Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe
-
Size
454KB
-
MD5
f22623451e3cd3d9dfb5f40ae0074b04
-
SHA1
830fb8dc24de69ae3f2918d0f06d51e10fb22ace
-
SHA256
bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5
-
SHA512
ab70cb57320d2590bc29da01fe11078cebb9bec47e3f703b5a48efce360a528b4ea4b8e48dd577afb2f267508835e81804dab91f85c8ebd5b2fc9a87d4ae5b45
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/684-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1572-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4948-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-1163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 552 pddvv.exe 3868 rrfxllf.exe 2180 vvpjd.exe 3740 hhbthb.exe 4160 vpddd.exe 3604 ffxrlfx.exe 4212 pjdpp.exe 3424 1xlfxxx.exe 2000 pvvpp.exe 2752 hbbnbt.exe 2764 rflflff.exe 2744 hbhhbt.exe 2464 vjpdj.exe 1596 frfxllf.exe 4464 nbnhhh.exe 2656 jvvdv.exe 4716 xxfxlfx.exe 976 nhtnbt.exe 4792 pppjd.exe 4460 rxxrffx.exe 3804 9htttb.exe 1076 1jvjd.exe 2952 llrlxrl.exe 1400 hbbtnh.exe 452 dpjvd.exe 2436 xffxrlf.exe 2624 7xfxrrf.exe 1572 rfrlllf.exe 3392 9nbtnn.exe 3656 vppjd.exe 1676 fxxrfxr.exe 924 lxlfxxx.exe 4940 jdvvd.exe 2120 flxlfrl.exe 436 ttbnbt.exe 3576 jpvvv.exe 3288 jpvpd.exe 1936 lfxfrll.exe 744 hnhtht.exe 4280 vpdvd.exe 716 3xxxrrr.exe 2420 thhtbt.exe 2072 vpdpd.exe 4436 lflllrx.exe 2180 5nbthb.exe 4084 jpvvj.exe 432 xfxrlxf.exe 3332 nhbtnn.exe 2800 ppvvp.exe 4088 3pjjd.exe 2816 lffxlrl.exe 4624 tthbth.exe 3096 btbttt.exe 5004 pvjdv.exe 2832 5hbtbb.exe 5000 vpvpv.exe 1812 xxxxrrl.exe 4364 hbhtbt.exe 1156 vjpjd.exe 5112 1fxxlxr.exe 2116 jjpjd.exe 2960 frxrfxr.exe 4612 rffxrrl.exe 3508 bttnhb.exe -
resource yara_rule behavioral2/memory/684-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3392-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-392-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4028-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-686-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nthnh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnbb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjvd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 684 wrote to memory of 552 684 bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe 83 PID 684 wrote to memory of 552 684 bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe 83 PID 684 wrote to memory of 552 684 bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe 83 PID 552 wrote to memory of 3868 552 pddvv.exe 84 PID 552 wrote to memory of 3868 552 pddvv.exe 84 PID 552 wrote to memory of 3868 552 pddvv.exe 84 PID 3868 wrote to memory of 2180 3868 rrfxllf.exe 85 PID 3868 wrote to memory of 2180 3868 rrfxllf.exe 85 PID 3868 wrote to memory of 2180 3868 rrfxllf.exe 85 PID 2180 wrote to memory of 3740 2180 vvpjd.exe 86 PID 2180 wrote to memory of 3740 2180 vvpjd.exe 86 PID 2180 wrote to memory of 3740 2180 vvpjd.exe 86 PID 3740 wrote to memory of 4160 3740 hhbthb.exe 87 PID 3740 wrote to memory of 4160 3740 hhbthb.exe 87 PID 3740 wrote to memory of 4160 3740 hhbthb.exe 87 PID 4160 wrote to memory of 3604 4160 vpddd.exe 88 PID 4160 wrote to memory of 3604 4160 vpddd.exe 88 PID 4160 wrote to memory of 3604 4160 vpddd.exe 88 PID 3604 wrote to memory of 4212 3604 ffxrlfx.exe 89 PID 3604 wrote to memory of 4212 3604 ffxrlfx.exe 89 PID 3604 wrote to memory of 4212 3604 ffxrlfx.exe 89 PID 4212 wrote to memory of 3424 4212 pjdpp.exe 90 PID 4212 wrote to memory of 3424 4212 pjdpp.exe 90 PID 4212 wrote to memory of 3424 4212 pjdpp.exe 90 PID 3424 wrote to memory of 2000 3424 1xlfxxx.exe 91 PID 3424 wrote to memory of 2000 3424 1xlfxxx.exe 91 PID 3424 wrote to memory of 2000 3424 1xlfxxx.exe 91 PID 2000 wrote to memory of 2752 2000 pvvpp.exe 92 PID 2000 wrote to memory of 2752 2000 pvvpp.exe 92 PID 2000 wrote to memory of 2752 2000 pvvpp.exe 92 PID 2752 wrote to memory of 2764 2752 hbbnbt.exe 93 PID 2752 wrote to memory of 2764 2752 hbbnbt.exe 93 PID 2752 wrote to memory of 2764 2752 hbbnbt.exe 93 PID 2764 wrote to memory of 2744 2764 rflflff.exe 94 PID 2764 wrote to memory of 2744 2764 
rflflff.exe 94 PID 2764 wrote to memory of 2744 2764 rflflff.exe 94 PID 2744 wrote to memory of 2464 2744 hbhhbt.exe 95 PID 2744 wrote to memory of 2464 2744 hbhhbt.exe 95 PID 2744 wrote to memory of 2464 2744 hbhhbt.exe 95 PID 2464 wrote to memory of 1596 2464 vjpdj.exe 96 PID 2464 wrote to memory of 1596 2464 vjpdj.exe 96 PID 2464 wrote to memory of 1596 2464 vjpdj.exe 96 PID 1596 wrote to memory of 4464 1596 frfxllf.exe 97 PID 1596 wrote to memory of 4464 1596 frfxllf.exe 97 PID 1596 wrote to memory of 4464 1596 frfxllf.exe 97 PID 4464 wrote to memory of 2656 4464 nbnhhh.exe 98 PID 4464 wrote to memory of 2656 4464 nbnhhh.exe 98 PID 4464 wrote to memory of 2656 4464 nbnhhh.exe 98 PID 2656 wrote to memory of 4716 2656 jvvdv.exe 99 PID 2656 wrote to memory of 4716 2656 jvvdv.exe 99 PID 2656 wrote to memory of 4716 2656 jvvdv.exe 99 PID 4716 wrote to memory of 976 4716 xxfxlfx.exe 100 PID 4716 wrote to memory of 976 4716 xxfxlfx.exe 100 PID 4716 wrote to memory of 976 4716 xxfxlfx.exe 100 PID 976 wrote to memory of 4792 976 nhtnbt.exe 101 PID 976 wrote to memory of 4792 976 nhtnbt.exe 101 PID 976 wrote to memory of 4792 976 nhtnbt.exe 101 PID 4792 wrote to memory of 4460 4792 pppjd.exe 102 PID 4792 wrote to memory of 4460 4792 pppjd.exe 102 PID 4792 wrote to memory of 4460 4792 pppjd.exe 102 PID 4460 wrote to memory of 3804 4460 rxxrffx.exe 103 PID 4460 wrote to memory of 3804 4460 rxxrffx.exe 103 PID 4460 wrote to memory of 3804 4460 rxxrffx.exe 103 PID 3804 wrote to memory of 1076 3804 9htttb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe"C:\Users\Admin\AppData\Local\Temp\bd003de2378883d618c9a70d4680d2d72662bbf3eee7c7a07f5058a6757944e5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\pddvv.exec:\pddvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\rrfxllf.exec:\rrfxllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\vvpjd.exec:\vvpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\hhbthb.exec:\hhbthb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\vpddd.exec:\vpddd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\pjdpp.exec:\pjdpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\1xlfxxx.exec:\1xlfxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\pvvpp.exec:\pvvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\hbbnbt.exec:\hbbnbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\rflflff.exec:\rflflff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\hbhhbt.exec:\hbhhbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\vjpdj.exec:\vjpdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\frfxllf.exec:\frfxllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\nbnhhh.exec:\nbnhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\jvvdv.exec:\jvvdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\xxfxlfx.exec:\xxfxlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\nhtnbt.exec:\nhtnbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\pppjd.exec:\pppjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\rxxrffx.exec:\rxxrffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\9htttb.exec:\9htttb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
\??\c:\1jvjd.exec:\1jvjd.exe23⤵
- Executes dropped EXE
PID:1076 -
\??\c:\llrlxrl.exec:\llrlxrl.exe24⤵
- Executes dropped EXE
PID:2952 -
\??\c:\hbbtnh.exec:\hbbtnh.exe25⤵
- Executes dropped EXE
PID:1400 -
\??\c:\dpjvd.exec:\dpjvd.exe26⤵
- Executes dropped EXE
PID:452 -
\??\c:\xffxrlf.exec:\xffxrlf.exe27⤵
- Executes dropped EXE
PID:2436 -
\??\c:\7xfxrrf.exec:\7xfxrrf.exe28⤵
- Executes dropped EXE
PID:2624 -
\??\c:\rfrlllf.exec:\rfrlllf.exe29⤵
- Executes dropped EXE
PID:1572 -
\??\c:\9nbtnn.exec:\9nbtnn.exe30⤵
- Executes dropped EXE
PID:3392 -
\??\c:\vppjd.exec:\vppjd.exe31⤵
- Executes dropped EXE
PID:3656 -
\??\c:\fxxrfxr.exec:\fxxrfxr.exe32⤵
- Executes dropped EXE
PID:1676 -
\??\c:\lxlfxxx.exec:\lxlfxxx.exe33⤵
- Executes dropped EXE
PID:924 -
\??\c:\jdvvd.exec:\jdvvd.exe34⤵
- Executes dropped EXE
PID:4940 -
\??\c:\flxlfrl.exec:\flxlfrl.exe35⤵
- Executes dropped EXE
PID:2120 -
\??\c:\ttbnbt.exec:\ttbnbt.exe36⤵
- Executes dropped EXE
PID:436 -
\??\c:\jpvvv.exec:\jpvvv.exe37⤵
- Executes dropped EXE
PID:3576 -
\??\c:\jpvpd.exec:\jpvpd.exe38⤵
- Executes dropped EXE
PID:3288 -
\??\c:\lfxfrll.exec:\lfxfrll.exe39⤵
- Executes dropped EXE
PID:1936 -
\??\c:\hnhtht.exec:\hnhtht.exe40⤵
- Executes dropped EXE
PID:744 -
\??\c:\vpdvd.exec:\vpdvd.exe41⤵
- Executes dropped EXE
PID:4280 -
\??\c:\3xxxrrr.exec:\3xxxrrr.exe42⤵
- Executes dropped EXE
PID:716 -
\??\c:\thhtbt.exec:\thhtbt.exe43⤵
- Executes dropped EXE
PID:2420 -
\??\c:\vpdpd.exec:\vpdpd.exe44⤵
- Executes dropped EXE
PID:2072 -
\??\c:\lflllrx.exec:\lflllrx.exe45⤵
- Executes dropped EXE
PID:4436 -
\??\c:\5nbthb.exec:\5nbthb.exe46⤵
- Executes dropped EXE
PID:2180 -
\??\c:\jpvvj.exec:\jpvvj.exe47⤵
- Executes dropped EXE
PID:4084 -
\??\c:\xfxrlxf.exec:\xfxrlxf.exe48⤵
- Executes dropped EXE
PID:432 -
\??\c:\nhbtnn.exec:\nhbtnn.exe49⤵
- Executes dropped EXE
PID:3332 -
\??\c:\ppvvp.exec:\ppvvp.exe50⤵
- Executes dropped EXE
PID:2800 -
\??\c:\3pjjd.exec:\3pjjd.exe51⤵
- Executes dropped EXE
PID:4088 -
\??\c:\lffxlrl.exec:\lffxlrl.exe52⤵
- Executes dropped EXE
PID:2816 -
\??\c:\tthbth.exec:\tthbth.exe53⤵
- Executes dropped EXE
PID:4624 -
\??\c:\btbttt.exec:\btbttt.exe54⤵
- Executes dropped EXE
PID:3096 -
\??\c:\pvjdv.exec:\pvjdv.exe55⤵
- Executes dropped EXE
PID:5004 -
\??\c:\5hbtbb.exec:\5hbtbb.exe56⤵
- Executes dropped EXE
PID:2832 -
\??\c:\vpvpv.exec:\vpvpv.exe57⤵
- Executes dropped EXE
PID:5000 -
\??\c:\xxxxrrl.exec:\xxxxrrl.exe58⤵
- Executes dropped EXE
PID:1812 -
\??\c:\hbhtbt.exec:\hbhtbt.exe59⤵
- Executes dropped EXE
PID:4364 -
\??\c:\vjpjd.exec:\vjpjd.exe60⤵
- Executes dropped EXE
PID:1156 -
\??\c:\1fxxlxr.exec:\1fxxlxr.exe61⤵
- Executes dropped EXE
PID:5112 -
\??\c:\jjpjd.exec:\jjpjd.exe62⤵
- Executes dropped EXE
PID:2116 -
\??\c:\frxrfxr.exec:\frxrfxr.exe63⤵
- Executes dropped EXE
PID:2960 -
\??\c:\rffxrrl.exec:\rffxrrl.exe64⤵
- Executes dropped EXE
PID:4612 -
\??\c:\bttnhb.exec:\bttnhb.exe65⤵
- Executes dropped EXE
PID:3508 -
\??\c:\xrrrrrl.exec:\xrrrrrl.exe66⤵PID:3020
-
\??\c:\nbhtbt.exec:\nbhtbt.exe67⤵PID:4416
-
\??\c:\vpppj.exec:\vpppj.exe68⤵PID:4420
-
\??\c:\vjpjd.exec:\vjpjd.exe69⤵PID:3744
-
\??\c:\9fxrflf.exec:\9fxrflf.exe70⤵PID:3144
-
\??\c:\tbhnhb.exec:\tbhnhb.exe71⤵PID:2036
-
\??\c:\1pjjv.exec:\1pjjv.exe72⤵PID:2892
-
\??\c:\jdvjv.exec:\jdvjv.exe73⤵PID:4032
-
\??\c:\fflfrll.exec:\fflfrll.exe74⤵PID:1400
-
\??\c:\rflfxrl.exec:\rflfxrl.exe75⤵PID:3748
-
\??\c:\tbbtnn.exec:\tbbtnn.exe76⤵PID:5076
-
\??\c:\vppjj.exec:\vppjj.exe77⤵PID:2436
-
\??\c:\jpdvp.exec:\jpdvp.exe78⤵PID:2316
-
\??\c:\lffrfff.exec:\lffrfff.exe79⤵PID:4452
-
\??\c:\1tnbtt.exec:\1tnbtt.exe80⤵PID:5100
-
\??\c:\jvdvj.exec:\jvdvj.exe81⤵PID:1404
-
\??\c:\3pvvp.exec:\3pvvp.exe82⤵PID:4004
-
\??\c:\1ffrlxr.exec:\1ffrlxr.exe83⤵PID:3360
-
\??\c:\tntnnh.exec:\tntnnh.exe84⤵PID:4736
-
\??\c:\pdvdp.exec:\pdvdp.exe85⤵PID:1480
-
\??\c:\xxxflxf.exec:\xxxflxf.exe86⤵PID:2492
-
\??\c:\hthtbn.exec:\hthtbn.exe87⤵PID:4884
-
\??\c:\htnnbt.exec:\htnnbt.exe88⤵PID:2168
-
\??\c:\pjdvj.exec:\pjdvj.exe89⤵PID:3904
-
\??\c:\xflxlfl.exec:\xflxlfl.exe90⤵PID:4948
-
\??\c:\xrlfrrf.exec:\xrlfrrf.exe91⤵PID:1916
-
\??\c:\hnthtb.exec:\hnthtb.exe92⤵PID:3016
-
\??\c:\ddvpv.exec:\ddvpv.exe93⤵PID:4512
-
\??\c:\xrlxrlx.exec:\xrlxrlx.exe94⤵PID:3668
-
\??\c:\rfxrfxl.exec:\rfxrfxl.exe95⤵PID:4028
-
\??\c:\bbbnht.exec:\bbbnht.exe96⤵PID:4276
-
\??\c:\jddpd.exec:\jddpd.exe97⤵PID:4012
-
\??\c:\rfxlrlx.exec:\rfxlrlx.exe98⤵PID:1656
-
\??\c:\7rlflfx.exec:\7rlflfx.exe99⤵PID:3164
-
\??\c:\bhhbnh.exec:\bhhbnh.exe100⤵PID:2204
-
\??\c:\7dpdj.exec:\7dpdj.exe101⤵PID:1276
-
\??\c:\xlrlrlx.exec:\xlrlrlx.exe102⤵PID:4436
-
\??\c:\hhntht.exec:\hhntht.exe103⤵PID:2180
-
\??\c:\ntbtbb.exec:\ntbtbb.exe104⤵PID:4836
-
\??\c:\ddvjv.exec:\ddvjv.exe105⤵PID:4084
-
\??\c:\lllxlfx.exec:\lllxlfx.exe106⤵PID:4516
-
\??\c:\nbthth.exec:\nbthth.exe107⤵PID:3528
-
\??\c:\jddpv.exec:\jddpv.exe108⤵PID:4204
-
\??\c:\ddjvd.exec:\ddjvd.exe109⤵PID:3548
-
\??\c:\rfxlxlx.exec:\rfxlxlx.exe110⤵PID:4212
-
\??\c:\hthbnt.exec:\hthbnt.exe111⤵PID:232
-
\??\c:\vpvjv.exec:\vpvjv.exe112⤵PID:2964
-
\??\c:\lxxflrf.exec:\lxxflrf.exe113⤵PID:3104
-
\??\c:\7lrlfxl.exec:\7lrlfxl.exe114⤵PID:3932
-
\??\c:\5nthnh.exec:\5nthnh.exe115⤵
- System Location Discovery: System Language Discovery
PID:3568 -
\??\c:\jddvd.exec:\jddvd.exe116⤵PID:5000
-
\??\c:\xlrxxrr.exec:\xlrxxrr.exe117⤵PID:4380
-
\??\c:\lxfxrfx.exec:\lxfxrfx.exe118⤵PID:3912
-
\??\c:\nnttnt.exec:\nnttnt.exe119⤵PID:5064
-
\??\c:\xrrlllf.exec:\xrrlllf.exe120⤵PID:1596
-
\??\c:\5bhtnn.exec:\5bhtnn.exe121⤵PID:3572
-
\??\c:\5bnbbt.exec:\5bnbbt.exe122⤵PID:4660