Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:18
Behavioral task
behavioral1
Sample
bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe
-
Size
332KB
-
MD5
af511fab26b228f68b2248dc415371e9
-
SHA1
8298d872a4366cd07cd369b3deed183b950a81c5
-
SHA256
bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1
-
SHA512
dc34216b39376e02e7054c5f5130c3754a6064be334bd2555c7d3265a1524ac0913780285aa2e49c5082972774ab6f1d73aab24aa157a4711a768d368521becc
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbef:R4wFHoSHYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2376-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3956-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2840-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3536-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1952-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4052-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1756-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3500-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2896-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4948-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4572-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3660-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3140-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3172-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3096-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4236-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3452-141-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4984-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5008-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1388-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1664-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/848-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3992-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2916-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4292-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2344-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2620-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3264-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2880-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3108-290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/972-299-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3836-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3936-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4056-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3940-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2060-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/676-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3460-404-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3240-427-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1216-432-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-439-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2096-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4804-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-476-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1996-479-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-795-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-919-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2244-1170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/380-1293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3956 3xlfxff.exe 1952 jjjdd.exe 2840 7xflrxf.exe 3536 tnntbh.exe 3660 hhnnht.exe 4052 lxrfxxr.exe 1756 pjvvv.exe 3500 xrfffll.exe 2896 bnbbtt.exe 4948 lrrrrxl.exe 628 ppppd.exe 2740 rlrrllf.exe 4572 hbbtnh.exe 4388 vdvdv.exe 3140 hnbtnt.exe 2464 rrxxlrr.exe 776 3bnhbb.exe 4936 vpvpj.exe 4596 xlrlxrx.exe 3520 jjppp.exe 3172 vvjjp.exe 3096 hhbbnn.exe 1240 jpvvp.exe 1156 9lxxrxx.exe 1716 lfrxrrf.exe 4236 tbnbtn.exe 1152 ppppj.exe 1300 lflfxxl.exe 3452 dvvvp.exe 3612 1lrlfxr.exe 4708 rfllfxx.exe 3984 hthbbh.exe 4984 vjvvp.exe 3184 jdddd.exe 5032 bhnbtn.exe 4632 nnhtnh.exe 1084 pjvvv.exe 1664 ffllffx.exe 1208 nhnhtt.exe 1184 jpvvp.exe 448 pjpjj.exe 5008 nhtnnh.exe 1624 hhnhbb.exe 4032 hbhhhb.exe 1076 djppd.exe 1040 lfxrffr.exe 1388 xrrfxxx.exe 5052 3thbhh.exe 5020 dpvvp.exe 848 pjpjv.exe 4844 lrxxxrf.exe 3992 thbthh.exe 2544 dvjjd.exe 5068 ffflrrf.exe 2916 vdjjd.exe 2260 lllrlxr.exe 4292 xrxrlff.exe 4332 vpppp.exe 2788 ddppd.exe 2344 xrlfffx.exe 2596 tnttbb.exe 4580 hbhbtn.exe 3176 jvjpd.exe 3224 lfrlfff.exe -
resource yara_rule behavioral2/memory/2376-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b93-3.dat upx behavioral2/memory/2376-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8b-8.dat upx behavioral2/memory/3956-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8c-11.dat upx behavioral2/memory/2840-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8d-19.dat upx behavioral2/memory/3536-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1952-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8e-24.dat upx behavioral2/files/0x0007000000023c8f-28.dat upx behavioral2/memory/4052-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c90-33.dat upx behavioral2/memory/4052-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-38.dat upx behavioral2/memory/1756-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-43.dat upx behavioral2/memory/3500-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-48.dat upx behavioral2/memory/2896-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c94-53.dat upx behavioral2/memory/4948-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-59.dat upx behavioral2/files/0x0007000000023c96-62.dat upx behavioral2/memory/4572-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c97-68.dat upx behavioral2/files/0x0007000000023c98-71.dat upx behavioral2/memory/3660-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c88-76.dat upx behavioral2/memory/3140-78-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c9a-81.dat upx behavioral2/memory/2464-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-86.dat upx behavioral2/memory/4936-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-95.dat upx behavioral2/files/0x0007000000023c9c-92.dat upx behavioral2/memory/3520-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-100.dat upx behavioral2/files/0x0007000000023c9f-106.dat upx behavioral2/memory/3172-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-109.dat upx behavioral2/files/0x0007000000023ca1-114.dat upx behavioral2/memory/1156-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3096-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-119.dat upx behavioral2/files/0x0007000000023ca3-123.dat upx behavioral2/memory/4236-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-128.dat upx behavioral2/files/0x0007000000023ca5-132.dat upx behavioral2/files/0x0007000000023ca6-136.dat upx behavioral2/files/0x0007000000023ca7-140.dat upx behavioral2/memory/3612-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3452-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-146.dat upx behavioral2/files/0x0007000000023ca9-150.dat upx behavioral2/memory/4984-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3184-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4632-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5008-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1388-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1664-189-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/848-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4844-199-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbtb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2376 wrote to memory of 3956 2376 bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe 83 PID 2376 wrote to memory of 3956 2376 bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe 83 PID 2376 wrote to memory of 3956 2376 bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe 83 PID 3956 wrote to memory of 1952 3956 3xlfxff.exe 84 PID 3956 wrote to memory of 1952 3956 3xlfxff.exe 84 PID 3956 wrote to memory of 1952 3956 3xlfxff.exe 84 PID 1952 wrote to memory of 2840 1952 jjjdd.exe 85 PID 1952 wrote to memory of 2840 1952 jjjdd.exe 85 PID 1952 wrote to memory of 2840 1952 jjjdd.exe 85 PID 2840 wrote to memory of 3536 2840 7xflrxf.exe 86 PID 2840 wrote to memory of 3536 2840 7xflrxf.exe 86 PID 2840 wrote to memory of 3536 2840 7xflrxf.exe 86 PID 3536 wrote to memory of 3660 3536 tnntbh.exe 87 PID 3536 wrote to memory of 3660 3536 tnntbh.exe 87 PID 3536 wrote to memory of 3660 3536 tnntbh.exe 87 PID 3660 wrote to memory of 4052 3660 hhnnht.exe 88 PID 3660 wrote to memory of 4052 3660 hhnnht.exe 88 PID 3660 wrote to memory of 4052 3660 hhnnht.exe 88 PID 4052 wrote to memory of 1756 4052 lxrfxxr.exe 89 PID 4052 wrote to memory of 1756 4052 lxrfxxr.exe 89 PID 4052 wrote to memory of 1756 4052 lxrfxxr.exe 89 PID 1756 wrote to memory of 3500 1756 pjvvv.exe 90 PID 1756 wrote to memory of 3500 1756 pjvvv.exe 90 PID 1756 wrote to memory of 3500 1756 pjvvv.exe 90 PID 3500 wrote to memory of 2896 3500 xrfffll.exe 91 PID 3500 wrote to memory of 2896 3500 xrfffll.exe 91 PID 3500 wrote to memory of 2896 3500 xrfffll.exe 91 PID 2896 wrote to memory of 4948 2896 bnbbtt.exe 92 PID 2896 wrote to memory of 4948 2896 bnbbtt.exe 92 PID 2896 wrote to memory of 4948 2896 bnbbtt.exe 92 PID 4948 wrote to memory of 628 4948 lrrrrxl.exe 93 PID 4948 wrote to memory of 628 4948 lrrrrxl.exe 93 PID 4948 wrote to memory of 628 4948 lrrrrxl.exe 93 PID 628 wrote to memory of 2740 628 ppppd.exe 94 PID 628 wrote to 
memory of 2740 628 ppppd.exe 94 PID 628 wrote to memory of 2740 628 ppppd.exe 94 PID 2740 wrote to memory of 4572 2740 rlrrllf.exe 95 PID 2740 wrote to memory of 4572 2740 rlrrllf.exe 95 PID 2740 wrote to memory of 4572 2740 rlrrllf.exe 95 PID 4572 wrote to memory of 4388 4572 hbbtnh.exe 96 PID 4572 wrote to memory of 4388 4572 hbbtnh.exe 96 PID 4572 wrote to memory of 4388 4572 hbbtnh.exe 96 PID 4388 wrote to memory of 3140 4388 vdvdv.exe 97 PID 4388 wrote to memory of 3140 4388 vdvdv.exe 97 PID 4388 wrote to memory of 3140 4388 vdvdv.exe 97 PID 3140 wrote to memory of 2464 3140 hnbtnt.exe 98 PID 3140 wrote to memory of 2464 3140 hnbtnt.exe 98 PID 3140 wrote to memory of 2464 3140 hnbtnt.exe 98 PID 2464 wrote to memory of 776 2464 rrxxlrr.exe 99 PID 2464 wrote to memory of 776 2464 rrxxlrr.exe 99 PID 2464 wrote to memory of 776 2464 rrxxlrr.exe 99 PID 776 wrote to memory of 4936 776 3bnhbb.exe 100 PID 776 wrote to memory of 4936 776 3bnhbb.exe 100 PID 776 wrote to memory of 4936 776 3bnhbb.exe 100 PID 4936 wrote to memory of 4596 4936 vpvpj.exe 101 PID 4936 wrote to memory of 4596 4936 vpvpj.exe 101 PID 4936 wrote to memory of 4596 4936 vpvpj.exe 101 PID 4596 wrote to memory of 3520 4596 xlrlxrx.exe 102 PID 4596 wrote to memory of 3520 4596 xlrlxrx.exe 102 PID 4596 wrote to memory of 3520 4596 xlrlxrx.exe 102 PID 3520 wrote to memory of 3172 3520 jjppp.exe 103 PID 3520 wrote to memory of 3172 3520 jjppp.exe 103 PID 3520 wrote to memory of 3172 3520 jjppp.exe 103 PID 3172 wrote to memory of 3096 3172 vvjjp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe"C:\Users\Admin\AppData\Local\Temp\bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\3xlfxff.exec:\3xlfxff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\jjjdd.exec:\jjjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\7xflrxf.exec:\7xflrxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\tnntbh.exec:\tnntbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\hhnnht.exec:\hhnnht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\lxrfxxr.exec:\lxrfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\pjvvv.exec:\pjvvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\xrfffll.exec:\xrfffll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\bnbbtt.exec:\bnbbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\lrrrrxl.exec:\lrrrrxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\ppppd.exec:\ppppd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\rlrrllf.exec:\rlrrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\hbbtnh.exec:\hbbtnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\vdvdv.exec:\vdvdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\hnbtnt.exec:\hnbtnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\rrxxlrr.exec:\rrxxlrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\3bnhbb.exec:\3bnhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\vpvpj.exec:\vpvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\xlrlxrx.exec:\xlrlxrx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\jjppp.exec:\jjppp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\vvjjp.exec:\vvjjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\hhbbnn.exec:\hhbbnn.exe23⤵
- Executes dropped EXE
PID:3096 -
\??\c:\jpvvp.exec:\jpvvp.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1240 -
\??\c:\9lxxrxx.exec:\9lxxrxx.exe25⤵
- Executes dropped EXE
PID:1156 -
\??\c:\lfrxrrf.exec:\lfrxrrf.exe26⤵
- Executes dropped EXE
PID:1716 -
\??\c:\tbnbtn.exec:\tbnbtn.exe27⤵
- Executes dropped EXE
PID:4236 -
\??\c:\ppppj.exec:\ppppj.exe28⤵
- Executes dropped EXE
PID:1152 -
\??\c:\lflfxxl.exec:\lflfxxl.exe29⤵
- Executes dropped EXE
PID:1300 -
\??\c:\dvvvp.exec:\dvvvp.exe30⤵
- Executes dropped EXE
PID:3452 -
\??\c:\1lrlfxr.exec:\1lrlfxr.exe31⤵
- Executes dropped EXE
PID:3612 -
\??\c:\rfllfxx.exec:\rfllfxx.exe32⤵
- Executes dropped EXE
PID:4708 -
\??\c:\hthbbh.exec:\hthbbh.exe33⤵
- Executes dropped EXE
PID:3984 -
\??\c:\vjvvp.exec:\vjvvp.exe34⤵
- Executes dropped EXE
PID:4984 -
\??\c:\jdddd.exec:\jdddd.exe35⤵
- Executes dropped EXE
PID:3184 -
\??\c:\bhnbtn.exec:\bhnbtn.exe36⤵
- Executes dropped EXE
PID:5032 -
\??\c:\nnhtnh.exec:\nnhtnh.exe37⤵
- Executes dropped EXE
PID:4632 -
\??\c:\pjvvv.exec:\pjvvv.exe38⤵
- Executes dropped EXE
PID:1084 -
\??\c:\ffllffx.exec:\ffllffx.exe39⤵
- Executes dropped EXE
PID:1664 -
\??\c:\nhnhtt.exec:\nhnhtt.exe40⤵
- Executes dropped EXE
PID:1208 -
\??\c:\jpvvp.exec:\jpvvp.exe41⤵
- Executes dropped EXE
PID:1184 -
\??\c:\pjpjj.exec:\pjpjj.exe42⤵
- Executes dropped EXE
PID:448 -
\??\c:\nhtnnh.exec:\nhtnnh.exe43⤵
- Executes dropped EXE
PID:5008 -
\??\c:\hhnhbb.exec:\hhnhbb.exe44⤵
- Executes dropped EXE
PID:1624 -
\??\c:\hbhhhb.exec:\hbhhhb.exe45⤵
- Executes dropped EXE
PID:4032 -
\??\c:\djppd.exec:\djppd.exe46⤵
- Executes dropped EXE
PID:1076 -
\??\c:\lfxrffr.exec:\lfxrffr.exe47⤵
- Executes dropped EXE
PID:1040 -
\??\c:\xrrfxxx.exec:\xrrfxxx.exe48⤵
- Executes dropped EXE
PID:1388 -
\??\c:\3thbhh.exec:\3thbhh.exe49⤵
- Executes dropped EXE
PID:5052 -
\??\c:\dpvvp.exec:\dpvvp.exe50⤵
- Executes dropped EXE
PID:5020 -
\??\c:\pjpjv.exec:\pjpjv.exe51⤵
- Executes dropped EXE
PID:848 -
\??\c:\lrxxxrf.exec:\lrxxxrf.exe52⤵
- Executes dropped EXE
PID:4844 -
\??\c:\thbthh.exec:\thbthh.exe53⤵
- Executes dropped EXE
PID:3992 -
\??\c:\dvjjd.exec:\dvjjd.exe54⤵
- Executes dropped EXE
PID:2544 -
\??\c:\ffflrrf.exec:\ffflrrf.exe55⤵
- Executes dropped EXE
PID:5068 -
\??\c:\vdjjd.exec:\vdjjd.exe56⤵
- Executes dropped EXE
PID:2916 -
\??\c:\lllrlxr.exec:\lllrlxr.exe57⤵
- Executes dropped EXE
PID:2260 -
\??\c:\xrxrlff.exec:\xrxrlff.exe58⤵
- Executes dropped EXE
PID:4292 -
\??\c:\vpppp.exec:\vpppp.exe59⤵
- Executes dropped EXE
PID:4332 -
\??\c:\ddppd.exec:\ddppd.exe60⤵
- Executes dropped EXE
PID:2788 -
\??\c:\xrlfffx.exec:\xrlfffx.exe61⤵
- Executes dropped EXE
PID:2344 -
\??\c:\tnttbb.exec:\tnttbb.exe62⤵
- Executes dropped EXE
PID:2596 -
\??\c:\hbhbtn.exec:\hbhbtn.exe63⤵
- Executes dropped EXE
PID:4580 -
\??\c:\jvjpd.exec:\jvjpd.exe64⤵
- Executes dropped EXE
PID:3176 -
\??\c:\lfrlfff.exec:\lfrlfff.exe65⤵
- Executes dropped EXE
PID:3224 -
\??\c:\llfflll.exec:\llfflll.exe66⤵PID:4092
-
\??\c:\tnthhh.exec:\tnthhh.exe67⤵PID:60
-
\??\c:\tnnnhn.exec:\tnnnhn.exe68⤵PID:2620
-
\??\c:\vvddj.exec:\vvddj.exe69⤵PID:1072
-
\??\c:\flxxxxr.exec:\flxxxxr.exe70⤵PID:3264
-
\??\c:\fxxrrxx.exec:\fxxrrxx.exe71⤵PID:348
-
\??\c:\bhbbtn.exec:\bhbbtn.exe72⤵PID:1796
-
\??\c:\jjpjd.exec:\jjpjd.exe73⤵PID:4520
-
\??\c:\rllfxxr.exec:\rllfxxr.exe74⤵PID:2912
-
\??\c:\hhnnnb.exec:\hhnnnb.exe75⤵PID:4528
-
\??\c:\pdddj.exec:\pdddj.exe76⤵PID:1744
-
\??\c:\jdvpj.exec:\jdvpj.exe77⤵PID:3348
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe78⤵PID:2880
-
\??\c:\thnhbh.exec:\thnhbh.exe79⤵PID:3588
-
\??\c:\1vvpp.exec:\1vvpp.exe80⤵PID:2472
-
\??\c:\xxfffrx.exec:\xxfffrx.exe81⤵PID:1228
-
\??\c:\hhhhhh.exec:\hhhhhh.exe82⤵PID:2464
-
\??\c:\vvvpd.exec:\vvvpd.exe83⤵PID:4612
-
\??\c:\rfxllfx.exec:\rfxllfx.exe84⤵PID:2968
-
\??\c:\rlfxlxx.exec:\rlfxlxx.exe85⤵PID:828
-
\??\c:\htnhbb.exec:\htnhbb.exe86⤵PID:3676
-
\??\c:\ddvpp.exec:\ddvpp.exe87⤵PID:1512
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe88⤵PID:712
-
\??\c:\7flfxxr.exec:\7flfxxr.exe89⤵PID:4800
-
\??\c:\hhnnhn.exec:\hhnnhn.exe90⤵PID:4084
-
\??\c:\vddvp.exec:\vddvp.exe91⤵PID:3108
-
\??\c:\frflfff.exec:\frflfff.exe92⤵PID:4896
-
\??\c:\7xxxfxf.exec:\7xxxfxf.exe93⤵PID:4700
-
\??\c:\bbbhhh.exec:\bbbhhh.exe94⤵PID:1336
-
\??\c:\dpvpp.exec:\dpvpp.exe95⤵PID:972
-
\??\c:\ppppp.exec:\ppppp.exe96⤵PID:3764
-
\??\c:\xlllfll.exec:\xlllfll.exe97⤵PID:3296
-
\??\c:\nnnnnn.exec:\nnnnnn.exe98⤵PID:3580
-
\??\c:\vpddj.exec:\vpddj.exe99⤵PID:4500
-
\??\c:\frrrlrx.exec:\frrrlrx.exe100⤵PID:3148
-
\??\c:\rlrrlrl.exec:\rlrrlrl.exe101⤵PID:2424
-
\??\c:\nhhhbb.exec:\nhhhbb.exe102⤵PID:4992
-
\??\c:\dpvpp.exec:\dpvpp.exe103⤵PID:3824
-
\??\c:\ffxxrxx.exec:\ffxxrxx.exe104⤵PID:3836
-
\??\c:\frfxxrr.exec:\frfxxrr.exe105⤵PID:1856
-
\??\c:\vjvdv.exec:\vjvdv.exe106⤵PID:3936
-
\??\c:\pjvpv.exec:\pjvpv.exe107⤵PID:4804
-
\??\c:\ffllrrl.exec:\ffllrrl.exe108⤵PID:4704
-
\??\c:\thnbbt.exec:\thnbbt.exe109⤵PID:1604
-
\??\c:\1jjvv.exec:\1jjvv.exe110⤵PID:4056
-
\??\c:\lxxrrlx.exec:\lxxrrlx.exe111⤵PID:2652
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe112⤵PID:5104
-
\??\c:\nthbtt.exec:\nthbtt.exe113⤵PID:3200
-
\??\c:\jdvvj.exec:\jdvvj.exe114⤵PID:2636
-
\??\c:\1flfrxr.exec:\1flfrxr.exe115⤵PID:3900
-
\??\c:\lfxrlxr.exec:\lfxrlxr.exe116⤵PID:5080
-
\??\c:\hbhbtt.exec:\hbhbtt.exe117⤵PID:4036
-
\??\c:\dppjj.exec:\dppjj.exe118⤵PID:1588
-
\??\c:\xrxrllf.exec:\xrxrllf.exe119⤵PID:3940
-
\??\c:\rrxxxrr.exec:\rrxxxrr.exe120⤵PID:3992
-
\??\c:\bhtnnn.exec:\bhtnnn.exe121⤵PID:2544
-
\??\c:\pjppp.exec:\pjppp.exe122⤵PID:5076