Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe
-
Size
454KB
-
MD5
75aa1d13efe8ce777c478382731b8c5f
-
SHA1
8d7bf8d1a58dcb7af52d27ec1b1464148130efe2
-
SHA256
672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58
-
SHA512
5230fa37af838d002b7471a5443b8a12bcd1c573f98e28f4a3983017498aa42468bf3a14f4955822445faa6d274ab4b1ac98514397e7758779ac35413aa31c59
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeG:q7Tc2NYHUrAwfMp3CDG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/1748-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3328-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1636-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-1091-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1064 1jjdv.exe 836 5ffrflx.exe 3368 tnnnbb.exe 1960 pdjdv.exe 3912 3lrlfxx.exe 320 7jvvd.exe 2668 hhtnhh.exe 4124 rrrllll.exe 2612 7jppj.exe 5104 1frrxxl.exe 4800 5dpjp.exe 2944 tnhnnb.exe 2936 5ffxrrl.exe 4084 tnbhhh.exe 3336 vjdvv.exe 4936 bbnnnb.exe 2784 pjvpv.exe 3904 hbttnt.exe 1008 thhhbb.exe 3376 1llrfll.exe 3328 dddpj.exe 1476 lllfxxr.exe 3124 pjjjd.exe 4464 9nnhnb.exe 2224 vpjpv.exe 3732 7rfxxxf.exe 4156 jdjdv.exe 4740 tnnhbb.exe 1020 fxlfrrr.exe 2012 5nnhbb.exe 880 xxxxrrr.exe 1528 3bhbhb.exe 4192 dvvpp.exe 4108 nntthh.exe 1068 vjdvv.exe 60 1pvvv.exe 996 3llfxxx.exe 2616 hhhhbb.exe 2924 dvdvj.exe 2484 frxrllf.exe 1168 flrllff.exe 2568 3ttnnn.exe 2280 vpjdv.exe 1864 xlxlxxx.exe 3196 1nhhhh.exe 2332 9nnhbb.exe 2596 1jjdd.exe 4380 fxfrrll.exe 2384 btthbb.exe 444 jpvvj.exe 3068 9fflrrl.exe 2016 rlrrrxx.exe 1056 btnhbt.exe 228 pjpjj.exe 3672 5flfxxr.exe 1636 1bhhhh.exe 1628 dpvpj.exe 3488 jjpjv.exe 3028 rxxrllf.exe 1576 bhbthh.exe 872 jpvvv.exe 3648 pjpjd.exe 2744 xxllflr.exe 3900 7lffflf.exe -
resource yara_rule behavioral2/memory/1748-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-130-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2224-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-300-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3900-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-889-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
rllflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1748 wrote to memory of 1064 1748 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 83 PID 1748 wrote to memory of 1064 1748 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 83 PID 1748 wrote to memory of 1064 1748 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 83 PID 1064 wrote to memory of 836 1064 1jjdv.exe 84 PID 1064 wrote to memory of 836 1064 1jjdv.exe 84 PID 1064 wrote to memory of 836 1064 1jjdv.exe 84 PID 836 wrote to memory of 3368 836 5ffrflx.exe 85 PID 836 wrote to memory of 3368 836 5ffrflx.exe 85 PID 836 wrote to memory of 3368 836 5ffrflx.exe 85 PID 3368 wrote to memory of 1960 3368 tnnnbb.exe 86 PID 3368 wrote to memory of 1960 3368 tnnnbb.exe 86 PID 3368 wrote to memory of 1960 3368 tnnnbb.exe 86 PID 1960 wrote to memory of 3912 1960 pdjdv.exe 87 PID 1960 wrote to memory of 3912 1960 pdjdv.exe 87 PID 1960 wrote to memory of 3912 1960 pdjdv.exe 87 PID 3912 wrote to memory of 320 3912 3lrlfxx.exe 88 PID 3912 wrote to memory of 320 3912 3lrlfxx.exe 88 PID 3912 wrote to memory of 320 3912 3lrlfxx.exe 88 PID 320 wrote to memory of 2668 320 7jvvd.exe 89 PID 320 wrote to memory of 2668 320 7jvvd.exe 89 PID 320 wrote to memory of 2668 320 7jvvd.exe 89 PID 2668 wrote to memory of 4124 2668 hhtnhh.exe 90 PID 2668 wrote to memory of 4124 2668 hhtnhh.exe 90 PID 2668 wrote to memory of 4124 2668 hhtnhh.exe 90 PID 4124 wrote to memory of 2612 4124 rrrllll.exe 91 PID 4124 wrote to memory of 2612 4124 rrrllll.exe 91 PID 4124 wrote to memory of 2612 4124 rrrllll.exe 91 PID 2612 wrote to memory of 5104 2612 7jppj.exe 92 PID 2612 wrote to memory of 5104 2612 7jppj.exe 92 PID 2612 wrote to memory of 5104 2612 7jppj.exe 92 PID 5104 wrote to memory of 4800 5104 1frrxxl.exe 93 PID 5104 wrote to memory of 4800 5104 1frrxxl.exe 93 PID 5104 wrote to memory of 4800 5104 1frrxxl.exe 93 PID 4800 wrote to memory of 2944 4800 5dpjp.exe 94 PID 4800 wrote to memory of 2944 4800 
5dpjp.exe 94 PID 4800 wrote to memory of 2944 4800 5dpjp.exe 94 PID 2944 wrote to memory of 2936 2944 tnhnnb.exe 95 PID 2944 wrote to memory of 2936 2944 tnhnnb.exe 95 PID 2944 wrote to memory of 2936 2944 tnhnnb.exe 95 PID 2936 wrote to memory of 4084 2936 5ffxrrl.exe 96 PID 2936 wrote to memory of 4084 2936 5ffxrrl.exe 96 PID 2936 wrote to memory of 4084 2936 5ffxrrl.exe 96 PID 4084 wrote to memory of 3336 4084 tnbhhh.exe 97 PID 4084 wrote to memory of 3336 4084 tnbhhh.exe 97 PID 4084 wrote to memory of 3336 4084 tnbhhh.exe 97 PID 3336 wrote to memory of 4936 3336 vjdvv.exe 98 PID 3336 wrote to memory of 4936 3336 vjdvv.exe 98 PID 3336 wrote to memory of 4936 3336 vjdvv.exe 98 PID 4936 wrote to memory of 2784 4936 bbnnnb.exe 99 PID 4936 wrote to memory of 2784 4936 bbnnnb.exe 99 PID 4936 wrote to memory of 2784 4936 bbnnnb.exe 99 PID 2784 wrote to memory of 3904 2784 pjvpv.exe 100 PID 2784 wrote to memory of 3904 2784 pjvpv.exe 100 PID 2784 wrote to memory of 3904 2784 pjvpv.exe 100 PID 3904 wrote to memory of 1008 3904 hbttnt.exe 101 PID 3904 wrote to memory of 1008 3904 hbttnt.exe 101 PID 3904 wrote to memory of 1008 3904 hbttnt.exe 101 PID 1008 wrote to memory of 3376 1008 thhhbb.exe 102 PID 1008 wrote to memory of 3376 1008 thhhbb.exe 102 PID 1008 wrote to memory of 3376 1008 thhhbb.exe 102 PID 3376 wrote to memory of 3328 3376 1llrfll.exe 103 PID 3376 wrote to memory of 3328 3376 1llrfll.exe 103 PID 3376 wrote to memory of 3328 3376 1llrfll.exe 103 PID 3328 wrote to memory of 1476 3328 dddpj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe"C:\Users\Admin\AppData\Local\Temp\672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\1jjdv.exec:\1jjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\5ffrflx.exec:\5ffrflx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\tnnnbb.exec:\tnnnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\pdjdv.exec:\pdjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\3lrlfxx.exec:\3lrlfxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\7jvvd.exec:\7jvvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\hhtnhh.exec:\hhtnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\rrrllll.exec:\rrrllll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\7jppj.exec:\7jppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\1frrxxl.exec:\1frrxxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\5dpjp.exec:\5dpjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\tnhnnb.exec:\tnhnnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\5ffxrrl.exec:\5ffxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\tnbhhh.exec:\tnbhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\vjdvv.exec:\vjdvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\bbnnnb.exec:\bbnnnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\pjvpv.exec:\pjvpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\hbttnt.exec:\hbttnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\thhhbb.exec:\thhhbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\1llrfll.exec:\1llrfll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\dddpj.exec:\dddpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\lllfxxr.exec:\lllfxxr.exe23⤵
- Executes dropped EXE
PID:1476 -
\??\c:\pjjjd.exec:\pjjjd.exe24⤵
- Executes dropped EXE
PID:3124 -
\??\c:\9nnhnb.exec:\9nnhnb.exe25⤵
- Executes dropped EXE
PID:4464 -
\??\c:\vpjpv.exec:\vpjpv.exe26⤵
- Executes dropped EXE
PID:2224 -
\??\c:\7rfxxxf.exec:\7rfxxxf.exe27⤵
- Executes dropped EXE
PID:3732 -
\??\c:\jdjdv.exec:\jdjdv.exe28⤵
- Executes dropped EXE
PID:4156 -
\??\c:\tnnhbb.exec:\tnnhbb.exe29⤵
- Executes dropped EXE
PID:4740 -
\??\c:\fxlfrrr.exec:\fxlfrrr.exe30⤵
- Executes dropped EXE
PID:1020 -
\??\c:\5nnhbb.exec:\5nnhbb.exe31⤵
- Executes dropped EXE
PID:2012 -
\??\c:\xxxxrrr.exec:\xxxxrrr.exe32⤵
- Executes dropped EXE
PID:880 -
\??\c:\3bhbhb.exec:\3bhbhb.exe33⤵
- Executes dropped EXE
PID:1528 -
\??\c:\dvvpp.exec:\dvvpp.exe34⤵
- Executes dropped EXE
PID:4192 -
\??\c:\nntthh.exec:\nntthh.exe35⤵
- Executes dropped EXE
PID:4108 -
\??\c:\vjdvv.exec:\vjdvv.exe36⤵
- Executes dropped EXE
PID:1068 -
\??\c:\1pvvv.exec:\1pvvv.exe37⤵
- Executes dropped EXE
PID:60 -
\??\c:\3llfxxx.exec:\3llfxxx.exe38⤵
- Executes dropped EXE
PID:996 -
\??\c:\hhhhbb.exec:\hhhhbb.exe39⤵
- Executes dropped EXE
PID:2616 -
\??\c:\dvdvj.exec:\dvdvj.exe40⤵
- Executes dropped EXE
PID:2924 -
\??\c:\frxrllf.exec:\frxrllf.exe41⤵
- Executes dropped EXE
PID:2484 -
\??\c:\flrllff.exec:\flrllff.exe42⤵
- Executes dropped EXE
PID:1168 -
\??\c:\3ttnnn.exec:\3ttnnn.exe43⤵
- Executes dropped EXE
PID:2568 -
\??\c:\vpjdv.exec:\vpjdv.exe44⤵
- Executes dropped EXE
PID:2280 -
\??\c:\xlxlxxx.exec:\xlxlxxx.exe45⤵
- Executes dropped EXE
PID:1864 -
\??\c:\1nhhhh.exec:\1nhhhh.exe46⤵
- Executes dropped EXE
PID:3196 -
\??\c:\9nnhbb.exec:\9nnhbb.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332 -
\??\c:\1jjdd.exec:\1jjdd.exe48⤵
- Executes dropped EXE
PID:2596 -
\??\c:\fxfrrll.exec:\fxfrrll.exe49⤵
- Executes dropped EXE
PID:4380 -
\??\c:\btthbb.exec:\btthbb.exe50⤵
- Executes dropped EXE
PID:2384 -
\??\c:\jpvvj.exec:\jpvvj.exe51⤵
- Executes dropped EXE
PID:444 -
\??\c:\9fflrrl.exec:\9fflrrl.exe52⤵
- Executes dropped EXE
PID:3068 -
\??\c:\rlrrrxx.exec:\rlrrrxx.exe53⤵
- Executes dropped EXE
PID:2016 -
\??\c:\btnhbt.exec:\btnhbt.exe54⤵
- Executes dropped EXE
PID:1056 -
\??\c:\pjpjj.exec:\pjpjj.exe55⤵
- Executes dropped EXE
PID:228 -
\??\c:\5flfxxr.exec:\5flfxxr.exe56⤵
- Executes dropped EXE
PID:3672 -
\??\c:\1bhhhh.exec:\1bhhhh.exe57⤵
- Executes dropped EXE
PID:1636 -
\??\c:\dpvpj.exec:\dpvpj.exe58⤵
- Executes dropped EXE
PID:1628 -
\??\c:\jjpjv.exec:\jjpjv.exe59⤵
- Executes dropped EXE
PID:3488 -
\??\c:\rxxrllf.exec:\rxxrllf.exe60⤵
- Executes dropped EXE
PID:3028 -
\??\c:\bhbthh.exec:\bhbthh.exe61⤵
- Executes dropped EXE
PID:1576 -
\??\c:\jpvvv.exec:\jpvvv.exe62⤵
- Executes dropped EXE
PID:872 -
\??\c:\pjpjd.exec:\pjpjd.exe63⤵
- Executes dropped EXE
PID:3648 -
\??\c:\xxllflr.exec:\xxllflr.exe64⤵
- Executes dropped EXE
PID:2744 -
\??\c:\7lffflf.exec:\7lffflf.exe65⤵
- Executes dropped EXE
PID:3900 -
\??\c:\hhbttn.exec:\hhbttn.exe66⤵PID:4400
-
\??\c:\jdpvj.exec:\jdpvj.exe67⤵PID:4544
-
\??\c:\llxrffr.exec:\llxrffr.exe68⤵PID:1964
-
\??\c:\hbnhbh.exec:\hbnhbh.exe69⤵PID:4808
-
\??\c:\ddjdd.exec:\ddjdd.exe70⤵PID:2540
-
\??\c:\lfrfffx.exec:\lfrfffx.exe71⤵PID:4296
-
\??\c:\5btnnn.exec:\5btnnn.exe72⤵PID:2792
-
\??\c:\tbthhn.exec:\tbthhn.exe73⤵PID:2400
-
\??\c:\jjjpp.exec:\jjjpp.exe74⤵PID:4628
-
\??\c:\lrxxrxx.exec:\lrxxrxx.exe75⤵PID:1772
-
\??\c:\bbtnhn.exec:\bbtnhn.exe76⤵PID:1824
-
\??\c:\7ppjd.exec:\7ppjd.exe77⤵PID:4308
-
\??\c:\fxfxlll.exec:\fxfxlll.exe78⤵PID:4336
-
\??\c:\xrxrrrr.exec:\xrxrrrr.exe79⤵PID:1444
-
\??\c:\5bhbtn.exec:\5bhbtn.exe80⤵PID:4452
-
\??\c:\jvdjd.exec:\jvdjd.exe81⤵PID:3124
-
\??\c:\xfrllll.exec:\xfrllll.exe82⤵PID:2068
-
\??\c:\3bthbb.exec:\3bthbb.exe83⤵PID:724
-
\??\c:\vpddj.exec:\vpddj.exe84⤵PID:2620
-
\??\c:\9jdvp.exec:\9jdvp.exe85⤵PID:1264
-
\??\c:\rrxrllf.exec:\rrxrllf.exe86⤵PID:2084
-
\??\c:\hbhnbn.exec:\hbhnbn.exe87⤵PID:688
-
\??\c:\jpvvd.exec:\jpvvd.exe88⤵PID:4740
-
\??\c:\rflfxxr.exec:\rflfxxr.exe89⤵PID:3172
-
\??\c:\llrlffl.exec:\llrlffl.exe90⤵PID:2012
-
\??\c:\9tbttt.exec:\9tbttt.exe91⤵PID:2624
-
\??\c:\djjjj.exec:\djjjj.exe92⤵PID:3428
-
\??\c:\5xxrfff.exec:\5xxrfff.exe93⤵PID:864
-
\??\c:\rfxxxrf.exec:\rfxxxrf.exe94⤵PID:4192
-
\??\c:\bbnntt.exec:\bbnntt.exe95⤵PID:4108
-
\??\c:\pvdvj.exec:\pvdvj.exe96⤵PID:3776
-
\??\c:\xxxrllf.exec:\xxxrllf.exe97⤵PID:2984
-
\??\c:\rxffrrr.exec:\rxffrrr.exe98⤵PID:996
-
\??\c:\3ntnnh.exec:\3ntnnh.exe99⤵PID:2752
-
\??\c:\ddjdd.exec:\ddjdd.exe100⤵PID:3412
-
\??\c:\9rrfxll.exec:\9rrfxll.exe101⤵PID:4684
-
\??\c:\hhhbhb.exec:\hhhbhb.exe102⤵PID:4604
-
\??\c:\bhttnn.exec:\bhttnn.exe103⤵PID:2044
-
\??\c:\vdpvj.exec:\vdpvj.exe104⤵PID:2180
-
\??\c:\1xfxrrl.exec:\1xfxrrl.exe105⤵PID:1808
-
\??\c:\9xfffff.exec:\9xfffff.exe106⤵PID:1212
-
\??\c:\htnnhh.exec:\htnnhh.exe107⤵PID:3196
-
\??\c:\9vjdv.exec:\9vjdv.exe108⤵PID:4388
-
\??\c:\frxxllr.exec:\frxxllr.exe109⤵PID:2596
-
\??\c:\tnbbht.exec:\tnbbht.exe110⤵PID:4540
-
\??\c:\7ppjd.exec:\7ppjd.exe111⤵PID:404
-
\??\c:\vvdvv.exec:\vvdvv.exe112⤵PID:1064
-
\??\c:\5fxlffr.exec:\5fxlffr.exe113⤵PID:3256
-
\??\c:\nnntnn.exec:\nnntnn.exe114⤵PID:964
-
\??\c:\pjvjv.exec:\pjvjv.exe115⤵PID:532
-
\??\c:\3djvd.exec:\3djvd.exe116⤵PID:1120
-
\??\c:\xflxrlf.exec:\xflxrlf.exe117⤵PID:4256
-
\??\c:\9bbtbb.exec:\9bbtbb.exe118⤵PID:4456
-
\??\c:\vvdpj.exec:\vvdpj.exe119⤵PID:3972
-
\??\c:\dpvdj.exec:\dpvdj.exe120⤵PID:1448
-
\??\c:\fllxlfx.exec:\fllxlfx.exe121⤵PID:3992
-
\??\c:\ttbthh.exec:\ttbthh.exe122⤵PID:3528
-