Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe
-
Size
455KB
-
MD5
a3319195a96a1f367235b029c9b53f12
-
SHA1
2f991103478d9f7848269830d97f2f72d9900b88
-
SHA256
bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60
-
SHA512
c943099f8fee9cce1365f2b0e7c64480828170f6b8efffce1d846778c1398363b3f94d286a780bf53d57280bccd3f2edc93b9a7a84276a62842b0824348db9a2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTf:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2272-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4916-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3728-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-859-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-1100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-1417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2272 hbnntt.exe 4084 jddvp.exe 4120 lxxrllf.exe 4784 5bthbn.exe 3780 vjpdp.exe 3952 flrlffx.exe 2644 thnhhb.exe 4720 vjpjp.exe 3892 xrrlfrr.exe 2216 nhnhhh.exe 2520 hbbtnn.exe 3148 vjjdv.exe 5076 3lxrrrl.exe 4696 htbttt.exe 2864 5tnhbh.exe 4460 9jdpd.exe 3772 1xrlflf.exe 3012 ffrrfxf.exe 1524 1ddjp.exe 4704 tntnnn.exe 2660 xxrxxrr.exe 4524 5jjdd.exe 4780 lxflflf.exe 3620 rxxrlfr.exe 2020 vppjd.exe 3120 thhbtn.exe 4916 vdjdv.exe 1804 5xxfxxl.exe 3208 hbbhtt.exe 1284 vjpjd.exe 3240 nhnhbb.exe 3184 jpvpp.exe 2744 3pjjd.exe 1796 jppdp.exe 1556 jdpjd.exe 3000 flfrrlf.exe 2984 ffrlfrr.exe 4776 bthbbt.exe 1068 tbnhhh.exe 2128 jvjdd.exe 4972 xrxllfl.exe 2060 tnbbhb.exe 1712 1djdv.exe 2532 djpjd.exe 2956 1xlfxrl.exe 2188 bntnnh.exe 3264 jjpjj.exe 1264 xlfxxxx.exe 1484 5xrlxlx.exe 4812 9ttnhb.exe 4348 vdpjd.exe 4576 dpvdv.exe 2964 7lrrxxf.exe 2272 3hbtnt.exe 4836 1nnhbb.exe 1528 vpdvp.exe 1300 llrlfxr.exe 1788 ntthbt.exe 4144 5tnnnn.exe 3576 jdjpj.exe 3292 9ffrllx.exe 4336 ttnhbt.exe 4148 nhhhht.exe 2160 pjvpv.exe -
resource yara_rule behavioral2/memory/2272-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3240-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4876-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-631-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
flrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2352 wrote to memory of 2272 2352 bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe 82 PID 2352 wrote to memory of 2272 2352 bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe 82 PID 2352 wrote to memory of 2272 2352 bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe 82 PID 2272 wrote to memory of 4084 2272 hbnntt.exe 83 PID 2272 wrote to memory of 4084 2272 hbnntt.exe 83 PID 2272 wrote to memory of 4084 2272 hbnntt.exe 83 PID 4084 wrote to memory of 4120 4084 jddvp.exe 84 PID 4084 wrote to memory of 4120 4084 jddvp.exe 84 PID 4084 wrote to memory of 4120 4084 jddvp.exe 84 PID 4120 wrote to memory of 4784 4120 lxxrllf.exe 85 PID 4120 wrote to memory of 4784 4120 lxxrllf.exe 85 PID 4120 wrote to memory of 4784 4120 lxxrllf.exe 85 PID 4784 wrote to memory of 3780 4784 5bthbn.exe 86 PID 4784 wrote to memory of 3780 4784 5bthbn.exe 86 PID 4784 wrote to memory of 3780 4784 5bthbn.exe 86 PID 3780 wrote to memory of 3952 3780 vjpdp.exe 87 PID 3780 wrote to memory of 3952 3780 vjpdp.exe 87 PID 3780 wrote to memory of 3952 3780 vjpdp.exe 87 PID 3952 wrote to memory of 2644 3952 flrlffx.exe 88 PID 3952 wrote to memory of 2644 3952 flrlffx.exe 88 PID 3952 wrote to memory of 2644 3952 flrlffx.exe 88 PID 2644 wrote to memory of 4720 2644 thnhhb.exe 89 PID 2644 wrote to memory of 4720 2644 thnhhb.exe 89 PID 2644 wrote to memory of 4720 2644 thnhhb.exe 89 PID 4720 wrote to memory of 3892 4720 vjpjp.exe 90 PID 4720 wrote to memory of 3892 4720 vjpjp.exe 90 PID 4720 wrote to memory of 3892 4720 vjpjp.exe 90 PID 3892 wrote to memory of 2216 3892 xrrlfrr.exe 91 PID 3892 wrote to memory of 2216 3892 xrrlfrr.exe 91 PID 3892 wrote to memory of 2216 3892 xrrlfrr.exe 91 PID 2216 wrote to memory of 2520 2216 nhnhhh.exe 92 PID 2216 wrote to memory of 2520 2216 nhnhhh.exe 92 PID 2216 wrote to memory of 2520 2216 nhnhhh.exe 92 PID 2520 wrote to memory of 3148 2520 hbbtnn.exe 93 PID 2520 wrote to 
memory of 3148 2520 hbbtnn.exe 93 PID 2520 wrote to memory of 3148 2520 hbbtnn.exe 93 PID 3148 wrote to memory of 5076 3148 vjjdv.exe 94 PID 3148 wrote to memory of 5076 3148 vjjdv.exe 94 PID 3148 wrote to memory of 5076 3148 vjjdv.exe 94 PID 5076 wrote to memory of 4696 5076 3lxrrrl.exe 95 PID 5076 wrote to memory of 4696 5076 3lxrrrl.exe 95 PID 5076 wrote to memory of 4696 5076 3lxrrrl.exe 95 PID 4696 wrote to memory of 2864 4696 htbttt.exe 96 PID 4696 wrote to memory of 2864 4696 htbttt.exe 96 PID 4696 wrote to memory of 2864 4696 htbttt.exe 96 PID 2864 wrote to memory of 4460 2864 5tnhbh.exe 97 PID 2864 wrote to memory of 4460 2864 5tnhbh.exe 97 PID 2864 wrote to memory of 4460 2864 5tnhbh.exe 97 PID 4460 wrote to memory of 3772 4460 9jdpd.exe 98 PID 4460 wrote to memory of 3772 4460 9jdpd.exe 98 PID 4460 wrote to memory of 3772 4460 9jdpd.exe 98 PID 3772 wrote to memory of 3012 3772 1xrlflf.exe 99 PID 3772 wrote to memory of 3012 3772 1xrlflf.exe 99 PID 3772 wrote to memory of 3012 3772 1xrlflf.exe 99 PID 3012 wrote to memory of 1524 3012 ffrrfxf.exe 100 PID 3012 wrote to memory of 1524 3012 ffrrfxf.exe 100 PID 3012 wrote to memory of 1524 3012 ffrrfxf.exe 100 PID 1524 wrote to memory of 4704 1524 1ddjp.exe 101 PID 1524 wrote to memory of 4704 1524 1ddjp.exe 101 PID 1524 wrote to memory of 4704 1524 1ddjp.exe 101 PID 4704 wrote to memory of 2660 4704 tntnnn.exe 102 PID 4704 wrote to memory of 2660 4704 tntnnn.exe 102 PID 4704 wrote to memory of 2660 4704 tntnnn.exe 102 PID 2660 wrote to memory of 4524 2660 xxrxxrr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe"C:\Users\Admin\AppData\Local\Temp\bc10936dcca187c39a8077ce1205c3e4606303e5bca295f558e792bea9b71b60.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\hbnntt.exec:\hbnntt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\jddvp.exec:\jddvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\lxxrllf.exec:\lxxrllf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\5bthbn.exec:\5bthbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\vjpdp.exec:\vjpdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\flrlffx.exec:\flrlffx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\thnhhb.exec:\thnhhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\vjpjp.exec:\vjpjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\xrrlfrr.exec:\xrrlfrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\nhnhhh.exec:\nhnhhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\hbbtnn.exec:\hbbtnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\vjjdv.exec:\vjjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\3lxrrrl.exec:\3lxrrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\htbttt.exec:\htbttt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\5tnhbh.exec:\5tnhbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\9jdpd.exec:\9jdpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\1xrlflf.exec:\1xrlflf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\ffrrfxf.exec:\ffrrfxf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\1ddjp.exec:\1ddjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\tntnnn.exec:\tntnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\xxrxxrr.exec:\xxrxxrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\5jjdd.exec:\5jjdd.exe23⤵
- Executes dropped EXE
PID:4524 -
\??\c:\lxflflf.exec:\lxflflf.exe24⤵
- Executes dropped EXE
PID:4780 -
\??\c:\rxxrlfr.exec:\rxxrlfr.exe25⤵
- Executes dropped EXE
PID:3620 -
\??\c:\vppjd.exec:\vppjd.exe26⤵
- Executes dropped EXE
PID:2020 -
\??\c:\thhbtn.exec:\thhbtn.exe27⤵
- Executes dropped EXE
PID:3120 -
\??\c:\vdjdv.exec:\vdjdv.exe28⤵
- Executes dropped EXE
PID:4916 -
\??\c:\5xxfxxl.exec:\5xxfxxl.exe29⤵
- Executes dropped EXE
PID:1804 -
\??\c:\hbbhtt.exec:\hbbhtt.exe30⤵
- Executes dropped EXE
PID:3208 -
\??\c:\vjpjd.exec:\vjpjd.exe31⤵
- Executes dropped EXE
PID:1284 -
\??\c:\nhnhbb.exec:\nhnhbb.exe32⤵
- Executes dropped EXE
PID:3240 -
\??\c:\jpvpp.exec:\jpvpp.exe33⤵
- Executes dropped EXE
PID:3184 -
\??\c:\3pjjd.exec:\3pjjd.exe34⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jppdp.exec:\jppdp.exe35⤵
- Executes dropped EXE
PID:1796 -
\??\c:\jdpjd.exec:\jdpjd.exe36⤵
- Executes dropped EXE
PID:1556 -
\??\c:\flfrrlf.exec:\flfrrlf.exe37⤵
- Executes dropped EXE
PID:3000 -
\??\c:\ffrlfrr.exec:\ffrlfrr.exe38⤵
- Executes dropped EXE
PID:2984 -
\??\c:\bthbbt.exec:\bthbbt.exe39⤵
- Executes dropped EXE
PID:4776 -
\??\c:\tbnhhh.exec:\tbnhhh.exe40⤵
- Executes dropped EXE
PID:1068 -
\??\c:\jvjdd.exec:\jvjdd.exe41⤵
- Executes dropped EXE
PID:2128 -
\??\c:\xrxllfl.exec:\xrxllfl.exe42⤵
- Executes dropped EXE
PID:4972 -
\??\c:\tnbbhb.exec:\tnbbhb.exe43⤵
- Executes dropped EXE
PID:2060 -
\??\c:\1djdv.exec:\1djdv.exe44⤵
- Executes dropped EXE
PID:1712 -
\??\c:\djpjd.exec:\djpjd.exe45⤵
- Executes dropped EXE
PID:2532 -
\??\c:\1xlfxrl.exec:\1xlfxrl.exe46⤵
- Executes dropped EXE
PID:2956 -
\??\c:\bntnnh.exec:\bntnnh.exe47⤵
- Executes dropped EXE
PID:2188 -
\??\c:\jjpjj.exec:\jjpjj.exe48⤵
- Executes dropped EXE
PID:3264 -
\??\c:\xlfxxxx.exec:\xlfxxxx.exe49⤵
- Executes dropped EXE
PID:1264 -
\??\c:\5xrlxlx.exec:\5xrlxlx.exe50⤵
- Executes dropped EXE
PID:1484 -
\??\c:\9ttnhb.exec:\9ttnhb.exe51⤵
- Executes dropped EXE
PID:4812 -
\??\c:\vdpjd.exec:\vdpjd.exe52⤵
- Executes dropped EXE
PID:4348 -
\??\c:\dpvdv.exec:\dpvdv.exe53⤵
- Executes dropped EXE
PID:4576 -
\??\c:\7lrrxxf.exec:\7lrrxxf.exe54⤵
- Executes dropped EXE
PID:2964 -
\??\c:\3hbtnt.exec:\3hbtnt.exe55⤵
- Executes dropped EXE
PID:2272 -
\??\c:\1nnhbb.exec:\1nnhbb.exe56⤵
- Executes dropped EXE
PID:4836 -
\??\c:\vpdvp.exec:\vpdvp.exe57⤵
- Executes dropped EXE
PID:1528 -
\??\c:\llrlfxr.exec:\llrlfxr.exe58⤵
- Executes dropped EXE
PID:1300 -
\??\c:\ntthbt.exec:\ntthbt.exe59⤵
- Executes dropped EXE
PID:1788 -
\??\c:\5tnnnn.exec:\5tnnnn.exe60⤵
- Executes dropped EXE
PID:4144 -
\??\c:\jdjpj.exec:\jdjpj.exe61⤵
- Executes dropped EXE
PID:3576 -
\??\c:\9ffrllx.exec:\9ffrllx.exe62⤵
- Executes dropped EXE
PID:3292 -
\??\c:\ttnhbt.exec:\ttnhbt.exe63⤵
- Executes dropped EXE
PID:4336 -
\??\c:\nhhhht.exec:\nhhhht.exe64⤵
- Executes dropped EXE
PID:4148 -
\??\c:\pjvpv.exec:\pjvpv.exe65⤵
- Executes dropped EXE
PID:2160 -
\??\c:\9xxlxxr.exec:\9xxlxxr.exe66⤵PID:740
-
\??\c:\bbhbhn.exec:\bbhbhn.exe67⤵PID:3988
-
\??\c:\dpdvp.exec:\dpdvp.exe68⤵PID:1256
-
\??\c:\jdpjj.exec:\jdpjj.exe69⤵PID:2608
-
\??\c:\lxllffx.exec:\lxllffx.exe70⤵PID:3728
-
\??\c:\9ddvp.exec:\9ddvp.exe71⤵PID:1324
-
\??\c:\rllfrrl.exec:\rllfrrl.exe72⤵PID:3648
-
\??\c:\llrxfrx.exec:\llrxfrx.exe73⤵PID:3116
-
\??\c:\bbhbtn.exec:\bbhbtn.exe74⤵PID:2504
-
\??\c:\dvddv.exec:\dvddv.exe75⤵PID:1320
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe76⤵PID:2624
-
\??\c:\1xxxlxl.exec:\1xxxlxl.exe77⤵PID:1296
-
\??\c:\hhthbb.exec:\hhthbb.exe78⤵PID:2068
-
\??\c:\pddjd.exec:\pddjd.exe79⤵PID:3500
-
\??\c:\1xxlffr.exec:\1xxlffr.exe80⤵PID:2100
-
\??\c:\nnnbhn.exec:\nnnbhn.exe81⤵PID:2876
-
\??\c:\5ttnbb.exec:\5ttnbb.exe82⤵PID:2660
-
\??\c:\vvvvv.exec:\vvvvv.exe83⤵PID:1144
-
\??\c:\xrfxrrl.exec:\xrfxrrl.exe84⤵PID:4232
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe85⤵PID:4140
-
\??\c:\thtnhh.exec:\thtnhh.exe86⤵PID:4612
-
\??\c:\9jpdd.exec:\9jpdd.exe87⤵PID:948
-
\??\c:\fxlrrfx.exec:\fxlrrfx.exe88⤵PID:2364
-
\??\c:\flfrlfx.exec:\flfrlfx.exe89⤵
- System Location Discovery: System Language Discovery
PID:1280 -
\??\c:\nbhbtn.exec:\nbhbtn.exe90⤵PID:3960
-
\??\c:\djjdv.exec:\djjdv.exe91⤵PID:4876
-
\??\c:\jddvp.exec:\jddvp.exe92⤵PID:232
-
\??\c:\llxfffx.exec:\llxfffx.exe93⤵PID:5108
-
\??\c:\5hnhbb.exec:\5hnhbb.exe94⤵PID:2544
-
\??\c:\1vpvj.exec:\1vpvj.exe95⤵PID:4156
-
\??\c:\9fxlxrx.exec:\9fxlxrx.exe96⤵PID:4424
-
\??\c:\9nnntt.exec:\9nnntt.exe97⤵PID:1408
-
\??\c:\nhnhbb.exec:\nhnhbb.exe98⤵PID:3504
-
\??\c:\1frrlll.exec:\1frrlll.exe99⤵PID:2108
-
\??\c:\fxffxrr.exec:\fxffxrr.exe100⤵PID:1276
-
\??\c:\htbttn.exec:\htbttn.exe101⤵PID:3828
-
\??\c:\5vdvj.exec:\5vdvj.exe102⤵PID:1656
-
\??\c:\lxlfrrr.exec:\lxlfrrr.exe103⤵PID:1692
-
\??\c:\btbtbt.exec:\btbtbt.exe104⤵PID:32
-
\??\c:\hbtnnn.exec:\hbtnnn.exe105⤵PID:4636
-
\??\c:\djjdv.exec:\djjdv.exe106⤵PID:2128
-
\??\c:\lflxxff.exec:\lflxxff.exe107⤵PID:408
-
\??\c:\flxlfxr.exec:\flxlfxr.exe108⤵PID:2060
-
\??\c:\hnhnnt.exec:\hnhnnt.exe109⤵PID:1712
-
\??\c:\pdjdp.exec:\pdjdp.exe110⤵PID:1156
-
\??\c:\tttnbh.exec:\tttnbh.exe111⤵PID:2956
-
\??\c:\3nhtnn.exec:\3nhtnn.exe112⤵PID:4552
-
\??\c:\ppvjd.exec:\ppvjd.exe113⤵PID:3404
-
\??\c:\lxxfxxf.exec:\lxxfxxf.exe114⤵PID:3288
-
\??\c:\rlfxrrr.exec:\rlfxrrr.exe115⤵PID:4340
-
\??\c:\jddvj.exec:\jddvj.exe116⤵PID:2352
-
\??\c:\lffrlfr.exec:\lffrlfr.exe117⤵PID:1444
-
\??\c:\5bnhbt.exec:\5bnhbt.exe118⤵PID:4084
-
\??\c:\jddjd.exec:\jddjd.exe119⤵PID:3492
-
\??\c:\vdpdp.exec:\vdpdp.exe120⤵PID:4628
-
\??\c:\lflxfrx.exec:\lflxfrx.exe121⤵PID:4540
-
\??\c:\ntbthh.exec:\ntbthh.exe122⤵PID:4956
-