Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe
-
Size
454KB
-
MD5
5b5e55e9109ef0c766a32ea8d1070723
-
SHA1
55149d7e7fe851a0eada703f46a0ae265a4dfa2e
-
SHA256
bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866
-
SHA512
c21648d477d3a0b9e20b178259f1070e4770d6375cf487c9e3f722b2f0b9c7964bd75d96ee4008dc05e7f624011999a5900dfc5d68e2c6a6f87a40affe099799
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3556-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2040-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4192-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-692-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-760-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-858-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-889-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-1001-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-1080-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1144 jvvvd.exe 436 1lllxxl.exe 4728 bnhttn.exe 1676 3bbbhb.exe 1508 vjvpp.exe 4692 rfxrxrf.exe 2920 tbthtt.exe 1048 rffrlxf.exe 208 ttbhtn.exe 3948 ntttbt.exe 3980 jpjvj.exe 4500 rrfxfxx.exe 2408 bhnnhh.exe 848 jdvdj.exe 2660 3lfxrrl.exe 2648 httnhh.exe 4760 ddjvj.exe 3580 xrxfxlf.exe 944 rllfrrl.exe 1896 5bhtbh.exe 3092 vvpdv.exe 2008 dvvjv.exe 3512 nttnhb.exe 4104 vpdpj.exe 4504 3xlfxxf.exe 1152 vvjpv.exe 2576 vjjdv.exe 2040 xrrfrrl.exe 2692 thnhtt.exe 2788 vppjd.exe 3540 rxfxxrl.exe 4888 9ddvd.exe 3056 htttnh.exe 2200 llfxrrl.exe 4428 bttthh.exe 2240 jjdvp.exe 3400 rlxrxxf.exe 2952 nhbtnn.exe 3636 ttnhtt.exe 464 lfffxxf.exe 1372 bbbbnn.exe 4876 pdjdv.exe 2352 rfrrxfr.exe 1868 9xfrfrf.exe 4752 1btntn.exe 1508 dvvpj.exe 540 pppjd.exe 2592 lfxrxxr.exe 3472 3nthtn.exe 4692 jvdpp.exe 4220 3frxlxf.exe 5076 ttnhbb.exe 1988 nbhthb.exe 4732 dpdpd.exe 4696 rrrrfff.exe 2744 xrlffff.exe 3176 ntbbnn.exe 1312 jvdpv.exe 3416 jdvpp.exe 3800 fxrxlff.exe 1572 ntbtnh.exe 4500 btbhtb.exe 516 7vpjd.exe 3036 lrxffrr.exe -
resource yara_rule behavioral2/memory/3556-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2692-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-365-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/400-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-770-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-858-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3556 wrote to memory of 1144 3556 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 83 PID 3556 wrote to memory of 1144 3556 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 83 PID 3556 wrote to memory of 1144 3556 bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe 83 PID 1144 wrote to memory of 436 1144 jvvvd.exe 84 PID 1144 wrote to memory of 436 1144 jvvvd.exe 84 PID 1144 wrote to memory of 436 1144 jvvvd.exe 84 PID 436 wrote to memory of 4728 436 1lllxxl.exe 85 PID 436 wrote to memory of 4728 436 1lllxxl.exe 85 PID 436 wrote to memory of 4728 436 1lllxxl.exe 85 PID 4728 wrote to memory of 1676 4728 bnhttn.exe 86 PID 4728 wrote to memory of 1676 4728 bnhttn.exe 86 PID 4728 wrote to memory of 1676 4728 bnhttn.exe 86 PID 1676 wrote to memory of 1508 1676 3bbbhb.exe 87 PID 1676 wrote to memory of 1508 1676 3bbbhb.exe 87 PID 1676 wrote to memory of 1508 1676 3bbbhb.exe 87 PID 1508 wrote to memory of 4692 1508 vjvpp.exe 88 PID 1508 wrote to memory of 4692 1508 vjvpp.exe 88 PID 1508 wrote to memory of 4692 1508 vjvpp.exe 88 PID 4692 wrote to memory of 2920 4692 rfxrxrf.exe 89 PID 4692 wrote to memory of 2920 4692 rfxrxrf.exe 89 PID 4692 wrote to memory of 2920 4692 rfxrxrf.exe 89 PID 2920 wrote to memory of 1048 2920 tbthtt.exe 90 PID 2920 wrote to memory of 1048 2920 tbthtt.exe 90 PID 2920 wrote to memory of 1048 2920 tbthtt.exe 90 PID 1048 wrote to memory of 208 1048 rffrlxf.exe 91 PID 1048 wrote to memory of 208 1048 rffrlxf.exe 91 PID 1048 wrote to memory of 208 1048 rffrlxf.exe 91 PID 208 wrote to memory of 3948 208 ttbhtn.exe 92 PID 208 wrote to memory of 3948 208 ttbhtn.exe 92 PID 208 wrote to memory of 3948 208 ttbhtn.exe 92 PID 3948 wrote to memory of 3980 3948 ntttbt.exe 93 PID 3948 wrote to memory of 3980 3948 ntttbt.exe 93 PID 3948 wrote to memory of 3980 3948 ntttbt.exe 93 PID 3980 wrote to memory of 4500 3980 jpjvj.exe 94 PID 3980 wrote to memory of 4500 
3980 jpjvj.exe 94 PID 3980 wrote to memory of 4500 3980 jpjvj.exe 94 PID 4500 wrote to memory of 2408 4500 rrfxfxx.exe 95 PID 4500 wrote to memory of 2408 4500 rrfxfxx.exe 95 PID 4500 wrote to memory of 2408 4500 rrfxfxx.exe 95 PID 2408 wrote to memory of 848 2408 bhnnhh.exe 96 PID 2408 wrote to memory of 848 2408 bhnnhh.exe 96 PID 2408 wrote to memory of 848 2408 bhnnhh.exe 96 PID 848 wrote to memory of 2660 848 jdvdj.exe 97 PID 848 wrote to memory of 2660 848 jdvdj.exe 97 PID 848 wrote to memory of 2660 848 jdvdj.exe 97 PID 2660 wrote to memory of 2648 2660 3lfxrrl.exe 98 PID 2660 wrote to memory of 2648 2660 3lfxrrl.exe 98 PID 2660 wrote to memory of 2648 2660 3lfxrrl.exe 98 PID 2648 wrote to memory of 4760 2648 httnhh.exe 99 PID 2648 wrote to memory of 4760 2648 httnhh.exe 99 PID 2648 wrote to memory of 4760 2648 httnhh.exe 99 PID 4760 wrote to memory of 3580 4760 ddjvj.exe 100 PID 4760 wrote to memory of 3580 4760 ddjvj.exe 100 PID 4760 wrote to memory of 3580 4760 ddjvj.exe 100 PID 3580 wrote to memory of 944 3580 xrxfxlf.exe 101 PID 3580 wrote to memory of 944 3580 xrxfxlf.exe 101 PID 3580 wrote to memory of 944 3580 xrxfxlf.exe 101 PID 944 wrote to memory of 1896 944 rllfrrl.exe 102 PID 944 wrote to memory of 1896 944 rllfrrl.exe 102 PID 944 wrote to memory of 1896 944 rllfrrl.exe 102 PID 1896 wrote to memory of 3092 1896 5bhtbh.exe 103 PID 1896 wrote to memory of 3092 1896 5bhtbh.exe 103 PID 1896 wrote to memory of 3092 1896 5bhtbh.exe 103 PID 3092 wrote to memory of 2008 3092 vvpdv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe"C:\Users\Admin\AppData\Local\Temp\bcc750e6cfaf700bd204fa9bfe1d025a5990c214e951b2039a69f2a14f0ed866.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\jvvvd.exec:\jvvvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\1lllxxl.exec:\1lllxxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\bnhttn.exec:\bnhttn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\3bbbhb.exec:\3bbbhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\vjvpp.exec:\vjvpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\rfxrxrf.exec:\rfxrxrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\tbthtt.exec:\tbthtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\rffrlxf.exec:\rffrlxf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\ttbhtn.exec:\ttbhtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\ntttbt.exec:\ntttbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\jpjvj.exec:\jpjvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\rrfxfxx.exec:\rrfxfxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\bhnnhh.exec:\bhnnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\jdvdj.exec:\jdvdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:848 -
\??\c:\3lfxrrl.exec:\3lfxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\httnhh.exec:\httnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\ddjvj.exec:\ddjvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\xrxfxlf.exec:\xrxfxlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\rllfrrl.exec:\rllfrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\5bhtbh.exec:\5bhtbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\vvpdv.exec:\vvpdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\dvvjv.exec:\dvvjv.exe23⤵
- Executes dropped EXE
PID:2008 -
\??\c:\nttnhb.exec:\nttnhb.exe24⤵
- Executes dropped EXE
PID:3512 -
\??\c:\vpdpj.exec:\vpdpj.exe25⤵
- Executes dropped EXE
PID:4104 -
\??\c:\3xlfxxf.exec:\3xlfxxf.exe26⤵
- Executes dropped EXE
PID:4504 -
\??\c:\vvjpv.exec:\vvjpv.exe27⤵
- Executes dropped EXE
PID:1152 -
\??\c:\vjjdv.exec:\vjjdv.exe28⤵
- Executes dropped EXE
PID:2576 -
\??\c:\xrrfrrl.exec:\xrrfrrl.exe29⤵
- Executes dropped EXE
PID:2040 -
\??\c:\thnhtt.exec:\thnhtt.exe30⤵
- Executes dropped EXE
PID:2692 -
\??\c:\vppjd.exec:\vppjd.exe31⤵
- Executes dropped EXE
PID:2788 -
\??\c:\rxfxxrl.exec:\rxfxxrl.exe32⤵
- Executes dropped EXE
PID:3540 -
\??\c:\9ddvd.exec:\9ddvd.exe33⤵
- Executes dropped EXE
PID:4888 -
\??\c:\htttnh.exec:\htttnh.exe34⤵
- Executes dropped EXE
PID:3056 -
\??\c:\llfxrrl.exec:\llfxrrl.exe35⤵
- Executes dropped EXE
PID:2200 -
\??\c:\bttthh.exec:\bttthh.exe36⤵
- Executes dropped EXE
PID:4428 -
\??\c:\jjdvp.exec:\jjdvp.exe37⤵
- Executes dropped EXE
PID:2240 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe38⤵
- Executes dropped EXE
PID:3400 -
\??\c:\nhbtnn.exec:\nhbtnn.exe39⤵
- Executes dropped EXE
PID:2952 -
\??\c:\ttnhtt.exec:\ttnhtt.exe40⤵
- Executes dropped EXE
PID:3636 -
\??\c:\9djdv.exec:\9djdv.exe41⤵PID:4492
-
\??\c:\lfffxxf.exec:\lfffxxf.exe42⤵
- Executes dropped EXE
PID:464 -
\??\c:\bbbbnn.exec:\bbbbnn.exe43⤵
- Executes dropped EXE
PID:1372 -
\??\c:\pdjdv.exec:\pdjdv.exe44⤵
- Executes dropped EXE
PID:4876 -
\??\c:\rfrrxfr.exec:\rfrrxfr.exe45⤵
- Executes dropped EXE
PID:2352 -
\??\c:\9xfrfrf.exec:\9xfrfrf.exe46⤵
- Executes dropped EXE
PID:1868 -
\??\c:\1btntn.exec:\1btntn.exe47⤵
- Executes dropped EXE
PID:4752 -
\??\c:\dvvpj.exec:\dvvpj.exe48⤵
- Executes dropped EXE
PID:1508 -
\??\c:\pppjd.exec:\pppjd.exe49⤵
- Executes dropped EXE
PID:540 -
\??\c:\lfxrxxr.exec:\lfxrxxr.exe50⤵
- Executes dropped EXE
PID:2592 -
\??\c:\3nthtn.exec:\3nthtn.exe51⤵
- Executes dropped EXE
PID:3472 -
\??\c:\jvdpp.exec:\jvdpp.exe52⤵
- Executes dropped EXE
PID:4692 -
\??\c:\3frxlxf.exec:\3frxlxf.exe53⤵
- Executes dropped EXE
PID:4220 -
\??\c:\ttnhbb.exec:\ttnhbb.exe54⤵
- Executes dropped EXE
PID:5076 -
\??\c:\nbhthb.exec:\nbhthb.exe55⤵
- Executes dropped EXE
PID:1988 -
\??\c:\dpdpd.exec:\dpdpd.exe56⤵
- Executes dropped EXE
PID:4732 -
\??\c:\rrrrfff.exec:\rrrrfff.exe57⤵
- Executes dropped EXE
PID:4696 -
\??\c:\xrlffff.exec:\xrlffff.exe58⤵
- Executes dropped EXE
PID:2744 -
\??\c:\ntbbnn.exec:\ntbbnn.exe59⤵
- Executes dropped EXE
PID:3176 -
\??\c:\jvdpv.exec:\jvdpv.exe60⤵
- Executes dropped EXE
PID:1312 -
\??\c:\jdvpp.exec:\jdvpp.exe61⤵
- Executes dropped EXE
PID:3416 -
\??\c:\fxrxlff.exec:\fxrxlff.exe62⤵
- Executes dropped EXE
PID:3800 -
\??\c:\ntbtnh.exec:\ntbtnh.exe63⤵
- Executes dropped EXE
PID:1572 -
\??\c:\btbhtb.exec:\btbhtb.exe64⤵
- Executes dropped EXE
PID:4500 -
\??\c:\7vpjd.exec:\7vpjd.exe65⤵
- Executes dropped EXE
PID:516 -
\??\c:\lrxffrr.exec:\lrxffrr.exe66⤵
- Executes dropped EXE
PID:3036 -
\??\c:\nttbtt.exec:\nttbtt.exe67⤵PID:792
-
\??\c:\tttnbt.exec:\tttnbt.exe68⤵PID:3004
-
\??\c:\vvvjp.exec:\vvvjp.exe69⤵PID:3156
-
\??\c:\rlfrfrl.exec:\rlfrfrl.exe70⤵PID:4192
-
\??\c:\5hbbhh.exec:\5hbbhh.exe71⤵PID:3904
-
\??\c:\ttbtbh.exec:\ttbtbh.exe72⤵PID:5044
-
\??\c:\pppjv.exec:\pppjv.exe73⤵PID:2064
-
\??\c:\1rrlflf.exec:\1rrlflf.exe74⤵PID:3192
-
\??\c:\3fllfxr.exec:\3fllfxr.exe75⤵PID:4144
-
\??\c:\bbhbbb.exec:\bbhbbb.exe76⤵PID:3896
-
\??\c:\pjdjv.exec:\pjdjv.exe77⤵PID:784
-
\??\c:\pppdv.exec:\pppdv.exe78⤵PID:808
-
\??\c:\lllxllf.exec:\lllxllf.exe79⤵PID:1704
-
\??\c:\dppjd.exec:\dppjd.exe80⤵PID:3600
-
\??\c:\frxxrrl.exec:\frxxrrl.exe81⤵PID:1780
-
\??\c:\xxfrlfx.exec:\xxfrlfx.exe82⤵PID:4716
-
\??\c:\hbnhhh.exec:\hbnhhh.exe83⤵PID:3324
-
\??\c:\jvjvp.exec:\jvjvp.exe84⤵PID:1280
-
\??\c:\rllfrrr.exec:\rllfrrr.exe85⤵PID:4204
-
\??\c:\hnnhht.exec:\hnnhht.exe86⤵PID:2956
-
\??\c:\vjpjv.exec:\vjpjv.exe87⤵PID:1168
-
\??\c:\jjjdp.exec:\jjjdp.exe88⤵PID:1740
-
\??\c:\flrxlxl.exec:\flrxlxl.exe89⤵PID:64
-
\??\c:\hhbnbt.exec:\hhbnbt.exe90⤵PID:876
-
\??\c:\jvvjp.exec:\jvvjp.exe91⤵PID:1972
-
\??\c:\vjjdp.exec:\vjjdp.exe92⤵PID:400
-
\??\c:\lxllfff.exec:\lxllfff.exe93⤵PID:1976
-
\??\c:\thnbtn.exec:\thnbtn.exe94⤵PID:4888
-
\??\c:\1bbthh.exec:\1bbthh.exe95⤵PID:3056
-
\??\c:\vddpj.exec:\vddpj.exe96⤵PID:1100
-
\??\c:\fffrxlf.exec:\fffrxlf.exe97⤵PID:3876
-
\??\c:\thnhbb.exec:\thnhbb.exe98⤵PID:4416
-
\??\c:\tnttbt.exec:\tnttbt.exe99⤵PID:4420
-
\??\c:\5vjvp.exec:\5vjvp.exe100⤵PID:1960
-
\??\c:\3lfrxrx.exec:\3lfrxrx.exe101⤵PID:1464
-
\??\c:\hnbbtb.exec:\hnbbtb.exe102⤵PID:4492
-
\??\c:\bbtntt.exec:\bbtntt.exe103⤵PID:2144
-
\??\c:\jvvpj.exec:\jvvpj.exe104⤵PID:436
-
\??\c:\9rrfllx.exec:\9rrfllx.exe105⤵PID:1848
-
\??\c:\htbtnh.exec:\htbtnh.exe106⤵PID:3864
-
\??\c:\bbbtnh.exec:\bbbtnh.exe107⤵PID:3216
-
\??\c:\jjpjd.exec:\jjpjd.exe108⤵PID:3628
-
\??\c:\vdjdp.exec:\vdjdp.exe109⤵PID:4936
-
\??\c:\rxxrxrl.exec:\rxxrxrl.exe110⤵PID:2936
-
\??\c:\hnbbtt.exec:\hnbbtt.exe111⤵PID:4228
-
\??\c:\jddpj.exec:\jddpj.exe112⤵PID:4620
-
\??\c:\jjjjv.exec:\jjjjv.exe113⤵PID:1568
-
\??\c:\lxlxlfr.exec:\lxlxlfr.exe114⤵PID:4692
-
\??\c:\hnnbth.exec:\hnnbth.exe115⤵PID:2264
-
\??\c:\vpvpv.exec:\vpvpv.exe116⤵PID:1840
-
\??\c:\xlxxrlf.exec:\xlxxrlf.exe117⤵PID:208
-
\??\c:\xlfrlxx.exec:\xlfrlxx.exe118⤵PID:4732
-
\??\c:\7bhttn.exec:\7bhttn.exe119⤵PID:3108
-
\??\c:\pvpdp.exec:\pvpdp.exe120⤵PID:1908
-
\??\c:\3ffrfxr.exec:\3ffrfxr.exe121⤵PID:1308
-
\??\c:\xrrrlff.exec:\xrrrlff.exe122⤵PID:2172