv.exe 1496 fffrlfx.exe 2884 hnnbth.exe 2396 bnnhtn.exe 2832 3hbnhh.exe 1132 pjpjv.exe 4996 flxrfrl.exe 2340 frrlrfl.exe 4420 pvjvj.exe 5096 xlllxxl.exe 4336 tnbbnh.exe 3852 pjjdp.exe 1152 rxlfrfr.exe 2296 bhhbnt.exe 4920 dvdpj.exe 5028 rlrrlxr.exe 2444 nhbntn.exe 1580 3pppd.exe 448 3ffrllf.exe 3632 7bhbhb.exe 1488 hnbthh.exe 1912 vjdpj.exe 3396 9ppdp.exe 500 fxxrxlr.exe 3184 3nhhtt.exe 1936 xrxllfr.exe 4404 5tnhbb.exe 2480 jdpdd.exe 4256 jdpdj.exe 2140 5tnbtt.exe 2016 dvddp.exe 5084 lrlfrlf.exe 3372 9tbnhb.exe 4472 thhtnh.exe 3912 jdjvp.exe 4688 rrxrffx.exe 2936 bbbtnn.exe 568 vdvjv.exe 2916 3dvjd.exe 1692 lflxxrr.exe 3720 9lxlrrf.exe 988 nhnhhb.exe 3900 vdpdv.exe 3640 5lrfxxl.exe -
resource yara_rule behavioral2/memory/2136-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x001900000001ed6c-3.dat upx behavioral2/memory/2136-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1836-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bb3-9.dat upx behavioral2/memory/1836-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3464-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bbf-16.dat upx behavioral2/memory/2152-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3464-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bc1-21.dat upx behavioral2/files/0x000c000000023bc2-26.dat upx behavioral2/files/0x000b000000023bd9-29.dat upx behavioral2/memory/4556-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bdc-34.dat upx behavioral2/memory/2776-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bdd-39.dat upx behavioral2/memory/4440-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bdf-44.dat upx behavioral2/memory/2312-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d2d-49.dat upx behavioral2/memory/2012-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d2e-54.dat upx behavioral2/memory/4820-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3628-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d2f-61.dat upx behavioral2/memory/3640-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d30-64.dat upx behavioral2/files/0x0007000000023d31-69.dat upx behavioral2/memory/3812-71-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023d32-74.dat upx behavioral2/memory/3588-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023bbc-79.dat upx behavioral2/memory/1144-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023d33-84.dat upx behavioral2/memory/2432-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bc2-89.dat upx behavioral2/files/0x000c000000023be6-93.dat upx behavioral2/memory/2940-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023d35-98.dat upx behavioral2/memory/208-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d36-103.dat upx behavioral2/memory/3512-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d37-108.dat upx behavioral2/files/0x0007000000023d38-112.dat upx behavioral2/memory/2884-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1496-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d39-119.dat upx behavioral2/files/0x0007000000023d3a-123.dat upx behavioral2/memory/2396-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d3b-127.dat upx behavioral2/files/0x0007000000023d3c-131.dat upx behavioral2/memory/4996-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1132-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d3d-137.dat upx behavioral2/memory/2340-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023d3e-141.dat upx behavioral2/files/0x0007000000023d41-146.dat upx behavioral2/files/0x0007000000023d42-150.dat upx behavioral2/files/0x0007000000023d43-155.dat upx behavioral2/memory/4336-154-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2296-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2444-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1580-173-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2136 wrote to memory of 1836 2136 ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe 84 PID 2136 wrote to memory of 1836 2136 ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe 84 PID 2136 wrote to memory of 1836 2136 ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe 84 PID 1836 wrote to memory of 2152 1836 3ttthb.exe 85 PID 1836 wrote to memory of 2152 1836 3ttthb.exe 85 PID 1836 wrote to memory of 2152 1836 3ttthb.exe 85 PID 2152 wrote to memory of 3464 2152 pjpdj.exe 86 PID 2152 wrote to memory of 3464 2152 pjpdj.exe 86 PID 2152 wrote to memory of 3464 2152 pjpdj.exe 86 PID 3464 wrote to memory of 4540 3464 vjpdp.exe 87 PID 3464 wrote to memory of 4540 3464 vjpdp.exe 87 PID 3464 wrote to memory of 4540 3464 vjpdp.exe 87 PID 4540 wrote to memory of 4556 4540 rxfxrlf.exe 88 PID 4540 wrote to memory of 4556 4540 rxfxrlf.exe 88 PID 4540 wrote to memory of 4556 4540 rxfxrlf.exe 88 PID 4556 wrote to memory of 2776 4556 tnthbt.exe 89 PID 4556 wrote to memory of 2776 4556 tnthbt.exe 89 PID 4556 wrote to memory of 2776 4556 tnthbt.exe 89 PID 2776 wrote to memory of 4440 2776 flfrlff.exe 90 PID 2776 wrote to memory of 4440 2776 flfrlff.exe 90 PID 2776 wrote to memory of 4440 2776 flfrlff.exe 90 PID 4440 wrote to memory of 2312 4440 btnhtn.exe 91 PID 4440 wrote to memory of 2312 4440 btnhtn.exe 91 PID 4440 wrote to memory of 2312 4440 btnhtn.exe 91 PID 2312 wrote to memory of 2012 2312 rllfrlx.exe 92 PID 2312 wrote to memory of 2012 2312 rllfrlx.exe 92 PID 2312 wrote to memory of 2012 2312 rllfrlx.exe 92 PID 2012 wrote to memory of 4820 2012 5hhthb.exe 93 PID 2012 wrote to memory of 4820 2012 5hhthb.exe 93 PID 2012 wrote to memory of 4820 2012 5hhthb.exe 93 PID 4820 wrote to memory of 3628 4820 pdvpj.exe 94 PID 4820 wrote to memory of 3628 4820 pdvpj.exe 94 PID 4820 wrote to memory of 3628 4820 pdvpj.exe 94 PID 3628 wrote to memory of 3640 3628 thbnhn.exe 95 PID 3628 wrote to 
memory of 3640 3628 thbnhn.exe 95 PID 3628 wrote to memory of 3640 3628 thbnhn.exe 95 PID 3640 wrote to memory of 3812 3640 vpjdv.exe 96 PID 3640 wrote to memory of 3812 3640 vpjdv.exe 96 PID 3640 wrote to memory of 3812 3640 vpjdv.exe 96 PID 3812 wrote to memory of 3588 3812 lrlfrfr.exe 97 PID 3812 wrote to memory of 3588 3812 lrlfrfr.exe 97 PID 3812 wrote to memory of 3588 3812 lrlfrfr.exe 97 PID 3588 wrote to memory of 1144 3588 dvjdv.exe 98 PID 3588 wrote to memory of 1144 3588 dvjdv.exe 98 PID 3588 wrote to memory of 1144 3588 dvjdv.exe 98 PID 1144 wrote to memory of 5044 1144 xfxrllr.exe 99 PID 1144 wrote to memory of 5044 1144 xfxrllr.exe 99 PID 1144 wrote to memory of 5044 1144 xfxrllr.exe 99 PID 5044 wrote to memory of 2432 5044 1dpjd.exe 100 PID 5044 wrote to memory of 2432 5044 1dpjd.exe 100 PID 5044 wrote to memory of 2432 5044 1dpjd.exe 100 PID 2432 wrote to memory of 2940 2432 rlxrlfx.exe 101 PID 2432 wrote to memory of 2940 2432 rlxrlfx.exe 101 PID 2432 wrote to memory of 2940 2432 rlxrlfx.exe 101 PID 2940 wrote to memory of 208 2940 tnthbt.exe 102 PID 2940 wrote to memory of 208 2940 tnthbt.exe 102 PID 2940 wrote to memory of 208 2940 tnthbt.exe 102 PID 208 wrote to memory of 3084 208 jdpjv.exe 103 PID 208 wrote to memory of 3084 208 jdpjv.exe 103 PID 208 wrote to memory of 3084 208 jdpjv.exe 103 PID 3084 wrote to memory of 3512 3084 nhtnbt.exe 104 PID 3084 wrote to memory of 3512 3084 nhtnbt.exe 104 PID 3084 wrote to memory of 3512 3084 nhtnbt.exe 104 PID 3512 wrote to memory of 1496 3512 vpvjv.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe"C:\Users\Admin\AppData\Local\Temp\ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\3ttthb.exec:\3ttthb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\pjpdj.exec:\pjpdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\vjpdp.exec:\vjpdp.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\tnthbt.exec:\tnthbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\flfrlff.exec:\flfrlff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\btnhtn.exec:\btnhtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\rllfrlx.exec:\rllfrlx.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\5hhthb.exec:\5hhthb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\pdvpj.exec:\pdvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\thbnhn.exec:\thbnhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\vpjdv.exec:\vpjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\lrlfrfr.exec:\lrlfrfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\dvjdv.exec:\dvjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\xfxrllr.exec:\xfxrllr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\1dpjd.exec:\1dpjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\rlxrlfx.exec:\rlxrlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\tnthbt.exec:\tnthbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\jdpjv.exec:\jdpjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\nhtnbt.exec:\nhtnbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\vpvjv.exec:\vpvjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\fffrlfx.exec:\fffrlfx.exe23⤵
- Executes dropped EXE
PID:1496 -
\??\c:\hnnbth.exec:\hnnbth.exe24⤵
- Executes dropped EXE
PID:2884 -
\??\c:\bnnhtn.exec:\bnnhtn.exe25⤵
- Executes dropped EXE
PID:2396 -
\??\c:\3hbnhh.exec:\3hbnhh.exe26⤵
- Executes dropped EXE
PID:2832 -
\??\c:\pjpjv.exec:\pjpjv.exe27⤵
- Executes dropped EXE
PID:1132 -
\??\c:\flxrfrl.exec:\flxrfrl.exe28⤵
- Executes dropped EXE
PID:4996 -
\??\c:\frrlrfl.exec:\frrlrfl.exe29⤵
- Executes dropped EXE
PID:2340 -
\??\c:\pvjvj.exec:\pvjvj.exe30⤵
- Executes dropped EXE
PID:4420 -
\??\c:\xlllxxl.exec:\xlllxxl.exe31⤵
- Executes dropped EXE
PID:5096 -
\??\c:\tnbbnh.exec:\tnbbnh.exe32⤵
- Executes dropped EXE
PID:4336 -
\??\c:\pjjdp.exec:\pjjdp.exe33⤵
- Executes dropped EXE
PID:3852 -
\??\c:\rxlfrfr.exec:\rxlfrfr.exe34⤵
- Executes dropped EXE
PID:1152 -
\??\c:\bhhbnt.exec:\bhhbnt.exe35⤵
- Executes dropped EXE
PID:2296 -
\??\c:\dvdpj.exec:\dvdpj.exe36⤵
- Executes dropped EXE
PID:4920 -
\??\c:\rlrrlxr.exec:\rlrrlxr.exe37⤵
- Executes dropped EXE
PID:5028 -
\??\c:\nhbntn.exec:\nhbntn.exe38⤵
- Executes dropped EXE
PID:2444 -
\??\c:\3pppd.exec:\3pppd.exe39⤵
- Executes dropped EXE
PID:1580 -
\??\c:\3ffrllf.exec:\3ffrllf.exe40⤵
- Executes dropped EXE
PID:448 -
\??\c:\7bhbhb.exec:\7bhbhb.exe41⤵
- Executes dropped EXE
PID:3632 -
\??\c:\hnbthh.exec:\hnbthh.exe42⤵
- Executes dropped EXE
PID:1488 -
\??\c:\vjdpj.exec:\vjdpj.exe43⤵
- Executes dropped EXE
PID:1912 -
\??\c:\9ppdp.exec:\9ppdp.exe44⤵
- Executes dropped EXE
PID:3396 -
\??\c:\fxxrxlr.exec:\fxxrxlr.exe45⤵
- Executes dropped EXE
PID:500 -
\??\c:\3nhhtt.exec:\3nhhtt.exe46⤵
- Executes dropped EXE
PID:3184 -
\??\c:\xrxllfr.exec:\xrxllfr.exe47⤵
- Executes dropped EXE
PID:1936 -
\??\c:\5tnhbb.exec:\5tnhbb.exe48⤵
- Executes dropped EXE
PID:4404 -
\??\c:\jdpdd.exec:\jdpdd.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2480 -
\??\c:\jdpdj.exec:\jdpdj.exe50⤵
- Executes dropped EXE
PID:4256 -
\??\c:\5tnbtt.exec:\5tnbtt.exe51⤵
- Executes dropped EXE
PID:2140 -
\??\c:\dvddp.exec:\dvddp.exe52⤵
- Executes dropped EXE
PID:2016 -
\??\c:\lrlfrlf.exec:\lrlfrlf.exe53⤵
- Executes dropped EXE
PID:5084 -
\??\c:\9tbnhb.exec:\9tbnhb.exe54⤵
- Executes dropped EXE
PID:3372 -
\??\c:\thhtnh.exec:\thhtnh.exe55⤵
- Executes dropped EXE
PID:4472 -
\??\c:\jdjvp.exec:\jdjvp.exe56⤵
- Executes dropped EXE
PID:3912 -
\??\c:\rrxrffx.exec:\rrxrffx.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4688 -
\??\c:\bbbtnn.exec:\bbbtnn.exe58⤵
- Executes dropped EXE
PID:2936 -
\??\c:\vdvjv.exec:\vdvjv.exe59⤵
- Executes dropped EXE
PID:568 -
\??\c:\3dvjd.exec:\3dvjd.exe60⤵
- Executes dropped EXE
PID:2916 -
\??\c:\lflxxrr.exec:\lflxxrr.exe61⤵
- Executes dropped EXE
PID:1692 -
\??\c:\9lxlrrf.exec:\9lxlrrf.exe62⤵
- Executes dropped EXE
PID:3720 -
\??\c:\nhnhhb.exec:\nhnhhb.exe63⤵
- Executes dropped EXE
PID:988 -
\??\c:\vdpdv.exec:\vdpdv.exe64⤵
- Executes dropped EXE
PID:3900 -
\??\c:\5lrfxxl.exec:\5lrfxxl.exe65⤵
- Executes dropped EXE
PID:3640 -
\??\c:\lflfxfx.exec:\lflfxfx.exe66⤵PID:1932
-
\??\c:\bbhbbt.exec:\bbhbbt.exe67⤵PID:3588
-
\??\c:\vpvvp.exec:\vpvvp.exe68⤵PID:408
-
\??\c:\jpvjv.exec:\jpvjv.exe69⤵PID:2972
-
\??\c:\lxxlxrl.exec:\lxxlxrl.exe70⤵PID:2028
-
\??\c:\lrxlxxr.exec:\lrxlxxr.exe71⤵PID:5044
-
\??\c:\thhtnh.exec:\thhtnh.exe72⤵PID:3000
-
\??\c:\ntbtnh.exec:\ntbtnh.exe73⤵PID:3556
-
\??\c:\ddjdd.exec:\ddjdd.exe74⤵PID:3244
-
\??\c:\1rrfxrl.exec:\1rrfxrl.exe75⤵PID:208
-
\??\c:\tnnbth.exec:\tnnbth.exe76⤵PID:3728
-
\??\c:\7nhthh.exec:\7nhthh.exe77⤵PID:3144
-
\??\c:\9jdpj.exec:\9jdpj.exe78⤵PID:4496
-
\??\c:\5jppd.exec:\5jppd.exe79⤵PID:2056
-
\??\c:\9xfxxrx.exec:\9xfxxrx.exe80⤵PID:2884
-
\??\c:\hhnhbb.exec:\hhnhbb.exe81⤵PID:4856
-
\??\c:\nhhbtt.exec:\nhhbtt.exe82⤵PID:1320
-
\??\c:\1jvpj.exec:\1jvpj.exe83⤵PID:3824
-
\??\c:\vvpjp.exec:\vvpjp.exe84⤵PID:1520
-
\??\c:\tnhthb.exec:\tnhthb.exe85⤵PID:2544
-
\??\c:\5dpjp.exec:\5dpjp.exe86⤵PID:4504
-
\??\c:\lxfrrrx.exec:\lxfrrrx.exe87⤵PID:3352
-
\??\c:\bhtnbn.exec:\bhtnbn.exe88⤵PID:4872
-
\??\c:\jjjdp.exec:\jjjdp.exe89⤵PID:2336
-
\??\c:\1xfrrrl.exec:\1xfrrrl.exe90⤵PID:3312
-
\??\c:\5xxlxrl.exec:\5xxlxrl.exe91⤵PID:2416
-
\??\c:\bnnnnh.exec:\bnnnnh.exe92⤵PID:4868
-
\??\c:\pjpdj.exec:\pjpdj.exe93⤵PID:3936
-
\??\c:\dvpdp.exec:\dvpdp.exe94⤵PID:2748
-
\??\c:\ffllxfx.exec:\ffllxfx.exe95⤵PID:1864
-
\??\c:\lflxlfx.exec:\lflxlfx.exe96⤵PID:2296
-
\??\c:\hnbthb.exec:\hnbthb.exe97⤵
- System Location Discovery: System Language Discovery
PID:3148 -
\??\c:\vjjvp.exec:\vjjvp.exe98⤵PID:1400
-
\??\c:\ppppd.exec:\ppppd.exe99⤵PID:2444
-
\??\c:\xxxrlrr.exec:\xxxrlrr.exe100⤵PID:3972
-
\??\c:\hnntnt.exec:\hnntnt.exe101⤵PID:3652
-
\??\c:\thhthh.exec:\thhthh.exe102⤵PID:1408
-
\??\c:\vpjdp.exec:\vpjdp.exe103⤵PID:3620
-
\??\c:\5xfrfxf.exec:\5xfrfxf.exe104⤵PID:908
-
\??\c:\lxxffrx.exec:\lxxffrx.exe105⤵PID:4392
-
\??\c:\nntnbt.exec:\nntnbt.exe106⤵PID:2988
-
\??\c:\nbbthh.exec:\nbbthh.exe107⤵PID:4572
-
\??\c:\vjjvj.exec:\vjjvj.exe108⤵PID:2572
-
\??\c:\lrxxlfx.exec:\lrxxlfx.exe109⤵PID:2040
-
\??\c:\lflrfxl.exec:\lflrfxl.exe110⤵PID:3364
-
\??\c:\htbtnn.exec:\htbtnn.exe111⤵PID:3744
-
\??\c:\9jdpd.exec:\9jdpd.exe112⤵PID:4848
-
\??\c:\dppdp.exec:\dppdp.exe113⤵PID:3464
-
\??\c:\9rlxlfl.exec:\9rlxlfl.exe114⤵PID:4540
-
\??\c:\3bthbb.exec:\3bthbb.exe115⤵PID:4972
-
\??\c:\bnnhtn.exec:\bnnhtn.exe116⤵PID:3428
-
\??\c:\vpvpj.exec:\vpvpj.exe117⤵PID:1952
-
\??\c:\rrrfrlf.exec:\rrrfrlf.exe118⤵PID:496
-
\??\c:\ttnhbb.exec:\ttnhbb.exe119⤵PID:2484
-
\??\c:\hhhthb.exec:\hhhthb.exe120⤵PID:4688
-
\??\c:\djppd.exec:\djppd.exe121⤵PID:712
-
\??\c:\1vdpj.exec:\1vdpj.exe122⤵PID:384