Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:53
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe
Resource
win7-20240903-en
7 signatures
120 seconds (note: the signature and IoC listings that follow are labelled behavioral2, and the platform header above says windows10-2004_x64, so they belong to a second behavioral run on Windows 10, not to this win7-20240903-en task)
General
-
Target
c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe
-
Size
454KB
-
MD5
b1c2b1be578c8456d581fab13a6adba6
-
SHA1
251ed896de4b6a048e864c1fd66731e6c8d63057
-
SHA256
c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa
-
SHA512
6a79c6210d645541bd117b0a7d089eaa614ef8bcb89a6f183e75007778d97a556de96fb1eac98d8a65dc30d8ba41a5accc1d7554b012146c51fc4f1f656f6970
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config (no extracted configuration is shown in this report)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs — the family_blackmoon YARA rule matches the same 0x00400000–0x0042A000 image region in the original sample (PID 4944) and in every dropped child; the upx rule listed further below matches the identical regions, so the family rule appears to be firing on the unpacked in-memory image of what looks like one and the same executable copied from process to process.
resource yara_rule behavioral2/memory/4944-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/492-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1072-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4532-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-952-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-1036-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-1297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1992-1379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — every dropped binary is written to the root of C:\ under a short name built only from the letters b/d/f/h/j/l/n/p/r/t/v/x with an optional leading digit (e.g. hhhbbb.exe, fxxfrll.exe, 3ttnhh.exe); that path-plus-naming pattern is a usable detection and hunting pivot for this sample.
pid Process 4524 hhhbbb.exe 492 htbbbb.exe 180 fxxfrll.exe 4868 djvjp.exe 3176 3ttnhh.exe 264 pjdvp.exe 3124 xlfxrxr.exe 4796 hbbtnn.exe 4324 jddvp.exe 4408 jvpjd.exe 2864 xlxxxfx.exe 3756 5rxfffr.exe 2280 jpppj.exe 2716 bnnhbn.exe 1036 7jjpd.exe 3508 rxlfxrl.exe 5008 hthbbb.exe 1796 jdppj.exe 4316 9bhbnn.exe 2532 5jpvp.exe 644 nnhbnb.exe 1072 jdvpd.exe 4800 rrxrrrx.exe 4272 hnbbtn.exe 1440 1jdvp.exe 2136 dppjv.exe 4592 3rrlxfx.exe 2728 hbnhbh.exe 4740 5xffxxx.exe 2916 btnnhn.exe 2420 pjvvd.exe 2032 llfxxrr.exe 1988 nnbtbb.exe 2312 xxrlxxf.exe 3924 xrfrlfx.exe 3028 vdpjp.exe 2424 rlffllr.exe 2668 3ntbtt.exe 1208 9jvvv.exe 1304 dddpj.exe 840 rflxfxf.exe 4448 thnnhb.exe 3712 jjddv.exe 456 vjdvp.exe 3320 xxfrllf.exe 3808 nthbbb.exe 2724 dddpj.exe 4556 rllxrrr.exe 1576 tbhbtt.exe 492 pdpjd.exe 3060 fxfrfxr.exe 180 3rlflrl.exe 2096 9tbthh.exe 4840 1djdd.exe 4452 pddvv.exe 3684 lffrlxx.exe 5004 7tnhbt.exe 3124 vjdvj.exe 4396 dpvdd.exe 4728 1flxlll.exe 4324 hnbtnn.exe 4408 7vdvp.exe 1844 jjjdj.exe 2864 rflxrrl.exe -
resource yara_rule behavioral2/memory/4944-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/492-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1440-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-399-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1724-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-649-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. In this run the IoCs are opens of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; the report records only the key open, not which value was read, so whether execution is gated on locale cannot be confirmed from this page. Entries attributed to "Process not Found" are ones the sandbox could not map back to a live process, which is consistent with the short-lived, rapidly recycled processes in the chain below.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrrf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — each parent writes (three times) only into the single child it spawns next, and every target is one of the dropped copies, so this appears to be the launch of the next link in the chain rather than injection into an unrelated process; the parent→child PIDs match the Processes tree below.
description pid Process procid_target PID 4944 wrote to memory of 4524 4944 c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe 83 PID 4944 wrote to memory of 4524 4944 c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe 83 PID 4944 wrote to memory of 4524 4944 c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe 83 PID 4524 wrote to memory of 492 4524 hhhbbb.exe 84 PID 4524 wrote to memory of 492 4524 hhhbbb.exe 84 PID 4524 wrote to memory of 492 4524 hhhbbb.exe 84 PID 492 wrote to memory of 180 492 htbbbb.exe 85 PID 492 wrote to memory of 180 492 htbbbb.exe 85 PID 492 wrote to memory of 180 492 htbbbb.exe 85 PID 180 wrote to memory of 4868 180 fxxfrll.exe 86 PID 180 wrote to memory of 4868 180 fxxfrll.exe 86 PID 180 wrote to memory of 4868 180 fxxfrll.exe 86 PID 4868 wrote to memory of 3176 4868 djvjp.exe 87 PID 4868 wrote to memory of 3176 4868 djvjp.exe 87 PID 4868 wrote to memory of 3176 4868 djvjp.exe 87 PID 3176 wrote to memory of 264 3176 3ttnhh.exe 88 PID 3176 wrote to memory of 264 3176 3ttnhh.exe 88 PID 3176 wrote to memory of 264 3176 3ttnhh.exe 88 PID 264 wrote to memory of 3124 264 pjdvp.exe 89 PID 264 wrote to memory of 3124 264 pjdvp.exe 89 PID 264 wrote to memory of 3124 264 pjdvp.exe 89 PID 3124 wrote to memory of 4796 3124 xlfxrxr.exe 90 PID 3124 wrote to memory of 4796 3124 xlfxrxr.exe 90 PID 3124 wrote to memory of 4796 3124 xlfxrxr.exe 90 PID 4796 wrote to memory of 4324 4796 hbbtnn.exe 91 PID 4796 wrote to memory of 4324 4796 hbbtnn.exe 91 PID 4796 wrote to memory of 4324 4796 hbbtnn.exe 91 PID 4324 wrote to memory of 4408 4324 jddvp.exe 92 PID 4324 wrote to memory of 4408 4324 jddvp.exe 92 PID 4324 wrote to memory of 4408 4324 jddvp.exe 92 PID 4408 wrote to memory of 2864 4408 jvpjd.exe 93 PID 4408 wrote to memory of 2864 4408 jvpjd.exe 93 PID 4408 wrote to memory of 2864 4408 jvpjd.exe 93 PID 2864 wrote to memory of 3756 2864 xlxxxfx.exe 94 PID 2864 wrote to memory of 3756 2864 xlxxxfx.exe 
94 PID 2864 wrote to memory of 3756 2864 xlxxxfx.exe 94 PID 3756 wrote to memory of 2280 3756 5rxfffr.exe 95 PID 3756 wrote to memory of 2280 3756 5rxfffr.exe 95 PID 3756 wrote to memory of 2280 3756 5rxfffr.exe 95 PID 2280 wrote to memory of 2716 2280 jpppj.exe 96 PID 2280 wrote to memory of 2716 2280 jpppj.exe 96 PID 2280 wrote to memory of 2716 2280 jpppj.exe 96 PID 2716 wrote to memory of 1036 2716 bnnhbn.exe 97 PID 2716 wrote to memory of 1036 2716 bnnhbn.exe 97 PID 2716 wrote to memory of 1036 2716 bnnhbn.exe 97 PID 1036 wrote to memory of 3508 1036 7jjpd.exe 98 PID 1036 wrote to memory of 3508 1036 7jjpd.exe 98 PID 1036 wrote to memory of 3508 1036 7jjpd.exe 98 PID 3508 wrote to memory of 5008 3508 rxlfxrl.exe 99 PID 3508 wrote to memory of 5008 3508 rxlfxrl.exe 99 PID 3508 wrote to memory of 5008 3508 rxlfxrl.exe 99 PID 5008 wrote to memory of 1796 5008 hthbbb.exe 100 PID 5008 wrote to memory of 1796 5008 hthbbb.exe 100 PID 5008 wrote to memory of 1796 5008 hthbbb.exe 100 PID 1796 wrote to memory of 4316 1796 jdppj.exe 101 PID 1796 wrote to memory of 4316 1796 jdppj.exe 101 PID 1796 wrote to memory of 4316 1796 jdppj.exe 101 PID 4316 wrote to memory of 2532 4316 9bhbnn.exe 102 PID 4316 wrote to memory of 2532 4316 9bhbnn.exe 102 PID 4316 wrote to memory of 2532 4316 9bhbnn.exe 102 PID 2532 wrote to memory of 644 2532 5jpvp.exe 103 PID 2532 wrote to memory of 644 2532 5jpvp.exe 103 PID 2532 wrote to memory of 644 2532 5jpvp.exe 103 PID 644 wrote to memory of 1072 644 nnhbnb.exe 104
Processes — each entry below is the image path (\??\c:\...), then the command line, then the nesting depth (1⤵ … 122⤵) and the PID; the tree is a 122-deep chain in which every process launches exactly one successor. PIDs are recycled within the run (e.g. 492 is htbbbb.exe at depth 3 and pdpjd.exe at depth 51; 180, 3124, 4324, 4408, 2864, 5008, 4524 and 3176 likewise reappear), so correlate events by image name and order, not by PID alone.
-
C:\Users\Admin\AppData\Local\Temp\c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe — cmdline "C:\Users\Admin\AppData\Local\Temp\c82b0605c1cee2663a059a5284b134cd572bec00f5cd7121426234ea1ba3beaa.exe" — depth 1
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\hhhbbb.exec:\hhhbbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\htbbbb.exec:\htbbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:492 -
\??\c:\fxxfrll.exec:\fxxfrll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
\??\c:\djvjp.exec:\djvjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\3ttnhh.exec:\3ttnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\pjdvp.exec:\pjdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\xlfxrxr.exec:\xlfxrxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\hbbtnn.exec:\hbbtnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\jddvp.exec:\jddvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\jvpjd.exec:\jvpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\xlxxxfx.exec:\xlxxxfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\5rxfffr.exec:\5rxfffr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\jpppj.exec:\jpppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\bnnhbn.exec:\bnnhbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\7jjpd.exec:\7jjpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\rxlfxrl.exec:\rxlfxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\hthbbb.exec:\hthbbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\jdppj.exec:\jdppj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\9bhbnn.exec:\9bhbnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\5jpvp.exec:\5jpvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\nnhbnb.exec:\nnhbnb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\jdvpd.exec:\jdvpd.exe23⤵
- Executes dropped EXE
PID:1072 -
\??\c:\rrxrrrx.exec:\rrxrrrx.exe24⤵
- Executes dropped EXE
PID:4800 -
\??\c:\hnbbtn.exec:\hnbbtn.exe25⤵
- Executes dropped EXE
PID:4272 -
\??\c:\1jdvp.exec:\1jdvp.exe26⤵
- Executes dropped EXE
PID:1440 -
\??\c:\dppjv.exec:\dppjv.exe27⤵
- Executes dropped EXE
PID:2136 -
\??\c:\3rrlxfx.exec:\3rrlxfx.exe28⤵
- Executes dropped EXE
PID:4592 -
\??\c:\hbnhbh.exec:\hbnhbh.exe29⤵
- Executes dropped EXE
PID:2728 -
\??\c:\5xffxxx.exec:\5xffxxx.exe30⤵
- Executes dropped EXE
PID:4740 -
\??\c:\btnnhn.exec:\btnnhn.exe31⤵
- Executes dropped EXE
PID:2916 -
\??\c:\pjvvd.exec:\pjvvd.exe32⤵
- Executes dropped EXE
PID:2420 -
\??\c:\llfxxrr.exec:\llfxxrr.exe33⤵
- Executes dropped EXE
PID:2032 -
\??\c:\nnbtbb.exec:\nnbtbb.exe34⤵
- Executes dropped EXE
PID:1988 -
\??\c:\xxrlxxf.exec:\xxrlxxf.exe35⤵
- Executes dropped EXE
PID:2312 -
\??\c:\xrfrlfx.exec:\xrfrlfx.exe36⤵
- Executes dropped EXE
PID:3924 -
\??\c:\vdpjp.exec:\vdpjp.exe37⤵
- Executes dropped EXE
PID:3028 -
\??\c:\rlffllr.exec:\rlffllr.exe38⤵
- Executes dropped EXE
PID:2424 -
\??\c:\3ntbtt.exec:\3ntbtt.exe39⤵
- Executes dropped EXE
PID:2668 -
\??\c:\9jvvv.exec:\9jvvv.exe40⤵
- Executes dropped EXE
PID:1208 -
\??\c:\dddpj.exec:\dddpj.exe41⤵
- Executes dropped EXE
PID:1304 -
\??\c:\rflxfxf.exec:\rflxfxf.exe42⤵
- Executes dropped EXE
PID:840 -
\??\c:\thnnhb.exec:\thnnhb.exe43⤵
- Executes dropped EXE
PID:4448 -
\??\c:\jjddv.exec:\jjddv.exe44⤵
- Executes dropped EXE
PID:3712 -
\??\c:\vjdvp.exec:\vjdvp.exe45⤵
- Executes dropped EXE
PID:456 -
\??\c:\xxfrllf.exec:\xxfrllf.exe46⤵
- Executes dropped EXE
PID:3320 -
\??\c:\nthbbb.exec:\nthbbb.exe47⤵
- Executes dropped EXE
PID:3808 -
\??\c:\dddpj.exec:\dddpj.exe48⤵
- Executes dropped EXE
PID:2724 -
\??\c:\rllxrrr.exec:\rllxrrr.exe49⤵
- Executes dropped EXE
PID:4556 -
\??\c:\tbhbtt.exec:\tbhbtt.exe50⤵
- Executes dropped EXE
PID:1576 -
\??\c:\pdpjd.exec:\pdpjd.exe51⤵
- Executes dropped EXE
PID:492 -
\??\c:\fxfrfxr.exec:\fxfrfxr.exe52⤵
- Executes dropped EXE
PID:3060 -
\??\c:\3rlflrl.exec:\3rlflrl.exe53⤵
- Executes dropped EXE
PID:180 -
\??\c:\9tbthh.exec:\9tbthh.exe54⤵
- Executes dropped EXE
PID:2096 -
\??\c:\1djdd.exec:\1djdd.exe55⤵
- Executes dropped EXE
PID:4840 -
\??\c:\pddvv.exec:\pddvv.exe56⤵
- Executes dropped EXE
PID:4452 -
\??\c:\lffrlxx.exec:\lffrlxx.exe57⤵
- Executes dropped EXE
PID:3684 -
\??\c:\7tnhbt.exec:\7tnhbt.exe58⤵
- Executes dropped EXE
PID:5004 -
\??\c:\vjdvj.exec:\vjdvj.exe59⤵
- Executes dropped EXE
PID:3124 -
\??\c:\dpvdd.exec:\dpvdd.exe60⤵
- Executes dropped EXE
PID:4396 -
\??\c:\1flxlll.exec:\1flxlll.exe61⤵
- Executes dropped EXE
PID:4728 -
\??\c:\hnbtnn.exec:\hnbtnn.exe62⤵
- Executes dropped EXE
PID:4324 -
\??\c:\7vdvp.exec:\7vdvp.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408 -
\??\c:\jjjdj.exec:\jjjdj.exe64⤵
- Executes dropped EXE
PID:1844 -
\??\c:\rflxrrl.exec:\rflxrrl.exe65⤵
- Executes dropped EXE
PID:2864 -
\??\c:\7nhbtn.exec:\7nhbtn.exe66⤵PID:4576
-
\??\c:\jjjdv.exec:\jjjdv.exe67⤵PID:1908
-
\??\c:\rrrlffx.exec:\rrrlffx.exe68⤵PID:1344
-
\??\c:\hbbnhh.exec:\hbbnhh.exe69⤵PID:440
-
\??\c:\pjdpd.exec:\pjdpd.exe70⤵PID:5104
-
\??\c:\vvpdp.exec:\vvpdp.exe71⤵PID:2360
-
\??\c:\llrlxxr.exec:\llrlxxr.exe72⤵PID:5008
-
\??\c:\htnhtt.exec:\htnhtt.exe73⤵PID:4844
-
\??\c:\jvdvj.exec:\jvdvj.exe74⤵
- System Location Discovery: System Language Discovery
PID:4896 -
\??\c:\fxlxrlx.exec:\fxlxrlx.exe75⤵PID:2348
-
\??\c:\lfflrlx.exec:\lfflrlx.exe76⤵PID:3952
-
\??\c:\3tnhhb.exec:\3tnhhb.exe77⤵PID:4532
-
\??\c:\pjppd.exec:\pjppd.exe78⤵PID:980
-
\??\c:\rllxxrx.exec:\rllxxrx.exe79⤵PID:1680
-
\??\c:\5tnhbb.exec:\5tnhbb.exe80⤵PID:2784
-
\??\c:\ddjjv.exec:\ddjjv.exe81⤵PID:2648
-
\??\c:\frfrxrr.exec:\frfrxrr.exe82⤵PID:1944
-
\??\c:\xrlxrfx.exec:\xrlxrfx.exe83⤵PID:3256
-
\??\c:\nththh.exec:\nththh.exe84⤵PID:428
-
\??\c:\5jjjd.exec:\5jjjd.exe85⤵PID:3988
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe86⤵PID:4996
-
\??\c:\tntnbt.exec:\tntnbt.exe87⤵PID:1528
-
\??\c:\pdvpj.exec:\pdvpj.exe88⤵PID:984
-
\??\c:\dddvj.exec:\dddvj.exe89⤵PID:1116
-
\??\c:\xxlxxxf.exec:\xxlxxxf.exe90⤵PID:1664
-
\??\c:\thnhbb.exec:\thnhbb.exe91⤵PID:752
-
\??\c:\djjjd.exec:\djjjd.exe92⤵PID:3896
-
\??\c:\fllfrrl.exec:\fllfrrl.exe93⤵PID:3424
-
\??\c:\lxlfxxx.exec:\lxlfxxx.exe94⤵PID:636
-
\??\c:\thbtnn.exec:\thbtnn.exe95⤵PID:2116
-
\??\c:\jddvp.exec:\jddvp.exe96⤵PID:4292
-
\??\c:\pjvpd.exec:\pjvpd.exe97⤵PID:1724
-
\??\c:\flrfrrl.exec:\flrfrrl.exe98⤵PID:5076
-
\??\c:\nthbtn.exec:\nthbtn.exe99⤵PID:1836
-
\??\c:\jvvpp.exec:\jvvpp.exe100⤵PID:2108
-
\??\c:\3vpjv.exec:\3vpjv.exe101⤵PID:3064
-
\??\c:\flxrxxf.exec:\flxrxxf.exe102⤵PID:1292
-
\??\c:\9hhbtt.exec:\9hhbtt.exe103⤵PID:3900
-
\??\c:\pjpdp.exec:\pjpdp.exe104⤵PID:628
-
\??\c:\jpvvd.exec:\jpvvd.exe105⤵PID:4696
-
\??\c:\3fxfflf.exec:\3fxfflf.exe106⤵PID:4428
-
\??\c:\hhtnnt.exec:\hhtnnt.exe107⤵PID:2540
-
\??\c:\ttnbtn.exec:\ttnbtn.exe108⤵PID:4524
-
\??\c:\9djdp.exec:\9djdp.exe109⤵PID:4620
-
\??\c:\rflxrrl.exec:\rflxrrl.exe110⤵PID:952
-
\??\c:\7nhbtn.exec:\7nhbtn.exe111⤵PID:4976
-
\??\c:\dpvjd.exec:\dpvjd.exe112⤵PID:4156
-
\??\c:\ffrllll.exec:\ffrllll.exe113⤵PID:180
-
\??\c:\5tnhtn.exec:\5tnhtn.exe114⤵PID:5108
-
\??\c:\vvvdp.exec:\vvvdp.exe115⤵PID:3176
-
\??\c:\vjjdp.exec:\vjjdp.exe116⤵PID:1284
-
\??\c:\3xffrrl.exec:\3xffrrl.exe117⤵PID:4464
-
\??\c:\thhbtt.exec:\thhbtt.exe118⤵PID:3696
-
\??\c:\pvvpv.exec:\pvvpv.exe119⤵PID:4900
-
\??\c:\lxxlxrl.exec:\lxxlxrl.exe120⤵PID:2520
-
\??\c:\3rfxrrl.exec:\3rfxrrl.exe121⤵PID:3200
-
\??\c:\hhnnhb.exec:\hhnnhb.exe122⤵PID:4728