Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe
-
Size
454KB
-
MD5
8e8fd5179b44e25bb63bd0849ac58685
-
SHA1
982feb66e0e0faa5ee498e443f44872c17da836c
-
SHA256
cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c
-
SHA512
2f3ef00dfab11468ba3c3fb9b514ecc5285ee8e88001e63a20be4cdb2e0c94a955367db6999668cb1b62faeec775d72b1accbd96a7588f79377bd22bb8092fa5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeI:q7Tc2NYHUrAwfMp3CDI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1388-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2016-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3852-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-856-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-899-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-930-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-1470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-1857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2100 ffffxff.exe 2624 bbhbtt.exe 1392 9rlrlll.exe 3124 bhtnnh.exe 4360 vjpjd.exe 2216 7ttnhh.exe 2180 htttnn.exe 3904 lxxrrlf.exe 4844 frxrllf.exe 2172 fxlfxxr.exe 2272 dvdjj.exe 4480 pjdvp.exe 4900 vdjjd.exe 768 xxlfrrr.exe 456 pdpjd.exe 2500 djpjd.exe 2932 bttnnn.exe 4416 3vdvj.exe 3532 rllffxx.exe 2112 pjjjd.exe 5012 bbnhhh.exe 2088 fflrfxf.exe 2016 pppvd.exe 732 thhbtn.exe 3220 htthbb.exe 4936 jdpjd.exe 2168 nhhbtt.exe 4640 fxxrrrr.exe 4476 vpjpj.exe 2832 1llfxrx.exe 4352 bhnhhh.exe 2260 rlfrxxf.exe 1512 htbnhb.exe 2084 xrxlfxr.exe 4332 llrlxrl.exe 1368 bhtnbb.exe 1064 ddpvj.exe 1812 rflxrlf.exe 3104 9bnhbb.exe 2916 vjvjd.exe 4824 pdddv.exe 1504 3lffxxr.exe 4256 nhnhhb.exe 4616 jddvp.exe 2924 ffffxlf.exe 4296 lfffxrl.exe 4308 9btbtn.exe 1720 5vvpj.exe 4876 lfflffx.exe 3428 nhnnnt.exe 3912 9dvvj.exe 2128 lflfxxr.exe 4512 flrrrrl.exe 2248 hnhbnn.exe 964 vjpjj.exe 3420 xxrrlll.exe 3612 1bhtth.exe 2512 nntnhh.exe 3904 vpjjd.exe 1524 lflrllx.exe 4760 nhhhhh.exe 3900 ddjvd.exe 2272 xxrlflf.exe 2824 hbbtht.exe -
resource yara_rule behavioral2/memory/1388-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-138-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2016-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-361-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3216-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-856-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-899-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-930-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xffrrx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1388 wrote to memory of 2100 1388 cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe 84 PID 1388 wrote to memory of 2100 1388 cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe 84 PID 1388 wrote to memory of 2100 1388 cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe 84 PID 2100 wrote to memory of 2624 2100 ffffxff.exe 85 PID 2100 wrote to memory of 2624 2100 ffffxff.exe 85 PID 2100 wrote to memory of 2624 2100 ffffxff.exe 85 PID 2624 wrote to memory of 1392 2624 bbhbtt.exe 86 PID 2624 wrote to memory of 1392 2624 bbhbtt.exe 86 PID 2624 wrote to memory of 1392 2624 bbhbtt.exe 86 PID 1392 wrote to memory of 3124 1392 9rlrlll.exe 87 PID 1392 wrote to memory of 3124 1392 9rlrlll.exe 87 PID 1392 wrote to memory of 3124 1392 9rlrlll.exe 87 PID 3124 wrote to memory of 4360 3124 bhtnnh.exe 88 PID 3124 wrote to memory of 4360 3124 bhtnnh.exe 88 PID 3124 wrote to memory of 4360 3124 bhtnnh.exe 88 PID 4360 wrote to memory of 2216 4360 vjpjd.exe 89 PID 4360 wrote to memory of 2216 4360 vjpjd.exe 89 PID 4360 wrote to memory of 2216 4360 vjpjd.exe 89 PID 2216 wrote to memory of 2180 2216 7ttnhh.exe 90 PID 2216 wrote to memory of 2180 2216 7ttnhh.exe 90 PID 2216 wrote to memory of 2180 2216 7ttnhh.exe 90 PID 2180 wrote to memory of 3904 2180 htttnn.exe 91 PID 2180 wrote to memory of 3904 2180 htttnn.exe 91 PID 2180 wrote to memory of 3904 2180 htttnn.exe 91 PID 3904 wrote to memory of 4844 3904 lxxrrlf.exe 92 PID 3904 wrote to memory of 4844 3904 lxxrrlf.exe 92 PID 3904 wrote to memory of 4844 3904 lxxrrlf.exe 92 PID 4844 wrote to memory of 2172 4844 frxrllf.exe 93 PID 4844 wrote to memory of 2172 4844 frxrllf.exe 93 PID 4844 wrote to memory of 2172 4844 frxrllf.exe 93 PID 2172 wrote to memory of 2272 2172 fxlfxxr.exe 94 PID 2172 wrote to memory of 2272 2172 fxlfxxr.exe 94 PID 2172 wrote to memory of 2272 2172 fxlfxxr.exe 94 PID 2272 wrote to memory of 4480 2272 dvdjj.exe 95 PID 2272 
wrote to memory of 4480 2272 dvdjj.exe 95 PID 2272 wrote to memory of 4480 2272 dvdjj.exe 95 PID 4480 wrote to memory of 4900 4480 pjdvp.exe 96 PID 4480 wrote to memory of 4900 4480 pjdvp.exe 96 PID 4480 wrote to memory of 4900 4480 pjdvp.exe 96 PID 4900 wrote to memory of 768 4900 vdjjd.exe 97 PID 4900 wrote to memory of 768 4900 vdjjd.exe 97 PID 4900 wrote to memory of 768 4900 vdjjd.exe 97 PID 768 wrote to memory of 456 768 xxlfrrr.exe 98 PID 768 wrote to memory of 456 768 xxlfrrr.exe 98 PID 768 wrote to memory of 456 768 xxlfrrr.exe 98 PID 456 wrote to memory of 2500 456 pdpjd.exe 99 PID 456 wrote to memory of 2500 456 pdpjd.exe 99 PID 456 wrote to memory of 2500 456 pdpjd.exe 99 PID 2500 wrote to memory of 2932 2500 djpjd.exe 100 PID 2500 wrote to memory of 2932 2500 djpjd.exe 100 PID 2500 wrote to memory of 2932 2500 djpjd.exe 100 PID 2932 wrote to memory of 4416 2932 bttnnn.exe 101 PID 2932 wrote to memory of 4416 2932 bttnnn.exe 101 PID 2932 wrote to memory of 4416 2932 bttnnn.exe 101 PID 4416 wrote to memory of 3532 4416 3vdvj.exe 102 PID 4416 wrote to memory of 3532 4416 3vdvj.exe 102 PID 4416 wrote to memory of 3532 4416 3vdvj.exe 102 PID 3532 wrote to memory of 2112 3532 rllffxx.exe 103 PID 3532 wrote to memory of 2112 3532 rllffxx.exe 103 PID 3532 wrote to memory of 2112 3532 rllffxx.exe 103 PID 2112 wrote to memory of 5012 2112 pjjjd.exe 104 PID 2112 wrote to memory of 5012 2112 pjjjd.exe 104 PID 2112 wrote to memory of 5012 2112 pjjjd.exe 104 PID 5012 wrote to memory of 2088 5012 bbnhhh.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe"C:\Users\Admin\AppData\Local\Temp\cb763f1ff39c6d227d1976e7d6a00c18d2a86d7009de795dee8476498d794d5c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\ffffxff.exec:\ffffxff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\bbhbtt.exec:\bbhbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\9rlrlll.exec:\9rlrlll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\bhtnnh.exec:\bhtnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\vjpjd.exec:\vjpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\7ttnhh.exec:\7ttnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\htttnn.exec:\htttnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\lxxrrlf.exec:\lxxrrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\frxrllf.exec:\frxrllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\fxlfxxr.exec:\fxlfxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\dvdjj.exec:\dvdjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\pjdvp.exec:\pjdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\vdjjd.exec:\vdjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\xxlfrrr.exec:\xxlfrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\pdpjd.exec:\pdpjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\djpjd.exec:\djpjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\bttnnn.exec:\bttnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\3vdvj.exec:\3vdvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\rllffxx.exec:\rllffxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\pjjjd.exec:\pjjjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\bbnhhh.exec:\bbnhhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\fflrfxf.exec:\fflrfxf.exe23⤵
- Executes dropped EXE
PID:2088 -
\??\c:\pppvd.exec:\pppvd.exe24⤵
- Executes dropped EXE
PID:2016 -
\??\c:\thhbtn.exec:\thhbtn.exe25⤵
- Executes dropped EXE
PID:732 -
\??\c:\htthbb.exec:\htthbb.exe26⤵
- Executes dropped EXE
PID:3220 -
\??\c:\jdpjd.exec:\jdpjd.exe27⤵
- Executes dropped EXE
PID:4936 -
\??\c:\nhhbtt.exec:\nhhbtt.exe28⤵
- Executes dropped EXE
PID:2168 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe29⤵
- Executes dropped EXE
PID:4640 -
\??\c:\vpjpj.exec:\vpjpj.exe30⤵
- Executes dropped EXE
PID:4476 -
\??\c:\1llfxrx.exec:\1llfxrx.exe31⤵
- Executes dropped EXE
PID:2832 -
\??\c:\bhnhhh.exec:\bhnhhh.exe32⤵
- Executes dropped EXE
PID:4352 -
\??\c:\rlfrxxf.exec:\rlfrxxf.exe33⤵
- Executes dropped EXE
PID:2260 -
\??\c:\htbnhb.exec:\htbnhb.exe34⤵
- Executes dropped EXE
PID:1512 -
\??\c:\xrxlfxr.exec:\xrxlfxr.exe35⤵
- Executes dropped EXE
PID:2084 -
\??\c:\llrlxrl.exec:\llrlxrl.exe36⤵
- Executes dropped EXE
PID:4332 -
\??\c:\bhtnbb.exec:\bhtnbb.exe37⤵
- Executes dropped EXE
PID:1368 -
\??\c:\ddpvj.exec:\ddpvj.exe38⤵
- Executes dropped EXE
PID:1064 -
\??\c:\rflxrlf.exec:\rflxrlf.exe39⤵
- Executes dropped EXE
PID:1812 -
\??\c:\9bnhbb.exec:\9bnhbb.exe40⤵
- Executes dropped EXE
PID:3104 -
\??\c:\vjvjd.exec:\vjvjd.exe41⤵
- Executes dropped EXE
PID:2916 -
\??\c:\pdddv.exec:\pdddv.exe42⤵
- Executes dropped EXE
PID:4824 -
\??\c:\3lffxxr.exec:\3lffxxr.exe43⤵
- Executes dropped EXE
PID:1504 -
\??\c:\nhnhhb.exec:\nhnhhb.exe44⤵
- Executes dropped EXE
PID:4256 -
\??\c:\jddvp.exec:\jddvp.exe45⤵
- Executes dropped EXE
PID:4616 -
\??\c:\ffffxlf.exec:\ffffxlf.exe46⤵
- Executes dropped EXE
PID:2924 -
\??\c:\lfffxrl.exec:\lfffxrl.exe47⤵
- Executes dropped EXE
PID:4296 -
\??\c:\9btbtn.exec:\9btbtn.exe48⤵
- Executes dropped EXE
PID:4308 -
\??\c:\5vvpj.exec:\5vvpj.exe49⤵
- Executes dropped EXE
PID:1720 -
\??\c:\lfflffx.exec:\lfflffx.exe50⤵
- Executes dropped EXE
PID:4876 -
\??\c:\nhnnnt.exec:\nhnnnt.exe51⤵
- Executes dropped EXE
PID:3428 -
\??\c:\9dvvj.exec:\9dvvj.exe52⤵
- Executes dropped EXE
PID:3912 -
\??\c:\lflfxxr.exec:\lflfxxr.exe53⤵
- Executes dropped EXE
PID:2128 -
\??\c:\flrrrrl.exec:\flrrrrl.exe54⤵
- Executes dropped EXE
PID:4512 -
\??\c:\hnhbnn.exec:\hnhbnn.exe55⤵
- Executes dropped EXE
PID:2248 -
\??\c:\vjpjj.exec:\vjpjj.exe56⤵
- Executes dropped EXE
PID:964 -
\??\c:\xxrrlll.exec:\xxrrlll.exe57⤵
- Executes dropped EXE
PID:3420 -
\??\c:\1bhtth.exec:\1bhtth.exe58⤵
- Executes dropped EXE
PID:3612 -
\??\c:\nntnhh.exec:\nntnhh.exe59⤵
- Executes dropped EXE
PID:2512 -
\??\c:\vpjjd.exec:\vpjjd.exe60⤵
- Executes dropped EXE
PID:3904 -
\??\c:\lflrllx.exec:\lflrllx.exe61⤵
- Executes dropped EXE
PID:1524 -
\??\c:\nhhhhh.exec:\nhhhhh.exe62⤵
- Executes dropped EXE
PID:4760 -
\??\c:\ddjvd.exec:\ddjvd.exe63⤵
- Executes dropped EXE
PID:3900 -
\??\c:\xxrlflf.exec:\xxrlflf.exe64⤵
- Executes dropped EXE
PID:2272 -
\??\c:\hbbtht.exec:\hbbtht.exe65⤵
- Executes dropped EXE
PID:2824 -
\??\c:\vpvpv.exec:\vpvpv.exe66⤵
- System Location Discovery: System Language Discovery
PID:2116 -
\??\c:\jvvpj.exec:\jvvpj.exe67⤵PID:4708
-
\??\c:\xxlffxf.exec:\xxlffxf.exe68⤵PID:4900
-
\??\c:\1ntntt.exec:\1ntntt.exe69⤵PID:4660
-
\??\c:\ppppv.exec:\ppppv.exe70⤵PID:456
-
\??\c:\1dppj.exec:\1dppj.exe71⤵PID:1364
-
\??\c:\frxlfxr.exec:\frxlfxr.exe72⤵PID:1956
-
\??\c:\tttnhb.exec:\tttnhb.exe73⤵PID:5060
-
\??\c:\jdddj.exec:\jdddj.exe74⤵PID:5080
-
\??\c:\lfffxxr.exec:\lfffxxr.exe75⤵PID:3852
-
\??\c:\tbbtnh.exec:\tbbtnh.exe76⤵PID:3636
-
\??\c:\jddvp.exec:\jddvp.exe77⤵PID:2808
-
\??\c:\vpjvv.exec:\vpjvv.exe78⤵PID:1448
-
\??\c:\fllfxxr.exec:\fllfxxr.exe79⤵PID:4388
-
\??\c:\1hbtnt.exec:\1hbtnt.exe80⤵PID:2628
-
\??\c:\jdjdj.exec:\jdjdj.exe81⤵PID:2088
-
\??\c:\3llfxxr.exec:\3llfxxr.exe82⤵PID:2740
-
\??\c:\bthhbt.exec:\bthhbt.exe83⤵PID:1516
-
\??\c:\dvjpj.exec:\dvjpj.exe84⤵PID:3216
-
\??\c:\vdjdp.exec:\vdjdp.exe85⤵PID:2472
-
\??\c:\5rrrrrr.exec:\5rrrrrr.exe86⤵PID:1056
-
\??\c:\bthbth.exec:\bthbth.exe87⤵PID:1708
-
\??\c:\djdjj.exec:\djdjj.exe88⤵PID:4344
-
\??\c:\lflfllx.exec:\lflfllx.exe89⤵PID:216
-
\??\c:\hntnhh.exec:\hntnhh.exe90⤵PID:3240
-
\??\c:\hbbtnn.exec:\hbbtnn.exe91⤵PID:940
-
\??\c:\vpjdp.exec:\vpjdp.exe92⤵PID:220
-
\??\c:\9llrlrx.exec:\9llrlrx.exe93⤵PID:4492
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe94⤵PID:2260
-
\??\c:\bthbtt.exec:\bthbtt.exe95⤵PID:1512
-
\??\c:\3jpjd.exec:\3jpjd.exe96⤵PID:4220
-
\??\c:\xxxlllf.exec:\xxxlllf.exe97⤵PID:4864
-
\??\c:\nbhbtn.exec:\nbhbtn.exe98⤵PID:1808
-
\??\c:\hhnnbh.exec:\hhnnbh.exe99⤵PID:1456
-
\??\c:\ppddd.exec:\ppddd.exe100⤵PID:1376
-
\??\c:\lxffxxx.exec:\lxffxxx.exe101⤵PID:3640
-
\??\c:\hntnhh.exec:\hntnhh.exe102⤵PID:2576
-
\??\c:\jjpdd.exec:\jjpdd.exe103⤵PID:3704
-
\??\c:\7frlllf.exec:\7frlllf.exe104⤵PID:1552
-
\??\c:\7bhbtt.exec:\7bhbtt.exe105⤵PID:4596
-
\??\c:\3nnnhn.exec:\3nnnhn.exe106⤵PID:2240
-
\??\c:\vjvpj.exec:\vjvpj.exe107⤵PID:3192
-
\??\c:\xlffxxx.exec:\xlffxxx.exe108⤵PID:4812
-
\??\c:\rxxxxxx.exec:\rxxxxxx.exe109⤵PID:4840
-
\??\c:\5hnnnn.exec:\5hnnnn.exe110⤵PID:1028
-
\??\c:\dvjdj.exec:\dvjdj.exe111⤵PID:1720
-
\??\c:\fxrlrrx.exec:\fxrlrrx.exe112⤵PID:1392
-
\??\c:\xlxxrrr.exec:\xlxxrrr.exe113⤵PID:3428
-
\??\c:\thtnhb.exec:\thtnhb.exe114⤵PID:3912
-
\??\c:\9ddjd.exec:\9ddjd.exe115⤵PID:1544
-
\??\c:\fflfrrl.exec:\fflfrrl.exe116⤵PID:4832
-
\??\c:\nhttbt.exec:\nhttbt.exe117⤵PID:4360
-
\??\c:\vvvdv.exec:\vvvdv.exe118⤵PID:2216
-
\??\c:\5fxrrxr.exec:\5fxrrxr.exe119⤵PID:3260
-
\??\c:\xflfxxr.exec:\xflfxxr.exe120⤵PID:552
-
\??\c:\bttbnn.exec:\bttbnn.exe121⤵PID:1672
-
\??\c:\vjdpj.exec:\vjdpj.exe122⤵PID:4604
-