Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c6e0e6fab16ca79792481ae95c2c791f831e95e6d75c15f735b0fca46efeeaa2.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
c6e0e6fab16ca79792481ae95c2c791f831e95e6d75c15f735b0fca46efeeaa2.exe
-
Size
455KB
-
MD5
c7de27d34f447b9990638c79a1110733
-
SHA1
da54e6920b39d407453a998b9ca69440144d0e2f
-
SHA256
c6e0e6fab16ca79792481ae95c2c791f831e95e6d75c15f735b0fca46efeeaa2
-
SHA512
fa70cd3508749e0bd4845fdfd5206236fc8226b04813426c4e2a3954dd3a90d44e652c7962a78c15c9e74bce9d5859d0392a38506b1a576f42decf94ca0fe2d9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT9:q7Tc2NYHUrAwfMp3CDZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1396-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2264-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2284-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-892-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-1022-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-1240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-1931-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1504 jjpjj.exe 2080 bhtbbh.exe 4604 7thbhn.exe 2096 jdjjj.exe 2116 rlrxxxl.exe 2408 3lxrrxx.exe 2672 tntnnh.exe 1648 lrlrrxx.exe 2376 7vjjj.exe 2040 frrffrx.exe 1416 rllllrr.exe 3856 3tttbb.exe 2424 rxlffll.exe 1596 3ntbhn.exe 5096 jdppv.exe 1996 xxlllrx.exe 4560 tnnhhn.exe 3596 dvppj.exe 5064 tntttb.exe 1300 5vvpj.exe 2596 1flllrx.exe 1564 bntnnh.exe 2264 pdppp.exe 2840 dpppv.exe 1692 7pddp.exe 960 lflllll.exe 636 xffrlxx.exe 4668 hhhnbb.exe 5100 nhttnn.exe 4792 ffrrlxx.exe 4108 xlrxrrl.exe 4508 1vddv.exe 3868 pjpjj.exe 4656 xxxrllf.exe 2340 xrxlrrl.exe 1552 nnnnhh.exe 4572 dpjjd.exe 3476 dvvpd.exe 1816 lxlfxrl.exe 1928 tntnhh.exe 2976 bthbtn.exe 4364 vpjdd.exe 2584 7xfflrr.exe 4736 tnbtbb.exe 3996 dpdvj.exe 2236 rlfxrfx.exe 4392 bttbtt.exe 4996 jdppd.exe 4784 pjdvv.exe 2208 1xxfxlf.exe 2812 bthbhh.exe 4244 jjdjd.exe 1808 pdjdv.exe 4076 rxxrlff.exe 2252 1nnhbb.exe 3024 vpjdj.exe 1308 pjppj.exe 2984 rflfrrl.exe 1648 bhnhtt.exe 4672 dpvpj.exe 4592 xrfxxxf.exe 2804 fxrrlrx.exe 1256 htbbth.exe 2040 jjjjp.exe -
resource yara_rule behavioral2/memory/1396-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1564-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2500-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-783-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-1022-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1396 wrote to memory of 1504 1396 c6e0e6fab16ca79792481ae95c2c791f831e95e6d75c15f735b0fca46efeeaa2.exe 82 PID 1396 wrote to memory of 1504 1396 c6e0e6fab16ca79792481ae95c2c791f831e95e6d75c15f735b0fca46efeeaa2.exe 82 PID 1396 wrote to memory of 1504 1396 c6e0e6fab16ca79792481ae95c2c791f831e95e6d75c15f735b0fca46efeeaa2.exe 82 PID 1504 wrote to memory of 2080 1504 jjpjj.exe 83 PID 1504 wrote to memory of 2080 1504 jjpjj.exe 83 PID 1504 wrote to memory of 2080 1504 jjpjj.exe 83 PID 2080 wrote to memory of 4604 2080 bhtbbh.exe 84 PID 2080 wrote to memory of 4604 2080 bhtbbh.exe 84 PID 2080 wrote to memory of 4604 2080 bhtbbh.exe 84 PID 4604 wrote to memory of 2096 4604 7thbhn.exe 85 PID 4604 wrote to memory of 2096 4604 7thbhn.exe 85 PID 4604 wrote to memory of 2096 4604 7thbhn.exe 85 PID 2096 wrote to memory of 2116 2096 jdjjj.exe 86 PID 2096 wrote to memory of 2116 2096 jdjjj.exe 86 PID 2096 wrote to memory of 2116 2096 jdjjj.exe 86 PID 2116 wrote to memory of 2408 2116 rlrxxxl.exe 87 PID 2116 wrote to memory of 2408 2116 rlrxxxl.exe 87 PID 2116 wrote to memory of 2408 2116 rlrxxxl.exe 87 PID 2408 wrote to memory of 2672 2408 3lxrrxx.exe 88 PID 2408 wrote to memory of 2672 2408 3lxrrxx.exe 88 PID 2408 wrote to memory of 2672 2408 3lxrrxx.exe 88 PID 2672 wrote to memory of 1648 2672 tntnnh.exe 89 PID 2672 wrote to memory of 1648 2672 tntnnh.exe 89 PID 2672 wrote to memory of 1648 2672 tntnnh.exe 89 PID 1648 wrote to memory of 2376 1648 lrlrrxx.exe 90 PID 1648 wrote to memory of 2376 1648 lrlrrxx.exe 90 PID 1648 wrote to memory of 2376 1648 lrlrrxx.exe 90 PID 2376 wrote to memory of 2040 2376 7vjjj.exe 91 PID 2376 wrote to memory of 2040 2376 7vjjj.exe 91 PID 2376 wrote to memory of 2040 2376 7vjjj.exe 91 PID 2040 wrote to memory of 1416 2040 frrffrx.exe 92 PID 2040 wrote to memory of 1416 2040 frrffrx.exe 92 PID 2040 wrote to memory of 1416 2040 frrffrx.exe 92 PID 1416 wrote to memory of 3856 1416 rllllrr.exe 93 PID 1416 wrote 
to memory of 3856 1416 rllllrr.exe 93 PID 1416 wrote to memory of 3856 1416 rllllrr.exe 93 PID 3856 wrote to memory of 2424 3856 3tttbb.exe 94 PID 3856 wrote to memory of 2424 3856 3tttbb.exe 94 PID 3856 wrote to memory of 2424 3856 3tttbb.exe 94 PID 2424 wrote to memory of 1596 2424 rxlffll.exe 95 PID 2424 wrote to memory of 1596 2424 rxlffll.exe 95 PID 2424 wrote to memory of 1596 2424 rxlffll.exe 95 PID 1596 wrote to memory of 5096 1596 3ntbhn.exe 96 PID 1596 wrote to memory of 5096 1596 3ntbhn.exe 96 PID 1596 wrote to memory of 5096 1596 3ntbhn.exe 96 PID 5096 wrote to memory of 1996 5096 jdppv.exe 97 PID 5096 wrote to memory of 1996 5096 jdppv.exe 97 PID 5096 wrote to memory of 1996 5096 jdppv.exe 97 PID 1996 wrote to memory of 4560 1996 xxlllrx.exe 98 PID 1996 wrote to memory of 4560 1996 xxlllrx.exe 98 PID 1996 wrote to memory of 4560 1996 xxlllrx.exe 98 PID 4560 wrote to memory of 3596 4560 tnnhhn.exe 99 PID 4560 wrote to memory of 3596 4560 tnnhhn.exe 99 PID 4560 wrote to memory of 3596 4560 tnnhhn.exe 99 PID 3596 wrote to memory of 5064 3596 dvppj.exe 100 PID 3596 wrote to memory of 5064 3596 dvppj.exe 100 PID 3596 wrote to memory of 5064 3596 dvppj.exe 100 PID 5064 wrote to memory of 1300 5064 tntttb.exe 101 PID 5064 wrote to memory of 1300 5064 tntttb.exe 101 PID 5064 wrote to memory of 1300 5064 tntttb.exe 101 PID 1300 wrote to memory of 2596 1300 5vvpj.exe 102 PID 1300 wrote to memory of 2596 1300 5vvpj.exe 102 PID 1300 wrote to memory of 2596 1300 5vvpj.exe 102 PID 2596 wrote to memory of 1564 2596 1flllrx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6e0e6fab16ca79792481ae95c2c791f831e95e6d75c15f735b0fca46efeeaa2.exe"C:\Users\Admin\AppData\Local\Temp\c6e0e6fab16ca79792481ae95c2c791f831e95e6d75c15f735b0fca46efeeaa2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\jjpjj.exec:\jjpjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\bhtbbh.exec:\bhtbbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\7thbhn.exec:\7thbhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\jdjjj.exec:\jdjjj.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\rlrxxxl.exec:\rlrxxxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\3lxrrxx.exec:\3lxrrxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\tntnnh.exec:\tntnnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\lrlrrxx.exec:\lrlrrxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\7vjjj.exec:\7vjjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\frrffrx.exec:\frrffrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\rllllrr.exec:\rllllrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\3tttbb.exec:\3tttbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\rxlffll.exec:\rxlffll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\3ntbhn.exec:\3ntbhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\jdppv.exec:\jdppv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\xxlllrx.exec:\xxlllrx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\tnnhhn.exec:\tnnhhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\dvppj.exec:\dvppj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\tntttb.exec:\tntttb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\5vvpj.exec:\5vvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\1flllrx.exec:\1flllrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\bntnnh.exec:\bntnnh.exe23⤵
- Executes dropped EXE
PID:1564 -
\??\c:\pdppp.exec:\pdppp.exe24⤵
- Executes dropped EXE
PID:2264 -
\??\c:\dpppv.exec:\dpppv.exe25⤵
- Executes dropped EXE
PID:2840 -
\??\c:\7pddp.exec:\7pddp.exe26⤵
- Executes dropped EXE
PID:1692 -
\??\c:\lflllll.exec:\lflllll.exe27⤵
- Executes dropped EXE
PID:960 -
\??\c:\xffrlxx.exec:\xffrlxx.exe28⤵
- Executes dropped EXE
PID:636 -
\??\c:\hhhnbb.exec:\hhhnbb.exe29⤵
- Executes dropped EXE
PID:4668 -
\??\c:\nhttnn.exec:\nhttnn.exe30⤵
- Executes dropped EXE
PID:5100 -
\??\c:\ffrrlxx.exec:\ffrrlxx.exe31⤵
- Executes dropped EXE
PID:4792 -
\??\c:\xlrxrrl.exec:\xlrxrrl.exe32⤵
- Executes dropped EXE
PID:4108 -
\??\c:\1vddv.exec:\1vddv.exe33⤵
- Executes dropped EXE
PID:4508 -
\??\c:\pjpjj.exec:\pjpjj.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3868 -
\??\c:\xxxrllf.exec:\xxxrllf.exe35⤵
- Executes dropped EXE
PID:4656 -
\??\c:\xrxlrrl.exec:\xrxlrrl.exe36⤵
- Executes dropped EXE
PID:2340 -
\??\c:\nnnnhh.exec:\nnnnhh.exe37⤵
- Executes dropped EXE
PID:1552 -
\??\c:\dpjjd.exec:\dpjjd.exe38⤵
- Executes dropped EXE
PID:4572 -
\??\c:\dvvpd.exec:\dvvpd.exe39⤵
- Executes dropped EXE
PID:3476 -
\??\c:\lxlfxrl.exec:\lxlfxrl.exe40⤵
- Executes dropped EXE
PID:1816 -
\??\c:\tntnhh.exec:\tntnhh.exe41⤵
- Executes dropped EXE
PID:1928 -
\??\c:\bthbtn.exec:\bthbtn.exe42⤵
- Executes dropped EXE
PID:2976 -
\??\c:\vpjdd.exec:\vpjdd.exe43⤵
- Executes dropped EXE
PID:4364 -
\??\c:\7xfflrr.exec:\7xfflrr.exe44⤵
- Executes dropped EXE
PID:2584 -
\??\c:\tnbtbb.exec:\tnbtbb.exe45⤵
- Executes dropped EXE
PID:4736 -
\??\c:\dpdvj.exec:\dpdvj.exe46⤵
- Executes dropped EXE
PID:3996 -
\??\c:\rlfxrfx.exec:\rlfxrfx.exe47⤵
- Executes dropped EXE
PID:2236 -
\??\c:\bttbtt.exec:\bttbtt.exe48⤵
- Executes dropped EXE
PID:4392 -
\??\c:\jdppd.exec:\jdppd.exe49⤵
- Executes dropped EXE
PID:4996 -
\??\c:\pjdvv.exec:\pjdvv.exe50⤵
- Executes dropped EXE
PID:4784 -
\??\c:\1xxfxlf.exec:\1xxfxlf.exe51⤵
- Executes dropped EXE
PID:2208 -
\??\c:\bthbhh.exec:\bthbhh.exe52⤵
- Executes dropped EXE
PID:2812 -
\??\c:\jjdjd.exec:\jjdjd.exe53⤵
- Executes dropped EXE
PID:4244 -
\??\c:\pdjdv.exec:\pdjdv.exe54⤵
- Executes dropped EXE
PID:1808 -
\??\c:\rxxrlff.exec:\rxxrlff.exe55⤵
- Executes dropped EXE
PID:4076 -
\??\c:\1nnhbb.exec:\1nnhbb.exe56⤵
- Executes dropped EXE
PID:2252 -
\??\c:\vpjdj.exec:\vpjdj.exe57⤵
- Executes dropped EXE
PID:3024 -
\??\c:\pjppj.exec:\pjppj.exe58⤵
- Executes dropped EXE
PID:1308 -
\??\c:\rflfrrl.exec:\rflfrrl.exe59⤵
- Executes dropped EXE
PID:2984 -
\??\c:\bhnhtt.exec:\bhnhtt.exe60⤵
- Executes dropped EXE
PID:1648 -
\??\c:\dpvpj.exec:\dpvpj.exe61⤵
- Executes dropped EXE
PID:4672 -
\??\c:\xrfxxxf.exec:\xrfxxxf.exe62⤵
- Executes dropped EXE
PID:4592 -
\??\c:\fxrrlrx.exec:\fxrrlrx.exe63⤵
- Executes dropped EXE
PID:2804 -
\??\c:\htbbth.exec:\htbbth.exe64⤵
- Executes dropped EXE
PID:1256 -
\??\c:\jjjjp.exec:\jjjjp.exe65⤵
- Executes dropped EXE
PID:2040 -
\??\c:\rfrlfff.exec:\rfrlfff.exe66⤵PID:2284
-
\??\c:\xfxlfrl.exec:\xfxlfrl.exe67⤵PID:3964
-
\??\c:\dvddv.exec:\dvddv.exe68⤵PID:2940
-
\??\c:\ppvjv.exec:\ppvjv.exe69⤵PID:2424
-
\??\c:\3rxrffx.exec:\3rxrffx.exe70⤵PID:3808
-
\??\c:\bhhtth.exec:\bhhtth.exe71⤵PID:220
-
\??\c:\thnnbb.exec:\thnnbb.exe72⤵PID:244
-
\??\c:\jvdpj.exec:\jvdpj.exe73⤵PID:3396
-
\??\c:\xfxllll.exec:\xfxllll.exe74⤵PID:4560
-
\??\c:\hbnthn.exec:\hbnthn.exe75⤵PID:4544
-
\??\c:\bhhbtb.exec:\bhhbtb.exe76⤵PID:3680
-
\??\c:\1vpjd.exec:\1vpjd.exe77⤵PID:3828
-
\??\c:\flrlllf.exec:\flrlllf.exe78⤵PID:4968
-
\??\c:\tnbbbn.exec:\tnbbbn.exe79⤵PID:2500
-
\??\c:\vdjdp.exec:\vdjdp.exe80⤵PID:2592
-
\??\c:\djpjj.exec:\djpjj.exe81⤵PID:2596
-
\??\c:\nnnthh.exec:\nnnthh.exe82⤵PID:4848
-
\??\c:\hbbttn.exec:\hbbttn.exe83⤵PID:4928
-
\??\c:\dddvj.exec:\dddvj.exe84⤵PID:2072
-
\??\c:\lxlffff.exec:\lxlffff.exe85⤵PID:2700
-
\??\c:\fxxrlff.exec:\fxxrlff.exe86⤵PID:1696
-
\??\c:\btbttt.exec:\btbttt.exe87⤵PID:1432
-
\??\c:\5vdpj.exec:\5vdpj.exe88⤵PID:2024
-
\??\c:\xrlfllr.exec:\xrlfllr.exe89⤵PID:4780
-
\??\c:\fxxrllf.exec:\fxxrllf.exe90⤵PID:1672
-
\??\c:\hhbbnt.exec:\hhbbnt.exe91⤵PID:640
-
\??\c:\djpvp.exec:\djpvp.exe92⤵PID:3372
-
\??\c:\vvddv.exec:\vvddv.exe93⤵PID:4864
-
\??\c:\frxrlll.exec:\frxrlll.exe94⤵PID:3832
-
\??\c:\htbtnh.exec:\htbtnh.exe95⤵PID:4524
-
\??\c:\hbbtbt.exec:\hbbtbt.exe96⤵PID:2064
-
\??\c:\jdjpj.exec:\jdjpj.exe97⤵PID:4580
-
\??\c:\7pddd.exec:\7pddd.exe98⤵PID:4508
-
\??\c:\1bhbbb.exec:\1bhbbb.exe99⤵PID:3032
-
\??\c:\tntnhn.exec:\tntnhn.exe100⤵PID:3500
-
\??\c:\pdjdv.exec:\pdjdv.exe101⤵PID:3540
-
\??\c:\frrrrrr.exec:\frrrrrr.exe102⤵PID:4860
-
\??\c:\nhthbb.exec:\nhthbb.exe103⤵PID:736
-
\??\c:\bthbtt.exec:\bthbtt.exe104⤵PID:4572
-
\??\c:\djvpj.exec:\djvpj.exe105⤵PID:4908
-
\??\c:\xrrlffx.exec:\xrrlffx.exe106⤵PID:1168
-
\??\c:\fxlrrxx.exec:\fxlrrxx.exe107⤵PID:4156
-
\??\c:\nhhhhb.exec:\nhhhhb.exe108⤵PID:4408
-
\??\c:\ppvvp.exec:\ppvvp.exe109⤵PID:1560
-
\??\c:\xxrlffx.exec:\xxrlffx.exe110⤵PID:652
-
\??\c:\1xfxxxr.exec:\1xfxxxr.exe111⤵PID:4220
-
\??\c:\nttnhh.exec:\nttnhh.exe112⤵
- System Location Discovery: System Language Discovery
PID:2444 -
\??\c:\jdjdv.exec:\jdjdv.exe113⤵PID:4436
-
\??\c:\3xlrxrx.exec:\3xlrxrx.exe114⤵PID:2756
-
\??\c:\nhhbbt.exec:\nhhbbt.exe115⤵PID:4392
-
\??\c:\5vvpj.exec:\5vvpj.exe116⤵PID:3404
-
\??\c:\ppdvj.exec:\ppdvj.exe117⤵PID:2096
-
\??\c:\xlrrfff.exec:\xlrrfff.exe118⤵PID:408
-
\??\c:\nbbbtt.exec:\nbbbtt.exe119⤵PID:3844
-
\??\c:\djpjd.exec:\djpjd.exe120⤵PID:3780
-
\??\c:\flxlfxx.exec:\flxlfxx.exe121⤵PID:4912
-
\??\c:\lrlxfrl.exec:\lrlxfrl.exe122⤵PID:3172