Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/01/2025, 07:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe
-
Size
454KB
-
MD5
5b5e55e9109ef0c766a32ea8d1070723
-
SHA1
55149d7e7fe851a0eada703f46a0ae265a4dfa2e
-
SHA256
bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866
-
SHA512
c21648d477d3a0b9e20b178259f1070e4770d6375cf487c9e3f722b2f0b9c7964bd75d96ee4008dc05e7f624011999a5900dfc5d68e2c6a6f87a40affe099799
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2304-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3224-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2436-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-816-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-1024-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2304 pvjdd.exe 4556 tbhbtt.exe 512 pjjdp.exe 1708 1xfxfxx.exe 4648 xlrlfrl.exe 3060 tnhnhh.exe 4228 3dvvp.exe 2688 dvjdj.exe 1156 5xxxrxx.exe 936 thnhbt.exe 1544 bttnhb.exe 3540 pjjjd.exe 4780 pvjdv.exe 3680 rxflffx.exe 2064 tnnnhh.exe 3292 nhnhnh.exe 2084 ddjpj.exe 4980 xrfxxxx.exe 1456 lrxrllf.exe 3872 nbnhhh.exe 4280 vpdvd.exe 3380 ffxfxxr.exe 3048 rllfxxf.exe 4568 nbnhnh.exe 2696 vppdd.exe 2548 llrlfxr.exe 4860 ttbttt.exe 2648 vjpvp.exe 4364 rfrxrfx.exe 648 xlrlfrl.exe 3624 vppvp.exe 4424 7pjdv.exe 660 9rxrxll.exe 3224 ttnhtb.exe 1588 ddjdv.exe 3232 vdjdv.exe 872 xrffxxx.exe 1172 tnthbb.exe 3260 tntnbb.exe 1592 jvjjj.exe 4156 djpjd.exe 3600 xfxrlfx.exe 4712 ntthnn.exe 2052 nhtntt.exe 1144 dvvjd.exe 1572 llxrlll.exe 2652 fxxfxfx.exe 3772 ntnhbb.exe 4800 1bhbhn.exe 4592 pjvvd.exe 3804 lrxrrff.exe 4376 xxxrllf.exe 4948 bttnbt.exe 3724 vjjdv.exe 4104 pdvvd.exe 448 rlllxxr.exe 5116 xxxrlfx.exe 4804 thtnhh.exe 3504 ddvvp.exe 4536 jpjvp.exe 4260 flllfff.exe 3668 bttnhh.exe 3660 tntnhb.exe 4556 vppjv.exe -
resource yara_rule behavioral2/memory/2304-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2696-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-391-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2656-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-791-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4620 wrote to memory of 2304 4620 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 82 PID 4620 wrote to memory of 2304 4620 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 82 PID 4620 wrote to memory of 2304 4620 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 82 PID 2304 wrote to memory of 4556 2304 pvjdd.exe 145 PID 2304 wrote to memory of 4556 2304 pvjdd.exe 145 PID 2304 wrote to memory of 4556 2304 pvjdd.exe 145 PID 4556 wrote to memory of 512 4556 tbhbtt.exe 146 PID 4556 wrote to memory of 512 4556 tbhbtt.exe 146 PID 4556 wrote to memory of 512 4556 tbhbtt.exe 146 PID 512 wrote to memory of 1708 512 pjjdp.exe 148 PID 512 wrote to memory of 1708 512 pjjdp.exe 148 PID 512 wrote to memory of 1708 512 pjjdp.exe 148 PID 1708 wrote to memory of 4648 1708 1xfxfxx.exe 86 PID 1708 wrote to memory of 4648 1708 1xfxfxx.exe 86 PID 1708 wrote to memory of 4648 1708 1xfxfxx.exe 86 PID 4648 wrote to memory of 3060 4648 xlrlfrl.exe 87 PID 4648 wrote to memory of 3060 4648 xlrlfrl.exe 87 PID 4648 wrote to memory of 3060 4648 xlrlfrl.exe 87 PID 3060 wrote to memory of 4228 3060 tnhnhh.exe 88 PID 3060 wrote to memory of 4228 3060 tnhnhh.exe 88 PID 3060 wrote to memory of 4228 3060 tnhnhh.exe 88 PID 4228 wrote to memory of 2688 4228 3dvvp.exe 89 PID 4228 wrote to memory of 2688 4228 3dvvp.exe 89 PID 4228 wrote to memory of 2688 4228 3dvvp.exe 89 PID 2688 wrote to memory of 1156 2688 dvjdj.exe 152 PID 2688 wrote to memory of 1156 2688 dvjdj.exe 152 PID 2688 wrote to memory of 1156 2688 dvjdj.exe 152 PID 1156 wrote to memory of 936 1156 5xxxrxx.exe 91 PID 1156 wrote to memory of 936 1156 5xxxrxx.exe 91 PID 1156 wrote to memory of 936 1156 5xxxrxx.exe 91 PID 936 wrote to memory of 1544 936 thnhbt.exe 92 PID 936 wrote to memory of 1544 936 thnhbt.exe 92 PID 936 wrote to memory of 1544 936 thnhbt.exe 92 PID 1544 wrote to memory of 3540 1544 bttnhb.exe 93 PID 1544 wrote to memory of 
3540 1544 bttnhb.exe 93 PID 1544 wrote to memory of 3540 1544 bttnhb.exe 93 PID 3540 wrote to memory of 4780 3540 pjjjd.exe 94 PID 3540 wrote to memory of 4780 3540 pjjjd.exe 94 PID 3540 wrote to memory of 4780 3540 pjjjd.exe 94 PID 4780 wrote to memory of 3680 4780 pvjdv.exe 95 PID 4780 wrote to memory of 3680 4780 pvjdv.exe 95 PID 4780 wrote to memory of 3680 4780 pvjdv.exe 95 PID 3680 wrote to memory of 2064 3680 rxflffx.exe 96 PID 3680 wrote to memory of 2064 3680 rxflffx.exe 96 PID 3680 wrote to memory of 2064 3680 rxflffx.exe 96 PID 2064 wrote to memory of 3292 2064 tnnnhh.exe 97 PID 2064 wrote to memory of 3292 2064 tnnnhh.exe 97 PID 2064 wrote to memory of 3292 2064 tnnnhh.exe 97 PID 3292 wrote to memory of 2084 3292 nhnhnh.exe 98 PID 3292 wrote to memory of 2084 3292 nhnhnh.exe 98 PID 3292 wrote to memory of 2084 3292 nhnhnh.exe 98 PID 2084 wrote to memory of 4980 2084 ddjpj.exe 99 PID 2084 wrote to memory of 4980 2084 ddjpj.exe 99 PID 2084 wrote to memory of 4980 2084 ddjpj.exe 99 PID 4980 wrote to memory of 1456 4980 xrfxxxx.exe 100 PID 4980 wrote to memory of 1456 4980 xrfxxxx.exe 100 PID 4980 wrote to memory of 1456 4980 xrfxxxx.exe 100 PID 1456 wrote to memory of 3872 1456 lrxrllf.exe 101 PID 1456 wrote to memory of 3872 1456 lrxrllf.exe 101 PID 1456 wrote to memory of 3872 1456 lrxrllf.exe 101 PID 3872 wrote to memory of 4280 3872 nbnhhh.exe 102 PID 3872 wrote to memory of 4280 3872 nbnhhh.exe 102 PID 3872 wrote to memory of 4280 3872 nbnhhh.exe 102 PID 4280 wrote to memory of 3380 4280 vpdvd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe"C:\Users\Admin\AppData\Local\Temp\bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\pvjdd.exec:\pvjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\tbhbtt.exec:\tbhbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\pjjdp.exec:\pjjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\1xfxfxx.exec:\1xfxfxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\xlrlfrl.exec:\xlrlfrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\tnhnhh.exec:\tnhnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\3dvvp.exec:\3dvvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\dvjdj.exec:\dvjdj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\5xxxrxx.exec:\5xxxrxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\thnhbt.exec:\thnhbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\bttnhb.exec:\bttnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\pjjjd.exec:\pjjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\pvjdv.exec:\pvjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\rxflffx.exec:\rxflffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\tnnnhh.exec:\tnnnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\nhnhnh.exec:\nhnhnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\ddjpj.exec:\ddjpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\lrxrllf.exec:\lrxrllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\nbnhhh.exec:\nbnhhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\vpdvd.exec:\vpdvd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\ffxfxxr.exec:\ffxfxxr.exe23⤵
- Executes dropped EXE
PID:3380 -
\??\c:\rllfxxf.exec:\rllfxxf.exe24⤵
- Executes dropped EXE
PID:3048 -
\??\c:\nbnhnh.exec:\nbnhnh.exe25⤵
- Executes dropped EXE
PID:4568 -
\??\c:\vppdd.exec:\vppdd.exe26⤵
- Executes dropped EXE
PID:2696 -
\??\c:\llrlfxr.exec:\llrlfxr.exe27⤵
- Executes dropped EXE
PID:2548 -
\??\c:\ttbttt.exec:\ttbttt.exe28⤵
- Executes dropped EXE
PID:4860 -
\??\c:\vjpvp.exec:\vjpvp.exe29⤵
- Executes dropped EXE
PID:2648 -
\??\c:\rfrxrfx.exec:\rfrxrfx.exe30⤵
- Executes dropped EXE
PID:4364 -
\??\c:\xlrlfrl.exec:\xlrlfrl.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:648 -
\??\c:\vppvp.exec:\vppvp.exe32⤵
- Executes dropped EXE
PID:3624 -
\??\c:\7pjdv.exec:\7pjdv.exe33⤵
- Executes dropped EXE
PID:4424 -
\??\c:\9rxrxll.exec:\9rxrxll.exe34⤵
- Executes dropped EXE
PID:660 -
\??\c:\ttnhtb.exec:\ttnhtb.exe35⤵
- Executes dropped EXE
PID:3224 -
\??\c:\ddjdv.exec:\ddjdv.exe36⤵
- Executes dropped EXE
PID:1588 -
\??\c:\vdjdv.exec:\vdjdv.exe37⤵
- Executes dropped EXE
PID:3232 -
\??\c:\xrffxxx.exec:\xrffxxx.exe38⤵
- Executes dropped EXE
PID:872 -
\??\c:\tnthbb.exec:\tnthbb.exe39⤵
- Executes dropped EXE
PID:1172 -
\??\c:\tntnbb.exec:\tntnbb.exe40⤵
- Executes dropped EXE
PID:3260 -
\??\c:\jvjjj.exec:\jvjjj.exe41⤵
- Executes dropped EXE
PID:1592 -
\??\c:\djpjd.exec:\djpjd.exe42⤵
- Executes dropped EXE
PID:4156 -
\??\c:\xfxrlfx.exec:\xfxrlfx.exe43⤵
- Executes dropped EXE
PID:3600 -
\??\c:\ntthnn.exec:\ntthnn.exe44⤵
- Executes dropped EXE
PID:4712 -
\??\c:\nhtntt.exec:\nhtntt.exe45⤵
- Executes dropped EXE
PID:2052 -
\??\c:\dvvjd.exec:\dvvjd.exe46⤵
- Executes dropped EXE
PID:1144 -
\??\c:\llxrlll.exec:\llxrlll.exe47⤵
- Executes dropped EXE
PID:1572 -
\??\c:\fxxfxfx.exec:\fxxfxfx.exe48⤵
- Executes dropped EXE
PID:2652 -
\??\c:\ntnhbb.exec:\ntnhbb.exe49⤵
- Executes dropped EXE
PID:3772 -
\??\c:\1bhbhn.exec:\1bhbhn.exe50⤵
- Executes dropped EXE
PID:4800 -
\??\c:\pjvvd.exec:\pjvvd.exe51⤵
- Executes dropped EXE
PID:4592 -
\??\c:\lrxrrff.exec:\lrxrrff.exe52⤵
- Executes dropped EXE
PID:3804 -
\??\c:\xxxrllf.exec:\xxxrllf.exe53⤵
- Executes dropped EXE
PID:4376 -
\??\c:\bttnbt.exec:\bttnbt.exe54⤵
- Executes dropped EXE
PID:4948 -
\??\c:\vjjdv.exec:\vjjdv.exe55⤵
- Executes dropped EXE
PID:3724 -
\??\c:\pdvvd.exec:\pdvvd.exe56⤵
- Executes dropped EXE
PID:4104 -
\??\c:\rlllxxr.exec:\rlllxxr.exe57⤵
- Executes dropped EXE
PID:448 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe58⤵
- Executes dropped EXE
PID:5116 -
\??\c:\thtnhh.exec:\thtnhh.exe59⤵
- Executes dropped EXE
PID:4804 -
\??\c:\ddvvp.exec:\ddvvp.exe60⤵
- Executes dropped EXE
PID:3504 -
\??\c:\jpjvp.exec:\jpjvp.exe61⤵
- Executes dropped EXE
PID:4536 -
\??\c:\flllfff.exec:\flllfff.exe62⤵
- Executes dropped EXE
PID:4260 -
\??\c:\bttnhh.exec:\bttnhh.exe63⤵
- Executes dropped EXE
PID:3668 -
\??\c:\tntnhb.exec:\tntnhb.exe64⤵
- Executes dropped EXE
PID:3660 -
\??\c:\vppjv.exec:\vppjv.exe65⤵
- Executes dropped EXE
PID:4556 -
\??\c:\pdjdv.exec:\pdjdv.exe66⤵PID:512
-
\??\c:\frxxrrl.exec:\frxxrrl.exe67⤵PID:888
-
\??\c:\thhbtn.exec:\thhbtn.exe68⤵PID:1708
-
\??\c:\nhnhtt.exec:\nhnhtt.exe69⤵PID:4676
-
\??\c:\jpjdv.exec:\jpjdv.exe70⤵PID:2416
-
\??\c:\rlllffx.exec:\rlllffx.exe71⤵PID:2396
-
\??\c:\lxlfxxx.exec:\lxlfxxx.exe72⤵PID:1156
-
\??\c:\nbhbtt.exec:\nbhbtt.exe73⤵PID:4944
-
\??\c:\7jdvd.exec:\7jdvd.exe74⤵PID:3640
-
\??\c:\rllflfx.exec:\rllflfx.exe75⤵PID:956
-
\??\c:\3hnhht.exec:\3hnhht.exe76⤵PID:708
-
\??\c:\lrlxxrf.exec:\lrlxxrf.exe77⤵PID:2436
-
\??\c:\thnhbt.exec:\thnhbt.exe78⤵PID:4940
-
\??\c:\tbhhht.exec:\tbhhht.exe79⤵PID:2796
-
\??\c:\dvjdv.exec:\dvjdv.exe80⤵PID:4604
-
\??\c:\rfrlrlr.exec:\rfrlrlr.exe81⤵PID:408
-
\??\c:\jvjdd.exec:\jvjdd.exe82⤵PID:3648
-
\??\c:\fxxrfff.exec:\fxxrfff.exe83⤵PID:1452
-
\??\c:\1lxrxxf.exec:\1lxrxxf.exe84⤵PID:2824
-
\??\c:\9djdv.exec:\9djdv.exe85⤵PID:4568
-
\??\c:\rllxrfx.exec:\rllxrfx.exe86⤵PID:5052
-
\??\c:\rflffxf.exec:\rflffxf.exe87⤵PID:620
-
\??\c:\ttnnhh.exec:\ttnnhh.exe88⤵PID:5100
-
\??\c:\jjpjj.exec:\jjpjj.exe89⤵PID:4700
-
\??\c:\ttbnnn.exec:\ttbnnn.exe90⤵PID:1608
-
\??\c:\bttnhh.exec:\bttnhh.exe91⤵PID:1948
-
\??\c:\vvpdj.exec:\vvpdj.exe92⤵PID:3608
-
\??\c:\1hbtnh.exec:\1hbtnh.exe93⤵PID:3328
-
\??\c:\ddjdv.exec:\ddjdv.exe94⤵PID:2656
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe95⤵PID:368
-
\??\c:\btnnhh.exec:\btnnhh.exe96⤵PID:4600
-
\??\c:\jpjjd.exec:\jpjjd.exe97⤵PID:1592
-
\??\c:\hhbbbb.exec:\hhbbbb.exe98⤵PID:5084
-
\??\c:\nhbtnh.exec:\nhbtnh.exe99⤵PID:3968
-
\??\c:\llrllll.exec:\llrllll.exe100⤵PID:4088
-
\??\c:\dvvpp.exec:\dvvpp.exe101⤵PID:2204
-
\??\c:\pjpjd.exec:\pjpjd.exe102⤵PID:416
-
\??\c:\thnbtt.exec:\thnbtt.exe103⤵PID:4988
-
\??\c:\jpvpj.exec:\jpvpj.exe104⤵PID:3000
-
\??\c:\btthbb.exec:\btthbb.exe105⤵PID:3716
-
\??\c:\dvpjd.exec:\dvpjd.exe106⤵PID:3916
-
\??\c:\nbhbtn.exec:\nbhbtn.exe107⤵PID:4592
-
\??\c:\rffxrrf.exec:\rffxrrf.exe108⤵PID:3500
-
\??\c:\bthbhb.exec:\bthbhb.exe109⤵PID:4376
-
\??\c:\lllffff.exec:\lllffff.exe110⤵PID:1636
-
\??\c:\nttnhb.exec:\nttnhb.exe111⤵PID:4032
-
\??\c:\ddvdv.exec:\ddvdv.exe112⤵PID:2452
-
\??\c:\bhtnnn.exec:\bhtnnn.exe113⤵PID:3808
-
\??\c:\rllxrrl.exec:\rllxrrl.exe114⤵PID:1560
-
\??\c:\tntnbn.exec:\tntnbn.exe115⤵PID:2144
-
\??\c:\ttnhnh.exec:\ttnhnh.exe116⤵PID:5056
-
\??\c:\lffxrrr.exec:\lffxrrr.exe117⤵PID:3504
-
\??\c:\nthhbh.exec:\nthhbh.exe118⤵PID:3200
-
\??\c:\frlfxlf.exec:\frlfxlf.exe119⤵PID:4484
-
\??\c:\nbtnhb.exec:\nbtnhb.exe120⤵PID:636
-
\??\c:\vvppd.exec:\vvppd.exe121⤵PID:1876
-
\??\c:\bhbhnt.exec:\bhbhnt.exe122⤵PID:2612
-