Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe
-
Size
457KB
-
MD5
29f398db199413059046227728a5e04f
-
SHA1
3a63536dfe9aa33275ee630e418767cf54b0f44f
-
SHA256
bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c
-
SHA512
ffd15ab5ca0b75e92109c41cf26f8cd95c61f5516e0967ac45c9a67f717592031a613038dd896b54049e84bbb010ede081489ea093519eea702640e8e4156de6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRw4:q7Tc2NYHUrAwfMp3CDRw4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1020-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3136-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2596-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-980-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-1275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-1324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-1448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-1913-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4316 rfxxxff.exe 716 xlxfxfx.exe 3992 lfrxxll.exe 3700 htnntb.exe 4608 ffllrxf.exe 968 bhnttt.exe 2484 nttbhn.exe 1604 lxfxxrr.exe 2596 9hnbbn.exe 3948 7thnht.exe 3900 jjjjd.exe 4160 xrxrrrr.exe 816 hntnnb.exe 2940 bbnhtt.exe 4452 dppjp.exe 4020 fxxrrll.exe 3640 bttbtn.exe 2280 7tthnn.exe 2124 1djdp.exe 4952 fxfxlff.exe 876 ffrlfff.exe 2744 tthhnn.exe 2624 jvdvp.exe 1416 7vppp.exe 1688 1lrrlrl.exe 2416 hhnhbb.exe 3928 jdppd.exe 3296 9rfxffl.exe 2364 xffxxrl.exe 2584 5ttnhh.exe 4604 dvjjp.exe 4880 5djdd.exe 3984 fxflffl.exe 1012 3bhnnb.exe 1552 bbhbtt.exe 1040 vjvpp.exe 2132 lfxrrrr.exe 3480 flxrllf.exe 1748 7ttnhh.exe 3136 vppjp.exe 4884 ddpvv.exe 3244 ffxxrrf.exe 3088 nhtntt.exe 3468 jdjdv.exe 4668 jvjdv.exe 2696 rrflffx.exe 4972 tnbtnn.exe 3516 nhnnnn.exe 2688 vpjdv.exe 3204 xrfxrrl.exe 4164 rxllfff.exe 772 hntttt.exe 4408 jjddj.exe 880 llrrrrr.exe 1800 llxxxff.exe 4124 5bhhhh.exe 3748 pjvpj.exe 2444 pjpjj.exe 3268 rxlxxxr.exe 4240 tnntnb.exe 4828 ppjdj.exe 3636 pvjpj.exe 1680 fxlflfr.exe 4608 hbnnhh.exe -
resource yara_rule behavioral2/memory/1020-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-219-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1748-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-354-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2416-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-901-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/524-980-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-1275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-1324-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhhb.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1020 wrote to memory of 4316 1020 bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe 82 PID 1020 wrote to memory of 4316 1020 bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe 82 PID 1020 wrote to memory of 4316 1020 bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe 82 PID 4316 wrote to memory of 716 4316 rfxxxff.exe 83 PID 4316 wrote to memory of 716 4316 rfxxxff.exe 83 PID 4316 wrote to memory of 716 4316 rfxxxff.exe 83 PID 716 wrote to memory of 3992 716 xlxfxfx.exe 84 PID 716 wrote to memory of 3992 716 xlxfxfx.exe 84 PID 716 wrote to memory of 3992 716 xlxfxfx.exe 84 PID 3992 wrote to memory of 3700 3992 lfrxxll.exe 85 PID 3992 wrote to memory of 3700 3992 lfrxxll.exe 85 PID 3992 wrote to memory of 3700 3992 lfrxxll.exe 85 PID 3700 wrote to memory of 4608 3700 htnntb.exe 145 PID 3700 wrote to memory of 4608 3700 htnntb.exe 145 PID 3700 wrote to memory of 4608 3700 htnntb.exe 145 PID 4608 wrote to memory of 968 4608 ffllrxf.exe 87 PID 4608 wrote to memory of 968 4608 ffllrxf.exe 87 PID 4608 wrote to memory of 968 4608 ffllrxf.exe 87 PID 968 wrote to memory of 2484 968 bhnttt.exe 88 PID 968 wrote to memory of 2484 968 bhnttt.exe 88 PID 968 wrote to memory of 2484 968 bhnttt.exe 88 PID 2484 wrote to memory of 1604 2484 nttbhn.exe 89 PID 2484 wrote to memory of 1604 2484 nttbhn.exe 89 PID 2484 wrote to memory of 1604 2484 nttbhn.exe 89 PID 1604 wrote to memory of 2596 1604 lxfxxrr.exe 90 PID 1604 wrote to memory of 2596 1604 lxfxxrr.exe 90 PID 1604 wrote to memory of 2596 1604 lxfxxrr.exe 90 PID 2596 wrote to memory of 3948 2596 9hnbbn.exe 91 PID 2596 wrote to memory of 3948 2596 9hnbbn.exe 91 PID 2596 wrote to memory of 3948 2596 9hnbbn.exe 91 PID 3948 wrote to memory of 3900 3948 7thnht.exe 92 PID 3948 wrote to memory of 3900 3948 7thnht.exe 92 PID 3948 wrote to memory of 3900 3948 7thnht.exe 92 PID 3900 wrote to memory of 4160 3900 jjjjd.exe 93 PID 3900 wrote to 
memory of 4160 3900 jjjjd.exe 93 PID 3900 wrote to memory of 4160 3900 jjjjd.exe 93 PID 4160 wrote to memory of 816 4160 xrxrrrr.exe 94 PID 4160 wrote to memory of 816 4160 xrxrrrr.exe 94 PID 4160 wrote to memory of 816 4160 xrxrrrr.exe 94 PID 816 wrote to memory of 2940 816 hntnnb.exe 95 PID 816 wrote to memory of 2940 816 hntnnb.exe 95 PID 816 wrote to memory of 2940 816 hntnnb.exe 95 PID 2940 wrote to memory of 4452 2940 bbnhtt.exe 96 PID 2940 wrote to memory of 4452 2940 bbnhtt.exe 96 PID 2940 wrote to memory of 4452 2940 bbnhtt.exe 96 PID 4452 wrote to memory of 4020 4452 dppjp.exe 97 PID 4452 wrote to memory of 4020 4452 dppjp.exe 97 PID 4452 wrote to memory of 4020 4452 dppjp.exe 97 PID 4020 wrote to memory of 3640 4020 fxxrrll.exe 98 PID 4020 wrote to memory of 3640 4020 fxxrrll.exe 98 PID 4020 wrote to memory of 3640 4020 fxxrrll.exe 98 PID 3640 wrote to memory of 2280 3640 bttbtn.exe 157 PID 3640 wrote to memory of 2280 3640 bttbtn.exe 157 PID 3640 wrote to memory of 2280 3640 bttbtn.exe 157 PID 2280 wrote to memory of 2124 2280 7tthnn.exe 158 PID 2280 wrote to memory of 2124 2280 7tthnn.exe 158 PID 2280 wrote to memory of 2124 2280 7tthnn.exe 158 PID 2124 wrote to memory of 4952 2124 1djdp.exe 101 PID 2124 wrote to memory of 4952 2124 1djdp.exe 101 PID 2124 wrote to memory of 4952 2124 1djdp.exe 101 PID 4952 wrote to memory of 876 4952 fxfxlff.exe 102 PID 4952 wrote to memory of 876 4952 fxfxlff.exe 102 PID 4952 wrote to memory of 876 4952 fxfxlff.exe 102 PID 876 wrote to memory of 2744 876 ffrlfff.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe"C:\Users\Admin\AppData\Local\Temp\bb09e7ffffe63b15bb9255d6f26114698cb471c5db50ac76325e17f76cfa6f6c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\rfxxxff.exec:\rfxxxff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\xlxfxfx.exec:\xlxfxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716 -
\??\c:\lfrxxll.exec:\lfrxxll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\htnntb.exec:\htnntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\ffllrxf.exec:\ffllrxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\bhnttt.exec:\bhnttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\nttbhn.exec:\nttbhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\lxfxxrr.exec:\lxfxxrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\9hnbbn.exec:\9hnbbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\7thnht.exec:\7thnht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\jjjjd.exec:\jjjjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\hntnnb.exec:\hntnnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\bbnhtt.exec:\bbnhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\dppjp.exec:\dppjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\fxxrrll.exec:\fxxrrll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\bttbtn.exec:\bttbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\7tthnn.exec:\7tthnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\1djdp.exec:\1djdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\fxfxlff.exec:\fxfxlff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\ffrlfff.exec:\ffrlfff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\tthhnn.exec:\tthhnn.exe23⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jvdvp.exec:\jvdvp.exe24⤵
- Executes dropped EXE
PID:2624 -
\??\c:\7vppp.exec:\7vppp.exe25⤵
- Executes dropped EXE
PID:1416 -
\??\c:\1lrrlrl.exec:\1lrrlrl.exe26⤵
- Executes dropped EXE
PID:1688 -
\??\c:\hhnhbb.exec:\hhnhbb.exe27⤵
- Executes dropped EXE
PID:2416 -
\??\c:\jdppd.exec:\jdppd.exe28⤵
- Executes dropped EXE
PID:3928 -
\??\c:\9rfxffl.exec:\9rfxffl.exe29⤵
- Executes dropped EXE
PID:3296 -
\??\c:\xffxxrl.exec:\xffxxrl.exe30⤵
- Executes dropped EXE
PID:2364 -
\??\c:\5ttnhh.exec:\5ttnhh.exe31⤵
- Executes dropped EXE
PID:2584 -
\??\c:\dvjjp.exec:\dvjjp.exe32⤵
- Executes dropped EXE
PID:4604 -
\??\c:\5djdd.exec:\5djdd.exe33⤵
- Executes dropped EXE
PID:4880 -
\??\c:\fxflffl.exec:\fxflffl.exe34⤵
- Executes dropped EXE
PID:3984 -
\??\c:\3bhnnb.exec:\3bhnnb.exe35⤵
- Executes dropped EXE
PID:1012 -
\??\c:\bbhbtt.exec:\bbhbtt.exe36⤵
- Executes dropped EXE
PID:1552 -
\??\c:\vjvpp.exec:\vjvpp.exe37⤵
- Executes dropped EXE
PID:1040 -
\??\c:\lfxrrrr.exec:\lfxrrrr.exe38⤵
- Executes dropped EXE
PID:2132 -
\??\c:\flxrllf.exec:\flxrllf.exe39⤵
- Executes dropped EXE
PID:3480 -
\??\c:\7ttnhh.exec:\7ttnhh.exe40⤵
- Executes dropped EXE
PID:1748 -
\??\c:\vppjp.exec:\vppjp.exe41⤵
- Executes dropped EXE
PID:3136 -
\??\c:\ddpvv.exec:\ddpvv.exe42⤵
- Executes dropped EXE
PID:4884 -
\??\c:\ffxxrrf.exec:\ffxxrrf.exe43⤵
- Executes dropped EXE
PID:3244 -
\??\c:\nhtntt.exec:\nhtntt.exe44⤵
- Executes dropped EXE
PID:3088 -
\??\c:\jdjdv.exec:\jdjdv.exe45⤵
- Executes dropped EXE
PID:3468 -
\??\c:\jvjdv.exec:\jvjdv.exe46⤵
- Executes dropped EXE
PID:4668 -
\??\c:\rrflffx.exec:\rrflffx.exe47⤵
- Executes dropped EXE
PID:2696 -
\??\c:\tnbtnn.exec:\tnbtnn.exe48⤵
- Executes dropped EXE
PID:4972 -
\??\c:\nhnnnn.exec:\nhnnnn.exe49⤵
- Executes dropped EXE
PID:3516 -
\??\c:\vpjdv.exec:\vpjdv.exe50⤵
- Executes dropped EXE
PID:2688 -
\??\c:\xrfxrrl.exec:\xrfxrrl.exe51⤵
- Executes dropped EXE
PID:3204 -
\??\c:\rxllfff.exec:\rxllfff.exe52⤵
- Executes dropped EXE
PID:4164 -
\??\c:\hntttt.exec:\hntttt.exe53⤵
- Executes dropped EXE
PID:772 -
\??\c:\jjddj.exec:\jjddj.exe54⤵
- Executes dropped EXE
PID:4408 -
\??\c:\llrrrrr.exec:\llrrrrr.exe55⤵
- Executes dropped EXE
PID:880 -
\??\c:\llxxxff.exec:\llxxxff.exe56⤵
- Executes dropped EXE
PID:1800 -
\??\c:\5bhhhh.exec:\5bhhhh.exe57⤵
- Executes dropped EXE
PID:4124 -
\??\c:\pjvpj.exec:\pjvpj.exe58⤵
- Executes dropped EXE
PID:3748 -
\??\c:\pjpjj.exec:\pjpjj.exe59⤵
- Executes dropped EXE
PID:2444 -
\??\c:\rxlxxxr.exec:\rxlxxxr.exe60⤵
- Executes dropped EXE
PID:3268 -
\??\c:\tnntnb.exec:\tnntnb.exe61⤵
- Executes dropped EXE
PID:4240 -
\??\c:\ppjdj.exec:\ppjdj.exe62⤵
- Executes dropped EXE
PID:4828 -
\??\c:\pvjpj.exec:\pvjpj.exe63⤵
- Executes dropped EXE
PID:3636 -
\??\c:\fxlflfr.exec:\fxlflfr.exe64⤵
- Executes dropped EXE
PID:1680 -
\??\c:\hbnnhh.exec:\hbnnhh.exe65⤵
- Executes dropped EXE
PID:4608 -
\??\c:\ddppv.exec:\ddppv.exe66⤵PID:2628
-
\??\c:\pjpjd.exec:\pjpjd.exe67⤵PID:860
-
\??\c:\rlxlxfr.exec:\rlxlxfr.exe68⤵PID:4688
-
\??\c:\7hhhhh.exec:\7hhhhh.exe69⤵PID:3092
-
\??\c:\btbbtt.exec:\btbbtt.exe70⤵PID:4856
-
\??\c:\5pppv.exec:\5pppv.exe71⤵PID:3948
-
\??\c:\flxlllr.exec:\flxlllr.exe72⤵PID:5092
-
\??\c:\pjjpv.exec:\pjjpv.exe73⤵PID:4184
-
\??\c:\xlrrlll.exec:\xlrrlll.exe74⤵PID:3960
-
\??\c:\bbbttt.exec:\bbbttt.exe75⤵PID:5020
-
\??\c:\ddjdd.exec:\ddjdd.exe76⤵PID:5036
-
\??\c:\pdpjj.exec:\pdpjj.exe77⤵PID:2280
-
\??\c:\fffffff.exec:\fffffff.exe78⤵
- System Location Discovery: System Language Discovery
PID:2124 -
\??\c:\llxxxxl.exec:\llxxxxl.exe79⤵
- System Location Discovery: System Language Discovery
PID:3236 -
\??\c:\nnnhnh.exec:\nnnhnh.exe80⤵PID:3016
-
\??\c:\jdjvp.exec:\jdjvp.exe81⤵PID:4656
-
\??\c:\pdpjd.exec:\pdpjd.exe82⤵PID:3132
-
\??\c:\nhttnn.exec:\nhttnn.exe83⤵PID:488
-
\??\c:\dpvvv.exec:\dpvvv.exe84⤵PID:2416
-
\??\c:\xlllfff.exec:\xlllfff.exe85⤵PID:1572
-
\??\c:\rrlfxrr.exec:\rrlfxrr.exe86⤵PID:1732
-
\??\c:\ddvvp.exec:\ddvvp.exe87⤵PID:4632
-
\??\c:\rxfxrlf.exec:\rxfxrlf.exe88⤵PID:2420
-
\??\c:\ppddv.exec:\ppddv.exe89⤵PID:3984
-
\??\c:\nbhbbb.exec:\nbhbbb.exe90⤵PID:3008
-
\??\c:\jdvvv.exec:\jdvvv.exe91⤵PID:2004
-
\??\c:\lflxrrl.exec:\lflxrrl.exe92⤵PID:2536
-
\??\c:\ttbbbb.exec:\ttbbbb.exe93⤵PID:740
-
\??\c:\jppjd.exec:\jppjd.exe94⤵PID:3136
-
\??\c:\nhttnt.exec:\nhttnt.exe95⤵PID:1396
-
\??\c:\fflrlll.exec:\fflrlll.exe96⤵PID:2888
-
\??\c:\jpvjd.exec:\jpvjd.exe97⤵PID:2592
-
\??\c:\hhhbbt.exec:\hhhbbt.exe98⤵PID:1036
-
\??\c:\jdjjd.exec:\jdjjd.exe99⤵PID:1184
-
\??\c:\3rrlxxr.exec:\3rrlxxr.exe100⤵PID:1676
-
\??\c:\jjpdd.exec:\jjpdd.exe101⤵PID:4016
-
\??\c:\lfffxxr.exec:\lfffxxr.exe102⤵PID:3680
-
\??\c:\xfrrrrr.exec:\xfrrrrr.exe103⤵PID:2272
-
\??\c:\rlrrrxx.exec:\rlrrrxx.exe104⤵PID:316
-
\??\c:\vdjdj.exec:\vdjdj.exe105⤵PID:4388
-
\??\c:\7hbhbt.exec:\7hbhbt.exe106⤵PID:3776
-
\??\c:\pdjjv.exec:\pdjjv.exe107⤵PID:1488
-
\??\c:\flrlfxx.exec:\flrlfxx.exe108⤵PID:1800
-
\??\c:\bbntnt.exec:\bbntnt.exe109⤵PID:2172
-
\??\c:\jvvjv.exec:\jvvjv.exe110⤵PID:220
-
\??\c:\xffxxrr.exec:\xffxxrr.exe111⤵PID:2064
-
\??\c:\xxllrfx.exec:\xxllrfx.exe112⤵PID:2288
-
\??\c:\ttnhhh.exec:\ttnhhh.exe113⤵PID:3728
-
\??\c:\jjdpv.exec:\jjdpv.exe114⤵PID:2152
-
\??\c:\lfrllll.exec:\lfrllll.exe115⤵PID:4516
-
\??\c:\7thhhn.exec:\7thhhn.exe116⤵PID:1724
-
\??\c:\1jvvv.exec:\1jvvv.exe117⤵PID:4544
-
\??\c:\dpjjj.exec:\dpjjj.exe118⤵PID:3020
-
\??\c:\rllfxfx.exec:\rllfxfx.exe119⤵PID:1460
-
\??\c:\hhhnht.exec:\hhhnht.exe120⤵PID:4312
-
\??\c:\dddvv.exec:\dddvv.exe121⤵PID:2484
-
\??\c:\xrxxrrl.exec:\xrxxrrl.exe122⤵PID:1812