Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe
-
Size
454KB
-
MD5
347ec512fa1836bfdad699e568f3ae3a
-
SHA1
703f2d9978965835ef0e7d6c01f82a7ca26c0ec4
-
SHA256
c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3
-
SHA512
f9afaa77cb35ed4dd628e30b91d85527e1645ef9fb329d108d2cb9b019df76d7094a95e3a013a42fc942b0d11702ffea299e794c204f88b658161f9d27db57c7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3636-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4852-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3488-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-1039-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-1193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-1302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-1590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-1789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4348-5085-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3976 ttnhhh.exe 4080 jdjdd.exe 4904 lllxrrl.exe 2588 3tnnhh.exe 1968 flrlxxr.exe 4016 rxfxrlf.exe 412 3ffxrrl.exe 4284 dvdvp.exe 4336 fxfxrrl.exe 2544 5dpjd.exe 1476 5rrrlrr.exe 732 tnbbbh.exe 3896 vddvp.exe 1768 fxrllff.exe 1680 dvvdp.exe 1744 bthntt.exe 2944 bbtntt.exe 4636 dpvvp.exe 3888 9rxxrrr.exe 1800 jdpvd.exe 1472 llxrlrr.exe 740 tbtbtt.exe 5008 bbhhnb.exe 2332 nnnnhh.exe 3508 vvjjj.exe 4852 hhtbnn.exe 4052 ttttnn.exe 4668 hhttbh.exe 4916 3thbbh.exe 4260 ppvpp.exe 4456 vvdpv.exe 1256 httnhh.exe 1888 tttnnn.exe 4364 nttbtb.exe 3600 pjpjd.exe 4472 lllxrff.exe 2172 thtnnh.exe 2696 dvddd.exe 1008 llrlfff.exe 3628 7hhbtn.exe 1320 7vvjd.exe 2772 rrrrlxl.exe 3340 hbhbtt.exe 1536 dvjdv.exe 3372 jvpjd.exe 4292 fxrlfxr.exe 4304 ntbttb.exe 220 tbbbnh.exe 3976 1djdd.exe 620 lrfxlxr.exe 2844 5bbtnn.exe 1764 dpjdp.exe 4904 5vdpj.exe 780 lxlxxfl.exe 524 nbbntn.exe 1516 bntnhh.exe 2268 vvdvp.exe 4392 fflxrrl.exe 2584 tnbtbb.exe 2756 ppppj.exe 4756 vpjdd.exe 1216 1llxrrf.exe 1120 thnttn.exe 1344 vjvpp.exe -
resource yara_rule behavioral2/memory/3636-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4052-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-379-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4600-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-1039-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-1193-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvp.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3636 wrote to memory of 3976 3636 c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe 84 PID 3636 wrote to memory of 3976 3636 c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe 84 PID 3636 wrote to memory of 3976 3636 c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe 84 PID 3976 wrote to memory of 4080 3976 ttnhhh.exe 85 PID 3976 wrote to memory of 4080 3976 ttnhhh.exe 85 PID 3976 wrote to memory of 4080 3976 ttnhhh.exe 85 PID 4080 wrote to memory of 4904 4080 jdjdd.exe 86 PID 4080 wrote to memory of 4904 4080 jdjdd.exe 86 PID 4080 wrote to memory of 4904 4080 jdjdd.exe 86 PID 4904 wrote to memory of 2588 4904 lllxrrl.exe 87 PID 4904 wrote to memory of 2588 4904 lllxrrl.exe 87 PID 4904 wrote to memory of 2588 4904 lllxrrl.exe 87 PID 2588 wrote to memory of 1968 2588 3tnnhh.exe 88 PID 2588 wrote to memory of 1968 2588 3tnnhh.exe 88 PID 2588 wrote to memory of 1968 2588 3tnnhh.exe 88 PID 1968 wrote to memory of 4016 1968 flrlxxr.exe 89 PID 1968 wrote to memory of 4016 1968 flrlxxr.exe 89 PID 1968 wrote to memory of 4016 1968 flrlxxr.exe 89 PID 4016 wrote to memory of 412 4016 rxfxrlf.exe 90 PID 4016 wrote to memory of 412 4016 rxfxrlf.exe 90 PID 4016 wrote to memory of 412 4016 rxfxrlf.exe 90 PID 412 wrote to memory of 4284 412 3ffxrrl.exe 91 PID 412 wrote to memory of 4284 412 3ffxrrl.exe 91 PID 412 wrote to memory of 4284 412 3ffxrrl.exe 91 PID 4284 wrote to memory of 4336 4284 dvdvp.exe 92 PID 4284 wrote to memory of 4336 4284 dvdvp.exe 92 PID 4284 wrote to memory of 4336 4284 dvdvp.exe 92 PID 4336 wrote to memory of 2544 4336 fxfxrrl.exe 93 PID 4336 wrote to memory of 2544 4336 fxfxrrl.exe 93 PID 4336 wrote to memory of 2544 4336 fxfxrrl.exe 93 PID 2544 wrote to memory of 1476 2544 5dpjd.exe 94 PID 2544 wrote to memory of 1476 2544 5dpjd.exe 94 PID 2544 wrote to memory of 1476 2544 5dpjd.exe 94 PID 1476 wrote to memory of 732 1476 5rrrlrr.exe 95 PID 1476 wrote to 
memory of 732 1476 5rrrlrr.exe 95 PID 1476 wrote to memory of 732 1476 5rrrlrr.exe 95 PID 732 wrote to memory of 3896 732 tnbbbh.exe 96 PID 732 wrote to memory of 3896 732 tnbbbh.exe 96 PID 732 wrote to memory of 3896 732 tnbbbh.exe 96 PID 3896 wrote to memory of 1768 3896 vddvp.exe 97 PID 3896 wrote to memory of 1768 3896 vddvp.exe 97 PID 3896 wrote to memory of 1768 3896 vddvp.exe 97 PID 1768 wrote to memory of 1680 1768 fxrllff.exe 98 PID 1768 wrote to memory of 1680 1768 fxrllff.exe 98 PID 1768 wrote to memory of 1680 1768 fxrllff.exe 98 PID 1680 wrote to memory of 1744 1680 dvvdp.exe 99 PID 1680 wrote to memory of 1744 1680 dvvdp.exe 99 PID 1680 wrote to memory of 1744 1680 dvvdp.exe 99 PID 1744 wrote to memory of 2944 1744 bthntt.exe 100 PID 1744 wrote to memory of 2944 1744 bthntt.exe 100 PID 1744 wrote to memory of 2944 1744 bthntt.exe 100 PID 2944 wrote to memory of 4636 2944 bbtntt.exe 101 PID 2944 wrote to memory of 4636 2944 bbtntt.exe 101 PID 2944 wrote to memory of 4636 2944 bbtntt.exe 101 PID 4636 wrote to memory of 3888 4636 dpvvp.exe 102 PID 4636 wrote to memory of 3888 4636 dpvvp.exe 102 PID 4636 wrote to memory of 3888 4636 dpvvp.exe 102 PID 3888 wrote to memory of 1800 3888 9rxxrrr.exe 103 PID 3888 wrote to memory of 1800 3888 9rxxrrr.exe 103 PID 3888 wrote to memory of 1800 3888 9rxxrrr.exe 103 PID 1800 wrote to memory of 1472 1800 jdpvd.exe 104 PID 1800 wrote to memory of 1472 1800 jdpvd.exe 104 PID 1800 wrote to memory of 1472 1800 jdpvd.exe 104 PID 1472 wrote to memory of 740 1472 llxrlrr.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe"C:\Users\Admin\AppData\Local\Temp\c125b0c5b9419c430c6d69246e84bf88eade04b6f514d76acc975af44391c6e3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\ttnhhh.exec:\ttnhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\jdjdd.exec:\jdjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\lllxrrl.exec:\lllxrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\3tnnhh.exec:\3tnnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\flrlxxr.exec:\flrlxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\3ffxrrl.exec:\3ffxrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\dvdvp.exec:\dvdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\5dpjd.exec:\5dpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\5rrrlrr.exec:\5rrrlrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\tnbbbh.exec:\tnbbbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
\??\c:\vddvp.exec:\vddvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\fxrllff.exec:\fxrllff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\dvvdp.exec:\dvvdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\bthntt.exec:\bthntt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\bbtntt.exec:\bbtntt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\dpvvp.exec:\dpvvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\9rxxrrr.exec:\9rxxrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\jdpvd.exec:\jdpvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\llxrlrr.exec:\llxrlrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\tbtbtt.exec:\tbtbtt.exe23⤵
- Executes dropped EXE
PID:740 -
\??\c:\bbhhnb.exec:\bbhhnb.exe24⤵
- Executes dropped EXE
PID:5008 -
\??\c:\nnnnhh.exec:\nnnnhh.exe25⤵
- Executes dropped EXE
PID:2332 -
\??\c:\vvjjj.exec:\vvjjj.exe26⤵
- Executes dropped EXE
PID:3508 -
\??\c:\hhtbnn.exec:\hhtbnn.exe27⤵
- Executes dropped EXE
PID:4852 -
\??\c:\ttttnn.exec:\ttttnn.exe28⤵
- Executes dropped EXE
PID:4052 -
\??\c:\hhttbh.exec:\hhttbh.exe29⤵
- Executes dropped EXE
PID:4668 -
\??\c:\3thbbh.exec:\3thbbh.exe30⤵
- Executes dropped EXE
PID:4916 -
\??\c:\ppvpp.exec:\ppvpp.exe31⤵
- Executes dropped EXE
PID:4260 -
\??\c:\vvdpv.exec:\vvdpv.exe32⤵
- Executes dropped EXE
PID:4456 -
\??\c:\httnhh.exec:\httnhh.exe33⤵
- Executes dropped EXE
PID:1256 -
\??\c:\tttnnn.exec:\tttnnn.exe34⤵
- Executes dropped EXE
PID:1888 -
\??\c:\nttbtb.exec:\nttbtb.exe35⤵
- Executes dropped EXE
PID:4364 -
\??\c:\pjpjd.exec:\pjpjd.exe36⤵
- Executes dropped EXE
PID:3600 -
\??\c:\lllxrff.exec:\lllxrff.exe37⤵
- Executes dropped EXE
PID:4472 -
\??\c:\thtnnh.exec:\thtnnh.exe38⤵
- Executes dropped EXE
PID:2172 -
\??\c:\dvddd.exec:\dvddd.exe39⤵
- Executes dropped EXE
PID:2696 -
\??\c:\llrlfff.exec:\llrlfff.exe40⤵
- Executes dropped EXE
PID:1008 -
\??\c:\7hhbtn.exec:\7hhbtn.exe41⤵
- Executes dropped EXE
PID:3628 -
\??\c:\7vvjd.exec:\7vvjd.exe42⤵
- Executes dropped EXE
PID:1320 -
\??\c:\rrrrlxl.exec:\rrrrlxl.exe43⤵
- Executes dropped EXE
PID:2772 -
\??\c:\hbhbtt.exec:\hbhbtt.exe44⤵
- Executes dropped EXE
PID:3340 -
\??\c:\dvjdv.exec:\dvjdv.exe45⤵
- Executes dropped EXE
PID:1536 -
\??\c:\jvpjd.exec:\jvpjd.exe46⤵
- Executes dropped EXE
PID:3372 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe47⤵
- Executes dropped EXE
PID:4292 -
\??\c:\ntbttb.exec:\ntbttb.exe48⤵
- Executes dropped EXE
PID:4304 -
\??\c:\tbbbnh.exec:\tbbbnh.exe49⤵
- Executes dropped EXE
PID:220 -
\??\c:\1djdd.exec:\1djdd.exe50⤵
- Executes dropped EXE
PID:3976 -
\??\c:\lrfxlxr.exec:\lrfxlxr.exe51⤵
- Executes dropped EXE
PID:620 -
\??\c:\5bbtnn.exec:\5bbtnn.exe52⤵
- Executes dropped EXE
PID:2844 -
\??\c:\dpjdp.exec:\dpjdp.exe53⤵
- Executes dropped EXE
PID:1764 -
\??\c:\5vdpj.exec:\5vdpj.exe54⤵
- Executes dropped EXE
PID:4904 -
\??\c:\lxlxxfl.exec:\lxlxxfl.exe55⤵
- Executes dropped EXE
PID:780 -
\??\c:\nbbntn.exec:\nbbntn.exe56⤵
- Executes dropped EXE
PID:524 -
\??\c:\bntnhh.exec:\bntnhh.exe57⤵
- Executes dropped EXE
PID:1516 -
\??\c:\vvdvp.exec:\vvdvp.exe58⤵
- Executes dropped EXE
PID:2268 -
\??\c:\fflxrrl.exec:\fflxrrl.exe59⤵
- Executes dropped EXE
PID:4392 -
\??\c:\tnbtbb.exec:\tnbtbb.exe60⤵
- Executes dropped EXE
PID:2584 -
\??\c:\ppppj.exec:\ppppj.exe61⤵
- Executes dropped EXE
PID:2756 -
\??\c:\vpjdd.exec:\vpjdd.exe62⤵
- Executes dropped EXE
PID:4756 -
\??\c:\1llxrrf.exec:\1llxrrf.exe63⤵
- Executes dropped EXE
PID:1216 -
\??\c:\thnttn.exec:\thnttn.exe64⤵
- Executes dropped EXE
PID:1120 -
\??\c:\vjvpp.exec:\vjvpp.exe65⤵
- Executes dropped EXE
PID:1344 -
\??\c:\xrfxxrx.exec:\xrfxxrx.exe66⤵PID:3068
-
\??\c:\nnnhhh.exec:\nnnhhh.exe67⤵PID:4912
-
\??\c:\nbhbtn.exec:\nbhbtn.exe68⤵PID:5056
-
\??\c:\vpvpp.exec:\vpvpp.exe69⤵PID:3540
-
\??\c:\5rxrlff.exec:\5rxrlff.exe70⤵PID:2092
-
\??\c:\tbnnbh.exec:\tbnnbh.exe71⤵PID:1680
-
\??\c:\vjvjp.exec:\vjvjp.exe72⤵PID:4704
-
\??\c:\5pjvp.exec:\5pjvp.exe73⤵PID:1684
-
\??\c:\lxxrrlx.exec:\lxxrrlx.exe74⤵PID:2504
-
\??\c:\tbbthb.exec:\tbbthb.exe75⤵PID:4296
-
\??\c:\bbbttt.exec:\bbbttt.exe76⤵PID:1568
-
\??\c:\dpjvj.exec:\dpjvj.exe77⤵PID:232
-
\??\c:\llxrlff.exec:\llxrlff.exe78⤵PID:3364
-
\??\c:\thtthn.exec:\thtthn.exe79⤵PID:1624
-
\??\c:\ddvvp.exec:\ddvvp.exe80⤵PID:4812
-
\??\c:\9djvv.exec:\9djvv.exe81⤵PID:740
-
\??\c:\rlxrrlf.exec:\rlxrrlf.exe82⤵PID:752
-
\??\c:\5nbhtn.exec:\5nbhtn.exe83⤵PID:3488
-
\??\c:\vpppp.exec:\vpppp.exe84⤵PID:1616
-
\??\c:\pjjpd.exec:\pjjpd.exe85⤵PID:4980
-
\??\c:\rxrfxxr.exec:\rxrfxxr.exe86⤵PID:116
-
\??\c:\hbhbtn.exec:\hbhbtn.exe87⤵PID:4908
-
\??\c:\5hthbh.exec:\5hthbh.exe88⤵PID:2492
-
\??\c:\jdddv.exec:\jdddv.exe89⤵PID:4668
-
\??\c:\fxfxfff.exec:\fxfxfff.exe90⤵PID:4612
-
\??\c:\1fxxlll.exec:\1fxxlll.exe91⤵PID:4600
-
\??\c:\nhbntn.exec:\nhbntn.exe92⤵PID:1804
-
\??\c:\llxxrrf.exec:\llxxrrf.exe93⤵PID:976
-
\??\c:\lffxlll.exec:\lffxlll.exe94⤵PID:1220
-
\??\c:\btnhbt.exec:\btnhbt.exe95⤵PID:5092
-
\??\c:\5vvpd.exec:\5vvpd.exe96⤵PID:2188
-
\??\c:\pjdvj.exec:\pjdvj.exe97⤵PID:3064
-
\??\c:\lfllfff.exec:\lfllfff.exe98⤵PID:404
-
\??\c:\htbnbh.exec:\htbnbh.exe99⤵PID:4792
-
\??\c:\nhtttn.exec:\nhtttn.exe100⤵PID:4004
-
\??\c:\vvvvp.exec:\vvvvp.exe101⤵PID:2096
-
\??\c:\llrfrrl.exec:\llrfrrl.exe102⤵PID:4660
-
\??\c:\3hbtnn.exec:\3hbtnn.exe103⤵PID:5116
-
\??\c:\dvvpp.exec:\dvvpp.exe104⤵PID:4984
-
\??\c:\pdpjp.exec:\pdpjp.exe105⤵PID:2360
-
\??\c:\ttthhh.exec:\ttthhh.exe106⤵PID:3544
-
\??\c:\htbthh.exec:\htbthh.exe107⤵PID:3424
-
\??\c:\vdjdp.exec:\vdjdp.exe108⤵PID:4376
-
\??\c:\fxfxlll.exec:\fxfxlll.exe109⤵PID:604
-
\??\c:\7xxrllf.exec:\7xxrllf.exe110⤵PID:1136
-
\??\c:\tbbttn.exec:\tbbttn.exe111⤵PID:3892
-
\??\c:\7pjdp.exec:\7pjdp.exe112⤵PID:3804
-
\??\c:\rllfxxr.exec:\rllfxxr.exe113⤵PID:836
-
\??\c:\lffffxx.exec:\lffffxx.exe114⤵PID:1828
-
\??\c:\hbhhbt.exec:\hbhhbt.exe115⤵PID:2948
-
\??\c:\jpdvj.exec:\jpdvj.exe116⤵PID:2348
-
\??\c:\rrrlxxr.exec:\rrrlxxr.exe117⤵PID:1260
-
\??\c:\hhhbbb.exec:\hhhbbb.exe118⤵PID:3292
-
\??\c:\nhbnht.exec:\nhbnht.exe119⤵PID:2444
-
\??\c:\3djdj.exec:\3djdj.exe120⤵PID:440
-
\??\c:\frlfxxr.exec:\frlfxxr.exe121⤵PID:680
-
\??\c:\nnnhhb.exec:\nnnhhb.exe122⤵PID:3884
-