Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08/01/2025, 07:16 (day/month order is not stated by the page — read as DD/MM or MM/DD with care when correlating with other telemetry)
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe
Resource
win7-20241010-en (note: this behavioral1 task is the Windows 7 run, but every memory dump, signature hit and process-tree entry below is labelled behavioral2 and appears to come from the win10v2004-20241007-en platform named in the Analysis header — the Windows 7 results are not what is shown on this page)
7 signatures
150 seconds
General
-
Target
bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe
-
Size
454KB
-
MD5
ebe2600d634bfceb3ec7732c4edf9284
-
SHA1
e129af3e22fa0b3dcef775e74704026ee1c4d2e2
-
SHA256
bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88
-
SHA512
dc4bd3ee9c9629e67399859cfa4f938f03e38fe60ac19391ad5b559f48dedef0dd67bb90a89d5ae6efbcf38e0a6cebcce273c2d15161178183f03ab50f39318e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (all 63 hits are the same 0x0000000000400000–0x000000000042A000 image range, each in a different dropped child process; the identical dumps also match the UPX rule below, which is consistent with the family rule firing on successive copies of one packed image rather than on distinct payloads)
resource yara_rule behavioral2/memory/1752-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/612-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3652-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3040-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-692-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-890-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-993-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-1024-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-1085-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-1585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (display cap — the process tree below reaches depth 122; every dropped file is written to the root of C:\ under an NT-style path `\??\c:\<name>.exe`, and every name is drawn from the letters b d f h j l n p r t v x with an optional leading odd digit, so "root-of-C: EXE whose name matches ^[13579]?[bdfhjlnprtvx]{5,7}\.exe$" is a usable hunting heuristic for this chain)
pid Process 612 frrfxfx.exe 1680 tttnhh.exe 3376 pjpjj.exe 3348 fflflrl.exe 2152 jvjjj.exe 2332 rllffll.exe 3936 bbnhbt.exe 904 thhbbb.exe 3248 jvdvp.exe 1796 lflfxxr.exe 3040 lfrrrlr.exe 2912 hbntnt.exe 1556 9dvvd.exe 1964 jvddv.exe 4832 ffrxllx.exe 2128 1bnhbb.exe 2776 dvvpj.exe 3044 xllfffx.exe 2084 nthhnt.exe 3872 jjppj.exe 4024 jjjjd.exe 2480 tttttt.exe 4716 jjpjj.exe 4448 dddvp.exe 2876 xffxxff.exe 708 hhhhbt.exe 4428 7jjvv.exe 2900 lflfxrr.exe 4432 tttnnh.exe 2276 pjjpj.exe 2296 xrxxrrr.exe 2488 hbbnhh.exe 768 pdppj.exe 3580 lfllflf.exe 4476 hnnnnn.exe 3324 3tbttt.exe 3644 xlfxxxx.exe 4144 rxrxrxr.exe 4940 tttbbb.exe 1040 5jjdv.exe 428 dddvp.exe 3588 ffrllll.exe 2936 ntbbbb.exe 2060 pvjjv.exe 3344 dvjjj.exe 3392 xlrrfff.exe 1540 lflxrrf.exe 1156 1hnhtn.exe 3260 5jdpd.exe 4336 xfxrlrl.exe 3652 fxxxrrl.exe 4272 9tbtnh.exe 3056 jpdvd.exe 1692 1vvpp.exe 4480 lfffrxr.exe 1000 fllxrfr.exe 2252 bbhbnn.exe 4408 ppvdv.exe 440 3ppdv.exe 2332 xxfxxxr.exe 2752 tbbbtt.exe 2928 5pdpj.exe 3424 1pdvp.exe 3752 frrfxlf.exe -
resource yara_rule behavioral2/memory/1752-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/612-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-238-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1156-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-72-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3936-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-844-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat for triage: the key in question (HKLM\SYSTEM\ControlSet001\Control\NLS\Language) is also read by ordinary locale APIs, so this hit is weak on its own; it is listed here because it recurs across the dropped-EXE chain. Entries attributed to "Process not Found" are key opens whose owning process could not be resolved by name — most likely because it had already exited, or its PID had been reused, by the time the sandbox looked it up — so the per-process attribution below is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes exactly three times into the child it spawns, which is consistent with plain process creation of the next link in the chain rather than remote-thread injection — confirm against the raw API log before treating it as injection; note also that PIDs are reused within this run, e.g. 2332 is rllffll.exe at depth 7 and xxfxxxr.exe at depth 61, and 1556, 3580, 4940, 2060 and 3392 likewise appear twice, while the jvjjj.exe → 2332 entry carries procid_target 141 where its neighbours are 86–88 — so key indicators on image path and parent chain, not on PID)
description pid Process procid_target PID 1752 wrote to memory of 612 1752 bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe 82 PID 1752 wrote to memory of 612 1752 bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe 82 PID 1752 wrote to memory of 612 1752 bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe 82 PID 612 wrote to memory of 1680 612 frrfxfx.exe 83 PID 612 wrote to memory of 1680 612 frrfxfx.exe 83 PID 612 wrote to memory of 1680 612 frrfxfx.exe 83 PID 1680 wrote to memory of 3376 1680 tttnhh.exe 84 PID 1680 wrote to memory of 3376 1680 tttnhh.exe 84 PID 1680 wrote to memory of 3376 1680 tttnhh.exe 84 PID 3376 wrote to memory of 3348 3376 pjpjj.exe 85 PID 3376 wrote to memory of 3348 3376 pjpjj.exe 85 PID 3376 wrote to memory of 3348 3376 pjpjj.exe 85 PID 3348 wrote to memory of 2152 3348 fflflrl.exe 86 PID 3348 wrote to memory of 2152 3348 fflflrl.exe 86 PID 3348 wrote to memory of 2152 3348 fflflrl.exe 86 PID 2152 wrote to memory of 2332 2152 jvjjj.exe 141 PID 2152 wrote to memory of 2332 2152 jvjjj.exe 141 PID 2152 wrote to memory of 2332 2152 jvjjj.exe 141 PID 2332 wrote to memory of 3936 2332 rllffll.exe 88 PID 2332 wrote to memory of 3936 2332 rllffll.exe 88 PID 2332 wrote to memory of 3936 2332 rllffll.exe 88 PID 3936 wrote to memory of 904 3936 bbnhbt.exe 89 PID 3936 wrote to memory of 904 3936 bbnhbt.exe 89 PID 3936 wrote to memory of 904 3936 bbnhbt.exe 89 PID 904 wrote to memory of 3248 904 thhbbb.exe 90 PID 904 wrote to memory of 3248 904 thhbbb.exe 90 PID 904 wrote to memory of 3248 904 thhbbb.exe 90 PID 3248 wrote to memory of 1796 3248 jvdvp.exe 91 PID 3248 wrote to memory of 1796 3248 jvdvp.exe 91 PID 3248 wrote to memory of 1796 3248 jvdvp.exe 91 PID 1796 wrote to memory of 3040 1796 lflfxxr.exe 92 PID 1796 wrote to memory of 3040 1796 lflfxxr.exe 92 PID 1796 wrote to memory of 3040 1796 lflfxxr.exe 92 PID 3040 wrote to memory of 2912 3040 lfrrrlr.exe 93 PID 3040 wrote to memory of 
2912 3040 lfrrrlr.exe 93 PID 3040 wrote to memory of 2912 3040 lfrrrlr.exe 93 PID 2912 wrote to memory of 1556 2912 hbntnt.exe 94 PID 2912 wrote to memory of 1556 2912 hbntnt.exe 94 PID 2912 wrote to memory of 1556 2912 hbntnt.exe 94 PID 1556 wrote to memory of 1964 1556 9dvvd.exe 95 PID 1556 wrote to memory of 1964 1556 9dvvd.exe 95 PID 1556 wrote to memory of 1964 1556 9dvvd.exe 95 PID 1964 wrote to memory of 4832 1964 jvddv.exe 96 PID 1964 wrote to memory of 4832 1964 jvddv.exe 96 PID 1964 wrote to memory of 4832 1964 jvddv.exe 96 PID 4832 wrote to memory of 2128 4832 ffrxllx.exe 97 PID 4832 wrote to memory of 2128 4832 ffrxllx.exe 97 PID 4832 wrote to memory of 2128 4832 ffrxllx.exe 97 PID 2128 wrote to memory of 2776 2128 1bnhbb.exe 98 PID 2128 wrote to memory of 2776 2128 1bnhbb.exe 98 PID 2128 wrote to memory of 2776 2128 1bnhbb.exe 98 PID 2776 wrote to memory of 3044 2776 dvvpj.exe 99 PID 2776 wrote to memory of 3044 2776 dvvpj.exe 99 PID 2776 wrote to memory of 3044 2776 dvvpj.exe 99 PID 3044 wrote to memory of 2084 3044 xllfffx.exe 100 PID 3044 wrote to memory of 2084 3044 xllfffx.exe 100 PID 3044 wrote to memory of 2084 3044 xllfffx.exe 100 PID 2084 wrote to memory of 3872 2084 nthhnt.exe 101 PID 2084 wrote to memory of 3872 2084 nthhnt.exe 101 PID 2084 wrote to memory of 3872 2084 nthhnt.exe 101 PID 3872 wrote to memory of 4024 3872 jjppj.exe 102 PID 3872 wrote to memory of 4024 3872 jjppj.exe 102 PID 3872 wrote to memory of 4024 3872 jjppj.exe 102 PID 4024 wrote to memory of 2480 4024 jjjjd.exe 103
Processes (a strictly linear chain: each dropped EXE spawns exactly one successor, 122 levels deep within the 150 s window; only levels 2–65 carry the "Executes dropped EXE" tag, which matches that signature's 64-IoC cap rather than a change in behaviour past level 65)
-
C:\Users\Admin\AppData\Local\Temp\bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe"C:\Users\Admin\AppData\Local\Temp\bc0441b80dcafa7918bd54404a8ec369371383e7360798f820df8c8aa61acf88.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\frrfxfx.exec:\frrfxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:612 -
\??\c:\tttnhh.exec:\tttnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\pjpjj.exec:\pjpjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\fflflrl.exec:\fflflrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\jvjjj.exec:\jvjjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\rllffll.exec:\rllffll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\bbnhbt.exec:\bbnhbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\thhbbb.exec:\thhbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
\??\c:\jvdvp.exec:\jvdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\lflfxxr.exec:\lflfxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\lfrrrlr.exec:\lfrrrlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\hbntnt.exec:\hbntnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\9dvvd.exec:\9dvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\jvddv.exec:\jvddv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\ffrxllx.exec:\ffrxllx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\1bnhbb.exec:\1bnhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\dvvpj.exec:\dvvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\xllfffx.exec:\xllfffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\nthhnt.exec:\nthhnt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\jjppj.exec:\jjppj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\jjjjd.exec:\jjjjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\tttttt.exec:\tttttt.exe23⤵
- Executes dropped EXE
PID:2480 -
\??\c:\jjpjj.exec:\jjpjj.exe24⤵
- Executes dropped EXE
PID:4716 -
\??\c:\dddvp.exec:\dddvp.exe25⤵
- Executes dropped EXE
PID:4448 -
\??\c:\xffxxff.exec:\xffxxff.exe26⤵
- Executes dropped EXE
PID:2876 -
\??\c:\hhhhbt.exec:\hhhhbt.exe27⤵
- Executes dropped EXE
PID:708 -
\??\c:\7jjvv.exec:\7jjvv.exe28⤵
- Executes dropped EXE
PID:4428 -
\??\c:\lflfxrr.exec:\lflfxrr.exe29⤵
- Executes dropped EXE
PID:2900 -
\??\c:\tttnnh.exec:\tttnnh.exe30⤵
- Executes dropped EXE
PID:4432 -
\??\c:\pjjpj.exec:\pjjpj.exe31⤵
- Executes dropped EXE
PID:2276 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe32⤵
- Executes dropped EXE
PID:2296 -
\??\c:\hbbnhh.exec:\hbbnhh.exe33⤵
- Executes dropped EXE
PID:2488 -
\??\c:\pdppj.exec:\pdppj.exe34⤵
- Executes dropped EXE
PID:768 -
\??\c:\lfllflf.exec:\lfllflf.exe35⤵
- Executes dropped EXE
PID:3580 -
\??\c:\hnnnnn.exec:\hnnnnn.exe36⤵
- Executes dropped EXE
PID:4476 -
\??\c:\3tbttt.exec:\3tbttt.exe37⤵
- Executes dropped EXE
PID:3324 -
\??\c:\xlfxxxx.exec:\xlfxxxx.exe38⤵
- Executes dropped EXE
PID:3644 -
\??\c:\rxrxrxr.exec:\rxrxrxr.exe39⤵
- Executes dropped EXE
PID:4144 -
\??\c:\tttbbb.exec:\tttbbb.exe40⤵
- Executes dropped EXE
PID:4940 -
\??\c:\5jjdv.exec:\5jjdv.exe41⤵
- Executes dropped EXE
PID:1040 -
\??\c:\dddvp.exec:\dddvp.exe42⤵
- Executes dropped EXE
PID:428 -
\??\c:\ffrllll.exec:\ffrllll.exe43⤵
- Executes dropped EXE
PID:3588 -
\??\c:\ntbbbb.exec:\ntbbbb.exe44⤵
- Executes dropped EXE
PID:2936 -
\??\c:\pvjjv.exec:\pvjjv.exe45⤵
- Executes dropped EXE
PID:2060 -
\??\c:\dvjjj.exec:\dvjjj.exe46⤵
- Executes dropped EXE
PID:3344 -
\??\c:\xlrrfff.exec:\xlrrfff.exe47⤵
- Executes dropped EXE
PID:3392 -
\??\c:\lflxrrf.exec:\lflxrrf.exe48⤵
- Executes dropped EXE
PID:1540 -
\??\c:\1hnhtn.exec:\1hnhtn.exe49⤵
- Executes dropped EXE
PID:1156 -
\??\c:\5jdpd.exec:\5jdpd.exe50⤵
- Executes dropped EXE
PID:3260 -
\??\c:\xfxrlrl.exec:\xfxrlrl.exe51⤵
- Executes dropped EXE
PID:4336 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe52⤵
- Executes dropped EXE
PID:3652 -
\??\c:\9tbtnh.exec:\9tbtnh.exe53⤵
- Executes dropped EXE
PID:4272 -
\??\c:\jpdvd.exec:\jpdvd.exe54⤵
- Executes dropped EXE
PID:3056 -
\??\c:\1vvpp.exec:\1vvpp.exe55⤵
- Executes dropped EXE
PID:1692 -
\??\c:\lfffrxr.exec:\lfffrxr.exe56⤵
- Executes dropped EXE
PID:4480 -
\??\c:\fllxrfr.exec:\fllxrfr.exe57⤵
- Executes dropped EXE
PID:1000 -
\??\c:\bbhbnn.exec:\bbhbnn.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252 -
\??\c:\ppvdv.exec:\ppvdv.exe59⤵
- Executes dropped EXE
PID:4408 -
\??\c:\3ppdv.exec:\3ppdv.exe60⤵
- Executes dropped EXE
PID:440 -
\??\c:\xxfxxxr.exec:\xxfxxxr.exe61⤵
- Executes dropped EXE
PID:2332 -
\??\c:\tbbbtt.exec:\tbbbtt.exe62⤵
- Executes dropped EXE
PID:2752 -
\??\c:\5pdpj.exec:\5pdpj.exe63⤵
- Executes dropped EXE
PID:2928 -
\??\c:\1pdvp.exec:\1pdvp.exe64⤵
- Executes dropped EXE
PID:3424 -
\??\c:\frrfxlf.exec:\frrfxlf.exe65⤵
- Executes dropped EXE
PID:3752 -
\??\c:\nttnhh.exec:\nttnhh.exe66⤵PID:4456
-
\??\c:\9hnhtn.exec:\9hnhtn.exe67⤵PID:964
-
\??\c:\jjpdv.exec:\jjpdv.exe68⤵PID:4184
-
\??\c:\5pvjp.exec:\5pvjp.exe69⤵PID:1504
-
\??\c:\lrrfrlf.exec:\lrrfrlf.exe70⤵PID:4356
-
\??\c:\hhtbbb.exec:\hhtbbb.exe71⤵PID:1556
-
\??\c:\nhhnth.exec:\nhhnth.exe72⤵PID:1468
-
\??\c:\jpvjd.exec:\jpvjd.exe73⤵PID:3028
-
\??\c:\fxrlfff.exec:\fxrlfff.exe74⤵PID:4756
-
\??\c:\fxrlxxf.exec:\fxrlxxf.exe75⤵PID:992
-
\??\c:\bhnbtn.exec:\bhnbtn.exe76⤵PID:2804
-
\??\c:\7hhnnb.exec:\7hhnnb.exe77⤵PID:1300
-
\??\c:\jddpp.exec:\jddpp.exe78⤵PID:1524
-
\??\c:\pdjdd.exec:\pdjdd.exe79⤵PID:4884
-
\??\c:\bhthnb.exec:\bhthnb.exe80⤵PID:2604
-
\??\c:\jjpvv.exec:\jjpvv.exe81⤵PID:1732
-
\??\c:\xxfffff.exec:\xxfffff.exe82⤵PID:4520
-
\??\c:\5ntbbh.exec:\5ntbbh.exe83⤵PID:1588
-
\??\c:\xllfrlx.exec:\xllfrlx.exe84⤵PID:1364
-
\??\c:\nbhbtt.exec:\nbhbtt.exe85⤵PID:2564
-
\??\c:\xxxrlrr.exec:\xxxrlrr.exe86⤵PID:4804
-
\??\c:\hbnnhh.exec:\hbnnhh.exe87⤵PID:2096
-
\??\c:\ddppp.exec:\ddppp.exe88⤵PID:4436
-
\??\c:\vvvpj.exec:\vvvpj.exe89⤵PID:3532
-
\??\c:\vpppj.exec:\vpppj.exe90⤵PID:2268
-
\??\c:\nhbhhn.exec:\nhbhhn.exe91⤵PID:3636
-
\??\c:\ntbbbh.exec:\ntbbbh.exe92⤵PID:728
-
\??\c:\llfxfrx.exec:\llfxfrx.exe93⤵PID:1496
-
\??\c:\1rfffrl.exec:\1rfffrl.exe94⤵PID:2984
-
\??\c:\vvddv.exec:\vvddv.exe95⤵PID:3800
-
\??\c:\vpdjd.exec:\vpdjd.exe96⤵PID:2136
-
\??\c:\lxflflf.exec:\lxflflf.exe97⤵PID:3580
-
\??\c:\hnhbhh.exec:\hnhbhh.exe98⤵PID:4360
-
\??\c:\pvjjd.exec:\pvjjd.exe99⤵PID:1864
-
\??\c:\9bhbbb.exec:\9bhbbb.exe100⤵PID:1988
-
\??\c:\frrrlfx.exec:\frrrlfx.exe101⤵PID:912
-
\??\c:\hbtnht.exec:\hbtnht.exe102⤵PID:1900
-
\??\c:\5httnt.exec:\5httnt.exe103⤵PID:4940
-
\??\c:\7pvpp.exec:\7pvpp.exe104⤵PID:4548
-
\??\c:\dpddj.exec:\dpddj.exe105⤵PID:3908
-
\??\c:\xxxxrrl.exec:\xxxxrrl.exe106⤵PID:3516
-
\??\c:\9hthbb.exec:\9hthbb.exe107⤵PID:4080
-
\??\c:\hhtnhh.exec:\hhtnhh.exe108⤵PID:4968
-
\??\c:\pvjdj.exec:\pvjdj.exe109⤵PID:2060
-
\??\c:\fxrrlxx.exec:\fxrrlxx.exe110⤵PID:3916
-
\??\c:\1hhhnn.exec:\1hhhnn.exe111⤵PID:3392
-
\??\c:\jjppv.exec:\jjppv.exe112⤵PID:4916
-
\??\c:\xxlfllx.exec:\xxlfllx.exe113⤵PID:3952
-
\??\c:\lfrrrrx.exec:\lfrrrrx.exe114⤵PID:744
-
\??\c:\tnnhhh.exec:\tnnhhh.exe115⤵PID:4332
-
\??\c:\vjvpj.exec:\vjvpj.exe116⤵PID:4936
-
\??\c:\9rlllll.exec:\9rlllll.exe117⤵PID:5076
-
\??\c:\9nbtnn.exec:\9nbtnn.exe118⤵PID:5028
-
\??\c:\jjpjd.exec:\jjpjd.exe119⤵PID:3396
-
\??\c:\xfxlffx.exec:\xfxlffx.exe120⤵PID:3676
-
\??\c:\7ttnhh.exec:\7ttnhh.exe121⤵PID:3308
-
\??\c:\jpddj.exec:\jpddj.exe122⤵PID:4864
-