Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b00fa19e8ff822092d53f80a732cd56f7f6a11d1cc4e2b38f45de915344bd46c.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
b00fa19e8ff822092d53f80a732cd56f7f6a11d1cc4e2b38f45de915344bd46c.exe
-
Size
455KB
-
MD5
3f7232c7d9aeda461fae0b5599e4e73d
-
SHA1
21465f687d7f39feb1a006d4455c1dd4f99ec4ba
-
SHA256
b00fa19e8ff822092d53f80a732cd56f7f6a11d1cc4e2b38f45de915344bd46c
-
SHA512
58813418671e582dcb657b754f9a85f531fe94a4be8b995cbc4945f7e2fd73e354eac6bab504d5d11cb85e12b04aac359c11d52c0d6c2cee1181a07e50050ec6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4856-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2280-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3000-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-760-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-816-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-856-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-983-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-1447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3456 7bhbtn.exe 2368 vjpjd.exe 2812 3frlflf.exe 1444 rllfxxr.exe 4616 pjdjj.exe 1268 nhnhhb.exe 2348 ppvpd.exe 1244 1pvpv.exe 2292 bbbbth.exe 2824 fffrllf.exe 3756 nbtttt.exe 4804 xlllfrr.exe 2656 9tbnnn.exe 1500 lflfxxl.exe 2660 jvppj.exe 2784 pdjdp.exe 3628 rrffxlf.exe 4596 rrrrrrr.exe 836 fxxlllf.exe 4768 frrlfxr.exe 1648 bbhtnn.exe 5088 xxxfxxr.exe 4704 bhnnhb.exe 2664 3jppd.exe 2280 xlflrff.exe 2676 fxxrrlf.exe 3220 hbhhhh.exe 4172 ddddp.exe 4840 ttttnt.exe 4288 vpvvj.exe 4940 5jvvv.exe 4544 9dvvp.exe 4576 pjpjj.exe 3540 fxxlffx.exe 4676 tbbhth.exe 4304 vpddj.exe 760 fxffllf.exe 844 ffrrffr.exe 2196 hnhbhb.exe 4700 ppvjd.exe 2368 rffrllf.exe 1616 nbhhhh.exe 3864 7jddv.exe 468 rlrrlrr.exe 4616 tbtnnn.exe 4348 bbbbtn.exe 3412 pvjdd.exe 2348 lllfxlf.exe 4848 9bnnbb.exe 4820 dvvvp.exe 2292 pvdjj.exe 2824 fflfxfx.exe 2504 hbhbtt.exe 316 vdddp.exe 1660 lrffllf.exe 4108 7tnnhh.exe 2888 5hnbnn.exe 1500 9ppdv.exe 4960 rrrxllf.exe 2784 tthntn.exe 4044 nhnnbb.exe 928 9djdp.exe 864 rlrxrff.exe 1884 3hntnt.exe -
resource yara_rule behavioral2/memory/4856-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4840-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-353-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4172-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-791-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-816-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-856-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhbtt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4856 wrote to memory of 3456 4856 b00fa19e8ff822092d53f80a732cd56f7f6a11d1cc4e2b38f45de915344bd46c.exe 82 PID 4856 wrote to memory of 3456 4856 b00fa19e8ff822092d53f80a732cd56f7f6a11d1cc4e2b38f45de915344bd46c.exe 82 PID 4856 wrote to memory of 3456 4856 b00fa19e8ff822092d53f80a732cd56f7f6a11d1cc4e2b38f45de915344bd46c.exe 82 PID 3456 wrote to memory of 2368 3456 7bhbtn.exe 83 PID 3456 wrote to memory of 2368 3456 7bhbtn.exe 83 PID 3456 wrote to memory of 2368 3456 7bhbtn.exe 83 PID 2368 wrote to memory of 2812 2368 vjpjd.exe 84 PID 2368 wrote to memory of 2812 2368 vjpjd.exe 84 PID 2368 wrote to memory of 2812 2368 vjpjd.exe 84 PID 2812 wrote to memory of 1444 2812 3frlflf.exe 85 PID 2812 wrote to memory of 1444 2812 3frlflf.exe 85 PID 2812 wrote to memory of 1444 2812 3frlflf.exe 85 PID 1444 wrote to memory of 4616 1444 rllfxxr.exe 86 PID 1444 wrote to memory of 4616 1444 rllfxxr.exe 86 PID 1444 wrote to memory of 4616 1444 rllfxxr.exe 86 PID 4616 wrote to memory of 1268 4616 pjdjj.exe 87 PID 4616 wrote to memory of 1268 4616 pjdjj.exe 87 PID 4616 wrote to memory of 1268 4616 pjdjj.exe 87 PID 1268 wrote to memory of 2348 1268 nhnhhb.exe 88 PID 1268 wrote to memory of 2348 1268 nhnhhb.exe 88 PID 1268 wrote to memory of 2348 1268 nhnhhb.exe 88 PID 2348 wrote to memory of 1244 2348 ppvpd.exe 89 PID 2348 wrote to memory of 1244 2348 ppvpd.exe 89 PID 2348 wrote to memory of 1244 2348 ppvpd.exe 89 PID 1244 wrote to memory of 2292 1244 1pvpv.exe 90 PID 1244 wrote to memory of 2292 1244 1pvpv.exe 90 PID 1244 wrote to memory of 2292 1244 1pvpv.exe 90 PID 2292 wrote to memory of 2824 2292 bbbbth.exe 91 PID 2292 wrote to memory of 2824 2292 bbbbth.exe 91 PID 2292 wrote to memory of 2824 2292 bbbbth.exe 91 PID 2824 wrote to memory of 3756 2824 fffrllf.exe 92 PID 2824 wrote to memory of 3756 2824 fffrllf.exe 92 PID 2824 wrote to memory of 3756 2824 fffrllf.exe 92 PID 3756 wrote to memory of 4804 3756 nbtttt.exe 93 PID 3756 wrote to 
memory of 4804 3756 nbtttt.exe 93 PID 3756 wrote to memory of 4804 3756 nbtttt.exe 93 PID 4804 wrote to memory of 2656 4804 xlllfrr.exe 94 PID 4804 wrote to memory of 2656 4804 xlllfrr.exe 94 PID 4804 wrote to memory of 2656 4804 xlllfrr.exe 94 PID 2656 wrote to memory of 1500 2656 9tbnnn.exe 95 PID 2656 wrote to memory of 1500 2656 9tbnnn.exe 95 PID 2656 wrote to memory of 1500 2656 9tbnnn.exe 95 PID 1500 wrote to memory of 2660 1500 lflfxxl.exe 96 PID 1500 wrote to memory of 2660 1500 lflfxxl.exe 96 PID 1500 wrote to memory of 2660 1500 lflfxxl.exe 96 PID 2660 wrote to memory of 2784 2660 jvppj.exe 97 PID 2660 wrote to memory of 2784 2660 jvppj.exe 97 PID 2660 wrote to memory of 2784 2660 jvppj.exe 97 PID 2784 wrote to memory of 3628 2784 pdjdp.exe 98 PID 2784 wrote to memory of 3628 2784 pdjdp.exe 98 PID 2784 wrote to memory of 3628 2784 pdjdp.exe 98 PID 3628 wrote to memory of 4596 3628 rrffxlf.exe 99 PID 3628 wrote to memory of 4596 3628 rrffxlf.exe 99 PID 3628 wrote to memory of 4596 3628 rrffxlf.exe 99 PID 4596 wrote to memory of 836 4596 rrrrrrr.exe 100 PID 4596 wrote to memory of 836 4596 rrrrrrr.exe 100 PID 4596 wrote to memory of 836 4596 rrrrrrr.exe 100 PID 836 wrote to memory of 4768 836 fxxlllf.exe 101 PID 836 wrote to memory of 4768 836 fxxlllf.exe 101 PID 836 wrote to memory of 4768 836 fxxlllf.exe 101 PID 4768 wrote to memory of 1648 4768 frrlfxr.exe 102 PID 4768 wrote to memory of 1648 4768 frrlfxr.exe 102 PID 4768 wrote to memory of 1648 4768 frrlfxr.exe 102 PID 1648 wrote to memory of 5088 1648 bbhtnn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b00fa19e8ff822092d53f80a732cd56f7f6a11d1cc4e2b38f45de915344bd46c.exe"C:\Users\Admin\AppData\Local\Temp\b00fa19e8ff822092d53f80a732cd56f7f6a11d1cc4e2b38f45de915344bd46c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\7bhbtn.exec:\7bhbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\vjpjd.exec:\vjpjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\3frlflf.exec:\3frlflf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\rllfxxr.exec:\rllfxxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\pjdjj.exec:\pjdjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\nhnhhb.exec:\nhnhhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\ppvpd.exec:\ppvpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\1pvpv.exec:\1pvpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\bbbbth.exec:\bbbbth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\fffrllf.exec:\fffrllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\nbtttt.exec:\nbtttt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\xlllfrr.exec:\xlllfrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\9tbnnn.exec:\9tbnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\lflfxxl.exec:\lflfxxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\jvppj.exec:\jvppj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\pdjdp.exec:\pdjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\rrffxlf.exec:\rrffxlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\fxxlllf.exec:\fxxlllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\frrlfxr.exec:\frrlfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\bbhtnn.exec:\bbhtnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\xxxfxxr.exec:\xxxfxxr.exe23⤵
- Executes dropped EXE
PID:5088 -
\??\c:\bhnnhb.exec:\bhnnhb.exe24⤵
- Executes dropped EXE
PID:4704 -
\??\c:\3jppd.exec:\3jppd.exe25⤵
- Executes dropped EXE
PID:2664 -
\??\c:\xlflrff.exec:\xlflrff.exe26⤵
- Executes dropped EXE
PID:2280 -
\??\c:\fxxrrlf.exec:\fxxrrlf.exe27⤵
- Executes dropped EXE
PID:2676 -
\??\c:\hbhhhh.exec:\hbhhhh.exe28⤵
- Executes dropped EXE
PID:3220 -
\??\c:\ddddp.exec:\ddddp.exe29⤵
- Executes dropped EXE
PID:4172 -
\??\c:\ttttnt.exec:\ttttnt.exe30⤵
- Executes dropped EXE
PID:4840 -
\??\c:\vpvvj.exec:\vpvvj.exe31⤵
- Executes dropped EXE
PID:4288 -
\??\c:\5jvvv.exec:\5jvvv.exe32⤵
- Executes dropped EXE
PID:4940 -
\??\c:\9dvvp.exec:\9dvvp.exe33⤵
- Executes dropped EXE
PID:4544 -
\??\c:\pjpjj.exec:\pjpjj.exe34⤵
- Executes dropped EXE
PID:4576 -
\??\c:\fxxlffx.exec:\fxxlffx.exe35⤵
- Executes dropped EXE
PID:3540 -
\??\c:\tbbhth.exec:\tbbhth.exe36⤵
- Executes dropped EXE
PID:4676 -
\??\c:\vpddj.exec:\vpddj.exe37⤵
- Executes dropped EXE
PID:4304 -
\??\c:\fxffllf.exec:\fxffllf.exe38⤵
- Executes dropped EXE
PID:760 -
\??\c:\ffrrffr.exec:\ffrrffr.exe39⤵
- Executes dropped EXE
PID:844 -
\??\c:\hnhbhb.exec:\hnhbhb.exe40⤵
- Executes dropped EXE
PID:2196 -
\??\c:\ppvjd.exec:\ppvjd.exe41⤵
- Executes dropped EXE
PID:4700 -
\??\c:\rffrllf.exec:\rffrllf.exe42⤵
- Executes dropped EXE
PID:2368 -
\??\c:\nbhhhh.exec:\nbhhhh.exe43⤵
- Executes dropped EXE
PID:1616 -
\??\c:\7jddv.exec:\7jddv.exe44⤵
- Executes dropped EXE
PID:3864 -
\??\c:\rlrrlrr.exec:\rlrrlrr.exe45⤵
- Executes dropped EXE
PID:468 -
\??\c:\tbtnnn.exec:\tbtnnn.exe46⤵
- Executes dropped EXE
PID:4616 -
\??\c:\bbbbtn.exec:\bbbbtn.exe47⤵
- Executes dropped EXE
PID:4348 -
\??\c:\pvjdd.exec:\pvjdd.exe48⤵
- Executes dropped EXE
PID:3412 -
\??\c:\lllfxlf.exec:\lllfxlf.exe49⤵
- Executes dropped EXE
PID:2348 -
\??\c:\9bnnbb.exec:\9bnnbb.exe50⤵
- Executes dropped EXE
PID:4848 -
\??\c:\dvvvp.exec:\dvvvp.exe51⤵
- Executes dropped EXE
PID:4820 -
\??\c:\pvdjj.exec:\pvdjj.exe52⤵
- Executes dropped EXE
PID:2292 -
\??\c:\fflfxfx.exec:\fflfxfx.exe53⤵
- Executes dropped EXE
PID:2824 -
\??\c:\hbhbtt.exec:\hbhbtt.exe54⤵
- Executes dropped EXE
PID:2504 -
\??\c:\vdddp.exec:\vdddp.exe55⤵
- Executes dropped EXE
PID:316 -
\??\c:\lrffllf.exec:\lrffllf.exe56⤵
- Executes dropped EXE
PID:1660 -
\??\c:\7tnnhh.exec:\7tnnhh.exe57⤵
- Executes dropped EXE
PID:4108 -
\??\c:\5hnbnn.exec:\5hnbnn.exe58⤵
- Executes dropped EXE
PID:2888 -
\??\c:\9ppdv.exec:\9ppdv.exe59⤵
- Executes dropped EXE
PID:1500 -
\??\c:\rrrxllf.exec:\rrrxllf.exe60⤵
- Executes dropped EXE
PID:4960 -
\??\c:\tthntn.exec:\tthntn.exe61⤵
- Executes dropped EXE
PID:2784 -
\??\c:\nhnnbb.exec:\nhnnbb.exe62⤵
- Executes dropped EXE
PID:4044 -
\??\c:\9djdp.exec:\9djdp.exe63⤵
- Executes dropped EXE
PID:928 -
\??\c:\rlrxrff.exec:\rlrxrff.exe64⤵
- Executes dropped EXE
PID:864 -
\??\c:\3hntnt.exec:\3hntnt.exe65⤵
- Executes dropped EXE
PID:1884 -
\??\c:\hbnbtt.exec:\hbnbtt.exe66⤵PID:2540
-
\??\c:\jjvjd.exec:\jjvjd.exe67⤵PID:2872
-
\??\c:\llxxxxr.exec:\llxxxxr.exe68⤵PID:4420
-
\??\c:\hntttb.exec:\hntttb.exe69⤵PID:4692
-
\??\c:\3hhbbb.exec:\3hhbbb.exe70⤵PID:2988
-
\??\c:\djdpj.exec:\djdpj.exe71⤵PID:3796
-
\??\c:\rxfxlll.exec:\rxfxlll.exe72⤵PID:5088
-
\??\c:\frxxrrl.exec:\frxxrrl.exe73⤵PID:1308
-
\??\c:\3ntbbb.exec:\3ntbbb.exe74⤵PID:3172
-
\??\c:\vvppj.exec:\vvppj.exe75⤵PID:3636
-
\??\c:\9rrrflf.exec:\9rrrflf.exe76⤵PID:1808
-
\??\c:\tnbttt.exec:\tnbttt.exe77⤵PID:3000
-
\??\c:\dpvpj.exec:\dpvpj.exe78⤵PID:1880
-
\??\c:\fflllll.exec:\fflllll.exe79⤵PID:2228
-
\??\c:\tntnnn.exec:\tntnnn.exe80⤵PID:3744
-
\??\c:\jvpjd.exec:\jvpjd.exe81⤵PID:2828
-
\??\c:\1ddpd.exec:\1ddpd.exe82⤵PID:4172
-
\??\c:\rxrfxrl.exec:\rxrfxrl.exe83⤵PID:2076
-
\??\c:\7bhhbt.exec:\7bhhbt.exe84⤵PID:1748
-
\??\c:\3jvvd.exec:\3jvvd.exe85⤵PID:1052
-
\??\c:\3fllrrx.exec:\3fllrrx.exe86⤵PID:4040
-
\??\c:\thtnnn.exec:\thtnnn.exe87⤵PID:3240
-
\??\c:\7hhbbb.exec:\7hhbbb.exe88⤵PID:4120
-
\??\c:\5vvpj.exec:\5vvpj.exe89⤵PID:3556
-
\??\c:\ffxrrlf.exec:\ffxrrlf.exe90⤵PID:1536
-
\??\c:\5ntnnn.exec:\5ntnnn.exe91⤵PID:1252
-
\??\c:\pdvpj.exec:\pdvpj.exe92⤵PID:3508
-
\??\c:\xxfxxff.exec:\xxfxxff.exe93⤵PID:4908
-
\??\c:\hhttnt.exec:\hhttnt.exe94⤵PID:3164
-
\??\c:\3vvvp.exec:\3vvvp.exe95⤵PID:5104
-
\??\c:\xrxrffr.exec:\xrxrffr.exe96⤵PID:1404
-
\??\c:\1bhbnn.exec:\1bhbnn.exe97⤵PID:3052
-
\??\c:\9ppjj.exec:\9ppjj.exe98⤵PID:4312
-
\??\c:\1jjdd.exec:\1jjdd.exe99⤵PID:3804
-
\??\c:\bnbbtt.exec:\bnbbtt.exe100⤵PID:1384
-
\??\c:\ppjdv.exec:\ppjdv.exe101⤵PID:1668
-
\??\c:\pjjvp.exec:\pjjvp.exe102⤵PID:1532
-
\??\c:\5hhhnn.exec:\5hhhnn.exe103⤵PID:840
-
\??\c:\5bhbtt.exec:\5bhbtt.exe104⤵
- System Location Discovery: System Language Discovery
PID:3876 -
\??\c:\jjpvp.exec:\jjpvp.exe105⤵PID:4628
-
\??\c:\rrrlxxl.exec:\rrrlxxl.exe106⤵PID:1444
-
\??\c:\tbbtnn.exec:\tbbtnn.exe107⤵PID:4832
-
\??\c:\1ppjd.exec:\1ppjd.exe108⤵PID:2484
-
\??\c:\fxlfrlf.exec:\fxlfrlf.exe109⤵PID:3956
-
\??\c:\1lrlrrl.exec:\1lrlrrl.exe110⤵PID:4616
-
\??\c:\nbhttb.exec:\nbhttb.exe111⤵PID:1272
-
\??\c:\pdjdv.exec:\pdjdv.exe112⤵PID:924
-
\??\c:\lffxrlf.exec:\lffxrlf.exe113⤵PID:1244
-
\??\c:\flrlfxx.exec:\flrlfxx.exe114⤵PID:4796
-
\??\c:\5ttnbh.exec:\5ttnbh.exe115⤵PID:4216
-
\??\c:\9pdjp.exec:\9pdjp.exe116⤵PID:3328
-
\??\c:\7djdp.exec:\7djdp.exe117⤵PID:1276
-
\??\c:\rxxrrxr.exec:\rxxrrxr.exe118⤵PID:1160
-
\??\c:\9nnnnt.exec:\9nnnnt.exe119⤵PID:2504
-
\??\c:\pjpjd.exec:\pjpjd.exe120⤵PID:3324
-
\??\c:\rrfxllx.exec:\rrfxllx.exe121⤵PID:464
-
\??\c:\bnttbb.exec:\bnttbb.exe122⤵PID:316