Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe
-
Size
455KB
-
MD5
09e9f5056b0023adbef57c0f93015233
-
SHA1
ff5798bba9c6682831138bcf9204522aaf2ed752
-
SHA256
bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3
-
SHA512
0a9b1cb19c811036ae24a98e49b429e79a9ad054994945caa77e6bf4406eceda9e2d0b9d936868314a768c7190396f86989fef8cb6177cd5be82323301c41ce0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1220-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4088-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4928-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-817-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-939-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-1035-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-1153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-1402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/684-1502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4716 xrrfrlf.exe 3228 vjpjd.exe 3308 9tbthn.exe 2812 vvdpj.exe 3712 xrfxfxf.exe 2208 bhhbtt.exe 4308 djpdv.exe 2396 bhhbtn.exe 4800 3vpjd.exe 4288 3btnhb.exe 8 fffrllf.exe 3040 3djdd.exe 4888 xrlfffx.exe 1332 lllfxrl.exe 5008 pddpj.exe 4960 btbtbt.exe 3348 pjjvj.exe 232 xrxlfrl.exe 3580 ttbtnt.exe 3204 rrrrlll.exe 4604 nttnhh.exe 3104 bbbtnn.exe 2452 dpdvp.exe 816 flfllxl.exe 2988 tbhbbb.exe 2300 pdpvv.exe 4088 tnnnnn.exe 4968 rfrfrlr.exe 1456 9pppj.exe 3852 nnbhth.exe 5112 1vdvv.exe 3140 lflxrrl.exe 4516 3xfxlll.exe 3064 3nbthb.exe 1756 dppjd.exe 1860 rlxrllx.exe 4592 bttnhb.exe 644 hthbbb.exe 3524 jdpjd.exe 3376 lxfxllx.exe 5056 btbhbt.exe 2928 ppvpj.exe 1028 dddvp.exe 4680 fxrrffx.exe 1848 bttnnh.exe 4488 pvvpj.exe 1992 dvjvj.exe 1048 lxffxxr.exe 3596 nhtnnn.exe 1724 xllffxx.exe 1940 rllfxrl.exe 4172 3ntnhn.exe 3808 9jpjp.exe 4664 xrfrllf.exe 3744 xrrrlff.exe 4324 5nnnhh.exe 2796 vjjvp.exe 2504 xrrlxxr.exe 4524 lfffxxr.exe 1088 tbbtnh.exe 2980 ddpjv.exe 1840 fxxlxxl.exe 980 xlrrrll.exe 4204 htbthh.exe -
resource yara_rule behavioral2/memory/1220-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4088-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-331-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2200-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-939-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-1035-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1220 wrote to memory of 4716 1220 bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe 82 PID 1220 wrote to memory of 4716 1220 bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe 82 PID 1220 wrote to memory of 4716 1220 bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe 82 PID 4716 wrote to memory of 3228 4716 xrrfrlf.exe 83 PID 4716 wrote to memory of 3228 4716 xrrfrlf.exe 83 PID 4716 wrote to memory of 3228 4716 xrrfrlf.exe 83 PID 3228 wrote to memory of 3308 3228 vjpjd.exe 84 PID 3228 wrote to memory of 3308 3228 vjpjd.exe 84 PID 3228 wrote to memory of 3308 3228 vjpjd.exe 84 PID 3308 wrote to memory of 2812 3308 9tbthn.exe 85 PID 3308 wrote to memory of 2812 3308 9tbthn.exe 85 PID 3308 wrote to memory of 2812 3308 9tbthn.exe 85 PID 2812 wrote to memory of 3712 2812 vvdpj.exe 86 PID 2812 wrote to memory of 3712 2812 vvdpj.exe 86 PID 2812 wrote to memory of 3712 2812 vvdpj.exe 86 PID 3712 wrote to memory of 2208 3712 xrfxfxf.exe 87 PID 3712 wrote to memory of 2208 3712 xrfxfxf.exe 87 PID 3712 wrote to memory of 2208 3712 xrfxfxf.exe 87 PID 2208 wrote to memory of 4308 2208 bhhbtt.exe 88 PID 2208 wrote to memory of 4308 2208 bhhbtt.exe 88 PID 2208 wrote to memory of 4308 2208 bhhbtt.exe 88 PID 4308 wrote to memory of 2396 4308 djpdv.exe 89 PID 4308 wrote to memory of 2396 4308 djpdv.exe 89 PID 4308 wrote to memory of 2396 4308 djpdv.exe 89 PID 2396 wrote to memory of 4800 2396 bhhbtn.exe 90 PID 2396 wrote to memory of 4800 2396 bhhbtn.exe 90 PID 2396 wrote to memory of 4800 2396 bhhbtn.exe 90 PID 4800 wrote to memory of 4288 4800 3vpjd.exe 91 PID 4800 wrote to memory of 4288 4800 3vpjd.exe 91 PID 4800 wrote to memory of 4288 4800 3vpjd.exe 91 PID 4288 wrote to memory of 8 4288 3btnhb.exe 92 PID 4288 wrote to memory of 8 4288 3btnhb.exe 92 PID 4288 wrote to memory of 8 4288 3btnhb.exe 92 PID 8 wrote to memory of 3040 8 fffrllf.exe 93 PID 8 wrote to memory of 3040 8 
fffrllf.exe 93 PID 8 wrote to memory of 3040 8 fffrllf.exe 93 PID 3040 wrote to memory of 4888 3040 3djdd.exe 94 PID 3040 wrote to memory of 4888 3040 3djdd.exe 94 PID 3040 wrote to memory of 4888 3040 3djdd.exe 94 PID 4888 wrote to memory of 1332 4888 xrlfffx.exe 95 PID 4888 wrote to memory of 1332 4888 xrlfffx.exe 95 PID 4888 wrote to memory of 1332 4888 xrlfffx.exe 95 PID 1332 wrote to memory of 5008 1332 lllfxrl.exe 96 PID 1332 wrote to memory of 5008 1332 lllfxrl.exe 96 PID 1332 wrote to memory of 5008 1332 lllfxrl.exe 96 PID 5008 wrote to memory of 4960 5008 pddpj.exe 97 PID 5008 wrote to memory of 4960 5008 pddpj.exe 97 PID 5008 wrote to memory of 4960 5008 pddpj.exe 97 PID 4960 wrote to memory of 3348 4960 btbtbt.exe 98 PID 4960 wrote to memory of 3348 4960 btbtbt.exe 98 PID 4960 wrote to memory of 3348 4960 btbtbt.exe 98 PID 3348 wrote to memory of 232 3348 pjjvj.exe 99 PID 3348 wrote to memory of 232 3348 pjjvj.exe 99 PID 3348 wrote to memory of 232 3348 pjjvj.exe 99 PID 232 wrote to memory of 3580 232 xrxlfrl.exe 100 PID 232 wrote to memory of 3580 232 xrxlfrl.exe 100 PID 232 wrote to memory of 3580 232 xrxlfrl.exe 100 PID 3580 wrote to memory of 3204 3580 ttbtnt.exe 101 PID 3580 wrote to memory of 3204 3580 ttbtnt.exe 101 PID 3580 wrote to memory of 3204 3580 ttbtnt.exe 101 PID 3204 wrote to memory of 4604 3204 rrrrlll.exe 102 PID 3204 wrote to memory of 4604 3204 rrrrlll.exe 102 PID 3204 wrote to memory of 4604 3204 rrrrlll.exe 102 PID 4604 wrote to memory of 3104 4604 nttnhh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe"C:\Users\Admin\AppData\Local\Temp\bb789aa266d621d988c872c6293088e75e797fc5a98c28beac810eac0b774bc3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\xrrfrlf.exec:\xrrfrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\vjpjd.exec:\vjpjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\9tbthn.exec:\9tbthn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\vvdpj.exec:\vvdpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\xrfxfxf.exec:\xrfxfxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\bhhbtt.exec:\bhhbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\djpdv.exec:\djpdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\bhhbtn.exec:\bhhbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\3vpjd.exec:\3vpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\3btnhb.exec:\3btnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\fffrllf.exec:\fffrllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\3djdd.exec:\3djdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\xrlfffx.exec:\xrlfffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\lllfxrl.exec:\lllfxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\pddpj.exec:\pddpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\btbtbt.exec:\btbtbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\pjjvj.exec:\pjjvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\xrxlfrl.exec:\xrxlfrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\ttbtnt.exec:\ttbtnt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\rrrrlll.exec:\rrrrlll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\nttnhh.exec:\nttnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\bbbtnn.exec:\bbbtnn.exe23⤵
- Executes dropped EXE
PID:3104 -
\??\c:\dpdvp.exec:\dpdvp.exe24⤵
- Executes dropped EXE
PID:2452 -
\??\c:\flfllxl.exec:\flfllxl.exe25⤵
- Executes dropped EXE
PID:816 -
\??\c:\tbhbbb.exec:\tbhbbb.exe26⤵
- Executes dropped EXE
PID:2988 -
\??\c:\pdpvv.exec:\pdpvv.exe27⤵
- Executes dropped EXE
PID:2300 -
\??\c:\tnnnnn.exec:\tnnnnn.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4088 -
\??\c:\rfrfrlr.exec:\rfrfrlr.exe29⤵
- Executes dropped EXE
PID:4968 -
\??\c:\9pppj.exec:\9pppj.exe30⤵
- Executes dropped EXE
PID:1456 -
\??\c:\nnbhth.exec:\nnbhth.exe31⤵
- Executes dropped EXE
PID:3852 -
\??\c:\1vdvv.exec:\1vdvv.exe32⤵
- Executes dropped EXE
PID:5112 -
\??\c:\lflxrrl.exec:\lflxrrl.exe33⤵
- Executes dropped EXE
PID:3140 -
\??\c:\3xfxlll.exec:\3xfxlll.exe34⤵
- Executes dropped EXE
PID:4516 -
\??\c:\3nbthb.exec:\3nbthb.exe35⤵
- Executes dropped EXE
PID:3064 -
\??\c:\dppjd.exec:\dppjd.exe36⤵
- Executes dropped EXE
PID:1756 -
\??\c:\rlxrllx.exec:\rlxrllx.exe37⤵
- Executes dropped EXE
PID:1860 -
\??\c:\bttnhb.exec:\bttnhb.exe38⤵
- Executes dropped EXE
PID:4592 -
\??\c:\hthbbb.exec:\hthbbb.exe39⤵
- Executes dropped EXE
PID:644 -
\??\c:\jdpjd.exec:\jdpjd.exe40⤵
- Executes dropped EXE
PID:3524 -
\??\c:\lxfxllx.exec:\lxfxllx.exe41⤵
- Executes dropped EXE
PID:3376 -
\??\c:\btbhbt.exec:\btbhbt.exe42⤵
- Executes dropped EXE
PID:5056 -
\??\c:\ppvpj.exec:\ppvpj.exe43⤵
- Executes dropped EXE
PID:2928 -
\??\c:\dddvp.exec:\dddvp.exe44⤵
- Executes dropped EXE
PID:1028 -
\??\c:\fxrrffx.exec:\fxrrffx.exe45⤵
- Executes dropped EXE
PID:4680 -
\??\c:\bttnnh.exec:\bttnnh.exe46⤵
- Executes dropped EXE
PID:1848 -
\??\c:\pvvpj.exec:\pvvpj.exe47⤵
- Executes dropped EXE
PID:4488 -
\??\c:\dvjvj.exec:\dvjvj.exe48⤵
- Executes dropped EXE
PID:1992 -
\??\c:\lxffxxr.exec:\lxffxxr.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1048 -
\??\c:\nhtnnn.exec:\nhtnnn.exe50⤵
- Executes dropped EXE
PID:3596 -
\??\c:\djdpd.exec:\djdpd.exe51⤵PID:4008
-
\??\c:\xllffxx.exec:\xllffxx.exe52⤵
- Executes dropped EXE
PID:1724 -
\??\c:\rllfxrl.exec:\rllfxrl.exe53⤵
- Executes dropped EXE
PID:1940 -
\??\c:\3ntnhn.exec:\3ntnhn.exe54⤵
- Executes dropped EXE
PID:4172 -
\??\c:\9jpjp.exec:\9jpjp.exe55⤵
- Executes dropped EXE
PID:3808 -
\??\c:\xrfrllf.exec:\xrfrllf.exe56⤵
- Executes dropped EXE
PID:4664 -
\??\c:\xrrrlff.exec:\xrrrlff.exe57⤵
- Executes dropped EXE
PID:3744 -
\??\c:\5nnnhh.exec:\5nnnhh.exe58⤵
- Executes dropped EXE
PID:4324 -
\??\c:\vjjvp.exec:\vjjvp.exe59⤵
- Executes dropped EXE
PID:2796 -
\??\c:\xrrlxxr.exec:\xrrlxxr.exe60⤵
- Executes dropped EXE
PID:2504 -
\??\c:\lfffxxr.exec:\lfffxxr.exe61⤵
- Executes dropped EXE
PID:4524 -
\??\c:\tbbtnh.exec:\tbbtnh.exe62⤵
- Executes dropped EXE
PID:1088 -
\??\c:\ddpjv.exec:\ddpjv.exe63⤵
- Executes dropped EXE
PID:2980 -
\??\c:\fxxlxxl.exec:\fxxlxxl.exe64⤵
- Executes dropped EXE
PID:1840 -
\??\c:\xlrrrll.exec:\xlrrrll.exe65⤵
- Executes dropped EXE
PID:980 -
\??\c:\htbthh.exec:\htbthh.exe66⤵
- Executes dropped EXE
PID:4204 -
\??\c:\vjjpj.exec:\vjjpj.exe67⤵PID:2728
-
\??\c:\rfxrfxl.exec:\rfxrfxl.exe68⤵PID:1588
-
\??\c:\btbbbb.exec:\btbbbb.exe69⤵PID:1256
-
\??\c:\vdpjv.exec:\vdpjv.exe70⤵PID:4952
-
\??\c:\9rlfxxr.exec:\9rlfxxr.exe71⤵PID:404
-
\??\c:\xlxrxfl.exec:\xlxrxfl.exe72⤵PID:4928
-
\??\c:\1bbbbb.exec:\1bbbbb.exe73⤵PID:3576
-
\??\c:\1jjdv.exec:\1jjdv.exe74⤵PID:4916
-
\??\c:\rllxrlf.exec:\rllxrlf.exe75⤵PID:4060
-
\??\c:\nbthtt.exec:\nbthtt.exe76⤵PID:2200
-
\??\c:\3jjdv.exec:\3jjdv.exe77⤵PID:4428
-
\??\c:\lxxrxxl.exec:\lxxrxxl.exe78⤵PID:100
-
\??\c:\hhtnht.exec:\hhtnht.exe79⤵PID:2792
-
\??\c:\hnbtnt.exec:\hnbtnt.exe80⤵PID:2964
-
\??\c:\pdjdv.exec:\pdjdv.exe81⤵PID:4584
-
\??\c:\dpdvd.exec:\dpdvd.exe82⤵PID:1604
-
\??\c:\fxfrlfx.exec:\fxfrlfx.exe83⤵PID:3732
-
\??\c:\9hhbtt.exec:\9hhbtt.exe84⤵PID:3812
-
\??\c:\jppjd.exec:\jppjd.exe85⤵PID:4696
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe86⤵PID:3304
-
\??\c:\nhnhhb.exec:\nhnhhb.exe87⤵PID:2080
-
\??\c:\bhhhhh.exec:\bhhhhh.exe88⤵PID:3296
-
\??\c:\ppdvp.exec:\ppdvp.exe89⤵PID:2976
-
\??\c:\flrrrlf.exec:\flrrrlf.exe90⤵PID:2632
-
\??\c:\5nnhhb.exec:\5nnhhb.exe91⤵PID:3708
-
\??\c:\pdvpp.exec:\pdvpp.exe92⤵PID:1900
-
\??\c:\xrrlfxx.exec:\xrrlfxx.exe93⤵PID:3684
-
\??\c:\3rlffxr.exec:\3rlffxr.exe94⤵PID:4448
-
\??\c:\1bttnh.exec:\1bttnh.exe95⤵PID:4416
-
\??\c:\vppjd.exec:\vppjd.exe96⤵PID:2228
-
\??\c:\pvpjv.exec:\pvpjv.exe97⤵PID:4368
-
\??\c:\fxxrffx.exec:\fxxrffx.exe98⤵PID:684
-
\??\c:\thnhnh.exec:\thnhnh.exe99⤵PID:2672
-
\??\c:\vjpjv.exec:\vjpjv.exe100⤵PID:5100
-
\??\c:\jdppv.exec:\jdppv.exe101⤵PID:5016
-
\??\c:\xxlfffl.exec:\xxlfffl.exe102⤵PID:1860
-
\??\c:\hnbtht.exec:\hnbtht.exe103⤵PID:2768
-
\??\c:\pdjdv.exec:\pdjdv.exe104⤵PID:644
-
\??\c:\5jddd.exec:\5jddd.exe105⤵PID:2084
-
\??\c:\3lfxrlf.exec:\3lfxrlf.exe106⤵PID:3772
-
\??\c:\nbbbbb.exec:\nbbbbb.exe107⤵PID:5056
-
\??\c:\3pppd.exec:\3pppd.exe108⤵PID:2928
-
\??\c:\fxxrrlf.exec:\fxxrrlf.exe109⤵PID:384
-
\??\c:\nthhbt.exec:\nthhbt.exe110⤵PID:3516
-
\??\c:\7btnhh.exec:\7btnhh.exe111⤵PID:4220
-
\??\c:\1pvpd.exec:\1pvpd.exe112⤵PID:2156
-
\??\c:\fxlxfxf.exec:\fxlxfxf.exe113⤵PID:2372
-
\??\c:\9nntnn.exec:\9nntnn.exe114⤵PID:5084
-
\??\c:\ntbnhb.exec:\ntbnhb.exe115⤵PID:5092
-
\??\c:\7djdv.exec:\7djdv.exe116⤵PID:1348
-
\??\c:\xflxllf.exec:\xflxllf.exe117⤵PID:3592
-
\??\c:\thnhbt.exec:\thnhbt.exe118⤵PID:1940
-
\??\c:\bhtnnb.exec:\bhtnnb.exe119⤵
- System Location Discovery: System Language Discovery
PID:4376 -
\??\c:\djpjv.exec:\djpjv.exe120⤵PID:3004
-
\??\c:\5rlfxxx.exec:\5rlfxxx.exe121⤵PID:4664
-
\??\c:\nnbbnn.exec:\nnbbnn.exe122⤵PID:3648