Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9bce8515ebffa2b4231c32f9fba721b21cf6a25ff9ea0ec898c511bd666f266f.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
9bce8515ebffa2b4231c32f9fba721b21cf6a25ff9ea0ec898c511bd666f266f.exe
-
Size
454KB
-
MD5
b5bc05a41818bd95bb82a225494cd5ea
-
SHA1
88a7ef02d79c347993ae870c04a3b1cf538da87a
-
SHA256
9bce8515ebffa2b4231c32f9fba721b21cf6a25ff9ea0ec898c511bd666f266f
-
SHA512
8fca3cda66e7c3a829c2efa0223cddcb600e0724c0b4719e91d535152b878113f5fd724dd37960c2a3cb17e23ee7e6ca872541601624a6eec38e40f7b9b5b24a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2064-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4112-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3928-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-772-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-913-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-986-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-1618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list is capped at 64 entries; the process tree below shows the drop-and-execute chain continuing to depth 122, each stage being a new executable written to the drive root `c:\` and launched by the previous one)
pid Process 3448 fxflfff.exe 2136 hbbbtn.exe 4148 jdpjp.exe 3916 24000.exe 2928 824888.exe 4228 82226.exe 4752 84604.exe 3124 lfrllll.exe 3392 rxxrlfx.exe 764 9tnbnh.exe 2228 pjdvj.exe 1744 jvdvd.exe 3704 26660.exe 1316 m4048.exe 5052 8666666.exe 3028 o444822.exe 2164 0480448.exe 2184 nbtttb.exe 5116 pjjpp.exe 5020 2666066.exe 3684 ttbbtt.exe 1864 2062066.exe 2256 rffxxlf.exe 940 282448.exe 4432 bhnnnn.exe 1976 2888444.exe 4112 ddpjp.exe 4028 djppj.exe 3612 624600.exe 876 o482648.exe 1140 nhnnbn.exe 3480 vjjvv.exe 4424 fxxxrlf.exe 4304 6222660.exe 5084 dppdj.exe 5068 thtnbb.exe 4812 hbntbn.exe 1032 jvvdv.exe 4348 2884604.exe 2020 8626862.exe 436 288260.exe 892 pjjdv.exe 4768 48444.exe 2028 2808260.exe 4184 7nbnhb.exe 228 fllfxrl.exe 2084 1tbnhh.exe 4320 0408268.exe 4440 8686226.exe 4356 1thbtt.exe 3936 lxxrxrr.exe 3236 04048.exe 3956 5vvpj.exe 4700 xfffrrl.exe 4524 vpjdv.exe 3908 httnhh.exe 3600 k80668.exe 1508 9frrxff.exe 4828 42604.exe 2748 bbtttt.exe 3592 3pjjj.exe 4864 880606.exe 3360 thnttb.exe 1604 bhnhnn.exe -
resource yara_rule behavioral2/memory/2064-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1976-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-326-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5032-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-597-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Most entries below are attributed to "Process not Found", meaning the sandbox could not tie the key open to a tracked process (presumably the process had already exited); only the entries naming a specific .exe are directly attributable.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6460448.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8200426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (every recorded write is from a parent into the child it has just spawned, matching the chain in the process tree; no write into an unrelated, pre-existing process appears in these entries, so this looks like creation-time writes rather than cross-process injection — confirm against the full log, which is truncated here at 64 entries)
description pid Process procid_target PID 2064 wrote to memory of 3448 2064 9bce8515ebffa2b4231c32f9fba721b21cf6a25ff9ea0ec898c511bd666f266f.exe 83 PID 2064 wrote to memory of 3448 2064 9bce8515ebffa2b4231c32f9fba721b21cf6a25ff9ea0ec898c511bd666f266f.exe 83 PID 2064 wrote to memory of 3448 2064 9bce8515ebffa2b4231c32f9fba721b21cf6a25ff9ea0ec898c511bd666f266f.exe 83 PID 3448 wrote to memory of 2136 3448 fxflfff.exe 84 PID 3448 wrote to memory of 2136 3448 fxflfff.exe 84 PID 3448 wrote to memory of 2136 3448 fxflfff.exe 84 PID 2136 wrote to memory of 4148 2136 hbbbtn.exe 85 PID 2136 wrote to memory of 4148 2136 hbbbtn.exe 85 PID 2136 wrote to memory of 4148 2136 hbbbtn.exe 85 PID 4148 wrote to memory of 3916 4148 jdpjp.exe 86 PID 4148 wrote to memory of 3916 4148 jdpjp.exe 86 PID 4148 wrote to memory of 3916 4148 jdpjp.exe 86 PID 3916 wrote to memory of 2928 3916 24000.exe 87 PID 3916 wrote to memory of 2928 3916 24000.exe 87 PID 3916 wrote to memory of 2928 3916 24000.exe 87 PID 2928 wrote to memory of 4228 2928 824888.exe 88 PID 2928 wrote to memory of 4228 2928 824888.exe 88 PID 2928 wrote to memory of 4228 2928 824888.exe 88 PID 4228 wrote to memory of 4752 4228 82226.exe 89 PID 4228 wrote to memory of 4752 4228 82226.exe 89 PID 4228 wrote to memory of 4752 4228 82226.exe 89 PID 4752 wrote to memory of 3124 4752 84604.exe 90 PID 4752 wrote to memory of 3124 4752 84604.exe 90 PID 4752 wrote to memory of 3124 4752 84604.exe 90 PID 3124 wrote to memory of 3392 3124 lfrllll.exe 91 PID 3124 wrote to memory of 3392 3124 lfrllll.exe 91 PID 3124 wrote to memory of 3392 3124 lfrllll.exe 91 PID 3392 wrote to memory of 764 3392 rxxrlfx.exe 92 PID 3392 wrote to memory of 764 3392 rxxrlfx.exe 92 PID 3392 wrote to memory of 764 3392 rxxrlfx.exe 92 PID 764 wrote to memory of 2228 764 9tnbnh.exe 93 PID 764 wrote to memory of 2228 764 9tnbnh.exe 93 PID 764 wrote to memory of 2228 764 9tnbnh.exe 93 PID 2228 wrote to memory of 1744 2228 pjdvj.exe 94 PID 2228 wrote to memory of 1744 
2228 pjdvj.exe 94 PID 2228 wrote to memory of 1744 2228 pjdvj.exe 94 PID 1744 wrote to memory of 3704 1744 jvdvd.exe 95 PID 1744 wrote to memory of 3704 1744 jvdvd.exe 95 PID 1744 wrote to memory of 3704 1744 jvdvd.exe 95 PID 3704 wrote to memory of 1316 3704 26660.exe 96 PID 3704 wrote to memory of 1316 3704 26660.exe 96 PID 3704 wrote to memory of 1316 3704 26660.exe 96 PID 1316 wrote to memory of 5052 1316 m4048.exe 97 PID 1316 wrote to memory of 5052 1316 m4048.exe 97 PID 1316 wrote to memory of 5052 1316 m4048.exe 97 PID 5052 wrote to memory of 3028 5052 8666666.exe 98 PID 5052 wrote to memory of 3028 5052 8666666.exe 98 PID 5052 wrote to memory of 3028 5052 8666666.exe 98 PID 3028 wrote to memory of 2164 3028 o444822.exe 99 PID 3028 wrote to memory of 2164 3028 o444822.exe 99 PID 3028 wrote to memory of 2164 3028 o444822.exe 99 PID 2164 wrote to memory of 2184 2164 0480448.exe 100 PID 2164 wrote to memory of 2184 2164 0480448.exe 100 PID 2164 wrote to memory of 2184 2164 0480448.exe 100 PID 2184 wrote to memory of 5116 2184 nbtttb.exe 101 PID 2184 wrote to memory of 5116 2184 nbtttb.exe 101 PID 2184 wrote to memory of 5116 2184 nbtttb.exe 101 PID 5116 wrote to memory of 5020 5116 pjjpp.exe 102 PID 5116 wrote to memory of 5020 5116 pjjpp.exe 102 PID 5116 wrote to memory of 5020 5116 pjjpp.exe 102 PID 5020 wrote to memory of 3684 5020 2666066.exe 103 PID 5020 wrote to memory of 3684 5020 2666066.exe 103 PID 5020 wrote to memory of 3684 5020 2666066.exe 103 PID 3684 wrote to memory of 1864 3684 ttbbtt.exe 104
Processes (process tree; note that PIDs are reused within this run — e.g. 3448, 2136, 1864, 4432 and 1140 each appear at two different depths — so a PID alone does not uniquely identify a process when correlating with the memory-dump and WriteProcessMemory entries above)
-
C:\Users\Admin\AppData\Local\Temp\9bce8515ebffa2b4231c32f9fba721b21cf6a25ff9ea0ec898c511bd666f266f.exe"C:\Users\Admin\AppData\Local\Temp\9bce8515ebffa2b4231c32f9fba721b21cf6a25ff9ea0ec898c511bd666f266f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\fxflfff.exec:\fxflfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\hbbbtn.exec:\hbbbtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\jdpjp.exec:\jdpjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\24000.exec:\24000.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\824888.exec:\824888.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\82226.exec:\82226.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\84604.exec:\84604.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\lfrllll.exec:\lfrllll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\9tnbnh.exec:\9tnbnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\pjdvj.exec:\pjdvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\jvdvd.exec:\jvdvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\26660.exec:\26660.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\m4048.exec:\m4048.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\8666666.exec:\8666666.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\o444822.exec:\o444822.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\0480448.exec:\0480448.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\nbtttb.exec:\nbtttb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\pjjpp.exec:\pjjpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\2666066.exec:\2666066.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\ttbbtt.exec:\ttbbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\2062066.exec:\2062066.exe23⤵
- Executes dropped EXE
PID:1864 -
\??\c:\rffxxlf.exec:\rffxxlf.exe24⤵
- Executes dropped EXE
PID:2256 -
\??\c:\282448.exec:\282448.exe25⤵
- Executes dropped EXE
PID:940 -
\??\c:\bhnnnn.exec:\bhnnnn.exe26⤵
- Executes dropped EXE
PID:4432 -
\??\c:\2888444.exec:\2888444.exe27⤵
- Executes dropped EXE
PID:1976 -
\??\c:\ddpjp.exec:\ddpjp.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4112 -
\??\c:\djppj.exec:\djppj.exe29⤵
- Executes dropped EXE
PID:4028 -
\??\c:\624600.exec:\624600.exe30⤵
- Executes dropped EXE
PID:3612 -
\??\c:\o482648.exec:\o482648.exe31⤵
- Executes dropped EXE
PID:876 -
\??\c:\nhnnbn.exec:\nhnnbn.exe32⤵
- Executes dropped EXE
PID:1140 -
\??\c:\vjjvv.exec:\vjjvv.exe33⤵
- Executes dropped EXE
PID:3480 -
\??\c:\fxxxrlf.exec:\fxxxrlf.exe34⤵
- Executes dropped EXE
PID:4424 -
\??\c:\6222660.exec:\6222660.exe35⤵
- Executes dropped EXE
PID:4304 -
\??\c:\dppdj.exec:\dppdj.exe36⤵
- Executes dropped EXE
PID:5084 -
\??\c:\thtnbb.exec:\thtnbb.exe37⤵
- Executes dropped EXE
PID:5068 -
\??\c:\hbntbn.exec:\hbntbn.exe38⤵
- Executes dropped EXE
PID:4812 -
\??\c:\jvvdv.exec:\jvvdv.exe39⤵
- Executes dropped EXE
PID:1032 -
\??\c:\2884604.exec:\2884604.exe40⤵
- Executes dropped EXE
PID:4348 -
\??\c:\8626862.exec:\8626862.exe41⤵
- Executes dropped EXE
PID:2020 -
\??\c:\288260.exec:\288260.exe42⤵
- Executes dropped EXE
PID:436 -
\??\c:\pjjdv.exec:\pjjdv.exe43⤵
- Executes dropped EXE
PID:892 -
\??\c:\48444.exec:\48444.exe44⤵
- Executes dropped EXE
PID:4768 -
\??\c:\2808260.exec:\2808260.exe45⤵
- Executes dropped EXE
PID:2028 -
\??\c:\7nbnhb.exec:\7nbnhb.exe46⤵
- Executes dropped EXE
PID:4184 -
\??\c:\fllfxrl.exec:\fllfxrl.exe47⤵
- Executes dropped EXE
PID:228 -
\??\c:\1tbnhh.exec:\1tbnhh.exe48⤵
- Executes dropped EXE
PID:2084 -
\??\c:\0408268.exec:\0408268.exe49⤵
- Executes dropped EXE
PID:4320 -
\??\c:\8686226.exec:\8686226.exe50⤵
- Executes dropped EXE
PID:4440 -
\??\c:\1thbtt.exec:\1thbtt.exe51⤵
- Executes dropped EXE
PID:4356 -
\??\c:\lxxrxrr.exec:\lxxrxrr.exe52⤵
- Executes dropped EXE
PID:3936 -
\??\c:\04048.exec:\04048.exe53⤵
- Executes dropped EXE
PID:3236 -
\??\c:\5vvpj.exec:\5vvpj.exe54⤵
- Executes dropped EXE
PID:3956 -
\??\c:\xfffrrl.exec:\xfffrrl.exe55⤵
- Executes dropped EXE
PID:4700 -
\??\c:\vpjdv.exec:\vpjdv.exe56⤵
- Executes dropped EXE
PID:4524 -
\??\c:\httnhh.exec:\httnhh.exe57⤵
- Executes dropped EXE
PID:3908 -
\??\c:\k80668.exec:\k80668.exe58⤵
- Executes dropped EXE
PID:3600 -
\??\c:\9frrxff.exec:\9frrxff.exe59⤵
- Executes dropped EXE
PID:1508 -
\??\c:\42604.exec:\42604.exe60⤵
- Executes dropped EXE
PID:4828 -
\??\c:\bbtttt.exec:\bbtttt.exe61⤵
- Executes dropped EXE
PID:2748 -
\??\c:\3pjjj.exec:\3pjjj.exe62⤵
- Executes dropped EXE
PID:3592 -
\??\c:\880606.exec:\880606.exe63⤵
- Executes dropped EXE
PID:4864 -
\??\c:\thnttb.exec:\thnttb.exe64⤵
- Executes dropped EXE
PID:3360 -
\??\c:\bhnhnn.exec:\bhnhnn.exe65⤵
- Executes dropped EXE
PID:1604 -
\??\c:\6804848.exec:\6804848.exe66⤵PID:2544
-
\??\c:\1jjjd.exec:\1jjjd.exe67⤵PID:3244
-
\??\c:\vdjpv.exec:\vdjpv.exe68⤵PID:4012
-
\??\c:\btnbtb.exec:\btnbtb.exe69⤵PID:4748
-
\??\c:\62886.exec:\62886.exe70⤵PID:2980
-
\??\c:\8088282.exec:\8088282.exe71⤵PID:2408
-
\??\c:\0220826.exec:\0220826.exe72⤵PID:1780
-
\??\c:\lxrlxrl.exec:\lxrlxrl.exe73⤵PID:3488
-
\??\c:\xlxllfl.exec:\xlxllfl.exe74⤵PID:868
-
\??\c:\5vdvj.exec:\5vdvj.exe75⤵PID:4852
-
\??\c:\hnbtnh.exec:\hnbtnh.exe76⤵PID:3048
-
\??\c:\k20666.exec:\k20666.exe77⤵PID:4836
-
\??\c:\hbhhnn.exec:\hbhhnn.exe78⤵PID:5032
-
\??\c:\0864444.exec:\0864444.exe79⤵PID:3928
-
\??\c:\20644.exec:\20644.exe80⤵PID:3300
-
\??\c:\hbnhnn.exec:\hbnhnn.exe81⤵PID:5048
-
\??\c:\9vdvp.exec:\9vdvp.exe82⤵PID:2728
-
\??\c:\htbbtt.exec:\htbbtt.exe83⤵PID:3004
-
\??\c:\6804488.exec:\6804488.exe84⤵PID:1864
-
\??\c:\e68822.exec:\e68822.exe85⤵PID:4872
-
\??\c:\82886.exec:\82886.exe86⤵PID:4556
-
\??\c:\8888282.exec:\8888282.exe87⤵PID:3580
-
\??\c:\ddjdv.exec:\ddjdv.exe88⤵PID:4432
-
\??\c:\jvvvj.exec:\jvvvj.exe89⤵PID:3344
-
\??\c:\dvvvp.exec:\dvvvp.exe90⤵PID:4032
-
\??\c:\hhnhbb.exec:\hhnhbb.exe91⤵PID:4024
-
\??\c:\hbhhbb.exec:\hbhhbb.exe92⤵PID:4912
-
\??\c:\02686.exec:\02686.exe93⤵PID:4532
-
\??\c:\ttbttt.exec:\ttbttt.exe94⤵PID:1804
-
\??\c:\nhhbnn.exec:\nhhbnn.exe95⤵PID:760
-
\??\c:\60440.exec:\60440.exe96⤵PID:1140
-
\??\c:\3lrlllf.exec:\3lrlllf.exe97⤵PID:3564
-
\??\c:\a2882.exec:\a2882.exe98⤵PID:3864
-
\??\c:\9jvpv.exec:\9jvpv.exe99⤵PID:4104
-
\??\c:\xrrlxxx.exec:\xrrlxxx.exe100⤵PID:1596
-
\??\c:\6622666.exec:\6622666.exe101⤵PID:2924
-
\??\c:\5xrxxff.exec:\5xrxxff.exe102⤵PID:3748
-
\??\c:\1lxxffl.exec:\1lxxffl.exe103⤵PID:5080
-
\??\c:\rlrlflf.exec:\rlrlflf.exe104⤵PID:1588
-
\??\c:\240266.exec:\240266.exe105⤵PID:4972
-
\??\c:\vpdvp.exec:\vpdvp.exe106⤵PID:4528
-
\??\c:\7dvvp.exec:\7dvvp.exe107⤵PID:1988
-
\??\c:\bbnnhn.exec:\bbnnhn.exe108⤵PID:2132
-
\??\c:\44224.exec:\44224.exe109⤵PID:412
-
\??\c:\88666.exec:\88666.exe110⤵PID:2760
-
\??\c:\446048.exec:\446048.exe111⤵PID:448
-
\??\c:\ffrrflf.exec:\ffrrflf.exe112⤵PID:2668
-
\??\c:\82260.exec:\82260.exe113⤵PID:208
-
\??\c:\48664.exec:\48664.exe114⤵PID:1344
-
\??\c:\ttntnn.exec:\ttntnn.exe115⤵PID:4344
-
\??\c:\3ffffff.exec:\3ffffff.exe116⤵PID:4328
-
\??\c:\tbntnt.exec:\tbntnt.exe117⤵PID:4960
-
\??\c:\0402226.exec:\0402226.exe118⤵PID:3448
-
\??\c:\vvpjj.exec:\vvpjj.exe119⤵PID:2136
-
\??\c:\48820.exec:\48820.exe120⤵PID:4048
-
\??\c:\jvdvp.exec:\jvdvp.exe121⤵PID:4212
-
\??\c:\rrrrlll.exec:\rrrrlll.exe122⤵PID:816
-