Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe
-
Size
454KB
-
MD5
c91ca7a7775240001c0561985e00f02f
-
SHA1
c2960e0fbe92f88afaf9530544d70c1747d56f8b
-
SHA256
bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777
-
SHA512
52f0328b29ab476a3a866e11b727befda9756455f43c14ec0da53ecc2f90a92a1912338cf487df5fc7bfd196cacc9a5c0a5e4c93535bfad1b19e328f89adfcb1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1664-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1276-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3420-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-1073-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-1154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-1370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4540 vppjj.exe 1684 llrlrrx.exe 2944 xflflfl.exe 4256 rfxxlff.exe 864 nbhhbb.exe 3840 bhbnnt.exe 5100 fxffxxx.exe 2240 tnbbhh.exe 1628 dvppj.exe 3424 pjjdv.exe 1424 9dddv.exe 1720 rrxxflx.exe 2012 llxfllx.exe 3132 pdjdv.exe 3596 tnbttt.exe 1280 rrfxlfr.exe 3880 ppdjd.exe 4952 rxlfflf.exe 1512 9nhnhb.exe 2608 nhnbnh.exe 4176 vvvpd.exe 1820 xrlfxrl.exe 4632 1hnhtb.exe 1108 pvvpj.exe 3696 9ttnbb.exe 2772 7hhbnn.exe 4052 vvvjd.exe 1276 xrlfrlx.exe 2896 llfxrll.exe 4316 tnbtnn.exe 3640 bbbbhn.exe 4612 vdpjv.exe 4920 bhhhbh.exe 2580 9pvpp.exe 1064 rrrrrlf.exe 2228 hhhbbt.exe 2756 1nnhbt.exe 4500 3vpjv.exe 1564 1lfrlfx.exe 1776 vpjpd.exe 4348 lrrrfxr.exe 4188 ttbttn.exe 1676 vppjv.exe 4248 xfflfrl.exe 1892 xlxxrff.exe 2408 bbhhhb.exe 3600 1vvpd.exe 2640 lllfrrr.exe 864 3hbthh.exe 4280 htnnnt.exe 3280 ddpvj.exe 3428 rrrlfrr.exe 1040 bhbbtt.exe 3368 vjjvp.exe 1692 5frrffr.exe 1500 lxrlfxr.exe 4080 bbnbth.exe 396 jvvpj.exe 4124 xrrfxrf.exe 2012 fxrfxrl.exe 636 tnhbtn.exe 1432 ddvpd.exe 3596 xllfrfr.exe 1968 flxxxxf.exe -
resource yara_rule behavioral2/memory/1664-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1276-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3492-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rfrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbtt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1664 wrote to memory of 4540 1664 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 83 PID 1664 wrote to memory of 4540 1664 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 83 PID 1664 wrote to memory of 4540 1664 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 83 PID 4540 wrote to memory of 1684 4540 vppjj.exe 84 PID 4540 wrote to memory of 1684 4540 vppjj.exe 84 PID 4540 wrote to memory of 1684 4540 vppjj.exe 84 PID 1684 wrote to memory of 2944 1684 llrlrrx.exe 85 PID 1684 wrote to memory of 2944 1684 llrlrrx.exe 85 PID 1684 wrote to memory of 2944 1684 llrlrrx.exe 85 PID 2944 wrote to memory of 4256 2944 xflflfl.exe 86 PID 2944 wrote to memory of 4256 2944 xflflfl.exe 86 PID 2944 wrote to memory of 4256 2944 xflflfl.exe 86 PID 4256 wrote to memory of 864 4256 rfxxlff.exe 87 PID 4256 wrote to memory of 864 4256 rfxxlff.exe 87 PID 4256 wrote to memory of 864 4256 rfxxlff.exe 87 PID 864 wrote to memory of 3840 864 nbhhbb.exe 88 PID 864 wrote to memory of 3840 864 nbhhbb.exe 88 PID 864 wrote to memory of 3840 864 nbhhbb.exe 88 PID 3840 wrote to memory of 5100 3840 bhbnnt.exe 89 PID 3840 wrote to memory of 5100 3840 bhbnnt.exe 89 PID 3840 wrote to memory of 5100 3840 bhbnnt.exe 89 PID 5100 wrote to memory of 2240 5100 fxffxxx.exe 90 PID 5100 wrote to memory of 2240 5100 fxffxxx.exe 90 PID 5100 wrote to memory of 2240 5100 fxffxxx.exe 90 PID 2240 wrote to memory of 1628 2240 tnbbhh.exe 91 PID 2240 wrote to memory of 1628 2240 tnbbhh.exe 91 PID 2240 wrote to memory of 1628 2240 tnbbhh.exe 91 PID 1628 wrote to memory of 3424 1628 dvppj.exe 92 PID 1628 wrote to memory of 3424 1628 dvppj.exe 92 PID 1628 wrote to memory of 3424 1628 dvppj.exe 92 PID 3424 wrote to memory of 1424 3424 pjjdv.exe 93 PID 3424 wrote to memory of 1424 3424 pjjdv.exe 93 PID 3424 wrote to memory of 1424 3424 pjjdv.exe 93 PID 1424 wrote to memory of 1720 1424 9dddv.exe 94 PID 1424 wrote to memory 
of 1720 1424 9dddv.exe 94 PID 1424 wrote to memory of 1720 1424 9dddv.exe 94 PID 1720 wrote to memory of 2012 1720 rrxxflx.exe 95 PID 1720 wrote to memory of 2012 1720 rrxxflx.exe 95 PID 1720 wrote to memory of 2012 1720 rrxxflx.exe 95 PID 2012 wrote to memory of 3132 2012 llxfllx.exe 96 PID 2012 wrote to memory of 3132 2012 llxfllx.exe 96 PID 2012 wrote to memory of 3132 2012 llxfllx.exe 96 PID 3132 wrote to memory of 3596 3132 pdjdv.exe 97 PID 3132 wrote to memory of 3596 3132 pdjdv.exe 97 PID 3132 wrote to memory of 3596 3132 pdjdv.exe 97 PID 3596 wrote to memory of 1280 3596 tnbttt.exe 98 PID 3596 wrote to memory of 1280 3596 tnbttt.exe 98 PID 3596 wrote to memory of 1280 3596 tnbttt.exe 98 PID 1280 wrote to memory of 3880 1280 rrfxlfr.exe 99 PID 1280 wrote to memory of 3880 1280 rrfxlfr.exe 99 PID 1280 wrote to memory of 3880 1280 rrfxlfr.exe 99 PID 3880 wrote to memory of 4952 3880 ppdjd.exe 100 PID 3880 wrote to memory of 4952 3880 ppdjd.exe 100 PID 3880 wrote to memory of 4952 3880 ppdjd.exe 100 PID 4952 wrote to memory of 1512 4952 rxlfflf.exe 101 PID 4952 wrote to memory of 1512 4952 rxlfflf.exe 101 PID 4952 wrote to memory of 1512 4952 rxlfflf.exe 101 PID 1512 wrote to memory of 2608 1512 9nhnhb.exe 102 PID 1512 wrote to memory of 2608 1512 9nhnhb.exe 102 PID 1512 wrote to memory of 2608 1512 9nhnhb.exe 102 PID 2608 wrote to memory of 4176 2608 nhnbnh.exe 103 PID 2608 wrote to memory of 4176 2608 nhnbnh.exe 103 PID 2608 wrote to memory of 4176 2608 nhnbnh.exe 103 PID 4176 wrote to memory of 1820 4176 vvvpd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe"C:\Users\Admin\AppData\Local\Temp\bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\vppjj.exec:\vppjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\llrlrrx.exec:\llrlrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\xflflfl.exec:\xflflfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\rfxxlff.exec:\rfxxlff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\nbhhbb.exec:\nbhhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\bhbnnt.exec:\bhbnnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\fxffxxx.exec:\fxffxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\tnbbhh.exec:\tnbbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\dvppj.exec:\dvppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\pjjdv.exec:\pjjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\9dddv.exec:\9dddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\rrxxflx.exec:\rrxxflx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\llxfllx.exec:\llxfllx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\pdjdv.exec:\pdjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\tnbttt.exec:\tnbttt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\rrfxlfr.exec:\rrfxlfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\ppdjd.exec:\ppdjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\rxlfflf.exec:\rxlfflf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\9nhnhb.exec:\9nhnhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\nhnbnh.exec:\nhnbnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\vvvpd.exec:\vvvpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe23⤵
- Executes dropped EXE
PID:1820 -
\??\c:\1hnhtb.exec:\1hnhtb.exe24⤵
- Executes dropped EXE
PID:4632 -
\??\c:\pvvpj.exec:\pvvpj.exe25⤵
- Executes dropped EXE
PID:1108 -
\??\c:\9ttnbb.exec:\9ttnbb.exe26⤵
- Executes dropped EXE
PID:3696 -
\??\c:\7hhbnn.exec:\7hhbnn.exe27⤵
- Executes dropped EXE
PID:2772 -
\??\c:\vvvjd.exec:\vvvjd.exe28⤵
- Executes dropped EXE
PID:4052 -
\??\c:\xrlfrlx.exec:\xrlfrlx.exe29⤵
- Executes dropped EXE
PID:1276 -
\??\c:\llfxrll.exec:\llfxrll.exe30⤵
- Executes dropped EXE
PID:2896 -
\??\c:\tnbtnn.exec:\tnbtnn.exe31⤵
- Executes dropped EXE
PID:4316 -
\??\c:\bbbbhn.exec:\bbbbhn.exe32⤵
- Executes dropped EXE
PID:3640 -
\??\c:\vdpjv.exec:\vdpjv.exe33⤵
- Executes dropped EXE
PID:4612 -
\??\c:\bhhhbh.exec:\bhhhbh.exe34⤵
- Executes dropped EXE
PID:4920 -
\??\c:\9pvpp.exec:\9pvpp.exe35⤵
- Executes dropped EXE
PID:2580 -
\??\c:\rrrrrlf.exec:\rrrrrlf.exe36⤵
- Executes dropped EXE
PID:1064 -
\??\c:\hhhbbt.exec:\hhhbbt.exe37⤵
- Executes dropped EXE
PID:2228 -
\??\c:\1nnhbt.exec:\1nnhbt.exe38⤵
- Executes dropped EXE
PID:2756 -
\??\c:\3vpjv.exec:\3vpjv.exe39⤵
- Executes dropped EXE
PID:4500 -
\??\c:\1lfrlfx.exec:\1lfrlfx.exe40⤵
- Executes dropped EXE
PID:1564 -
\??\c:\vpjpd.exec:\vpjpd.exe41⤵
- Executes dropped EXE
PID:1776 -
\??\c:\lrrrfxr.exec:\lrrrfxr.exe42⤵
- Executes dropped EXE
PID:4348 -
\??\c:\ttbttn.exec:\ttbttn.exe43⤵
- Executes dropped EXE
PID:4188 -
\??\c:\vppjv.exec:\vppjv.exe44⤵
- Executes dropped EXE
PID:1676 -
\??\c:\xfflfrl.exec:\xfflfrl.exe45⤵
- Executes dropped EXE
PID:4248 -
\??\c:\xlxxrff.exec:\xlxxrff.exe46⤵
- Executes dropped EXE
PID:1892 -
\??\c:\bbhhhb.exec:\bbhhhb.exe47⤵
- Executes dropped EXE
PID:2408 -
\??\c:\1vvpd.exec:\1vvpd.exe48⤵
- Executes dropped EXE
PID:3600 -
\??\c:\lllfrrr.exec:\lllfrrr.exe49⤵
- Executes dropped EXE
PID:2640 -
\??\c:\3hbthh.exec:\3hbthh.exe50⤵
- Executes dropped EXE
PID:864 -
\??\c:\htnnnt.exec:\htnnnt.exe51⤵
- Executes dropped EXE
PID:4280 -
\??\c:\ddpvj.exec:\ddpvj.exe52⤵
- Executes dropped EXE
PID:3280 -
\??\c:\rrrlfrr.exec:\rrrlfrr.exe53⤵
- Executes dropped EXE
PID:3428 -
\??\c:\bhbbtt.exec:\bhbbtt.exe54⤵
- Executes dropped EXE
PID:1040 -
\??\c:\vjjvp.exec:\vjjvp.exe55⤵
- Executes dropped EXE
PID:3368 -
\??\c:\5frrffr.exec:\5frrffr.exe56⤵
- Executes dropped EXE
PID:1692 -
\??\c:\lxrlfxr.exec:\lxrlfxr.exe57⤵
- Executes dropped EXE
PID:1500 -
\??\c:\bbnbth.exec:\bbnbth.exe58⤵
- Executes dropped EXE
PID:4080 -
\??\c:\jvvpj.exec:\jvvpj.exe59⤵
- Executes dropped EXE
PID:396 -
\??\c:\xrrfxrf.exec:\xrrfxrf.exe60⤵
- Executes dropped EXE
PID:4124 -
\??\c:\fxrfxrl.exec:\fxrfxrl.exe61⤵
- Executes dropped EXE
PID:2012 -
\??\c:\tnhbtn.exec:\tnhbtn.exe62⤵
- Executes dropped EXE
PID:636 -
\??\c:\ddvpd.exec:\ddvpd.exe63⤵
- Executes dropped EXE
PID:1432 -
\??\c:\xllfrfr.exec:\xllfrfr.exe64⤵
- Executes dropped EXE
PID:3596 -
\??\c:\flxxxxf.exec:\flxxxxf.exe65⤵
- Executes dropped EXE
PID:1968 -
\??\c:\bnhtnh.exec:\bnhtnh.exe66⤵PID:2988
-
\??\c:\jjppv.exec:\jjppv.exe67⤵PID:1164
-
\??\c:\fllfrxr.exec:\fllfrxr.exe68⤵PID:4432
-
\??\c:\btnhth.exec:\btnhth.exe69⤵PID:3684
-
\??\c:\jdvjd.exec:\jdvjd.exe70⤵PID:3152
-
\??\c:\djdjp.exec:\djdjp.exe71⤵PID:1980
-
\??\c:\rlfxrrl.exec:\rlfxrrl.exe72⤵PID:3420
-
\??\c:\ttthbt.exec:\ttthbt.exe73⤵PID:2584
-
\??\c:\vvvvj.exec:\vvvvj.exe74⤵PID:2964
-
\??\c:\vjjdp.exec:\vjjdp.exe75⤵PID:4720
-
\??\c:\3llfrlx.exec:\3llfrlx.exe76⤵PID:3696
-
\??\c:\9hhhbt.exec:\9hhhbt.exe77⤵PID:3628
-
\??\c:\vppjj.exec:\vppjj.exe78⤵PID:2532
-
\??\c:\vvvpj.exec:\vvvpj.exe79⤵PID:4884
-
\??\c:\xflxrfx.exec:\xflxrfx.exe80⤵
- System Location Discovery: System Language Discovery
PID:676 -
\??\c:\bnnbtn.exec:\bnnbtn.exe81⤵PID:3492
-
\??\c:\tttntt.exec:\tttntt.exe82⤵PID:2380
-
\??\c:\vjjvp.exec:\vjjvp.exe83⤵PID:3936
-
\??\c:\flrlfxl.exec:\flrlfxl.exe84⤵PID:4440
-
\??\c:\3hhbtt.exec:\3hhbtt.exe85⤵PID:3324
-
\??\c:\jvvvv.exec:\jvvvv.exe86⤵PID:768
-
\??\c:\3ppdp.exec:\3ppdp.exe87⤵PID:4732
-
\??\c:\5rrllfx.exec:\5rrllfx.exe88⤵PID:3884
-
\??\c:\7hhbnh.exec:\7hhbnh.exe89⤵PID:4652
-
\??\c:\vvdvp.exec:\vvdvp.exe90⤵PID:3960
-
\??\c:\vvjjv.exec:\vvjjv.exe91⤵PID:4428
-
\??\c:\fllfxrl.exec:\fllfxrl.exe92⤵PID:3888
-
\??\c:\bbttnn.exec:\bbttnn.exe93⤵PID:2704
-
\??\c:\jdvdv.exec:\jdvdv.exe94⤵PID:1668
-
\??\c:\rllllll.exec:\rllllll.exe95⤵PID:3652
-
\??\c:\ttnhth.exec:\ttnhth.exe96⤵PID:4452
-
\??\c:\ntthbt.exec:\ntthbt.exe97⤵PID:4248
-
\??\c:\vvdpp.exec:\vvdpp.exe98⤵PID:2152
-
\??\c:\lffrxrx.exec:\lffrxrx.exe99⤵PID:2204
-
\??\c:\bnnbtn.exec:\bnnbtn.exe100⤵PID:2936
-
\??\c:\1djjd.exec:\1djjd.exe101⤵PID:1156
-
\??\c:\3lfrxrx.exec:\3lfrxrx.exe102⤵PID:2492
-
\??\c:\frrlfxr.exec:\frrlfxr.exe103⤵PID:116
-
\??\c:\htttnt.exec:\htttnt.exe104⤵PID:1180
-
\??\c:\dvdpj.exec:\dvdpj.exe105⤵PID:4260
-
\??\c:\xxrlxrl.exec:\xxrlxrl.exe106⤵PID:1040
-
\??\c:\bbhbtt.exec:\bbhbtt.exe107⤵
- System Location Discovery: System Language Discovery
PID:4308 -
\??\c:\htnbhn.exec:\htnbhn.exe108⤵PID:4200
-
\??\c:\vpjvp.exec:\vpjvp.exe109⤵PID:3424
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe110⤵PID:4864
-
\??\c:\fxxrlfr.exec:\fxxrlfr.exe111⤵PID:4080
-
\??\c:\7tnnhn.exec:\7tnnhn.exe112⤵PID:4608
-
\??\c:\jjvpj.exec:\jjvpj.exe113⤵PID:396
-
\??\c:\frxxrrr.exec:\frxxrrr.exe114⤵PID:2788
-
\??\c:\bbnhtt.exec:\bbnhtt.exe115⤵PID:2008
-
\??\c:\pvvvp.exec:\pvvvp.exe116⤵PID:1044
-
\??\c:\1ddvj.exec:\1ddvj.exe117⤵PID:1804
-
\??\c:\fxlfrlf.exec:\fxlfrlf.exe118⤵PID:1452
-
\??\c:\lfxlfxl.exec:\lfxlfxl.exe119⤵PID:2400
-
\??\c:\thnnhn.exec:\thnnhn.exe120⤵PID:2420
-
\??\c:\jvvpj.exec:\jvvpj.exe121⤵PID:4420
-
\??\c:\djppp.exec:\djppp.exe122⤵PID:1504