Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
submitted
18-02-2025 07:40
Behavioral task
behavioral1 (note: the signature and IoC paths in this report are all prefixed behavioral2/, i.e. they come from the Windows 10 2004 x64 run named in the header above, not from this win7-20241010-en task; do not attribute the PIDs and file IDs below to the Windows 7 run)
Sample
ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe
-
Size
334KB
-
MD5
859196f26a3f989742f0b6597c231aa7
-
SHA1
745c83505fb366f60dfa8ce8141bd6c7f40c2d9f
-
SHA256
ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58
-
SHA512
9154896ccc4c0115eef588dfbb947c0e23be3c75ecb48713263b835508448d2eba5f8c343c80964b4fae58e672f8067851bc8c0cc559b8973d78d1474491d87b
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbebg:R4wFHoSHYHUrAwfMp3CDbg
Malware Config (nothing listed for this run)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs. All hits are in-memory matches at the same image range (0x0000000000400000–0x0000000000427000) in every process of the chain, consistent with each dropped EXE being a copy of the same payload unpacked in memory; because the family rule fires on unpacked memory rather than on the on-disk (UPX-packed) files, file-based scanning of the drops alone may not trigger it.
resource yara_rule behavioral2/memory/1028-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/336-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1056-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1352-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3932-37-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4516-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3180-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1120-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3968-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1884-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4692-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2716-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4640-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3320-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3372-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2112-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/708-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/556-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/596-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4076-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/564-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3848-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/280-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4620-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/852-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3932-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2784-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4500-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1768-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/444-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1228-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/652-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-382-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1896-397-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2140-425-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4284-428-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2208-433-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/484-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2428-465-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-546-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2680-615-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-620-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-667-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4444-670-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1352 hhbnhb.exe 336 lxfffxf.exe 1056 bhbbtn.exe 5044 nbnthb.exe 4768 jdjdd.exe 3932 pjjdd.exe 4516 ddvvv.exe 3180 frrlxxl.exe 1120 bhnnhh.exe 3968 frrfxrl.exe 4488 rfxrffx.exe 4484 tbbttt.exe 1884 ffxrlfx.exe 212 7bhbtn.exe 3612 dpvvp.exe 4692 rxfrfxr.exe 2716 bnthhb.exe 1348 pjjpd.exe 4640 fxxlflf.exe 3320 bnnnhh.exe 696 jdjjv.exe 2112 djvvp.exe 3372 ffflxxr.exe 708 btntnn.exe 3420 vpdvp.exe 556 lllfrrx.exe 3024 hnbtnn.exe 596 nbhbhh.exe 5060 nbbbtt.exe 2652 jpdvv.exe 3116 frxrrrl.exe 2984 bhtnnn.exe 5076 djpjp.exe 4632 pjjdv.exe 4424 rlrrrrx.exe 4076 nhtttt.exe 484 btbttt.exe 4040 vpdvp.exe 4392 pjppp.exe 4936 lxxxrxr.exe 4464 bhnhbn.exe 564 vpddv.exe 3848 lfffrrl.exe 3496 nbhnhh.exe 224 jvdvp.exe 1640 pdjdv.exe 1312 flxxrrr.exe 4524 tbhbtb.exe 280 jdpdj.exe 4620 pvjdv.exe 852 lxfxrll.exe 3932 ntbtnh.exe 4612 ppvvv.exe 1616 lfxfrfx.exe 4036 httnhh.exe 1336 pjjjd.exe 2784 rrrlxxx.exe 2000 rrrlrrx.exe 1540 htttnn.exe 4928 hhbhbh.exe 2296 dvvpd.exe 4488 fxfxrrr.exe 2456 flrlfxx.exe 4712 hhtnhh.exe -
UPX packed file (yara rule `upx`): the rule matches the original sample's memory image, the written file artifacts (.dat) and the in-memory image of every process in the chain, so the dropped executables appear to be UPX-packed copies that unpack at 0x400000–0x427000.
resource yara_rule behavioral2/memory/1028-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023c15-3.dat upx behavioral2/memory/1028-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023c6c-9.dat upx behavioral2/memory/336-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000f000000023c80-11.dat upx behavioral2/memory/1056-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c89-19.dat upx behavioral2/memory/5044-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c8e-25.dat upx behavioral2/memory/4768-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1352-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c8f-29.dat upx behavioral2/memory/4768-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3932-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c90-36.dat upx behavioral2/memory/3932-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023c94-40.dat upx behavioral2/memory/4516-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c96-45.dat upx behavioral2/memory/1120-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3180-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c9a-52.dat upx behavioral2/files/0x0008000000023c9b-57.dat upx behavioral2/memory/4488-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c9c-63.dat upx behavioral2/memory/1120-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3968-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ccb-66.dat upx behavioral2/files/0x0008000000023cce-70.dat upx 
behavioral2/memory/1884-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/212-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cd6-76.dat upx behavioral2/files/0x0009000000023cd7-80.dat upx behavioral2/memory/3612-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cf2-85.dat upx behavioral2/memory/4692-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2716-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cf3-91.dat upx behavioral2/files/0x0008000000023cf4-95.dat upx behavioral2/memory/1348-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023d09-100.dat upx behavioral2/memory/4640-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023c71-106.dat upx behavioral2/memory/3320-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0016000000023d0a-110.dat upx behavioral2/files/0x0008000000023d10-114.dat upx behavioral2/memory/3372-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2112-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023d14-120.dat upx behavioral2/memory/708-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023d20-125.dat upx behavioral2/files/0x0008000000023d21-129.dat upx behavioral2/memory/3420-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023d22-134.dat upx behavioral2/memory/556-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023d23-139.dat upx behavioral2/memory/3024-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/596-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023d24-145.dat upx behavioral2/files/0x0008000000023d25-150.dat upx 
behavioral2/memory/5060-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023d26-155.dat upx behavioral2/files/0x000b000000023bc8-158.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). Caveat for triage: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also routine for benign runtimes and locale initialisation, so on its own this is low-fidelity evidence; the many "Process not Found" entries below are most likely key opens attributed to chain processes that had already exited by the time the event was resolved.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxlfx.exe -
Suspicious use of WriteProcessMemory 64 IoCs. Note: each parent writes to its freshly spawned child exactly three times (e.g. 1028 → 1352, 1352 → 336, 336 → 1056), a pattern consistent with ordinary process creation rather than remote code injection into an unrelated process; the notable behaviour is the chain itself — every dropped EXE immediately launches the next one.
description pid Process procid_target PID 1028 wrote to memory of 1352 1028 ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe 82 PID 1028 wrote to memory of 1352 1028 ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe 82 PID 1028 wrote to memory of 1352 1028 ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe 82 PID 1352 wrote to memory of 336 1352 hhbnhb.exe 85 PID 1352 wrote to memory of 336 1352 hhbnhb.exe 85 PID 1352 wrote to memory of 336 1352 hhbnhb.exe 85 PID 336 wrote to memory of 1056 336 lxfffxf.exe 86 PID 336 wrote to memory of 1056 336 lxfffxf.exe 86 PID 336 wrote to memory of 1056 336 lxfffxf.exe 86 PID 1056 wrote to memory of 5044 1056 bhbbtn.exe 87 PID 1056 wrote to memory of 5044 1056 bhbbtn.exe 87 PID 1056 wrote to memory of 5044 1056 bhbbtn.exe 87 PID 5044 wrote to memory of 4768 5044 nbnthb.exe 89 PID 5044 wrote to memory of 4768 5044 nbnthb.exe 89 PID 5044 wrote to memory of 4768 5044 nbnthb.exe 89 PID 4768 wrote to memory of 3932 4768 jdjdd.exe 90 PID 4768 wrote to memory of 3932 4768 jdjdd.exe 90 PID 4768 wrote to memory of 3932 4768 jdjdd.exe 90 PID 3932 wrote to memory of 4516 3932 pjjdd.exe 92 PID 3932 wrote to memory of 4516 3932 pjjdd.exe 92 PID 3932 wrote to memory of 4516 3932 pjjdd.exe 92 PID 4516 wrote to memory of 3180 4516 ddvvv.exe 93 PID 4516 wrote to memory of 3180 4516 ddvvv.exe 93 PID 4516 wrote to memory of 3180 4516 ddvvv.exe 93 PID 3180 wrote to memory of 1120 3180 frrlxxl.exe 94 PID 3180 wrote to memory of 1120 3180 frrlxxl.exe 94 PID 3180 wrote to memory of 1120 3180 frrlxxl.exe 94 PID 1120 wrote to memory of 3968 1120 bhnnhh.exe 95 PID 1120 wrote to memory of 3968 1120 bhnnhh.exe 95 PID 1120 wrote to memory of 3968 1120 bhnnhh.exe 95 PID 3968 wrote to memory of 4488 3968 frrfxrl.exe 96 PID 3968 wrote to memory of 4488 3968 frrfxrl.exe 96 PID 3968 wrote to memory of 4488 3968 frrfxrl.exe 96 PID 4488 wrote to memory of 4484 4488 rfxrffx.exe 97 PID 4488 wrote to memory of 
4484 4488 rfxrffx.exe 97 PID 4488 wrote to memory of 4484 4488 rfxrffx.exe 97 PID 4484 wrote to memory of 1884 4484 tbbttt.exe 99 PID 4484 wrote to memory of 1884 4484 tbbttt.exe 99 PID 4484 wrote to memory of 1884 4484 tbbttt.exe 99 PID 1884 wrote to memory of 212 1884 ffxrlfx.exe 100 PID 1884 wrote to memory of 212 1884 ffxrlfx.exe 100 PID 1884 wrote to memory of 212 1884 ffxrlfx.exe 100 PID 212 wrote to memory of 3612 212 7bhbtn.exe 101 PID 212 wrote to memory of 3612 212 7bhbtn.exe 101 PID 212 wrote to memory of 3612 212 7bhbtn.exe 101 PID 3612 wrote to memory of 4692 3612 dpvvp.exe 102 PID 3612 wrote to memory of 4692 3612 dpvvp.exe 102 PID 3612 wrote to memory of 4692 3612 dpvvp.exe 102 PID 4692 wrote to memory of 2716 4692 rxfrfxr.exe 103 PID 4692 wrote to memory of 2716 4692 rxfrfxr.exe 103 PID 4692 wrote to memory of 2716 4692 rxfrfxr.exe 103 PID 2716 wrote to memory of 1348 2716 bnthhb.exe 104 PID 2716 wrote to memory of 1348 2716 bnthhb.exe 104 PID 2716 wrote to memory of 1348 2716 bnthhb.exe 104 PID 1348 wrote to memory of 4640 1348 pjjpd.exe 105 PID 1348 wrote to memory of 4640 1348 pjjpd.exe 105 PID 1348 wrote to memory of 4640 1348 pjjpd.exe 105 PID 4640 wrote to memory of 3320 4640 fxxlflf.exe 106 PID 4640 wrote to memory of 3320 4640 fxxlflf.exe 106 PID 4640 wrote to memory of 3320 4640 fxxlflf.exe 106 PID 3320 wrote to memory of 696 3320 bnnnhh.exe 107 PID 3320 wrote to memory of 696 3320 bnnnhh.exe 107 PID 3320 wrote to memory of 696 3320 bnnnhh.exe 107 PID 696 wrote to memory of 2112 696 jdjjv.exe 108
Processes (process tree; the number before ⤵ is the nesting depth). Hunting and forensics notes grounded in the tree below: every dropped executable is written to the root of the system drive (\??\c:\…) with a short name composed of the letters b, d, f, h, j, l, n, p, r, t, v, x, occasionally with a leading digit (7bhbtn.exe, 3jvpp.exe, 9rlrffl.exe, 5dddp.exe, 1jvdd.exe, 1pvpp.exe); the chain is more than 120 levels deep, and several PIDs (3932, 4488, 4692, 2112, 2652, 484, 4040, 564, 4340) appear twice at different depths, meaning earlier processes had already exited and their PIDs were reused — correlate events by PID plus timestamp, never by PID alone.
-
C:\Users\Admin\AppData\Local\Temp\ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe"C:\Users\Admin\AppData\Local\Temp\ed50f8332ec622363962ef35385f228c75eef11f8da485222a9f3cb0f1498a58.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\hhbnhb.exec:\hhbnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\lxfffxf.exec:\lxfffxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\bhbbtn.exec:\bhbbtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\nbnthb.exec:\nbnthb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\jdjdd.exec:\jdjdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\pjjdd.exec:\pjjdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\ddvvv.exec:\ddvvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\frrlxxl.exec:\frrlxxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\bhnnhh.exec:\bhnnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\frrfxrl.exec:\frrfxrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\rfxrffx.exec:\rfxrffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\tbbttt.exec:\tbbttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\7bhbtn.exec:\7bhbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\dpvvp.exec:\dpvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\rxfrfxr.exec:\rxfrfxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\bnthhb.exec:\bnthhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\pjjpd.exec:\pjjpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\fxxlflf.exec:\fxxlflf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\bnnnhh.exec:\bnnnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\jdjjv.exec:\jdjjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\djvvp.exec:\djvvp.exe23⤵
- Executes dropped EXE
PID:2112 -
\??\c:\ffflxxr.exec:\ffflxxr.exe24⤵
- Executes dropped EXE
PID:3372 -
\??\c:\btntnn.exec:\btntnn.exe25⤵
- Executes dropped EXE
PID:708 -
\??\c:\vpdvp.exec:\vpdvp.exe26⤵
- Executes dropped EXE
PID:3420 -
\??\c:\lllfrrx.exec:\lllfrrx.exe27⤵
- Executes dropped EXE
PID:556 -
\??\c:\hnbtnn.exec:\hnbtnn.exe28⤵
- Executes dropped EXE
PID:3024 -
\??\c:\nbhbhh.exec:\nbhbhh.exe29⤵
- Executes dropped EXE
PID:596 -
\??\c:\nbbbtt.exec:\nbbbtt.exe30⤵
- Executes dropped EXE
PID:5060 -
\??\c:\jpdvv.exec:\jpdvv.exe31⤵
- Executes dropped EXE
PID:2652 -
\??\c:\frxrrrl.exec:\frxrrrl.exe32⤵
- Executes dropped EXE
PID:3116 -
\??\c:\bhtnnn.exec:\bhtnnn.exe33⤵
- Executes dropped EXE
PID:2984 -
\??\c:\djpjp.exec:\djpjp.exe34⤵
- Executes dropped EXE
PID:5076 -
\??\c:\pjjdv.exec:\pjjdv.exe35⤵
- Executes dropped EXE
PID:4632 -
\??\c:\rlrrrrx.exec:\rlrrrrx.exe36⤵
- Executes dropped EXE
PID:4424 -
\??\c:\nhtttt.exec:\nhtttt.exe37⤵
- Executes dropped EXE
PID:4076 -
\??\c:\btbttt.exec:\btbttt.exe38⤵
- Executes dropped EXE
PID:484 -
\??\c:\vpdvp.exec:\vpdvp.exe39⤵
- Executes dropped EXE
PID:4040 -
\??\c:\pjppp.exec:\pjppp.exe40⤵
- Executes dropped EXE
PID:4392 -
\??\c:\lxxxrxr.exec:\lxxxrxr.exe41⤵
- Executes dropped EXE
PID:4936 -
\??\c:\bhnhbn.exec:\bhnhbn.exe42⤵
- Executes dropped EXE
PID:4464 -
\??\c:\vpddv.exec:\vpddv.exe43⤵
- Executes dropped EXE
PID:564 -
\??\c:\lfffrrl.exec:\lfffrrl.exe44⤵
- Executes dropped EXE
PID:3848 -
\??\c:\nnttnb.exec:\nnttnb.exe45⤵PID:4340
-
\??\c:\nbhnhh.exec:\nbhnhh.exe46⤵
- Executes dropped EXE
PID:3496 -
\??\c:\jvdvp.exec:\jvdvp.exe47⤵
- Executes dropped EXE
PID:224 -
\??\c:\pdjdv.exec:\pdjdv.exe48⤵
- Executes dropped EXE
PID:1640 -
\??\c:\flxxrrr.exec:\flxxrrr.exe49⤵
- Executes dropped EXE
PID:1312 -
\??\c:\tbhbtb.exec:\tbhbtb.exe50⤵
- Executes dropped EXE
PID:4524 -
\??\c:\jdpdj.exec:\jdpdj.exe51⤵
- Executes dropped EXE
PID:280 -
\??\c:\pvjdv.exec:\pvjdv.exe52⤵
- Executes dropped EXE
PID:4620 -
\??\c:\lxfxrll.exec:\lxfxrll.exe53⤵
- Executes dropped EXE
PID:852 -
\??\c:\ntbtnh.exec:\ntbtnh.exe54⤵
- Executes dropped EXE
PID:3932 -
\??\c:\ppvvv.exec:\ppvvv.exe55⤵
- Executes dropped EXE
PID:4612 -
\??\c:\lfxfrfx.exec:\lfxfrfx.exe56⤵
- Executes dropped EXE
PID:1616 -
\??\c:\httnhh.exec:\httnhh.exe57⤵
- Executes dropped EXE
PID:4036 -
\??\c:\pjjjd.exec:\pjjjd.exe58⤵
- Executes dropped EXE
PID:1336 -
\??\c:\rrrlxxx.exec:\rrrlxxx.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2784 -
\??\c:\rrrlrrx.exec:\rrrlrrx.exe60⤵
- Executes dropped EXE
PID:2000 -
\??\c:\htttnn.exec:\htttnn.exe61⤵
- Executes dropped EXE
PID:1540 -
\??\c:\hhbhbh.exec:\hhbhbh.exe62⤵
- Executes dropped EXE
PID:4928 -
\??\c:\dvvpd.exec:\dvvpd.exe63⤵
- Executes dropped EXE
PID:2296 -
\??\c:\fxfxrrr.exec:\fxfxrrr.exe64⤵
- Executes dropped EXE
PID:4488 -
\??\c:\flrlfxx.exec:\flrlfxx.exe65⤵
- Executes dropped EXE
PID:2456 -
\??\c:\hhtnhh.exec:\hhtnhh.exe66⤵
- Executes dropped EXE
PID:4712 -
\??\c:\jdjjd.exec:\jdjjd.exe67⤵PID:4000
-
\??\c:\rlllxxr.exec:\rlllxxr.exe68⤵PID:3172
-
\??\c:\hhhtnn.exec:\hhhtnn.exe69⤵PID:4032
-
\??\c:\nhhbbh.exec:\nhhbbh.exe70⤵PID:2424
-
\??\c:\7dpjp.exec:\7dpjp.exe71⤵PID:3120
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe72⤵PID:4692
-
\??\c:\fffxrrl.exec:\fffxrrl.exe73⤵PID:3544
-
\??\c:\thtnhh.exec:\thtnhh.exe74⤵PID:4500
-
\??\c:\bhhhtt.exec:\bhhhtt.exe75⤵PID:3988
-
\??\c:\pdvpp.exec:\pdvpp.exe76⤵PID:4088
-
\??\c:\xfrllfl.exec:\xfrllfl.exe77⤵PID:1768
-
\??\c:\xfffxxr.exec:\xfffxxr.exe78⤵PID:3264
-
\??\c:\nbhbbb.exec:\nbhbbb.exe79⤵PID:924
-
\??\c:\thhbtt.exec:\thhbtt.exe80⤵PID:2112
-
\??\c:\jddvj.exec:\jddvj.exe81⤵PID:1644
-
\??\c:\dpjdv.exec:\dpjdv.exe82⤵PID:812
-
\??\c:\fllfxxr.exec:\fllfxxr.exe83⤵PID:2860
-
\??\c:\llllfxr.exec:\llllfxr.exe84⤵PID:3900
-
\??\c:\bntnnh.exec:\bntnnh.exe85⤵PID:3344
-
\??\c:\tnbbbb.exec:\tnbbbb.exe86⤵PID:532
-
\??\c:\dvvvj.exec:\dvvvj.exe87⤵PID:2376
-
\??\c:\ffxrlrr.exec:\ffxrlrr.exe88⤵PID:904
-
\??\c:\fxllrrx.exec:\fxllrrx.exe89⤵PID:3392
-
\??\c:\bthbhh.exec:\bthbhh.exe90⤵PID:1604
-
\??\c:\bhnnnn.exec:\bhnnnn.exe91⤵PID:760
-
\??\c:\3jvpp.exec:\3jvpp.exe92⤵PID:2652
-
\??\c:\vjppd.exec:\vjppd.exe93⤵PID:4820
-
\??\c:\9rlrffl.exec:\9rlrffl.exe94⤵PID:1956
-
\??\c:\tnnnhh.exec:\tnnnhh.exe95⤵PID:4736
-
\??\c:\hbbhtt.exec:\hbbhtt.exe96⤵PID:444
-
\??\c:\dvvpp.exec:\dvvpp.exe97⤵
- System Location Discovery: System Language Discovery
PID:856 -
\??\c:\pjdvd.exec:\pjdvd.exe98⤵PID:3464
-
\??\c:\fffxfxr.exec:\fffxfxr.exe99⤵PID:484
-
\??\c:\nhhbhb.exec:\nhhbhb.exe100⤵PID:4040
-
\??\c:\bhnhhn.exec:\bhnhhn.exe101⤵PID:3136
-
\??\c:\5dddp.exec:\5dddp.exe102⤵PID:4072
-
\??\c:\dpvpd.exec:\dpvpd.exe103⤵PID:4932
-
\??\c:\fxrlffx.exec:\fxrlffx.exe104⤵PID:564
-
\??\c:\9xrlffx.exec:\9xrlffx.exe105⤵PID:1228
-
\??\c:\nhbtnn.exec:\nhbtnn.exe106⤵PID:4340
-
\??\c:\dpppj.exec:\dpppj.exe107⤵PID:3660
-
\??\c:\1jvdd.exec:\1jvdd.exe108⤵PID:2404
-
\??\c:\lxllfxx.exec:\lxllfxx.exe109⤵PID:1704
-
\??\c:\flxxfxf.exec:\flxxfxf.exe110⤵PID:2428
-
\??\c:\tbnhbb.exec:\tbnhbb.exe111⤵PID:4212
-
\??\c:\bhhbth.exec:\bhhbth.exe112⤵
- System Location Discovery: System Language Discovery
PID:3360 -
\??\c:\ffxlfrl.exec:\ffxlfrl.exe113⤵PID:3732
-
\??\c:\lfxxrrf.exec:\lfxxrrf.exe114⤵PID:1000
-
\??\c:\htnnnn.exec:\htnnnn.exe115⤵PID:3940
-
\??\c:\bbbntb.exec:\bbbntb.exe116⤵PID:4904
-
\??\c:\vppdv.exec:\vppdv.exe117⤵PID:968
-
\??\c:\1pvpp.exec:\1pvpp.exe118⤵PID:1468
-
\??\c:\lfllrrx.exec:\lfllrrx.exe119⤵PID:1636
-
\??\c:\ntbbtn.exec:\ntbbtn.exe120⤵PID:4240
-
\??\c:\vpvpd.exec:\vpvpd.exe121⤵PID:1656
-
\??\c:\pdjvj.exec:\pdjvj.exe122⤵PID:3820