Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe
-
Size
454KB
-
MD5
097bdd3c15eed55665edb40dc8b4704e
-
SHA1
9a1188d3d5de91d9678605cef1e5012a6586dbde
-
SHA256
bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281
-
SHA512
c0924a2735b18a9080fdcbef15c72f3705a60704e52f0386ecc635f2839afbac5e7cf8bf2cdd4a7051cf7081374c9f5d2a0e8d7860e86a4e3f440cda6b92b824
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbev:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
-
Blackmoon family (attribution rests on the memory YARA matches listed below; no configuration or C2 data was extracted, as the Malware Config section above is empty)
-
Detect Blackmoon payload 64 IoCs — every hit is on the same 0x400000–0x42A000 image region of successive child processes, and the same region also matches the upx rule below, so the sample appears to be UPX-packed and the family rule is matching the unpacked in-memory image rather than the file on disk.
resource yara_rule behavioral2/memory/1712-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1716-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3848-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-796-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-1442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4476-1528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1112 jdjdd.exe 2076 9tnhnb.exe 452 xrrxxxx.exe 456 btbbbb.exe 2632 bbtttt.exe 3304 rflffff.exe 3804 tnnnnn.exe 4984 pjjdd.exe 2836 jvdvp.exe 1512 7nhtnn.exe 5088 pddvp.exe 4228 ffffxff.exe 3428 9bbbtt.exe 1552 5pvpj.exe 384 jddvp.exe 2436 fxxrrrr.exe 1644 rflllrr.exe 2456 9dddd.exe 4512 vvpjv.exe 3348 5rlfxxr.exe 4088 jdvjp.exe 4452 llrrrrx.exe 2756 lfffxff.exe 4016 tnhbtt.exe 3856 xrxxrrx.exe 1420 jvvpj.exe 1716 bnhbtt.exe 3952 1vvpp.exe 1504 pvjdv.exe 1944 btbtnt.exe 1948 jdppj.exe 2320 nbhbbt.exe 2816 xrfffll.exe 4896 pdjvp.exe 396 xflfxxx.exe 3620 thhbtt.exe 708 tbnhbt.exe 1816 3rxrxxr.exe 516 1rlxrrf.exe 1004 hthhhh.exe 336 3jdpj.exe 2768 xfllfff.exe 3940 9ttnhb.exe 2008 vjvpd.exe 4236 xrrfxlf.exe 3216 btnhtn.exe 1332 bnhhbn.exe 3204 djvpv.exe 2076 fllfxxr.exe 2788 bthbhh.exe 2516 hhnhbn.exe 1612 vppjj.exe 4192 rlrlfxx.exe 1608 3ttnnh.exe 3304 bbhtth.exe 3168 fxrlrrr.exe 4148 xxrrlff.exe 3008 nhtbnh.exe 2624 dpvvj.exe 3928 xfrlxxl.exe 4408 bntnnn.exe 688 jpjdv.exe 1360 djpjd.exe 4336 frfxrxx.exe -
resource yara_rule behavioral2/memory/1712-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1504-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4424-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-644-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Note that most of the NLS\Language key opens below are attributed to "Process not Found", meaning the opening process had already exited by the time the event was recorded; only a handful are tied to a named dropped EXE.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rflfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — each process writes into the memory of exactly one child it has just launched (three identical write events per parent/child pair), so the drop-and-execute stages form a single linear chain rather than a fan-out; the process tree below shows this chain reaching a depth of 122.
description pid Process procid_target PID 1712 wrote to memory of 1112 1712 bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe 83 PID 1712 wrote to memory of 1112 1712 bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe 83 PID 1712 wrote to memory of 1112 1712 bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe 83 PID 1112 wrote to memory of 2076 1112 jdjdd.exe 84 PID 1112 wrote to memory of 2076 1112 jdjdd.exe 84 PID 1112 wrote to memory of 2076 1112 jdjdd.exe 84 PID 2076 wrote to memory of 452 2076 9tnhnb.exe 85 PID 2076 wrote to memory of 452 2076 9tnhnb.exe 85 PID 2076 wrote to memory of 452 2076 9tnhnb.exe 85 PID 452 wrote to memory of 456 452 xrrxxxx.exe 86 PID 452 wrote to memory of 456 452 xrrxxxx.exe 86 PID 452 wrote to memory of 456 452 xrrxxxx.exe 86 PID 456 wrote to memory of 2632 456 btbbbb.exe 87 PID 456 wrote to memory of 2632 456 btbbbb.exe 87 PID 456 wrote to memory of 2632 456 btbbbb.exe 87 PID 2632 wrote to memory of 3304 2632 bbtttt.exe 88 PID 2632 wrote to memory of 3304 2632 bbtttt.exe 88 PID 2632 wrote to memory of 3304 2632 bbtttt.exe 88 PID 3304 wrote to memory of 3804 3304 rflffff.exe 89 PID 3304 wrote to memory of 3804 3304 rflffff.exe 89 PID 3304 wrote to memory of 3804 3304 rflffff.exe 89 PID 3804 wrote to memory of 4984 3804 tnnnnn.exe 90 PID 3804 wrote to memory of 4984 3804 tnnnnn.exe 90 PID 3804 wrote to memory of 4984 3804 tnnnnn.exe 90 PID 4984 wrote to memory of 2836 4984 pjjdd.exe 91 PID 4984 wrote to memory of 2836 4984 pjjdd.exe 91 PID 4984 wrote to memory of 2836 4984 pjjdd.exe 91 PID 2836 wrote to memory of 1512 2836 jvdvp.exe 92 PID 2836 wrote to memory of 1512 2836 jvdvp.exe 92 PID 2836 wrote to memory of 1512 2836 jvdvp.exe 92 PID 1512 wrote to memory of 5088 1512 7nhtnn.exe 93 PID 1512 wrote to memory of 5088 1512 7nhtnn.exe 93 PID 1512 wrote to memory of 5088 1512 7nhtnn.exe 93 PID 5088 wrote to memory of 4228 5088 pddvp.exe 94 PID 5088 wrote to memory of 4228 5088 
pddvp.exe 94 PID 5088 wrote to memory of 4228 5088 pddvp.exe 94 PID 4228 wrote to memory of 3428 4228 ffffxff.exe 95 PID 4228 wrote to memory of 3428 4228 ffffxff.exe 95 PID 4228 wrote to memory of 3428 4228 ffffxff.exe 95 PID 3428 wrote to memory of 1552 3428 9bbbtt.exe 96 PID 3428 wrote to memory of 1552 3428 9bbbtt.exe 96 PID 3428 wrote to memory of 1552 3428 9bbbtt.exe 96 PID 1552 wrote to memory of 384 1552 5pvpj.exe 97 PID 1552 wrote to memory of 384 1552 5pvpj.exe 97 PID 1552 wrote to memory of 384 1552 5pvpj.exe 97 PID 384 wrote to memory of 2436 384 jddvp.exe 98 PID 384 wrote to memory of 2436 384 jddvp.exe 98 PID 384 wrote to memory of 2436 384 jddvp.exe 98 PID 2436 wrote to memory of 1644 2436 fxxrrrr.exe 99 PID 2436 wrote to memory of 1644 2436 fxxrrrr.exe 99 PID 2436 wrote to memory of 1644 2436 fxxrrrr.exe 99 PID 1644 wrote to memory of 2456 1644 rflllrr.exe 100 PID 1644 wrote to memory of 2456 1644 rflllrr.exe 100 PID 1644 wrote to memory of 2456 1644 rflllrr.exe 100 PID 2456 wrote to memory of 4512 2456 9dddd.exe 101 PID 2456 wrote to memory of 4512 2456 9dddd.exe 101 PID 2456 wrote to memory of 4512 2456 9dddd.exe 101 PID 4512 wrote to memory of 3348 4512 vvpjv.exe 102 PID 4512 wrote to memory of 3348 4512 vvpjv.exe 102 PID 4512 wrote to memory of 3348 4512 vvpjv.exe 102 PID 3348 wrote to memory of 4088 3348 5rlfxxr.exe 103 PID 3348 wrote to memory of 4088 3348 5rlfxxr.exe 103 PID 3348 wrote to memory of 4088 3348 5rlfxxr.exe 103 PID 4088 wrote to memory of 4452 4088 jdvjp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe"C:\Users\Admin\AppData\Local\Temp\bbd411989b7ce341847f2da1e23cef0f7bb3539566e72a8c249a6c88cbcb1281.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\jdjdd.exec:\jdjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\9tnhnb.exec:\9tnhnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\xrrxxxx.exec:\xrrxxxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\btbbbb.exec:\btbbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\bbtttt.exec:\bbtttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\rflffff.exec:\rflffff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\tnnnnn.exec:\tnnnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
\??\c:\pjjdd.exec:\pjjdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\jvdvp.exec:\jvdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\7nhtnn.exec:\7nhtnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\pddvp.exec:\pddvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\ffffxff.exec:\ffffxff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\9bbbtt.exec:\9bbbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\5pvpj.exec:\5pvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\jddvp.exec:\jddvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\rflllrr.exec:\rflllrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\9dddd.exec:\9dddd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\vvpjv.exec:\vvpjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\5rlfxxr.exec:\5rlfxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\jdvjp.exec:\jdvjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\llrrrrx.exec:\llrrrrx.exe23⤵
- Executes dropped EXE
PID:4452 -
\??\c:\lfffxff.exec:\lfffxff.exe24⤵
- Executes dropped EXE
PID:2756 -
\??\c:\tnhbtt.exec:\tnhbtt.exe25⤵
- Executes dropped EXE
PID:4016 -
\??\c:\xrxxrrx.exec:\xrxxrrx.exe26⤵
- Executes dropped EXE
PID:3856 -
\??\c:\jvvpj.exec:\jvvpj.exe27⤵
- Executes dropped EXE
PID:1420 -
\??\c:\bnhbtt.exec:\bnhbtt.exe28⤵
- Executes dropped EXE
PID:1716 -
\??\c:\1vvpp.exec:\1vvpp.exe29⤵
- Executes dropped EXE
PID:3952 -
\??\c:\pvjdv.exec:\pvjdv.exe30⤵
- Executes dropped EXE
PID:1504 -
\??\c:\btbtnt.exec:\btbtnt.exe31⤵
- Executes dropped EXE
PID:1944 -
\??\c:\jdppj.exec:\jdppj.exe32⤵
- Executes dropped EXE
PID:1948 -
\??\c:\nbhbbt.exec:\nbhbbt.exe33⤵
- Executes dropped EXE
PID:2320 -
\??\c:\xrfffll.exec:\xrfffll.exe34⤵
- Executes dropped EXE
PID:2816 -
\??\c:\pdjvp.exec:\pdjvp.exe35⤵
- Executes dropped EXE
PID:4896 -
\??\c:\xflfxxx.exec:\xflfxxx.exe36⤵
- Executes dropped EXE
PID:396 -
\??\c:\thhbtt.exec:\thhbtt.exe37⤵
- Executes dropped EXE
PID:3620 -
\??\c:\tbnhbt.exec:\tbnhbt.exe38⤵
- Executes dropped EXE
PID:708 -
\??\c:\3rxrxxr.exec:\3rxrxxr.exe39⤵
- Executes dropped EXE
PID:1816 -
\??\c:\1rlxrrf.exec:\1rlxrrf.exe40⤵
- Executes dropped EXE
PID:516 -
\??\c:\hthhhh.exec:\hthhhh.exe41⤵
- Executes dropped EXE
PID:1004 -
\??\c:\3jdpj.exec:\3jdpj.exe42⤵
- Executes dropped EXE
PID:336 -
\??\c:\xfllfff.exec:\xfllfff.exe43⤵
- Executes dropped EXE
PID:2768 -
\??\c:\9ttnhb.exec:\9ttnhb.exe44⤵
- Executes dropped EXE
PID:3940 -
\??\c:\vjvpd.exec:\vjvpd.exe45⤵
- Executes dropped EXE
PID:2008 -
\??\c:\xrrfxlf.exec:\xrrfxlf.exe46⤵
- Executes dropped EXE
PID:4236 -
\??\c:\btnhtn.exec:\btnhtn.exe47⤵
- Executes dropped EXE
PID:3216 -
\??\c:\bnhhbn.exec:\bnhhbn.exe48⤵
- Executes dropped EXE
PID:1332 -
\??\c:\djvpv.exec:\djvpv.exe49⤵
- Executes dropped EXE
PID:3204 -
\??\c:\fllfxxr.exec:\fllfxxr.exe50⤵
- Executes dropped EXE
PID:2076 -
\??\c:\bthbhh.exec:\bthbhh.exe51⤵
- Executes dropped EXE
PID:2788 -
\??\c:\hhnhbn.exec:\hhnhbn.exe52⤵
- Executes dropped EXE
PID:2516 -
\??\c:\vppjj.exec:\vppjj.exe53⤵
- Executes dropped EXE
PID:1612 -
\??\c:\rlrlfxx.exec:\rlrlfxx.exe54⤵
- Executes dropped EXE
PID:4192 -
\??\c:\3ttnnh.exec:\3ttnnh.exe55⤵
- Executes dropped EXE
PID:1608 -
\??\c:\bbhtth.exec:\bbhtth.exe56⤵
- Executes dropped EXE
PID:3304 -
\??\c:\fxrlrrr.exec:\fxrlrrr.exe57⤵
- Executes dropped EXE
PID:3168 -
\??\c:\xxrrlff.exec:\xxrrlff.exe58⤵
- Executes dropped EXE
PID:4148 -
\??\c:\nhtbnh.exec:\nhtbnh.exe59⤵
- Executes dropped EXE
PID:3008 -
\??\c:\dpvvj.exec:\dpvvj.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2624 -
\??\c:\xfrlxxl.exec:\xfrlxxl.exe61⤵
- Executes dropped EXE
PID:3928 -
\??\c:\bntnnn.exec:\bntnnn.exe62⤵
- Executes dropped EXE
PID:4408 -
\??\c:\jpjdv.exec:\jpjdv.exe63⤵
- Executes dropped EXE
PID:688 -
\??\c:\djpjd.exec:\djpjd.exe64⤵
- Executes dropped EXE
PID:1360 -
\??\c:\frfxrxx.exec:\frfxrxx.exe65⤵
- Executes dropped EXE
PID:4336 -
\??\c:\9tbtth.exec:\9tbtth.exe66⤵PID:4616
-
\??\c:\dpdvv.exec:\dpdvv.exe67⤵PID:464
-
\??\c:\xxfxrrl.exec:\xxfxrrl.exe68⤵PID:1552
-
\??\c:\5thbhh.exec:\5thbhh.exe69⤵PID:5064
-
\??\c:\jdppv.exec:\jdppv.exe70⤵PID:1480
-
\??\c:\7rrlllf.exec:\7rrlllf.exe71⤵PID:2436
-
\??\c:\tnhbtt.exec:\tnhbtt.exe72⤵PID:3596
-
\??\c:\pjvdd.exec:\pjvdd.exe73⤵PID:3580
-
\??\c:\pdjpj.exec:\pdjpj.exe74⤵PID:776
-
\??\c:\rllrrrx.exec:\rllrrrx.exe75⤵PID:4144
-
\??\c:\tnbhht.exec:\tnbhht.exe76⤵PID:944
-
\??\c:\tthbtt.exec:\tthbtt.exe77⤵PID:3348
-
\??\c:\jdjjd.exec:\jdjjd.exe78⤵PID:640
-
\??\c:\btbtnn.exec:\btbtnn.exe79⤵PID:3848
-
\??\c:\ntnnhh.exec:\ntnnhh.exe80⤵PID:976
-
\??\c:\vvvvp.exec:\vvvvp.exe81⤵PID:1276
-
\??\c:\rlrllll.exec:\rlrllll.exe82⤵PID:4256
-
\??\c:\1tthhh.exec:\1tthhh.exe83⤵PID:1600
-
\??\c:\vpvpj.exec:\vpvpj.exe84⤵PID:1128
-
\??\c:\pjjdv.exec:\pjjdv.exe85⤵PID:2952
-
\??\c:\rlrxrrl.exec:\rlrxrrl.exe86⤵PID:4424
-
\??\c:\bnthhb.exec:\bnthhb.exe87⤵PID:4932
-
\??\c:\vjvvp.exec:\vjvvp.exe88⤵PID:3756
-
\??\c:\vvvpj.exec:\vvvpj.exe89⤵
- System Location Discovery: System Language Discovery
PID:1744 -
\??\c:\xfrrlrl.exec:\xfrrlrl.exe90⤵PID:916
-
\??\c:\hntnnh.exec:\hntnnh.exe91⤵PID:4828
-
\??\c:\3vdvp.exec:\3vdvp.exe92⤵PID:4340
-
\??\c:\ddjvp.exec:\ddjvp.exe93⤵PID:4300
-
\??\c:\rlrlfrl.exec:\rlrlfrl.exe94⤵PID:2524
-
\??\c:\btbtth.exec:\btbtth.exe95⤵PID:2864
-
\??\c:\vvjjv.exec:\vvjjv.exe96⤵PID:2816
-
\??\c:\rrxrllf.exec:\rrxrllf.exe97⤵PID:4896
-
\??\c:\nhhbbb.exec:\nhhbbb.exe98⤵PID:396
-
\??\c:\9djdv.exec:\9djdv.exe99⤵PID:3112
-
\??\c:\rrxrlll.exec:\rrxrlll.exe100⤵PID:2912
-
\??\c:\5nnnhh.exec:\5nnnhh.exe101⤵PID:1708
-
\??\c:\bnbbtn.exec:\bnbbtn.exe102⤵PID:4996
-
\??\c:\vvddv.exec:\vvddv.exe103⤵PID:4536
-
\??\c:\xllxrrl.exec:\xllxrrl.exe104⤵PID:4464
-
\??\c:\tthhbb.exec:\tthhbb.exe105⤵PID:2768
-
\??\c:\djpjj.exec:\djpjj.exe106⤵PID:3940
-
\??\c:\9jdjd.exec:\9jdjd.exe107⤵PID:1732
-
\??\c:\xrrlffx.exec:\xrrlffx.exe108⤵PID:3604
-
\??\c:\hbhbtn.exec:\hbhbtn.exe109⤵PID:1712
-
\??\c:\1hnhhh.exec:\1hnhhh.exe110⤵PID:4324
-
\??\c:\vpjpd.exec:\vpjpd.exe111⤵PID:2892
-
\??\c:\xxxrffx.exec:\xxxrffx.exe112⤵PID:2940
-
\??\c:\bbnhnt.exec:\bbnhnt.exe113⤵PID:3560
-
\??\c:\jjpjd.exec:\jjpjd.exe114⤵PID:1116
-
\??\c:\vvvpj.exec:\vvvpj.exe115⤵PID:1612
-
\??\c:\fxrfxfx.exec:\fxrfxfx.exe116⤵PID:2916
-
\??\c:\bnnhhb.exec:\bnnhhb.exe117⤵PID:692
-
\??\c:\nbhbtn.exec:\nbhbtn.exe118⤵PID:1844
-
\??\c:\jdpjd.exec:\jdpjd.exe119⤵PID:1072
-
\??\c:\frrfrlf.exec:\frrfrlf.exe120⤵PID:4912
-
\??\c:\ttthbb.exec:\ttthbb.exe121⤵PID:4148
-
\??\c:\vpvvj.exec:\vpvvj.exe122⤵PID:3180