Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe
-
Size
454KB
-
MD5
f28ff665dc553e1c7fe1439ff331ebd0
-
SHA1
0e633892c6a6a94f01d16beae87b208b92dd3e08
-
SHA256
008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26
-
SHA512
0ce85b33f1de57b99607e253107459713a356bafc5f46bec82debe23f5f3b2b238e85ec521bd990f6bb71bab334129e0278b54fa5b88f02e6c4861cee4274055
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1C:q7Tc2NYHUrAwfMp3CD1C
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4024-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/932-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/396-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-1268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-1932-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2024 rlrlfff.exe 4800 0240068.exe 1088 82260.exe 1640 jvpdv.exe 2040 xlxlrxx.exe 4536 pvjjd.exe 1892 262622.exe 5020 m8826.exe 5064 686080.exe 1712 ffrfrxl.exe 3492 vvdpj.exe 1996 thnbhn.exe 2296 hbbnbt.exe 3184 llrflxr.exe 4824 vjjdv.exe 4044 nhbtht.exe 3744 dpvdd.exe 112 pdvjv.exe 3244 ffflfxr.exe 228 rrrrffl.exe 3996 pjvpp.exe 1484 pvdvv.exe 2020 0622660.exe 932 686604.exe 3604 40444.exe 2848 6644448.exe 3408 2660444.exe 2280 4888226.exe 232 466048.exe 3024 822606.exe 2092 q02480.exe 372 066040.exe 3568 8444882.exe 2324 nhbbhh.exe 3728 lxfxxxf.exe 3432 804448.exe 3836 8000480.exe 3528 rffxxxf.exe 2828 vvjvd.exe 4088 5ttnnh.exe 4696 nbhbtt.exe 448 htnbbt.exe 3268 rrxlfxr.exe 4680 4004006.exe 1340 08866.exe 4400 ppvjv.exe 1652 rllxrlr.exe 1908 jjvjd.exe 4228 ttnhnn.exe 1380 244826.exe 1668 s2808.exe 2536 28224.exe 2144 fxlxfxl.exe 1500 2482004.exe 2768 jvjvj.exe 2184 060426.exe 2004 086482.exe 1480 3fxrfrf.exe 1644 2664886.exe 3056 6442644.exe 396 3dvvp.exe 5096 g4042.exe 632 0682660.exe 2308 422228.exe -
resource yara_rule behavioral2/memory/4024-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3604-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-316-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2072-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-633-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0402660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4060042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k60482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o282664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
bttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k80886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8460482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2444888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4024 wrote to memory of 2024 4024 008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe 83 PID 4024 wrote to memory of 2024 4024 008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe 83 PID 4024 wrote to memory of 2024 4024 008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe 83 PID 2024 wrote to memory of 4800 2024 rlrlfff.exe 84 PID 2024 wrote to memory of 4800 2024 rlrlfff.exe 84 PID 2024 wrote to memory of 4800 2024 rlrlfff.exe 84 PID 4800 wrote to memory of 1088 4800 0240068.exe 85 PID 4800 wrote to memory of 1088 4800 0240068.exe 85 PID 4800 wrote to memory of 1088 4800 0240068.exe 85 PID 1088 wrote to memory of 1640 1088 82260.exe 86 PID 1088 wrote to memory of 1640 1088 82260.exe 86 PID 1088 wrote to memory of 1640 1088 82260.exe 86 PID 1640 wrote to memory of 2040 1640 jvpdv.exe 87 PID 1640 wrote to memory of 2040 1640 jvpdv.exe 87 PID 1640 wrote to memory of 2040 1640 jvpdv.exe 87 PID 2040 wrote to memory of 4536 2040 xlxlrxx.exe 88 PID 2040 wrote to memory of 4536 2040 xlxlrxx.exe 88 PID 2040 wrote to memory of 4536 2040 xlxlrxx.exe 88 PID 4536 wrote to memory of 1892 4536 pvjjd.exe 89 PID 4536 wrote to memory of 1892 4536 pvjjd.exe 89 PID 4536 wrote to memory of 1892 4536 pvjjd.exe 89 PID 1892 wrote to memory of 5020 1892 262622.exe 90 PID 1892 wrote to memory of 5020 1892 262622.exe 90 PID 1892 wrote to memory of 5020 1892 262622.exe 90 PID 5020 wrote to memory of 5064 5020 m8826.exe 91 PID 5020 wrote to memory of 5064 5020 m8826.exe 91 PID 5020 wrote to memory of 5064 5020 m8826.exe 91 PID 5064 wrote to memory of 1712 5064 686080.exe 92 PID 5064 wrote to memory of 1712 5064 686080.exe 92 PID 5064 wrote to memory of 1712 5064 686080.exe 92 PID 1712 wrote to memory of 3492 1712 ffrfrxl.exe 93 PID 1712 wrote to memory of 3492 1712 ffrfrxl.exe 93 PID 1712 wrote to memory of 3492 1712 ffrfrxl.exe 93 PID 3492 wrote to memory of 1996 3492 vvdpj.exe 94 PID 3492 wrote to 
memory of 1996 3492 vvdpj.exe 94 PID 3492 wrote to memory of 1996 3492 vvdpj.exe 94 PID 1996 wrote to memory of 2296 1996 thnbhn.exe 95 PID 1996 wrote to memory of 2296 1996 thnbhn.exe 95 PID 1996 wrote to memory of 2296 1996 thnbhn.exe 95 PID 2296 wrote to memory of 3184 2296 hbbnbt.exe 96 PID 2296 wrote to memory of 3184 2296 hbbnbt.exe 96 PID 2296 wrote to memory of 3184 2296 hbbnbt.exe 96 PID 3184 wrote to memory of 4824 3184 llrflxr.exe 97 PID 3184 wrote to memory of 4824 3184 llrflxr.exe 97 PID 3184 wrote to memory of 4824 3184 llrflxr.exe 97 PID 4824 wrote to memory of 4044 4824 vjjdv.exe 98 PID 4824 wrote to memory of 4044 4824 vjjdv.exe 98 PID 4824 wrote to memory of 4044 4824 vjjdv.exe 98 PID 4044 wrote to memory of 3744 4044 nhbtht.exe 99 PID 4044 wrote to memory of 3744 4044 nhbtht.exe 99 PID 4044 wrote to memory of 3744 4044 nhbtht.exe 99 PID 3744 wrote to memory of 112 3744 dpvdd.exe 100 PID 3744 wrote to memory of 112 3744 dpvdd.exe 100 PID 3744 wrote to memory of 112 3744 dpvdd.exe 100 PID 112 wrote to memory of 3244 112 pdvjv.exe 101 PID 112 wrote to memory of 3244 112 pdvjv.exe 101 PID 112 wrote to memory of 3244 112 pdvjv.exe 101 PID 3244 wrote to memory of 228 3244 ffflfxr.exe 102 PID 3244 wrote to memory of 228 3244 ffflfxr.exe 102 PID 3244 wrote to memory of 228 3244 ffflfxr.exe 102 PID 228 wrote to memory of 3996 228 rrrrffl.exe 103 PID 228 wrote to memory of 3996 228 rrrrffl.exe 103 PID 228 wrote to memory of 3996 228 rrrrffl.exe 103 PID 3996 wrote to memory of 1484 3996 pjvpp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe"C:\Users\Admin\AppData\Local\Temp\008eeb77dc15030a134e9192ed12a3d968e9a13aab647a0b6b6f077f9828fd26N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\rlrlfff.exec:\rlrlfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\0240068.exec:\0240068.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\82260.exec:\82260.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\jvpdv.exec:\jvpdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\xlxlrxx.exec:\xlxlrxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\pvjjd.exec:\pvjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\262622.exec:\262622.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\m8826.exec:\m8826.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\686080.exec:\686080.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\ffrfrxl.exec:\ffrfrxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\vvdpj.exec:\vvdpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\thnbhn.exec:\thnbhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\hbbnbt.exec:\hbbnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\llrflxr.exec:\llrflxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\vjjdv.exec:\vjjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\nhbtht.exec:\nhbtht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\dpvdd.exec:\dpvdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\pdvjv.exec:\pdvjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\ffflfxr.exec:\ffflfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\rrrrffl.exec:\rrrrffl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\pjvpp.exec:\pjvpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\pvdvv.exec:\pvdvv.exe23⤵
- Executes dropped EXE
PID:1484 -
\??\c:\0622660.exec:\0622660.exe24⤵
- Executes dropped EXE
PID:2020 -
\??\c:\686604.exec:\686604.exe25⤵
- Executes dropped EXE
PID:932 -
\??\c:\40444.exec:\40444.exe26⤵
- Executes dropped EXE
PID:3604 -
\??\c:\6644448.exec:\6644448.exe27⤵
- Executes dropped EXE
PID:2848 -
\??\c:\2660444.exec:\2660444.exe28⤵
- Executes dropped EXE
PID:3408 -
\??\c:\4888226.exec:\4888226.exe29⤵
- Executes dropped EXE
PID:2280 -
\??\c:\466048.exec:\466048.exe30⤵
- Executes dropped EXE
PID:232 -
\??\c:\822606.exec:\822606.exe31⤵
- Executes dropped EXE
PID:3024 -
\??\c:\q02480.exec:\q02480.exe32⤵
- Executes dropped EXE
PID:2092 -
\??\c:\066040.exec:\066040.exe33⤵
- Executes dropped EXE
PID:372 -
\??\c:\8444882.exec:\8444882.exe34⤵
- Executes dropped EXE
PID:3568 -
\??\c:\nhbbhh.exec:\nhbbhh.exe35⤵
- Executes dropped EXE
PID:2324 -
\??\c:\lxfxxxf.exec:\lxfxxxf.exe36⤵
- Executes dropped EXE
PID:3728 -
\??\c:\804448.exec:\804448.exe37⤵
- Executes dropped EXE
PID:3432 -
\??\c:\8000480.exec:\8000480.exe38⤵
- Executes dropped EXE
PID:3836 -
\??\c:\rffxxxf.exec:\rffxxxf.exe39⤵
- Executes dropped EXE
PID:3528 -
\??\c:\vvjvd.exec:\vvjvd.exe40⤵
- Executes dropped EXE
PID:2828 -
\??\c:\5ttnnh.exec:\5ttnnh.exe41⤵
- Executes dropped EXE
PID:4088 -
\??\c:\nbhbtt.exec:\nbhbtt.exe42⤵
- Executes dropped EXE
PID:4696 -
\??\c:\htnbbt.exec:\htnbbt.exe43⤵
- Executes dropped EXE
PID:448 -
\??\c:\rrxlfxr.exec:\rrxlfxr.exe44⤵
- Executes dropped EXE
PID:3268 -
\??\c:\4004006.exec:\4004006.exe45⤵
- Executes dropped EXE
PID:4680 -
\??\c:\08866.exec:\08866.exe46⤵
- Executes dropped EXE
PID:1340 -
\??\c:\ppvjv.exec:\ppvjv.exe47⤵
- Executes dropped EXE
PID:4400 -
\??\c:\rllxrlr.exec:\rllxrlr.exe48⤵
- Executes dropped EXE
PID:1652 -
\??\c:\jjvjd.exec:\jjvjd.exe49⤵
- Executes dropped EXE
PID:1908 -
\??\c:\ttnhnn.exec:\ttnhnn.exe50⤵
- Executes dropped EXE
PID:4228 -
\??\c:\244826.exec:\244826.exe51⤵
- Executes dropped EXE
PID:1380 -
\??\c:\s2808.exec:\s2808.exe52⤵
- Executes dropped EXE
PID:1668 -
\??\c:\28224.exec:\28224.exe53⤵
- Executes dropped EXE
PID:2536 -
\??\c:\fxlxfxl.exec:\fxlxfxl.exe54⤵
- Executes dropped EXE
PID:2144 -
\??\c:\2482004.exec:\2482004.exe55⤵
- Executes dropped EXE
PID:1500 -
\??\c:\jvjvj.exec:\jvjvj.exe56⤵
- Executes dropped EXE
PID:2768 -
\??\c:\060426.exec:\060426.exe57⤵
- Executes dropped EXE
PID:2184 -
\??\c:\086482.exec:\086482.exe58⤵
- Executes dropped EXE
PID:2004 -
\??\c:\3fxrfrf.exec:\3fxrfrf.exe59⤵
- Executes dropped EXE
PID:1480 -
\??\c:\2664886.exec:\2664886.exe60⤵
- Executes dropped EXE
PID:1644 -
\??\c:\6442644.exec:\6442644.exe61⤵
- Executes dropped EXE
PID:3056 -
\??\c:\3dvvp.exec:\3dvvp.exe62⤵
- Executes dropped EXE
PID:396 -
\??\c:\g4042.exec:\g4042.exe63⤵
- Executes dropped EXE
PID:5096 -
\??\c:\0682660.exec:\0682660.exe64⤵
- Executes dropped EXE
PID:632 -
\??\c:\422228.exec:\422228.exe65⤵
- Executes dropped EXE
PID:2308 -
\??\c:\ttnhth.exec:\ttnhth.exe66⤵PID:2400
-
\??\c:\840488.exec:\840488.exe67⤵PID:3532
-
\??\c:\ffxlffx.exec:\ffxlffx.exe68⤵PID:4484
-
\??\c:\xffxrxr.exec:\xffxrxr.exe69⤵PID:3516
-
\??\c:\rfllfrl.exec:\rfllfrl.exe70⤵PID:4436
-
\??\c:\044208.exec:\044208.exe71⤵PID:2168
-
\??\c:\lffxllf.exec:\lffxllf.exe72⤵PID:4260
-
\??\c:\fxfxfxx.exec:\fxfxfxx.exe73⤵PID:3744
-
\??\c:\42204.exec:\42204.exe74⤵PID:112
-
\??\c:\0864620.exec:\0864620.exe75⤵PID:3428
-
\??\c:\c664204.exec:\c664204.exe76⤵PID:4272
-
\??\c:\frfxlrf.exec:\frfxlrf.exe77⤵PID:4784
-
\??\c:\5ddvv.exec:\5ddvv.exe78⤵PID:552
-
\??\c:\xrlrlxr.exec:\xrlrlxr.exe79⤵PID:2476
-
\??\c:\206482.exec:\206482.exe80⤵PID:2348
-
\??\c:\nbhbbt.exec:\nbhbbt.exe81⤵PID:4004
-
\??\c:\c660208.exec:\c660208.exe82⤵PID:5012
-
\??\c:\nhbttt.exec:\nhbttt.exe83⤵PID:2524
-
\??\c:\ttbthh.exec:\ttbthh.exe84⤵PID:2076
-
\??\c:\pdvvj.exec:\pdvvj.exe85⤵PID:1820
-
\??\c:\rrrlfxr.exec:\rrrlfxr.exe86⤵PID:2072
-
\??\c:\pjvvp.exec:\pjvvp.exe87⤵PID:4312
-
\??\c:\nnbbnh.exec:\nnbbnh.exe88⤵PID:3976
-
\??\c:\tbbtnn.exec:\tbbtnn.exe89⤵PID:4920
-
\??\c:\pvdvv.exec:\pvdvv.exe90⤵PID:1520
-
\??\c:\jdvdd.exec:\jdvdd.exe91⤵PID:4816
-
\??\c:\88448.exec:\88448.exe92⤵PID:3024
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe93⤵PID:1620
-
\??\c:\3jjjd.exec:\3jjjd.exe94⤵PID:1512
-
\??\c:\hhhbtn.exec:\hhhbtn.exe95⤵PID:640
-
\??\c:\fxlxlfr.exec:\fxlxlfr.exe96⤵PID:3284
-
\??\c:\pddpd.exec:\pddpd.exe97⤵
- System Location Discovery: System Language Discovery
PID:1880 -
\??\c:\k60482.exec:\k60482.exe98⤵
- System Location Discovery: System Language Discovery
PID:4032 -
\??\c:\0804882.exec:\0804882.exe99⤵PID:4452
-
\??\c:\nhnnnt.exec:\nhnnnt.exe100⤵PID:4796
-
\??\c:\o282664.exec:\o282664.exe101⤵
- System Location Discovery: System Language Discovery
PID:1468 -
\??\c:\288260.exec:\288260.exe102⤵PID:2828
-
\??\c:\1lrlrlf.exec:\1lrlrlf.exe103⤵PID:4080
-
\??\c:\jvpjp.exec:\jvpjp.exe104⤵PID:4696
-
\??\c:\xllxlfr.exec:\xllxlfr.exe105⤵PID:4268
-
\??\c:\fxffrlf.exec:\fxffrlf.exe106⤵PID:3464
-
\??\c:\bntnht.exec:\bntnht.exe107⤵PID:2620
-
\??\c:\jdpdp.exec:\jdpdp.exe108⤵PID:4328
-
\??\c:\bttnhb.exec:\bttnhb.exe109⤵
- System Location Discovery: System Language Discovery
PID:4280 -
\??\c:\a2826.exec:\a2826.exe110⤵PID:4024
-
\??\c:\fxxfrfr.exec:\fxxfrfr.exe111⤵PID:2024
-
\??\c:\4620264.exec:\4620264.exe112⤵PID:1476
-
\??\c:\8460482.exec:\8460482.exe113⤵
- System Location Discovery: System Language Discovery
PID:3280 -
\??\c:\dpjjd.exec:\dpjjd.exe114⤵PID:1424
-
\??\c:\pvjpd.exec:\pvjpd.exe115⤵PID:2536
-
\??\c:\68426.exec:\68426.exe116⤵PID:1640
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe117⤵PID:436
-
\??\c:\rxxrllf.exec:\rxxrllf.exe118⤵PID:2676
-
\??\c:\8084002.exec:\8084002.exe119⤵PID:1152
-
\??\c:\dvppd.exec:\dvppd.exe120⤵PID:3576
-
\??\c:\60604.exec:\60604.exe121⤵PID:3396
-
\??\c:\lxfrllf.exec:\lxfrllf.exe122⤵PID:1480