Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe
-
Size
454KB
-
MD5
bf23a4b63186a191b3a9c48695803290
-
SHA1
5368199573132895dc66ba1c69e76e39423f30e7
-
SHA256
8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4fa
-
SHA512
06d2c72fef456c7509f5a5fd7a1741379ccddffb637145f42cb283e5ac73f789a4ec254f5034b4e828e63a6bda788f4c629cc360cfc8605bf4fde57877efff0d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2080-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1836-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2596-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-943-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-1265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-1404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2284 lfrfxrf.exe 2856 xxxrrrr.exe 3668 vdvjd.exe 3928 vdjvp.exe 3604 htbbtt.exe 1220 frllfll.exe 4404 jvvvp.exe 3272 xrrlffx.exe 1092 lflfllf.exe 1280 ttbhbb.exe 1596 lrxrffr.exe 1100 frrlllf.exe 224 ddpdd.exe 2616 9djdv.exe 4292 hhnhnn.exe 528 dpvvp.exe 5040 9llfxfx.exe 1264 pdvpj.exe 396 rlllxrr.exe 4128 hhtnbn.exe 4684 7jpjd.exe 4548 bbbhbb.exe 1328 pvdvv.exe 2364 rfllffx.exe 1836 pjpjj.exe 3836 3vvpp.exe 3444 hntnhh.exe 4284 ddjjp.exe 3648 rxllrxx.exe 1816 9dppd.exe 3076 ntbthb.exe 4856 lxrrfrr.exe 924 rlrxxxx.exe 3508 vvjpv.exe 228 xfffrrf.exe 4064 7ttnhh.exe 2268 pvddd.exe 4352 fflllrr.exe 3532 tntbtt.exe 5116 vdvjd.exe 3112 vjpvd.exe 3132 btbhhh.exe 4616 djvpp.exe 4676 jdjdv.exe 4104 fxxrllf.exe 3316 9ffxffl.exe 4256 bntnnn.exe 428 jdpjj.exe 3028 rxfxrrr.exe 4088 hntnhh.exe 2532 pdvvd.exe 5088 jjjdv.exe 4376 rfrlrrx.exe 4688 hhnhhn.exe 2816 dpvvp.exe 2284 5jppp.exe 1988 fxffxfr.exe 4936 3btttb.exe 3528 ppvjv.exe 4768 1flfxxx.exe 3660 tnttnn.exe 2160 7vvpp.exe 2880 xrfffff.exe 1948 tbhttt.exe -
resource yara_rule behavioral2/memory/2080-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-168-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3076-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3816-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-943-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2080 wrote to memory of 2284 2080 8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe 82 PID 2080 wrote to memory of 2284 2080 8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe 82 PID 2080 wrote to memory of 2284 2080 8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe 82 PID 2284 wrote to memory of 2856 2284 lfrfxrf.exe 83 PID 2284 wrote to memory of 2856 2284 lfrfxrf.exe 83 PID 2284 wrote to memory of 2856 2284 lfrfxrf.exe 83 PID 2856 wrote to memory of 3668 2856 xxxrrrr.exe 84 PID 2856 wrote to memory of 3668 2856 xxxrrrr.exe 84 PID 2856 wrote to memory of 3668 2856 xxxrrrr.exe 84 PID 3668 wrote to memory of 3928 3668 vdvjd.exe 85 PID 3668 wrote to memory of 3928 3668 vdvjd.exe 85 PID 3668 wrote to memory of 3928 3668 vdvjd.exe 85 PID 3928 wrote to memory of 3604 3928 vdjvp.exe 86 PID 3928 wrote to memory of 3604 3928 vdjvp.exe 86 PID 3928 wrote to memory of 3604 3928 vdjvp.exe 86 PID 3604 wrote to memory of 1220 3604 htbbtt.exe 87 PID 3604 wrote to memory of 1220 3604 htbbtt.exe 87 PID 3604 wrote to memory of 1220 3604 htbbtt.exe 87 PID 1220 wrote to memory of 4404 1220 frllfll.exe 88 PID 1220 wrote to memory of 4404 1220 frllfll.exe 88 PID 1220 wrote to memory of 4404 1220 frllfll.exe 88 PID 4404 wrote to memory of 3272 4404 jvvvp.exe 89 PID 4404 wrote to memory of 3272 4404 jvvvp.exe 89 PID 4404 wrote to memory of 3272 4404 jvvvp.exe 89 PID 3272 wrote to memory of 1092 3272 xrrlffx.exe 90 PID 3272 wrote to memory of 1092 3272 xrrlffx.exe 90 PID 3272 wrote to memory of 1092 3272 xrrlffx.exe 90 PID 1092 wrote to memory of 1280 1092 lflfllf.exe 91 PID 1092 wrote to memory of 1280 1092 lflfllf.exe 91 PID 1092 wrote to memory of 1280 1092 lflfllf.exe 91 PID 1280 wrote to memory of 1596 1280 ttbhbb.exe 92 PID 1280 wrote to memory of 1596 1280 ttbhbb.exe 92 PID 1280 wrote to memory of 1596 1280 ttbhbb.exe 92 PID 1596 wrote to memory of 1100 1596 lrxrffr.exe 93 PID 1596 
wrote to memory of 1100 1596 lrxrffr.exe 93 PID 1596 wrote to memory of 1100 1596 lrxrffr.exe 93 PID 1100 wrote to memory of 224 1100 frrlllf.exe 94 PID 1100 wrote to memory of 224 1100 frrlllf.exe 94 PID 1100 wrote to memory of 224 1100 frrlllf.exe 94 PID 224 wrote to memory of 2616 224 ddpdd.exe 95 PID 224 wrote to memory of 2616 224 ddpdd.exe 95 PID 224 wrote to memory of 2616 224 ddpdd.exe 95 PID 2616 wrote to memory of 4292 2616 9djdv.exe 96 PID 2616 wrote to memory of 4292 2616 9djdv.exe 96 PID 2616 wrote to memory of 4292 2616 9djdv.exe 96 PID 4292 wrote to memory of 528 4292 hhnhnn.exe 97 PID 4292 wrote to memory of 528 4292 hhnhnn.exe 97 PID 4292 wrote to memory of 528 4292 hhnhnn.exe 97 PID 528 wrote to memory of 5040 528 dpvvp.exe 98 PID 528 wrote to memory of 5040 528 dpvvp.exe 98 PID 528 wrote to memory of 5040 528 dpvvp.exe 98 PID 5040 wrote to memory of 1264 5040 9llfxfx.exe 99 PID 5040 wrote to memory of 1264 5040 9llfxfx.exe 99 PID 5040 wrote to memory of 1264 5040 9llfxfx.exe 99 PID 1264 wrote to memory of 396 1264 pdvpj.exe 100 PID 1264 wrote to memory of 396 1264 pdvpj.exe 100 PID 1264 wrote to memory of 396 1264 pdvpj.exe 100 PID 396 wrote to memory of 4128 396 rlllxrr.exe 101 PID 396 wrote to memory of 4128 396 rlllxrr.exe 101 PID 396 wrote to memory of 4128 396 rlllxrr.exe 101 PID 4128 wrote to memory of 4684 4128 hhtnbn.exe 102 PID 4128 wrote to memory of 4684 4128 hhtnbn.exe 102 PID 4128 wrote to memory of 4684 4128 hhtnbn.exe 102 PID 4684 wrote to memory of 4548 4684 7jpjd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe"C:\Users\Admin\AppData\Local\Temp\8c0beaea82bb3fe4f5fe0959a11cd230480f8c6660bde164c5b4092fb6aaa4faN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\lfrfxrf.exec:\lfrfxrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\xxxrrrr.exec:\xxxrrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\vdvjd.exec:\vdvjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\vdjvp.exec:\vdjvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\htbbtt.exec:\htbbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\frllfll.exec:\frllfll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\jvvvp.exec:\jvvvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\xrrlffx.exec:\xrrlffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\lflfllf.exec:\lflfllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\ttbhbb.exec:\ttbhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\lrxrffr.exec:\lrxrffr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\frrlllf.exec:\frrlllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\ddpdd.exec:\ddpdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\9djdv.exec:\9djdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\hhnhnn.exec:\hhnhnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\dpvvp.exec:\dpvvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\9llfxfx.exec:\9llfxfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\pdvpj.exec:\pdvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\rlllxrr.exec:\rlllxrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\hhtnbn.exec:\hhtnbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\7jpjd.exec:\7jpjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\bbbhbb.exec:\bbbhbb.exe23⤵
- Executes dropped EXE
PID:4548 -
\??\c:\pvdvv.exec:\pvdvv.exe24⤵
- Executes dropped EXE
PID:1328 -
\??\c:\rfllffx.exec:\rfllffx.exe25⤵
- Executes dropped EXE
PID:2364 -
\??\c:\pjpjj.exec:\pjpjj.exe26⤵
- Executes dropped EXE
PID:1836 -
\??\c:\3vvpp.exec:\3vvpp.exe27⤵
- Executes dropped EXE
PID:3836 -
\??\c:\hntnhh.exec:\hntnhh.exe28⤵
- Executes dropped EXE
PID:3444 -
\??\c:\ddjjp.exec:\ddjjp.exe29⤵
- Executes dropped EXE
PID:4284 -
\??\c:\rxllrxx.exec:\rxllrxx.exe30⤵
- Executes dropped EXE
PID:3648 -
\??\c:\9dppd.exec:\9dppd.exe31⤵
- Executes dropped EXE
PID:1816 -
\??\c:\ntbthb.exec:\ntbthb.exe32⤵
- Executes dropped EXE
PID:3076 -
\??\c:\lxrrfrr.exec:\lxrrfrr.exe33⤵
- Executes dropped EXE
PID:4856 -
\??\c:\rlrxxxx.exec:\rlrxxxx.exe34⤵
- Executes dropped EXE
PID:924 -
\??\c:\vvjpv.exec:\vvjpv.exe35⤵
- Executes dropped EXE
PID:3508 -
\??\c:\xfffrrf.exec:\xfffrrf.exe36⤵
- Executes dropped EXE
PID:228 -
\??\c:\7ttnhh.exec:\7ttnhh.exe37⤵
- Executes dropped EXE
PID:4064 -
\??\c:\pvddd.exec:\pvddd.exe38⤵
- Executes dropped EXE
PID:2268 -
\??\c:\fflllrr.exec:\fflllrr.exe39⤵
- Executes dropped EXE
PID:4352 -
\??\c:\tntbtt.exec:\tntbtt.exe40⤵
- Executes dropped EXE
PID:3532 -
\??\c:\vdvjd.exec:\vdvjd.exe41⤵
- Executes dropped EXE
PID:5116 -
\??\c:\vjpvd.exec:\vjpvd.exe42⤵
- Executes dropped EXE
PID:3112 -
\??\c:\btbhhh.exec:\btbhhh.exe43⤵
- Executes dropped EXE
PID:3132 -
\??\c:\djvpp.exec:\djvpp.exe44⤵
- Executes dropped EXE
PID:4616 -
\??\c:\jdjdv.exec:\jdjdv.exe45⤵
- Executes dropped EXE
PID:4676 -
\??\c:\fxxrllf.exec:\fxxrllf.exe46⤵
- Executes dropped EXE
PID:4104 -
\??\c:\9ffxffl.exec:\9ffxffl.exe47⤵
- Executes dropped EXE
PID:3316 -
\??\c:\bntnnn.exec:\bntnnn.exe48⤵
- Executes dropped EXE
PID:4256 -
\??\c:\jdpjj.exec:\jdpjj.exe49⤵
- Executes dropped EXE
PID:428 -
\??\c:\rxfxrrr.exec:\rxfxrrr.exe50⤵
- Executes dropped EXE
PID:3028 -
\??\c:\hntnhh.exec:\hntnhh.exe51⤵
- Executes dropped EXE
PID:4088 -
\??\c:\pdvvd.exec:\pdvvd.exe52⤵
- Executes dropped EXE
PID:2532 -
\??\c:\jjjdv.exec:\jjjdv.exe53⤵
- Executes dropped EXE
PID:5088 -
\??\c:\rfrlrrx.exec:\rfrlrrx.exe54⤵
- Executes dropped EXE
PID:4376 -
\??\c:\hhnhhn.exec:\hhnhhn.exe55⤵
- Executes dropped EXE
PID:4688 -
\??\c:\dpvvp.exec:\dpvvp.exe56⤵
- Executes dropped EXE
PID:2816 -
\??\c:\5jppp.exec:\5jppp.exe57⤵
- Executes dropped EXE
PID:2284 -
\??\c:\fxffxfr.exec:\fxffxfr.exe58⤵
- Executes dropped EXE
PID:1988 -
\??\c:\3btttb.exec:\3btttb.exe59⤵
- Executes dropped EXE
PID:4936 -
\??\c:\ppvjv.exec:\ppvjv.exe60⤵
- Executes dropped EXE
PID:3528 -
\??\c:\1flfxxx.exec:\1flfxxx.exe61⤵
- Executes dropped EXE
PID:4768 -
\??\c:\tnttnn.exec:\tnttnn.exe62⤵
- Executes dropped EXE
PID:3660 -
\??\c:\7vvpp.exec:\7vvpp.exe63⤵
- Executes dropped EXE
PID:2160 -
\??\c:\xrfffff.exec:\xrfffff.exe64⤵
- Executes dropped EXE
PID:2880 -
\??\c:\tbhttt.exec:\tbhttt.exe65⤵
- Executes dropped EXE
PID:1948 -
\??\c:\vjdvp.exec:\vjdvp.exe66⤵PID:4404
-
\??\c:\flrrlrx.exec:\flrrlrx.exe67⤵PID:3456
-
\??\c:\xfrxlff.exec:\xfrxlff.exe68⤵
- System Location Discovery: System Language Discovery
PID:3324 -
\??\c:\1thtbn.exec:\1thtbn.exe69⤵PID:2908
-
\??\c:\vvjdd.exec:\vvjdd.exe70⤵PID:2420
-
\??\c:\xxfllrr.exec:\xxfllrr.exe71⤵PID:1132
-
\??\c:\bnbbbb.exec:\bnbbbb.exe72⤵PID:2596
-
\??\c:\ddddp.exec:\ddddp.exe73⤵PID:4132
-
\??\c:\rxfflrr.exec:\rxfflrr.exe74⤵PID:344
-
\??\c:\tnhhnn.exec:\tnhhnn.exe75⤵PID:208
-
\??\c:\pvjjp.exec:\pvjjp.exe76⤵PID:5044
-
\??\c:\djjpj.exec:\djjpj.exe77⤵PID:5064
-
\??\c:\5llllfl.exec:\5llllfl.exe78⤵PID:4472
-
\??\c:\nnbnnh.exec:\nnbnnh.exe79⤵PID:1740
-
\??\c:\jpjpv.exec:\jpjpv.exe80⤵PID:2288
-
\??\c:\xfflrxl.exec:\xfflrxl.exe81⤵PID:3108
-
\??\c:\flrxxff.exec:\flrxxff.exe82⤵PID:4532
-
\??\c:\tnhbbn.exec:\tnhbbn.exe83⤵PID:2260
-
\??\c:\1dpvv.exec:\1dpvv.exe84⤵PID:2748
-
\??\c:\rxfrrll.exec:\rxfrrll.exe85⤵PID:2676
-
\??\c:\hnbhnt.exec:\hnbhnt.exe86⤵PID:4048
-
\??\c:\jjddj.exec:\jjddj.exe87⤵PID:1520
-
\??\c:\5xllrxx.exec:\5xllrxx.exe88⤵PID:1328
-
\??\c:\flxffll.exec:\flxffll.exe89⤵PID:4460
-
\??\c:\9tbnnh.exec:\9tbnnh.exe90⤵PID:848
-
\??\c:\jdppp.exec:\jdppp.exe91⤵PID:3180
-
\??\c:\9lrrrxx.exec:\9lrrrxx.exe92⤵PID:3816
-
\??\c:\tbtbhn.exec:\tbtbhn.exe93⤵PID:3444
-
\??\c:\rrfxxlr.exec:\rrfxxlr.exe94⤵PID:432
-
\??\c:\hthnnn.exec:\hthnnn.exe95⤵PID:1652
-
\??\c:\vjdvj.exec:\vjdvj.exe96⤵PID:3844
-
\??\c:\llxxxff.exec:\llxxxff.exe97⤵PID:3892
-
\??\c:\xrxxxfx.exec:\xrxxxfx.exe98⤵PID:4516
-
\??\c:\nhhbhh.exec:\nhhbhh.exe99⤵PID:740
-
\??\c:\jdjdv.exec:\jdjdv.exe100⤵PID:3152
-
\??\c:\xxxrllx.exec:\xxxrllx.exe101⤵PID:720
-
\??\c:\nnhbhh.exec:\nnhbhh.exe102⤵PID:1692
-
\??\c:\vpvpj.exec:\vpvpj.exe103⤵PID:1732
-
\??\c:\xxllllf.exec:\xxllllf.exe104⤵PID:1516
-
\??\c:\bbtbhb.exec:\bbtbhb.exe105⤵PID:4484
-
\??\c:\nnnhhn.exec:\nnnhhn.exe106⤵PID:4420
-
\??\c:\ddjdv.exec:\ddjdv.exe107⤵PID:2076
-
\??\c:\fffxxxx.exec:\fffxxxx.exe108⤵PID:3796
-
\??\c:\nthbbh.exec:\nthbbh.exe109⤵PID:4896
-
\??\c:\vpdjj.exec:\vpdjj.exe110⤵PID:3112
-
\??\c:\lfrlrxr.exec:\lfrlrxr.exe111⤵PID:3036
-
\??\c:\ntbbhh.exec:\ntbbhh.exe112⤵PID:4616
-
\??\c:\pppjp.exec:\pppjp.exe113⤵PID:1968
-
\??\c:\fxfxxll.exec:\fxfxxll.exe114⤵PID:4104
-
\??\c:\fflrrff.exec:\fflrrff.exe115⤵PID:1476
-
\??\c:\bhhhbb.exec:\bhhhbb.exe116⤵PID:4256
-
\??\c:\vdjvp.exec:\vdjvp.exe117⤵PID:428
-
\??\c:\flxxxfx.exec:\flxxxfx.exe118⤵PID:3028
-
\??\c:\bhbhht.exec:\bhbhht.exe119⤵PID:4088
-
\??\c:\pvjdd.exec:\pvjdd.exe120⤵PID:2532
-
\??\c:\llrrrrr.exec:\llrrrrr.exe121⤵PID:2352
-
\??\c:\hbtbnt.exec:\hbtbnt.exe122⤵PID:4376
-