Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe
-
Size
454KB
-
MD5
fddbc0fe12541ffda2bf139c1847103b
-
SHA1
3288d732d4d849faca4c2f5f1721eb77a3a9c860
-
SHA256
ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607
-
SHA512
36c990c860b7ec326e9d39f91df186651e09fe1065f8d6c9455fe76008851c146ff6e278409baad2d9a8d8e12a196cb2300003acb6d6a9721ce23e69fce6ca7e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeZ:q7Tc2NYHUrAwfMp3CDZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/440-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5032-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4024-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-1026-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-1078-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-1106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-1291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1268 jddpj.exe 952 pjpjd.exe 4212 nhntnb.exe 992 fxrrfxl.exe 4612 vpdvj.exe 3192 ffrllll.exe 2716 lxxrffx.exe 1108 3pppj.exe 2788 rfllllf.exe 2336 1htnhn.exe 3712 vjppv.exe 2008 jvpjj.exe 1560 bbbthb.exe 2436 jpvpj.exe 1220 lffxrrl.exe 2136 jpjvd.exe 2312 lflfxxr.exe 4584 hhhnth.exe 1192 jpdvp.exe 4888 httbbh.exe 4024 thtnhb.exe 4560 5djdp.exe 4808 ppjdv.exe 1412 7btbnn.exe 5032 llflffr.exe 5000 tttnhb.exe 3516 9ppjj.exe 2988 jjppj.exe 1656 frlrfff.exe 1900 nbnhbn.exe 3172 vpjdv.exe 1920 1vdvd.exe 4420 rrrlllf.exe 4120 jdjdd.exe 5092 lfrrllr.exe 2096 fflffff.exe 3892 7nhnnh.exe 3708 7jpjp.exe 5028 xrfxrlf.exe 1196 bnnhtn.exe 3276 jjpjj.exe 3972 vpdvp.exe 4340 fxfrlfx.exe 3700 hhnhbb.exe 2612 pdjdv.exe 1036 fxrlffx.exe 3984 nhtntn.exe 4384 3ppjd.exe 3852 xrrxrxx.exe 2508 tnnhbh.exe 4224 5ddvv.exe 1648 vpjjj.exe 3652 5lrlxxr.exe 4760 tthhnh.exe 3680 pjvpj.exe 3728 1fxrrrl.exe 4336 rrxrffl.exe 2788 tbhbtn.exe 4460 3pvvp.exe 4700 5jjpj.exe 1064 lflfxxl.exe 3032 ttttnn.exe 3720 dvdvv.exe 724 fxfxxxr.exe -
resource yara_rule behavioral2/memory/440-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3516-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-367-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4540-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-719-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lllxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 440 wrote to memory of 1268 440 ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe 82 PID 440 wrote to memory of 1268 440 ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe 82 PID 440 wrote to memory of 1268 440 ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe 82 PID 1268 wrote to memory of 952 1268 jddpj.exe 83 PID 1268 wrote to memory of 952 1268 jddpj.exe 83 PID 1268 wrote to memory of 952 1268 jddpj.exe 83 PID 952 wrote to memory of 4212 952 pjpjd.exe 84 PID 952 wrote to memory of 4212 952 pjpjd.exe 84 PID 952 wrote to memory of 4212 952 pjpjd.exe 84 PID 4212 wrote to memory of 992 4212 nhntnb.exe 85 PID 4212 wrote to memory of 992 4212 nhntnb.exe 85 PID 4212 wrote to memory of 992 4212 nhntnb.exe 85 PID 992 wrote to memory of 4612 992 fxrrfxl.exe 86 PID 992 wrote to memory of 4612 992 fxrrfxl.exe 86 PID 992 wrote to memory of 4612 992 fxrrfxl.exe 86 PID 4612 wrote to memory of 3192 4612 vpdvj.exe 87 PID 4612 wrote to memory of 3192 4612 vpdvj.exe 87 PID 4612 wrote to memory of 3192 4612 vpdvj.exe 87 PID 3192 wrote to memory of 2716 3192 ffrllll.exe 88 PID 3192 wrote to memory of 2716 3192 ffrllll.exe 88 PID 3192 wrote to memory of 2716 3192 ffrllll.exe 88 PID 2716 wrote to memory of 1108 2716 lxxrffx.exe 89 PID 2716 wrote to memory of 1108 2716 lxxrffx.exe 89 PID 2716 wrote to memory of 1108 2716 lxxrffx.exe 89 PID 1108 wrote to memory of 2788 1108 3pppj.exe 90 PID 1108 wrote to memory of 2788 1108 3pppj.exe 90 PID 1108 wrote to memory of 2788 1108 3pppj.exe 90 PID 2788 wrote to memory of 2336 2788 rfllllf.exe 91 PID 2788 wrote to memory of 2336 2788 rfllllf.exe 91 PID 2788 wrote to memory of 2336 2788 rfllllf.exe 91 PID 2336 wrote to memory of 3712 2336 1htnhn.exe 92 PID 2336 wrote to memory of 3712 2336 1htnhn.exe 92 PID 2336 wrote to memory of 3712 2336 1htnhn.exe 92 PID 3712 wrote to memory of 2008 3712 vjppv.exe 93 PID 3712 wrote to memory of 2008 3712 
vjppv.exe 93 PID 3712 wrote to memory of 2008 3712 vjppv.exe 93 PID 2008 wrote to memory of 1560 2008 jvpjj.exe 94 PID 2008 wrote to memory of 1560 2008 jvpjj.exe 94 PID 2008 wrote to memory of 1560 2008 jvpjj.exe 94 PID 1560 wrote to memory of 2436 1560 bbbthb.exe 95 PID 1560 wrote to memory of 2436 1560 bbbthb.exe 95 PID 1560 wrote to memory of 2436 1560 bbbthb.exe 95 PID 2436 wrote to memory of 1220 2436 jpvpj.exe 96 PID 2436 wrote to memory of 1220 2436 jpvpj.exe 96 PID 2436 wrote to memory of 1220 2436 jpvpj.exe 96 PID 1220 wrote to memory of 2136 1220 lffxrrl.exe 97 PID 1220 wrote to memory of 2136 1220 lffxrrl.exe 97 PID 1220 wrote to memory of 2136 1220 lffxrrl.exe 97 PID 2136 wrote to memory of 2312 2136 jpjvd.exe 98 PID 2136 wrote to memory of 2312 2136 jpjvd.exe 98 PID 2136 wrote to memory of 2312 2136 jpjvd.exe 98 PID 2312 wrote to memory of 4584 2312 lflfxxr.exe 99 PID 2312 wrote to memory of 4584 2312 lflfxxr.exe 99 PID 2312 wrote to memory of 4584 2312 lflfxxr.exe 99 PID 4584 wrote to memory of 1192 4584 hhhnth.exe 100 PID 4584 wrote to memory of 1192 4584 hhhnth.exe 100 PID 4584 wrote to memory of 1192 4584 hhhnth.exe 100 PID 1192 wrote to memory of 4888 1192 jpdvp.exe 101 PID 1192 wrote to memory of 4888 1192 jpdvp.exe 101 PID 1192 wrote to memory of 4888 1192 jpdvp.exe 101 PID 4888 wrote to memory of 4024 4888 httbbh.exe 102 PID 4888 wrote to memory of 4024 4888 httbbh.exe 102 PID 4888 wrote to memory of 4024 4888 httbbh.exe 102 PID 4024 wrote to memory of 4560 4024 thtnhb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe"C:\Users\Admin\AppData\Local\Temp\ba17807e259e4f579e9565e137db8c523afa98e19853a80165c65bf2b8db7607.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\jddpj.exec:\jddpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\pjpjd.exec:\pjpjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\nhntnb.exec:\nhntnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\fxrrfxl.exec:\fxrrfxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
\??\c:\vpdvj.exec:\vpdvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\ffrllll.exec:\ffrllll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\lxxrffx.exec:\lxxrffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\3pppj.exec:\3pppj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\rfllllf.exec:\rfllllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\1htnhn.exec:\1htnhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\vjppv.exec:\vjppv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\jvpjj.exec:\jvpjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\bbbthb.exec:\bbbthb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\jpvpj.exec:\jpvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\lffxrrl.exec:\lffxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\jpjvd.exec:\jpjvd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\lflfxxr.exec:\lflfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\hhhnth.exec:\hhhnth.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\jpdvp.exec:\jpdvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\httbbh.exec:\httbbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\thtnhb.exec:\thtnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\5djdp.exec:\5djdp.exe23⤵
- Executes dropped EXE
PID:4560 -
\??\c:\ppjdv.exec:\ppjdv.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4808 -
\??\c:\7btbnn.exec:\7btbnn.exe25⤵
- Executes dropped EXE
PID:1412 -
\??\c:\llflffr.exec:\llflffr.exe26⤵
- Executes dropped EXE
PID:5032 -
\??\c:\tttnhb.exec:\tttnhb.exe27⤵
- Executes dropped EXE
PID:5000 -
\??\c:\9ppjj.exec:\9ppjj.exe28⤵
- Executes dropped EXE
PID:3516 -
\??\c:\jjppj.exec:\jjppj.exe29⤵
- Executes dropped EXE
PID:2988 -
\??\c:\frlrfff.exec:\frlrfff.exe30⤵
- Executes dropped EXE
PID:1656 -
\??\c:\nbnhbn.exec:\nbnhbn.exe31⤵
- Executes dropped EXE
PID:1900 -
\??\c:\vpjdv.exec:\vpjdv.exe32⤵
- Executes dropped EXE
PID:3172 -
\??\c:\1vdvd.exec:\1vdvd.exe33⤵
- Executes dropped EXE
PID:1920 -
\??\c:\rrrlllf.exec:\rrrlllf.exe34⤵
- Executes dropped EXE
PID:4420 -
\??\c:\jdjdd.exec:\jdjdd.exe35⤵
- Executes dropped EXE
PID:4120 -
\??\c:\lfrrllr.exec:\lfrrllr.exe36⤵
- Executes dropped EXE
PID:5092 -
\??\c:\fflffff.exec:\fflffff.exe37⤵
- Executes dropped EXE
PID:2096 -
\??\c:\7nhnnh.exec:\7nhnnh.exe38⤵
- Executes dropped EXE
PID:3892 -
\??\c:\7jpjp.exec:\7jpjp.exe39⤵
- Executes dropped EXE
PID:3708 -
\??\c:\xrfxrlf.exec:\xrfxrlf.exe40⤵
- Executes dropped EXE
PID:5028 -
\??\c:\bnnhtn.exec:\bnnhtn.exe41⤵
- Executes dropped EXE
PID:1196 -
\??\c:\jjpjj.exec:\jjpjj.exe42⤵
- Executes dropped EXE
PID:3276 -
\??\c:\vpdvp.exec:\vpdvp.exe43⤵
- Executes dropped EXE
PID:3972 -
\??\c:\fxfrlfx.exec:\fxfrlfx.exe44⤵
- Executes dropped EXE
PID:4340 -
\??\c:\hhnhbb.exec:\hhnhbb.exe45⤵
- Executes dropped EXE
PID:3700 -
\??\c:\pdjdv.exec:\pdjdv.exe46⤵
- Executes dropped EXE
PID:2612 -
\??\c:\fxrlffx.exec:\fxrlffx.exe47⤵
- Executes dropped EXE
PID:1036 -
\??\c:\nhtntn.exec:\nhtntn.exe48⤵
- Executes dropped EXE
PID:3984 -
\??\c:\3ppjd.exec:\3ppjd.exe49⤵
- Executes dropped EXE
PID:4384 -
\??\c:\xrrxrxx.exec:\xrrxrxx.exe50⤵
- Executes dropped EXE
PID:3852 -
\??\c:\tnnhbh.exec:\tnnhbh.exe51⤵
- Executes dropped EXE
PID:2508 -
\??\c:\5ddvv.exec:\5ddvv.exe52⤵
- Executes dropped EXE
PID:4224 -
\??\c:\vpjjj.exec:\vpjjj.exe53⤵
- Executes dropped EXE
PID:1648 -
\??\c:\5lrlxxr.exec:\5lrlxxr.exe54⤵
- Executes dropped EXE
PID:3652 -
\??\c:\tthhnh.exec:\tthhnh.exe55⤵
- Executes dropped EXE
PID:4760 -
\??\c:\pjvpj.exec:\pjvpj.exe56⤵
- Executes dropped EXE
PID:3680 -
\??\c:\1fxrrrl.exec:\1fxrrrl.exe57⤵
- Executes dropped EXE
PID:3728 -
\??\c:\rrxrffl.exec:\rrxrffl.exe58⤵
- Executes dropped EXE
PID:4336 -
\??\c:\tbhbtn.exec:\tbhbtn.exe59⤵
- Executes dropped EXE
PID:2788 -
\??\c:\3pvvp.exec:\3pvvp.exe60⤵
- Executes dropped EXE
PID:4460 -
\??\c:\5jjpj.exec:\5jjpj.exe61⤵
- Executes dropped EXE
PID:4700 -
\??\c:\lflfxxl.exec:\lflfxxl.exe62⤵
- Executes dropped EXE
PID:1064 -
\??\c:\ttttnn.exec:\ttttnn.exe63⤵
- Executes dropped EXE
PID:3032 -
\??\c:\dvdvv.exec:\dvdvv.exe64⤵
- Executes dropped EXE
PID:3720 -
\??\c:\fxfxxxr.exec:\fxfxxxr.exe65⤵
- Executes dropped EXE
PID:724 -
\??\c:\bhhbnn.exec:\bhhbnn.exe66⤵PID:2412
-
\??\c:\9vvpj.exec:\9vvpj.exe67⤵PID:1592
-
\??\c:\rllrfxr.exec:\rllrfxr.exe68⤵PID:1388
-
\??\c:\bnnhhb.exec:\bnnhhb.exe69⤵PID:1132
-
\??\c:\dpjvj.exec:\dpjvj.exe70⤵PID:2056
-
\??\c:\5xfxrrr.exec:\5xfxrrr.exe71⤵
- System Location Discovery: System Language Discovery
PID:5072 -
\??\c:\7llfxrr.exec:\7llfxrr.exe72⤵PID:752
-
\??\c:\hbhbtn.exec:\hbhbtn.exe73⤵PID:3624
-
\??\c:\vpdjd.exec:\vpdjd.exe74⤵PID:2992
-
\??\c:\7pjdd.exec:\7pjdd.exe75⤵PID:4236
-
\??\c:\xlxlxxr.exec:\xlxlxxr.exe76⤵PID:3280
-
\??\c:\btttnt.exec:\btttnt.exe77⤵PID:4024
-
\??\c:\jjppj.exec:\jjppj.exe78⤵PID:1364
-
\??\c:\rfllffx.exec:\rfllffx.exe79⤵PID:4620
-
\??\c:\htbtnn.exec:\htbtnn.exe80⤵PID:3668
-
\??\c:\7djjd.exec:\7djjd.exe81⤵PID:4600
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe82⤵PID:4788
-
\??\c:\7xrlffx.exec:\7xrlffx.exe83⤵PID:2428
-
\??\c:\ntbbth.exec:\ntbbth.exe84⤵PID:1204
-
\??\c:\vpvpj.exec:\vpvpj.exe85⤵PID:4804
-
\??\c:\xxxxrrr.exec:\xxxxrrr.exe86⤵PID:2616
-
\??\c:\thhhnt.exec:\thhhnt.exe87⤵PID:3420
-
\??\c:\bnnhhb.exec:\bnnhhb.exe88⤵PID:1200
-
\??\c:\ppvpd.exec:\ppvpd.exe89⤵PID:3088
-
\??\c:\9lrllll.exec:\9lrllll.exe90⤵PID:3000
-
\??\c:\thhbtt.exec:\thhbtt.exe91⤵PID:1800
-
\??\c:\hbbbtn.exec:\hbbbtn.exe92⤵PID:3484
-
\??\c:\pppvv.exec:\pppvv.exe93⤵PID:4540
-
\??\c:\ppvpj.exec:\ppvpj.exe94⤵PID:2132
-
\??\c:\ffrxflf.exec:\ffrxflf.exe95⤵PID:224
-
\??\c:\5bhbtt.exec:\5bhbtt.exe96⤵PID:2924
-
\??\c:\9pddv.exec:\9pddv.exe97⤵PID:4436
-
\??\c:\tttnnb.exec:\tttnnb.exe98⤵PID:320
-
\??\c:\nnnttn.exec:\nnnttn.exe99⤵PID:1196
-
\??\c:\jddvv.exec:\jddvv.exe100⤵PID:4448
-
\??\c:\7llffxr.exec:\7llffxr.exe101⤵PID:3972
-
\??\c:\hbbbhh.exec:\hbbbhh.exe102⤵PID:1940
-
\??\c:\ntnhtt.exec:\ntnhtt.exe103⤵
- System Location Discovery: System Language Discovery
PID:3700 -
\??\c:\ppdvv.exec:\ppdvv.exe104⤵PID:2216
-
\??\c:\fflflrx.exec:\fflflrx.exe105⤵PID:3976
-
\??\c:\bnttnh.exec:\bnttnh.exe106⤵PID:4288
-
\??\c:\5vdvj.exec:\5vdvj.exe107⤵PID:2880
-
\??\c:\dpdvp.exec:\dpdvp.exe108⤵PID:3472
-
\??\c:\flrlfxl.exec:\flrlfxl.exe109⤵PID:4268
-
\??\c:\tbhbbb.exec:\tbhbbb.exe110⤵PID:3724
-
\??\c:\tnbttn.exec:\tnbttn.exe111⤵PID:3696
-
\??\c:\9pvpv.exec:\9pvpv.exe112⤵PID:3060
-
\??\c:\xlrlffx.exec:\xlrlffx.exe113⤵PID:3932
-
\??\c:\tntntn.exec:\tntntn.exe114⤵PID:2832
-
\??\c:\djjvd.exec:\djjvd.exe115⤵PID:1092
-
\??\c:\fxffrrl.exec:\fxffrrl.exe116⤵PID:852
-
\??\c:\llllffx.exec:\llllffx.exe117⤵PID:388
-
\??\c:\tttnnn.exec:\tttnnn.exe118⤵PID:3856
-
\??\c:\vvvdv.exec:\vvvdv.exe119⤵PID:2336
-
\??\c:\jjpjv.exec:\jjpjv.exe120⤵PID:3152
-
\??\c:\3rxrlxx.exec:\3rxrlxx.exe121⤵PID:1064
-
\??\c:\3nnbtt.exec:\3nnbtt.exe122⤵PID:1536