Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
08/01/2025, 07:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe
-
Size
454KB
-
MD5
7570ea9a3cfbcac336ddc77fa7f781db
-
SHA1
549c44b407e917713dc70a141173d4505adef6e3
-
SHA256
8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142
-
SHA512
329019af00a32a09dd687b6cf2bcf631696ced0384932d6d912d6487bc593971f01ac576df3f89eed20fba5c2f1cfaea6b4a26d17e3d8040e15adcf0f65008e0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeI:q7Tc2NYHUrAwfMp3CDI
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1520-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3684-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3056-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-979-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-1245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-1339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3056-1906-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1244 jvjdj.exe 2152 jpjpd.exe 2132 rxxxrrr.exe 4108 llxxffr.exe 2880 vdppj.exe 4212 6020482.exe 3652 48482.exe 3056 6804482.exe 4844 48606.exe 3344 djvpv.exe 688 nnhhbb.exe 1928 bbhhbb.exe 744 thtnnb.exe 3324 602222.exe 4704 5xfxrrl.exe 1624 5hhhbh.exe 3052 xrlfxxf.exe 1988 9lrrrrl.exe 1920 8240888.exe 2344 xrlrlrl.exe 4372 lxxrllf.exe 4100 rflrlrl.exe 4948 tnnhhh.exe 2536 48266.exe 2932 rfrllrl.exe 2720 3djdv.exe 2788 fxxrfxl.exe 3232 a2608.exe 2316 482608.exe 3512 m6086.exe 4696 9hbhtn.exe 1596 860448.exe 1924 vpdvj.exe 3416 842448.exe 3692 lllxlfr.exe 3924 lflflfl.exe 4816 hbbthb.exe 1636 86600.exe 416 4848484.exe 1536 dppjd.exe 2044 7thbnn.exe 3412 pjdpv.exe 3628 5bbnbb.exe 3684 ddjvj.exe 5016 tnnhtn.exe 3964 46208.exe 1964 5bbntn.exe 5012 bhbttt.exe 4088 lxxllfx.exe 3496 9bbnhb.exe 1200 flrfrrf.exe 4128 5rrffrf.exe 4980 5dpdp.exe 1316 606426.exe 1456 rlrfrlx.exe 400 nnthbn.exe 2816 vvpjj.exe 2176 646088.exe 4420 k40086.exe 4536 xxlfrlx.exe 3332 g2660.exe 2612 q86864.exe 1244 vjvjd.exe 2132 3hhbnn.exe -
resource yara_rule behavioral2/memory/1520-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-222-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1636-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-25-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2132-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-927-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-979-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-1214-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrffrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4060820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 804206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 002688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrllf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1520 wrote to memory of 1244 1520 8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe 83 PID 1520 wrote to memory of 1244 1520 8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe 83 PID 1520 wrote to memory of 1244 1520 8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe 83 PID 1244 wrote to memory of 2152 1244 jvjdj.exe 84 PID 1244 wrote to memory of 2152 1244 jvjdj.exe 84 PID 1244 wrote to memory of 2152 1244 jvjdj.exe 84 PID 2152 wrote to memory of 2132 2152 jpjpd.exe 85 PID 2152 wrote to memory of 2132 2152 jpjpd.exe 85 PID 2152 wrote to memory of 2132 2152 jpjpd.exe 85 PID 2132 wrote to memory of 4108 2132 rxxxrrr.exe 86 PID 2132 wrote to memory of 4108 2132 rxxxrrr.exe 86 PID 2132 wrote to memory of 4108 2132 rxxxrrr.exe 86 PID 4108 wrote to memory of 2880 4108 llxxffr.exe 87 PID 4108 wrote to memory of 2880 4108 llxxffr.exe 87 PID 4108 wrote to memory of 2880 4108 llxxffr.exe 87 PID 2880 wrote to memory of 4212 2880 vdppj.exe 88 PID 2880 wrote to memory of 4212 2880 vdppj.exe 88 PID 2880 wrote to memory of 4212 2880 vdppj.exe 88 PID 4212 wrote to memory of 3652 4212 6020482.exe 89 PID 4212 wrote to memory of 3652 4212 6020482.exe 89 PID 4212 wrote to memory of 3652 4212 6020482.exe 89 PID 3652 wrote to memory of 3056 3652 48482.exe 90 PID 3652 wrote to memory of 3056 3652 48482.exe 90 PID 3652 wrote to memory of 3056 3652 48482.exe 90 PID 3056 wrote to memory of 4844 3056 6804482.exe 91 PID 3056 wrote to memory of 4844 3056 6804482.exe 91 PID 3056 wrote to memory of 4844 3056 6804482.exe 91 PID 4844 wrote to memory of 3344 4844 48606.exe 92 PID 4844 wrote to memory of 3344 4844 48606.exe 92 PID 4844 wrote to memory of 3344 4844 48606.exe 92 PID 3344 wrote to memory of 688 3344 djvpv.exe 93 PID 3344 wrote to memory of 688 3344 djvpv.exe 93 PID 3344 wrote to memory of 688 3344 djvpv.exe 93 PID 688 wrote to memory of 1928 688 nnhhbb.exe 157 PID 688 wrote to memory of 
1928 688 nnhhbb.exe 157 PID 688 wrote to memory of 1928 688 nnhhbb.exe 157 PID 1928 wrote to memory of 744 1928 bbhhbb.exe 95 PID 1928 wrote to memory of 744 1928 bbhhbb.exe 95 PID 1928 wrote to memory of 744 1928 bbhhbb.exe 95 PID 744 wrote to memory of 3324 744 thtnnb.exe 96 PID 744 wrote to memory of 3324 744 thtnnb.exe 96 PID 744 wrote to memory of 3324 744 thtnnb.exe 96 PID 3324 wrote to memory of 4704 3324 602222.exe 97 PID 3324 wrote to memory of 4704 3324 602222.exe 97 PID 3324 wrote to memory of 4704 3324 602222.exe 97 PID 4704 wrote to memory of 1624 4704 5xfxrrl.exe 98 PID 4704 wrote to memory of 1624 4704 5xfxrrl.exe 98 PID 4704 wrote to memory of 1624 4704 5xfxrrl.exe 98 PID 1624 wrote to memory of 3052 1624 5hhhbh.exe 99 PID 1624 wrote to memory of 3052 1624 5hhhbh.exe 99 PID 1624 wrote to memory of 3052 1624 5hhhbh.exe 99 PID 3052 wrote to memory of 1988 3052 xrlfxxf.exe 100 PID 3052 wrote to memory of 1988 3052 xrlfxxf.exe 100 PID 3052 wrote to memory of 1988 3052 xrlfxxf.exe 100 PID 1988 wrote to memory of 1920 1988 9lrrrrl.exe 101 PID 1988 wrote to memory of 1920 1988 9lrrrrl.exe 101 PID 1988 wrote to memory of 1920 1988 9lrrrrl.exe 101 PID 1920 wrote to memory of 2344 1920 8240888.exe 102 PID 1920 wrote to memory of 2344 1920 8240888.exe 102 PID 1920 wrote to memory of 2344 1920 8240888.exe 102 PID 2344 wrote to memory of 4372 2344 xrlrlrl.exe 103 PID 2344 wrote to memory of 4372 2344 xrlrlrl.exe 103 PID 2344 wrote to memory of 4372 2344 xrlrlrl.exe 103 PID 4372 wrote to memory of 4100 4372 lxxrllf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe"C:\Users\Admin\AppData\Local\Temp\8affcbca29c69f519c07551b59f44c6820eb6a7244a22c8d404e2f56c0733142.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\jvjdj.exec:\jvjdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\jpjpd.exec:\jpjpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\rxxxrrr.exec:\rxxxrrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\llxxffr.exec:\llxxffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\vdppj.exec:\vdppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\6020482.exec:\6020482.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\48482.exec:\48482.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\6804482.exec:\6804482.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\48606.exec:\48606.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\djvpv.exec:\djvpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\nnhhbb.exec:\nnhhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688 -
\??\c:\bbhhbb.exec:\bbhhbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\thtnnb.exec:\thtnnb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\602222.exec:\602222.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\5xfxrrl.exec:\5xfxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\5hhhbh.exec:\5hhhbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\xrlfxxf.exec:\xrlfxxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\9lrrrrl.exec:\9lrrrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\8240888.exec:\8240888.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\xrlrlrl.exec:\xrlrlrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\lxxrllf.exec:\lxxrllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\rflrlrl.exec:\rflrlrl.exe23⤵
- Executes dropped EXE
PID:4100 -
\??\c:\tnnhhh.exec:\tnnhhh.exe24⤵
- Executes dropped EXE
PID:4948 -
\??\c:\48266.exec:\48266.exe25⤵
- Executes dropped EXE
PID:2536 -
\??\c:\rfrllrl.exec:\rfrllrl.exe26⤵
- Executes dropped EXE
PID:2932 -
\??\c:\3djdv.exec:\3djdv.exe27⤵
- Executes dropped EXE
PID:2720 -
\??\c:\fxxrfxl.exec:\fxxrfxl.exe28⤵
- Executes dropped EXE
PID:2788 -
\??\c:\a2608.exec:\a2608.exe29⤵
- Executes dropped EXE
PID:3232 -
\??\c:\482608.exec:\482608.exe30⤵
- Executes dropped EXE
PID:2316 -
\??\c:\m6086.exec:\m6086.exe31⤵
- Executes dropped EXE
PID:3512 -
\??\c:\9hbhtn.exec:\9hbhtn.exe32⤵
- Executes dropped EXE
PID:4696 -
\??\c:\860448.exec:\860448.exe33⤵
- Executes dropped EXE
PID:1596 -
\??\c:\vpdvj.exec:\vpdvj.exe34⤵
- Executes dropped EXE
PID:1924 -
\??\c:\842448.exec:\842448.exe35⤵
- Executes dropped EXE
PID:3416 -
\??\c:\lllxlfr.exec:\lllxlfr.exe36⤵
- Executes dropped EXE
PID:3692 -
\??\c:\lflflfl.exec:\lflflfl.exe37⤵
- Executes dropped EXE
PID:3924 -
\??\c:\hbbthb.exec:\hbbthb.exe38⤵
- Executes dropped EXE
PID:4816 -
\??\c:\86600.exec:\86600.exe39⤵
- Executes dropped EXE
PID:1636 -
\??\c:\4848484.exec:\4848484.exe40⤵
- Executes dropped EXE
PID:416 -
\??\c:\dppjd.exec:\dppjd.exe41⤵
- Executes dropped EXE
PID:1536 -
\??\c:\7thbnn.exec:\7thbnn.exe42⤵
- Executes dropped EXE
PID:2044 -
\??\c:\pjdpv.exec:\pjdpv.exe43⤵
- Executes dropped EXE
PID:3412 -
\??\c:\5bbnbb.exec:\5bbnbb.exe44⤵
- Executes dropped EXE
PID:3628 -
\??\c:\ddjvj.exec:\ddjvj.exe45⤵
- Executes dropped EXE
PID:3684 -
\??\c:\tnnhtn.exec:\tnnhtn.exe46⤵
- Executes dropped EXE
PID:5016 -
\??\c:\46208.exec:\46208.exe47⤵
- Executes dropped EXE
PID:3964 -
\??\c:\5bbntn.exec:\5bbntn.exe48⤵
- Executes dropped EXE
PID:1964 -
\??\c:\bhbttt.exec:\bhbttt.exe49⤵
- Executes dropped EXE
PID:5012 -
\??\c:\lxxllfx.exec:\lxxllfx.exe50⤵
- Executes dropped EXE
PID:4088 -
\??\c:\9bbnhb.exec:\9bbnhb.exe51⤵
- Executes dropped EXE
PID:3496 -
\??\c:\flrfrrf.exec:\flrfrrf.exe52⤵
- Executes dropped EXE
PID:1200 -
\??\c:\5rrffrf.exec:\5rrffrf.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4128 -
\??\c:\5dpdp.exec:\5dpdp.exe54⤵
- Executes dropped EXE
PID:4980 -
\??\c:\606426.exec:\606426.exe55⤵
- Executes dropped EXE
PID:1316 -
\??\c:\rlrfrlx.exec:\rlrfrlx.exe56⤵
- Executes dropped EXE
PID:1456 -
\??\c:\nnthbn.exec:\nnthbn.exe57⤵
- Executes dropped EXE
PID:400 -
\??\c:\vvpjj.exec:\vvpjj.exe58⤵
- Executes dropped EXE
PID:2816 -
\??\c:\646088.exec:\646088.exe59⤵
- Executes dropped EXE
PID:2176 -
\??\c:\k40086.exec:\k40086.exe60⤵
- Executes dropped EXE
PID:4420 -
\??\c:\xxlfrlx.exec:\xxlfrlx.exe61⤵
- Executes dropped EXE
PID:4536 -
\??\c:\g2660.exec:\g2660.exe62⤵
- Executes dropped EXE
PID:3332 -
\??\c:\q86864.exec:\q86864.exe63⤵
- Executes dropped EXE
PID:2612 -
\??\c:\vjvjd.exec:\vjvjd.exe64⤵
- Executes dropped EXE
PID:1244 -
\??\c:\3hhbnn.exec:\3hhbnn.exe65⤵
- Executes dropped EXE
PID:2132 -
\??\c:\8066688.exec:\8066688.exe66⤵PID:4204
-
\??\c:\ppdpd.exec:\ppdpd.exe67⤵PID:3968
-
\??\c:\rfxlxlf.exec:\rfxlxlf.exe68⤵PID:1128
-
\??\c:\642860.exec:\642860.exe69⤵PID:3196
-
\??\c:\bnhtnb.exec:\bnhtnb.exe70⤵PID:768
-
\??\c:\pddpd.exec:\pddpd.exe71⤵PID:2056
-
\??\c:\llrrrrx.exec:\llrrrrx.exe72⤵PID:1980
-
\??\c:\8620266.exec:\8620266.exe73⤵PID:4844
-
\??\c:\rllxlfx.exec:\rllxlfx.exe74⤵PID:1756
-
\??\c:\66208.exec:\66208.exe75⤵PID:3540
-
\??\c:\vjdvv.exec:\vjdvv.exe76⤵PID:1928
-
\??\c:\c620820.exec:\c620820.exe77⤵PID:1936
-
\??\c:\vpjvj.exec:\vpjvj.exe78⤵PID:1652
-
\??\c:\0620864.exec:\0620864.exe79⤵PID:696
-
\??\c:\2408822.exec:\2408822.exe80⤵PID:5060
-
\??\c:\204866.exec:\204866.exe81⤵PID:3052
-
\??\c:\0806482.exec:\0806482.exe82⤵PID:4936
-
\??\c:\80642.exec:\80642.exe83⤵PID:2164
-
\??\c:\648648.exec:\648648.exe84⤵PID:4372
-
\??\c:\lfxlfxf.exec:\lfxlfxf.exe85⤵PID:5020
-
\??\c:\664448.exec:\664448.exe86⤵PID:4124
-
\??\c:\64206.exec:\64206.exe87⤵PID:3648
-
\??\c:\ddjdv.exec:\ddjdv.exe88⤵PID:3440
-
\??\c:\k06426.exec:\k06426.exe89⤵PID:1412
-
\??\c:\28426.exec:\28426.exe90⤵PID:4728
-
\??\c:\00882.exec:\00882.exe91⤵PID:3492
-
\??\c:\428620.exec:\428620.exe92⤵PID:4584
-
\??\c:\vvdjj.exec:\vvdjj.exe93⤵PID:4860
-
\??\c:\lrflrxx.exec:\lrflrxx.exe94⤵PID:892
-
\??\c:\hnnbtn.exec:\hnnbtn.exe95⤵PID:3924
-
\??\c:\8226428.exec:\8226428.exe96⤵PID:4816
-
\??\c:\8004260.exec:\8004260.exe97⤵PID:1380
-
\??\c:\4260420.exec:\4260420.exe98⤵PID:4716
-
\??\c:\hnnbth.exec:\hnnbth.exe99⤵PID:1604
-
\??\c:\444860.exec:\444860.exe100⤵PID:2388
-
\??\c:\bbhnbt.exec:\bbhnbt.exe101⤵PID:3628
-
\??\c:\4226484.exec:\4226484.exe102⤵PID:60
-
\??\c:\i620660.exec:\i620660.exe103⤵PID:1476
-
\??\c:\00082.exec:\00082.exe104⤵PID:5072
-
\??\c:\s0048.exec:\s0048.exe105⤵PID:4624
-
\??\c:\dpvjj.exec:\dpvjj.exe106⤵PID:1200
-
\??\c:\k62444.exec:\k62444.exe107⤵PID:1204
-
\??\c:\02226.exec:\02226.exe108⤵PID:4588
-
\??\c:\260820.exec:\260820.exe109⤵PID:4688
-
\??\c:\60604.exec:\60604.exe110⤵PID:1456
-
\??\c:\468266.exec:\468266.exe111⤵PID:3444
-
\??\c:\rxrfxrl.exec:\rxrfxrl.exe112⤵PID:4872
-
\??\c:\066044.exec:\066044.exe113⤵PID:4428
-
\??\c:\frlxrlx.exec:\frlxrlx.exe114⤵PID:3000
-
\??\c:\g4642.exec:\g4642.exe115⤵PID:3976
-
\??\c:\ppvjv.exec:\ppvjv.exe116⤵PID:1656
-
\??\c:\868804.exec:\868804.exe117⤵PID:1376
-
\??\c:\6282042.exec:\6282042.exe118⤵PID:1780
-
\??\c:\bthttn.exec:\bthttn.exe119⤵PID:224
-
\??\c:\82648.exec:\82648.exe120⤵PID:2444
-
\??\c:\htnbtn.exec:\htnbtn.exe121⤵PID:1584
-
\??\c:\tntnbt.exec:\tntnbt.exe122⤵PID:636