Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe
-
Size
455KB
-
MD5
d303d53e89b9dc18750207f05355fd61
-
SHA1
0c36b04dcef3f836c37f9a8d2f432afa1e37cd14
-
SHA256
b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca
-
SHA512
68fa61f864263a2c512d4bf0f50b40ee2fa36d9878e58098f96a26508b85606b7dec174d176603f05e2ba0d506178d51f0baeca2f46c884191f50ae65eff2710
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTSB:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/740-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1348-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2236-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-994-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-1052-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3048-1173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 740 1rxlxlf.exe 5004 dvvpj.exe 2096 llfrxrf.exe 444 dpvvv.exe 1820 hbnbbb.exe 3220 bhhbbb.exe 2164 bthbhb.exe 1908 bbnbtt.exe 1172 jjpvv.exe 1484 rrfxrll.exe 1032 htbbbb.exe 3480 fllllfx.exe 2028 hnhbhh.exe 2472 hnhbnt.exe 2332 vjppd.exe 3748 xrxxxxx.exe 2068 9nhbtt.exe 3208 jvdvv.exe 2352 jdpjd.exe 4864 fffxrrf.exe 3760 htbtnh.exe 1204 7thbhh.exe 2912 pjjpj.exe 1684 rxfxxxf.exe 3204 ffrrrxr.exe 4344 hbhbhb.exe 4172 1pvpj.exe 4220 jjpvp.exe 4064 rrrrllr.exe 3140 bbtttn.exe 4464 tthnhh.exe 4884 ppdvp.exe 872 fxfxrlf.exe 996 5llffrl.exe 3132 9tbhbb.exe 1348 jdppp.exe 4848 dvdvp.exe 1724 rfrlfxr.exe 4136 nhnhbt.exe 3084 5hnbbb.exe 1064 jdvpj.exe 2944 frrfllx.exe 4536 lfrlrrx.exe 4576 hntnhb.exe 4216 jjjjj.exe 1292 dvdvv.exe 4036 llrfxff.exe 1584 btnhbb.exe 5000 tnbbtt.exe 3048 vdvdd.exe 4444 xlxrrrf.exe 5112 lrxrlll.exe 4608 hbnhnn.exe 912 vpvvv.exe 3276 9jppv.exe 3740 xlfxxxr.exe 4916 rxrllff.exe 4044 nhtnhh.exe 2196 vpppj.exe 4016 bnbttn.exe 1956 1dvvv.exe 3040 xrlfffl.exe 3016 llxfxxx.exe 624 nhttnn.exe -
resource yara_rule behavioral2/memory/5004-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-188-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4464-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-367-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1328-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-814-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-867-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htnhn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdvj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3096 wrote to memory of 740 3096 b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe 83 PID 3096 wrote to memory of 740 3096 b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe 83 PID 3096 wrote to memory of 740 3096 b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe 83 PID 740 wrote to memory of 5004 740 1rxlxlf.exe 84 PID 740 wrote to memory of 5004 740 1rxlxlf.exe 84 PID 740 wrote to memory of 5004 740 1rxlxlf.exe 84 PID 5004 wrote to memory of 2096 5004 dvvpj.exe 85 PID 5004 wrote to memory of 2096 5004 dvvpj.exe 85 PID 5004 wrote to memory of 2096 5004 dvvpj.exe 85 PID 2096 wrote to memory of 444 2096 llfrxrf.exe 86 PID 2096 wrote to memory of 444 2096 llfrxrf.exe 86 PID 2096 wrote to memory of 444 2096 llfrxrf.exe 86 PID 444 wrote to memory of 1820 444 dpvvv.exe 87 PID 444 wrote to memory of 1820 444 dpvvv.exe 87 PID 444 wrote to memory of 1820 444 dpvvv.exe 87 PID 1820 wrote to memory of 3220 1820 hbnbbb.exe 88 PID 1820 wrote to memory of 3220 1820 hbnbbb.exe 88 PID 1820 wrote to memory of 3220 1820 hbnbbb.exe 88 PID 3220 wrote to memory of 2164 3220 bhhbbb.exe 89 PID 3220 wrote to memory of 2164 3220 bhhbbb.exe 89 PID 3220 wrote to memory of 2164 3220 bhhbbb.exe 89 PID 2164 wrote to memory of 1908 2164 bthbhb.exe 90 PID 2164 wrote to memory of 1908 2164 bthbhb.exe 90 PID 2164 wrote to memory of 1908 2164 bthbhb.exe 90 PID 1908 wrote to memory of 1172 1908 bbnbtt.exe 91 PID 1908 wrote to memory of 1172 1908 bbnbtt.exe 91 PID 1908 wrote to memory of 1172 1908 bbnbtt.exe 91 PID 1172 wrote to memory of 1484 1172 jjpvv.exe 92 PID 1172 wrote to memory of 1484 1172 jjpvv.exe 92 PID 1172 wrote to memory of 1484 1172 jjpvv.exe 92 PID 1484 wrote to memory of 1032 1484 rrfxrll.exe 93 PID 1484 wrote to memory of 1032 1484 rrfxrll.exe 93 PID 1484 wrote to memory of 1032 1484 rrfxrll.exe 93 PID 1032 wrote to memory of 3480 1032 htbbbb.exe 94 PID 1032 wrote to memory of 3480 1032 
htbbbb.exe 94 PID 1032 wrote to memory of 3480 1032 htbbbb.exe 94 PID 3480 wrote to memory of 2028 3480 fllllfx.exe 95 PID 3480 wrote to memory of 2028 3480 fllllfx.exe 95 PID 3480 wrote to memory of 2028 3480 fllllfx.exe 95 PID 2028 wrote to memory of 2472 2028 hnhbhh.exe 96 PID 2028 wrote to memory of 2472 2028 hnhbhh.exe 96 PID 2028 wrote to memory of 2472 2028 hnhbhh.exe 96 PID 2472 wrote to memory of 2332 2472 hnhbnt.exe 97 PID 2472 wrote to memory of 2332 2472 hnhbnt.exe 97 PID 2472 wrote to memory of 2332 2472 hnhbnt.exe 97 PID 2332 wrote to memory of 3748 2332 vjppd.exe 98 PID 2332 wrote to memory of 3748 2332 vjppd.exe 98 PID 2332 wrote to memory of 3748 2332 vjppd.exe 98 PID 3748 wrote to memory of 2068 3748 xrxxxxx.exe 99 PID 3748 wrote to memory of 2068 3748 xrxxxxx.exe 99 PID 3748 wrote to memory of 2068 3748 xrxxxxx.exe 99 PID 2068 wrote to memory of 3208 2068 9nhbtt.exe 100 PID 2068 wrote to memory of 3208 2068 9nhbtt.exe 100 PID 2068 wrote to memory of 3208 2068 9nhbtt.exe 100 PID 3208 wrote to memory of 2352 3208 jvdvv.exe 101 PID 3208 wrote to memory of 2352 3208 jvdvv.exe 101 PID 3208 wrote to memory of 2352 3208 jvdvv.exe 101 PID 2352 wrote to memory of 4864 2352 jdpjd.exe 102 PID 2352 wrote to memory of 4864 2352 jdpjd.exe 102 PID 2352 wrote to memory of 4864 2352 jdpjd.exe 102 PID 4864 wrote to memory of 3760 4864 fffxrrf.exe 103 PID 4864 wrote to memory of 3760 4864 fffxrrf.exe 103 PID 4864 wrote to memory of 3760 4864 fffxrrf.exe 103 PID 3760 wrote to memory of 1204 3760 htbtnh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe"C:\Users\Admin\AppData\Local\Temp\b8994bc0a5bef5a98eb88e27a4795fe3653e232742788348cf0693c0cbc98aca.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\1rxlxlf.exec:\1rxlxlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\dvvpj.exec:\dvvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\llfrxrf.exec:\llfrxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\dpvvv.exec:\dpvvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\hbnbbb.exec:\hbnbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\bhhbbb.exec:\bhhbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\bthbhb.exec:\bthbhb.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\bbnbtt.exec:\bbnbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\jjpvv.exec:\jjpvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\rrfxrll.exec:\rrfxrll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\htbbbb.exec:\htbbbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\fllllfx.exec:\fllllfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\hnhbhh.exec:\hnhbhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\hnhbnt.exec:\hnhbnt.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\vjppd.exec:\vjppd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\xrxxxxx.exec:\xrxxxxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\9nhbtt.exec:\9nhbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\jvdvv.exec:\jvdvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\jdpjd.exec:\jdpjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\fffxrrf.exec:\fffxrrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\htbtnh.exec:\htbtnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\7thbhh.exec:\7thbhh.exe23⤵
- Executes dropped EXE
PID:1204 -
\??\c:\pjjpj.exec:\pjjpj.exe24⤵
- Executes dropped EXE
PID:2912 -
\??\c:\rxfxxxf.exec:\rxfxxxf.exe25⤵
- Executes dropped EXE
PID:1684 -
\??\c:\ffrrrxr.exec:\ffrrrxr.exe26⤵
- Executes dropped EXE
PID:3204 -
\??\c:\hbhbhb.exec:\hbhbhb.exe27⤵
- Executes dropped EXE
PID:4344 -
\??\c:\1pvpj.exec:\1pvpj.exe28⤵
- Executes dropped EXE
PID:4172 -
\??\c:\jjpvp.exec:\jjpvp.exe29⤵
- Executes dropped EXE
PID:4220 -
\??\c:\rrrrllr.exec:\rrrrllr.exe30⤵
- Executes dropped EXE
PID:4064 -
\??\c:\bbtttn.exec:\bbtttn.exe31⤵
- Executes dropped EXE
PID:3140 -
\??\c:\tthnhh.exec:\tthnhh.exe32⤵
- Executes dropped EXE
PID:4464 -
\??\c:\ppdvp.exec:\ppdvp.exe33⤵
- Executes dropped EXE
PID:4884 -
\??\c:\fxfxrlf.exec:\fxfxrlf.exe34⤵
- Executes dropped EXE
PID:872 -
\??\c:\5llffrl.exec:\5llffrl.exe35⤵
- Executes dropped EXE
PID:996 -
\??\c:\9tbhbb.exec:\9tbhbb.exe36⤵
- Executes dropped EXE
PID:3132 -
\??\c:\jdppp.exec:\jdppp.exe37⤵
- Executes dropped EXE
PID:1348 -
\??\c:\dvdvp.exec:\dvdvp.exe38⤵
- Executes dropped EXE
PID:4848 -
\??\c:\rfrlfxr.exec:\rfrlfxr.exe39⤵
- Executes dropped EXE
PID:1724 -
\??\c:\nhnhbt.exec:\nhnhbt.exe40⤵
- Executes dropped EXE
PID:4136 -
\??\c:\5hnbbb.exec:\5hnbbb.exe41⤵
- Executes dropped EXE
PID:3084 -
\??\c:\jdvpj.exec:\jdvpj.exe42⤵
- Executes dropped EXE
PID:1064 -
\??\c:\frrfllx.exec:\frrfllx.exe43⤵
- Executes dropped EXE
PID:2944 -
\??\c:\lfrlrrx.exec:\lfrlrrx.exe44⤵
- Executes dropped EXE
PID:4536 -
\??\c:\hntnhb.exec:\hntnhb.exe45⤵
- Executes dropped EXE
PID:4576 -
\??\c:\jjjjj.exec:\jjjjj.exe46⤵
- Executes dropped EXE
PID:4216 -
\??\c:\dvdvv.exec:\dvdvv.exe47⤵
- Executes dropped EXE
PID:1292 -
\??\c:\llrfxff.exec:\llrfxff.exe48⤵
- Executes dropped EXE
PID:4036 -
\??\c:\btnhbb.exec:\btnhbb.exe49⤵
- Executes dropped EXE
PID:1584 -
\??\c:\tnbbtt.exec:\tnbbtt.exe50⤵
- Executes dropped EXE
PID:5000 -
\??\c:\vdvdd.exec:\vdvdd.exe51⤵
- Executes dropped EXE
PID:3048 -
\??\c:\xlxrrrf.exec:\xlxrrrf.exe52⤵
- Executes dropped EXE
PID:4444 -
\??\c:\lrxrlll.exec:\lrxrlll.exe53⤵
- Executes dropped EXE
PID:5112 -
\??\c:\hbnhnn.exec:\hbnhnn.exe54⤵
- Executes dropped EXE
PID:4608 -
\??\c:\vpvvv.exec:\vpvvv.exe55⤵
- Executes dropped EXE
PID:912 -
\??\c:\9jppv.exec:\9jppv.exe56⤵
- Executes dropped EXE
PID:3276 -
\??\c:\xlfxxxr.exec:\xlfxxxr.exe57⤵
- Executes dropped EXE
PID:3740 -
\??\c:\rxrllff.exec:\rxrllff.exe58⤵
- Executes dropped EXE
PID:4916 -
\??\c:\nhtnhh.exec:\nhtnhh.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4044 -
\??\c:\vpppj.exec:\vpppj.exe60⤵
- Executes dropped EXE
PID:2196 -
\??\c:\bnbttn.exec:\bnbttn.exe61⤵
- Executes dropped EXE
PID:4016 -
\??\c:\1dvvv.exec:\1dvvv.exe62⤵
- Executes dropped EXE
PID:1956 -
\??\c:\xrlfffl.exec:\xrlfffl.exe63⤵
- Executes dropped EXE
PID:3040 -
\??\c:\llxfxxx.exec:\llxfxxx.exe64⤵
- Executes dropped EXE
PID:3016 -
\??\c:\nhttnn.exec:\nhttnn.exe65⤵
- Executes dropped EXE
PID:624 -
\??\c:\ppvvv.exec:\ppvvv.exe66⤵PID:4260
-
\??\c:\fffxrrr.exec:\fffxrrr.exe67⤵PID:2492
-
\??\c:\tbttbt.exec:\tbttbt.exe68⤵PID:4552
-
\??\c:\jpvjd.exec:\jpvjd.exe69⤵PID:3816
-
\??\c:\1dpdj.exec:\1dpdj.exe70⤵PID:1748
-
\??\c:\xxxrlff.exec:\xxxrlff.exe71⤵PID:2952
-
\??\c:\nhnhhb.exec:\nhnhhb.exe72⤵PID:2548
-
\??\c:\ddvpd.exec:\ddvpd.exe73⤵PID:4400
-
\??\c:\llrlffx.exec:\llrlffx.exe74⤵PID:4332
-
\??\c:\7tthbb.exec:\7tthbb.exe75⤵PID:828
-
\??\c:\vjvpp.exec:\vjvpp.exe76⤵PID:2772
-
\??\c:\1xrlfxr.exec:\1xrlfxr.exe77⤵PID:3208
-
\??\c:\fxxrrlf.exec:\fxxrrlf.exe78⤵PID:1932
-
\??\c:\jjdvj.exec:\jjdvj.exe79⤵PID:440
-
\??\c:\vpvpj.exec:\vpvpj.exe80⤵PID:3944
-
\??\c:\xrrlxlx.exec:\xrrlxlx.exe81⤵PID:2236
-
\??\c:\bnhbtt.exec:\bnhbtt.exe82⤵PID:2724
-
\??\c:\vppdd.exec:\vppdd.exe83⤵PID:1452
-
\??\c:\hbthbt.exec:\hbthbt.exe84⤵PID:2632
-
\??\c:\pppdj.exec:\pppdj.exe85⤵
- System Location Discovery: System Language Discovery
PID:3296 -
\??\c:\7pjvj.exec:\7pjvj.exe86⤵PID:4220
-
\??\c:\rrxllfl.exec:\rrxllfl.exe87⤵PID:1900
-
\??\c:\thnhhb.exec:\thnhhb.exe88⤵PID:2776
-
\??\c:\5ppjv.exec:\5ppjv.exe89⤵PID:1328
-
\??\c:\lllfrlf.exec:\lllfrlf.exe90⤵PID:4340
-
\??\c:\tbtthh.exec:\tbtthh.exe91⤵PID:5076
-
\??\c:\vvdpd.exec:\vvdpd.exe92⤵PID:2384
-
\??\c:\lflffxl.exec:\lflffxl.exe93⤵PID:2012
-
\??\c:\bbbthb.exec:\bbbthb.exe94⤵PID:364
-
\??\c:\jvvvd.exec:\jvvvd.exe95⤵PID:2804
-
\??\c:\ffxrlll.exec:\ffxrlll.exe96⤵PID:1152
-
\??\c:\7hnnnn.exec:\7hnnnn.exe97⤵PID:4136
-
\??\c:\nhnnnn.exec:\nhnnnn.exe98⤵PID:3100
-
\??\c:\vjddv.exec:\vjddv.exe99⤵PID:1460
-
\??\c:\fxrlffl.exec:\fxrlffl.exe100⤵PID:2280
-
\??\c:\xlxrlll.exec:\xlxrlll.exe101⤵PID:1560
-
\??\c:\tbhbtn.exec:\tbhbtn.exe102⤵PID:2552
-
\??\c:\lffxllf.exec:\lffxllf.exe103⤵PID:4176
-
\??\c:\3bbttb.exec:\3bbttb.exe104⤵PID:3512
-
\??\c:\1hthnn.exec:\1hthnn.exe105⤵PID:940
-
\??\c:\pjjdv.exec:\pjjdv.exe106⤵PID:3704
-
\??\c:\rlxrffx.exec:\rlxrffx.exe107⤵PID:4592
-
\??\c:\jjjjp.exec:\jjjjp.exe108⤵PID:1708
-
\??\c:\bttnbt.exec:\bttnbt.exe109⤵PID:4868
-
\??\c:\pvdpp.exec:\pvdpp.exe110⤵PID:4760
-
\??\c:\rfllxxx.exec:\rfllxxx.exe111⤵PID:408
-
\??\c:\5bbtnt.exec:\5bbtnt.exe112⤵PID:4568
-
\??\c:\dvvpp.exec:\dvvpp.exe113⤵PID:2468
-
\??\c:\fxrlfxr.exec:\fxrlfxr.exe114⤵PID:3128
-
\??\c:\1lfxflx.exec:\1lfxflx.exe115⤵PID:3288
-
\??\c:\hhtbnt.exec:\hhtbnt.exe116⤵PID:2092
-
\??\c:\vpvvp.exec:\vpvvp.exe117⤵PID:1332
-
\??\c:\flxrlxx.exec:\flxrlxx.exe118⤵PID:4152
-
\??\c:\btnnhh.exec:\btnnhh.exe119⤵PID:4952
-
\??\c:\llxrlrl.exec:\llxrlrl.exe120⤵PID:3120
-
\??\c:\pjvpd.exec:\pjvpd.exe121⤵PID:3188
-
\??\c:\7tbbtt.exec:\7tbbtt.exe122⤵PID:2096