Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe
-
Size
456KB
-
MD5
1275ac8c581a0c7b5144340f4c05df69
-
SHA1
da9f1de28ae1eebc93d597b16973d99ba395ca9a
-
SHA256
bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c
-
SHA512
8a249fae4020eff9514b4bca0a42edb24a18cc2c0e1a81078c40daf7580bd254f1139f75eb51fc4465c359e730d54a768f85b09194a3c2933dc15fa8711d34d8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR6:q7Tc2NYHUrAwfMp3CDR6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3188-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/560-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1488-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2812-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/604-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4528-1404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3240 nhhhhh.exe 5024 vjvdv.exe 4968 9rxlffx.exe 4852 tbhbtt.exe 1964 pjppp.exe 3760 9bbntb.exe 5028 7jjjd.exe 1604 nbhhbb.exe 560 jdvpv.exe 1724 llffxxr.exe 2940 3thbnt.exe 868 dppjd.exe 1104 1nnhbb.exe 4800 lfrrrrr.exe 3852 vjjdd.exe 2416 5pvpp.exe 8 rrffxrf.exe 2148 3ntnhh.exe 3588 pjjdv.exe 3580 hhbbtt.exe 1400 frfxrlf.exe 5056 hbhnhh.exe 4516 jjjjd.exe 1488 tbhbbb.exe 2792 9vvpj.exe 2076 xrfxrrl.exe 1168 tbhhbb.exe 2320 jddjj.exe 4272 xfffxxr.exe 1588 flfrlll.exe 2136 1bbttt.exe 3272 lflflfx.exe 3888 hbbttt.exe 1864 5pjdv.exe 5008 9tnthb.exe 4740 bhbbnb.exe 2124 pdpdp.exe 1448 9lflxrf.exe 4988 3tnhtn.exe 4772 vvvvj.exe 4024 xrfrrlr.exe 3368 tnbtnh.exe 2400 5ppdv.exe 2752 1pjvj.exe 3584 xllfxxx.exe 3060 5hbnhb.exe 4132 jppjj.exe 3552 7rfrfrl.exe 2692 tbbnhn.exe 1144 vpdvp.exe 4416 9rlxlfx.exe 4904 xfxxlxr.exe 1452 3bntnh.exe 1652 1ddpd.exe 5028 rrffffl.exe 1220 flxrffr.exe 1604 7hhtht.exe 1704 vjpdp.exe 860 lrxrxfx.exe 2412 tnthtn.exe 888 vdjvp.exe 3436 xlxxrlr.exe 1196 9rxlfxl.exe 3024 thhbth.exe -
resource yara_rule behavioral2/memory/3188-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/560-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1488-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-348-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/748-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/604-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-598-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flffrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3188 wrote to memory of 3240 3188 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 82 PID 3188 wrote to memory of 3240 3188 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 82 PID 3188 wrote to memory of 3240 3188 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 82 PID 3240 wrote to memory of 5024 3240 nhhhhh.exe 83 PID 3240 wrote to memory of 5024 3240 nhhhhh.exe 83 PID 3240 wrote to memory of 5024 3240 nhhhhh.exe 83 PID 5024 wrote to memory of 4968 5024 vjvdv.exe 84 PID 5024 wrote to memory of 4968 5024 vjvdv.exe 84 PID 5024 wrote to memory of 4968 5024 vjvdv.exe 84 PID 4968 wrote to memory of 4852 4968 9rxlffx.exe 85 PID 4968 wrote to memory of 4852 4968 9rxlffx.exe 85 PID 4968 wrote to memory of 4852 4968 9rxlffx.exe 85 PID 4852 wrote to memory of 1964 4852 tbhbtt.exe 86 PID 4852 wrote to memory of 1964 4852 tbhbtt.exe 86 PID 4852 wrote to memory of 1964 4852 tbhbtt.exe 86 PID 1964 wrote to memory of 3760 1964 pjppp.exe 87 PID 1964 wrote to memory of 3760 1964 pjppp.exe 87 PID 1964 wrote to memory of 3760 1964 pjppp.exe 87 PID 3760 wrote to memory of 5028 3760 9bbntb.exe 88 PID 3760 wrote to memory of 5028 3760 9bbntb.exe 88 PID 3760 wrote to memory of 5028 3760 9bbntb.exe 88 PID 5028 wrote to memory of 1604 5028 7jjjd.exe 89 PID 5028 wrote to memory of 1604 5028 7jjjd.exe 89 PID 5028 wrote to memory of 1604 5028 7jjjd.exe 89 PID 1604 wrote to memory of 560 1604 nbhhbb.exe 90 PID 1604 wrote to memory of 560 1604 nbhhbb.exe 90 PID 1604 wrote to memory of 560 1604 nbhhbb.exe 90 PID 560 wrote to memory of 1724 560 jdvpv.exe 91 PID 560 wrote to memory of 1724 560 jdvpv.exe 91 PID 560 wrote to memory of 1724 560 jdvpv.exe 91 PID 1724 wrote to memory of 2940 1724 llffxxr.exe 92 PID 1724 wrote to memory of 2940 1724 llffxxr.exe 92 PID 1724 wrote to memory of 2940 1724 llffxxr.exe 92 PID 2940 wrote to memory of 868 2940 3thbnt.exe 93 PID 2940 wrote to memory of 868 
2940 3thbnt.exe 93 PID 2940 wrote to memory of 868 2940 3thbnt.exe 93 PID 868 wrote to memory of 1104 868 dppjd.exe 94 PID 868 wrote to memory of 1104 868 dppjd.exe 94 PID 868 wrote to memory of 1104 868 dppjd.exe 94 PID 1104 wrote to memory of 4800 1104 1nnhbb.exe 95 PID 1104 wrote to memory of 4800 1104 1nnhbb.exe 95 PID 1104 wrote to memory of 4800 1104 1nnhbb.exe 95 PID 4800 wrote to memory of 3852 4800 lfrrrrr.exe 96 PID 4800 wrote to memory of 3852 4800 lfrrrrr.exe 96 PID 4800 wrote to memory of 3852 4800 lfrrrrr.exe 96 PID 3852 wrote to memory of 2416 3852 vjjdd.exe 97 PID 3852 wrote to memory of 2416 3852 vjjdd.exe 97 PID 3852 wrote to memory of 2416 3852 vjjdd.exe 97 PID 2416 wrote to memory of 8 2416 5pvpp.exe 98 PID 2416 wrote to memory of 8 2416 5pvpp.exe 98 PID 2416 wrote to memory of 8 2416 5pvpp.exe 98 PID 8 wrote to memory of 2148 8 rrffxrf.exe 99 PID 8 wrote to memory of 2148 8 rrffxrf.exe 99 PID 8 wrote to memory of 2148 8 rrffxrf.exe 99 PID 2148 wrote to memory of 3588 2148 3ntnhh.exe 100 PID 2148 wrote to memory of 3588 2148 3ntnhh.exe 100 PID 2148 wrote to memory of 3588 2148 3ntnhh.exe 100 PID 3588 wrote to memory of 3580 3588 pjjdv.exe 101 PID 3588 wrote to memory of 3580 3588 pjjdv.exe 101 PID 3588 wrote to memory of 3580 3588 pjjdv.exe 101 PID 3580 wrote to memory of 1400 3580 hhbbtt.exe 102 PID 3580 wrote to memory of 1400 3580 hhbbtt.exe 102 PID 3580 wrote to memory of 1400 3580 hhbbtt.exe 102 PID 1400 wrote to memory of 5056 1400 frfxrlf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe"C:\Users\Admin\AppData\Local\Temp\bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\nhhhhh.exec:\nhhhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\vjvdv.exec:\vjvdv.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\9rxlffx.exec:\9rxlffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\tbhbtt.exec:\tbhbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\pjppp.exec:\pjppp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\9bbntb.exec:\9bbntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\7jjjd.exec:\7jjjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\nbhhbb.exec:\nbhhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\jdvpv.exec:\jdvpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:560 -
\??\c:\llffxxr.exec:\llffxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\3thbnt.exec:\3thbnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\dppjd.exec:\dppjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\1nnhbb.exec:\1nnhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\lfrrrrr.exec:\lfrrrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\vjjdd.exec:\vjjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\5pvpp.exec:\5pvpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\rrffxrf.exec:\rrffxrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\3ntnhh.exec:\3ntnhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\pjjdv.exec:\pjjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\hhbbtt.exec:\hhbbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\frfxrlf.exec:\frfxrlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\hbhnhh.exec:\hbhnhh.exe23⤵
- Executes dropped EXE
PID:5056 -
\??\c:\jjjjd.exec:\jjjjd.exe24⤵
- Executes dropped EXE
PID:4516 -
\??\c:\tbhbbb.exec:\tbhbbb.exe25⤵
- Executes dropped EXE
PID:1488 -
\??\c:\9vvpj.exec:\9vvpj.exe26⤵
- Executes dropped EXE
PID:2792 -
\??\c:\xrfxrrl.exec:\xrfxrrl.exe27⤵
- Executes dropped EXE
PID:2076 -
\??\c:\tbhhbb.exec:\tbhhbb.exe28⤵
- Executes dropped EXE
PID:1168 -
\??\c:\jddjj.exec:\jddjj.exe29⤵
- Executes dropped EXE
PID:2320 -
\??\c:\xfffxxr.exec:\xfffxxr.exe30⤵
- Executes dropped EXE
PID:4272 -
\??\c:\flfrlll.exec:\flfrlll.exe31⤵
- Executes dropped EXE
PID:1588 -
\??\c:\1bbttt.exec:\1bbttt.exe32⤵
- Executes dropped EXE
PID:2136 -
\??\c:\lflflfx.exec:\lflflfx.exe33⤵
- Executes dropped EXE
PID:3272 -
\??\c:\hbbttt.exec:\hbbttt.exe34⤵
- Executes dropped EXE
PID:3888 -
\??\c:\5pjdv.exec:\5pjdv.exe35⤵
- Executes dropped EXE
PID:1864 -
\??\c:\9tnthb.exec:\9tnthb.exe36⤵
- Executes dropped EXE
PID:5008 -
\??\c:\bhbbnb.exec:\bhbbnb.exe37⤵
- Executes dropped EXE
PID:4740 -
\??\c:\pdpdp.exec:\pdpdp.exe38⤵
- Executes dropped EXE
PID:2124 -
\??\c:\9lflxrf.exec:\9lflxrf.exe39⤵
- Executes dropped EXE
PID:1448 -
\??\c:\3tnhtn.exec:\3tnhtn.exe40⤵
- Executes dropped EXE
PID:4988 -
\??\c:\vvvvj.exec:\vvvvj.exe41⤵
- Executes dropped EXE
PID:4772 -
\??\c:\xrfrrlr.exec:\xrfrrlr.exe42⤵
- Executes dropped EXE
PID:4024 -
\??\c:\tnbtnh.exec:\tnbtnh.exe43⤵
- Executes dropped EXE
PID:3368 -
\??\c:\5ppdv.exec:\5ppdv.exe44⤵
- Executes dropped EXE
PID:2400 -
\??\c:\1pjvj.exec:\1pjvj.exe45⤵
- Executes dropped EXE
PID:2752 -
\??\c:\xllfxxx.exec:\xllfxxx.exe46⤵
- Executes dropped EXE
PID:3584 -
\??\c:\5hbnhb.exec:\5hbnhb.exe47⤵
- Executes dropped EXE
PID:3060 -
\??\c:\jppjj.exec:\jppjj.exe48⤵
- Executes dropped EXE
PID:4132 -
\??\c:\7rfrfrl.exec:\7rfrfrl.exe49⤵
- Executes dropped EXE
PID:3552 -
\??\c:\tbbnhn.exec:\tbbnhn.exe50⤵
- Executes dropped EXE
PID:2692 -
\??\c:\vpdvp.exec:\vpdvp.exe51⤵
- Executes dropped EXE
PID:1144 -
\??\c:\9rlxlfx.exec:\9rlxlfx.exe52⤵
- Executes dropped EXE
PID:4416 -
\??\c:\xfxxlxr.exec:\xfxxlxr.exe53⤵
- Executes dropped EXE
PID:4904 -
\??\c:\3bntnh.exec:\3bntnh.exe54⤵
- Executes dropped EXE
PID:1452 -
\??\c:\1ddpd.exec:\1ddpd.exe55⤵
- Executes dropped EXE
PID:1652 -
\??\c:\rrffffl.exec:\rrffffl.exe56⤵
- Executes dropped EXE
PID:5028 -
\??\c:\flxrffr.exec:\flxrffr.exe57⤵
- Executes dropped EXE
PID:1220 -
\??\c:\7hhtht.exec:\7hhtht.exe58⤵
- Executes dropped EXE
PID:1604 -
\??\c:\vjpdp.exec:\vjpdp.exe59⤵
- Executes dropped EXE
PID:1704 -
\??\c:\lrxrxfx.exec:\lrxrxfx.exe60⤵
- Executes dropped EXE
PID:860 -
\??\c:\tnthtn.exec:\tnthtn.exe61⤵
- Executes dropped EXE
PID:2412 -
\??\c:\vdjvp.exec:\vdjvp.exe62⤵
- Executes dropped EXE
PID:888 -
\??\c:\xlxxrlr.exec:\xlxxrlr.exe63⤵
- Executes dropped EXE
PID:3436 -
\??\c:\9rxlfxl.exec:\9rxlfxl.exe64⤵
- Executes dropped EXE
PID:1196 -
\??\c:\thhbth.exec:\thhbth.exe65⤵
- Executes dropped EXE
PID:3024 -
\??\c:\pjdvj.exec:\pjdvj.exe66⤵PID:4924
-
\??\c:\xffrfxl.exec:\xffrfxl.exe67⤵PID:2664
-
\??\c:\7flxxrr.exec:\7flxxrr.exe68⤵PID:224
-
\??\c:\hbttnh.exec:\hbttnh.exe69⤵PID:8
-
\??\c:\pjjvp.exec:\pjjvp.exe70⤵PID:3720
-
\??\c:\xlrffxr.exec:\xlrffxr.exe71⤵PID:1436
-
\??\c:\tnhttn.exec:\tnhttn.exe72⤵PID:544
-
\??\c:\jdpdv.exec:\jdpdv.exe73⤵PID:2976
-
\??\c:\rlllxlx.exec:\rlllxlx.exe74⤵PID:2464
-
\??\c:\tnbttn.exec:\tnbttn.exe75⤵PID:1764
-
\??\c:\3ppjj.exec:\3ppjj.exe76⤵PID:404
-
\??\c:\ppvpp.exec:\ppvpp.exe77⤵PID:5072
-
\??\c:\fxfrlrl.exec:\fxfrlrl.exe78⤵PID:2812
-
\??\c:\tnnnbb.exec:\tnnnbb.exe79⤵PID:1488
-
\??\c:\vpjpd.exec:\vpjpd.exe80⤵PID:748
-
\??\c:\rxxrfxr.exec:\rxxrfxr.exe81⤵PID:3784
-
\??\c:\hbnbtn.exec:\hbnbtn.exe82⤵PID:372
-
\??\c:\7jjdd.exec:\7jjdd.exe83⤵PID:1740
-
\??\c:\5xrllfx.exec:\5xrllfx.exe84⤵PID:3968
-
\??\c:\thhbhb.exec:\thhbhb.exe85⤵PID:2700
-
\??\c:\vddvp.exec:\vddvp.exe86⤵PID:4080
-
\??\c:\xrrfrlf.exec:\xrrfrlf.exe87⤵PID:5080
-
\??\c:\tnhtbb.exec:\tnhtbb.exe88⤵PID:1084
-
\??\c:\ttttnt.exec:\ttttnt.exe89⤵PID:3264
-
\??\c:\dvdjd.exec:\dvdjd.exe90⤵PID:2216
-
\??\c:\rfxrffr.exec:\rfxrffr.exe91⤵PID:676
-
\??\c:\tnnhbt.exec:\tnnhbt.exe92⤵PID:4592
-
\??\c:\1bbbtt.exec:\1bbbtt.exe93⤵PID:4496
-
\??\c:\ddvdj.exec:\ddvdj.exe94⤵PID:4748
-
\??\c:\lrrfxrf.exec:\lrrfxrf.exe95⤵PID:4364
-
\??\c:\nhhtbt.exec:\nhhtbt.exe96⤵PID:3084
-
\??\c:\jjpvv.exec:\jjpvv.exe97⤵PID:3188
-
\??\c:\djjjd.exec:\djjjd.exe98⤵
- System Location Discovery: System Language Discovery
PID:4836 -
\??\c:\xlxxxxx.exec:\xlxxxxx.exe99⤵PID:4340
-
\??\c:\9ttnhh.exec:\9ttnhh.exe100⤵PID:3552
-
\??\c:\ntnnnt.exec:\ntnnnt.exe101⤵PID:2692
-
\??\c:\pdjdv.exec:\pdjdv.exe102⤵PID:4552
-
\??\c:\rllfxxr.exec:\rllfxxr.exe103⤵PID:1964
-
\??\c:\ddjpj.exec:\ddjpj.exe104⤵PID:4904
-
\??\c:\xrlllrl.exec:\xrlllrl.exe105⤵PID:464
-
\??\c:\bhbbbh.exec:\bhbbbh.exe106⤵PID:516
-
\??\c:\nttnhh.exec:\nttnhh.exe107⤵PID:4908
-
\??\c:\ddpvd.exec:\ddpvd.exe108⤵PID:1220
-
\??\c:\5lllflf.exec:\5lllflf.exe109⤵PID:1604
-
\??\c:\nnhbth.exec:\nnhbth.exe110⤵PID:3804
-
\??\c:\tbtnnn.exec:\tbtnnn.exe111⤵PID:4992
-
\??\c:\ddvdv.exec:\ddvdv.exe112⤵PID:4672
-
\??\c:\3rrrxxr.exec:\3rrrxxr.exe113⤵PID:4780
-
\??\c:\rfllrxf.exec:\rfllrxf.exe114⤵PID:888
-
\??\c:\9bbbtt.exec:\9bbbtt.exe115⤵PID:3436
-
\??\c:\jvjpp.exec:\jvjpp.exe116⤵PID:1196
-
\??\c:\vvdjd.exec:\vvdjd.exe117⤵PID:3024
-
\??\c:\xrxrrrx.exec:\xrxrrrx.exe118⤵PID:2416
-
\??\c:\hbthtn.exec:\hbthtn.exe119⤵PID:2664
-
\??\c:\ppvvv.exec:\ppvvv.exe120⤵PID:3336
-
\??\c:\xrfxfxf.exec:\xrfxfxf.exe121⤵PID:1664
-
\??\c:\rxrfxrl.exec:\rxrfxrl.exe122⤵PID:856