Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe
-
Size
454KB
-
MD5
1c977ccb5393f8f5cff03b6ce0871d9f
-
SHA1
bc0d6f2e5733d0192033a4a1a6f543443a5cf2b1
-
SHA256
efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b
-
SHA512
91fbe701f28ae8552ad002b1e2219708b451aeb3048d42346bb3b5edd10cd6c569004290c0a85396464dd9512054909bfadb40b428f6e7b5395686d0b82bce0b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe83:q7Tc2NYHUrAwfMp3CD83
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1820-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3944-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1660-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-810-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-901-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-965-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-987-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-1082-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4576-1164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1036 4844822.exe 3332 462604.exe 4748 888204.exe 4948 tnhhhb.exe 1660 c660822.exe 2720 4860484.exe 3408 862668.exe 4160 pdjjd.exe 4540 m4008.exe 4312 bthhtn.exe 4092 862826.exe 4300 26226.exe 880 nhhnhh.exe 4168 864204.exe 1692 m0048.exe 4360 vjpvp.exe 2120 djpjd.exe 2936 thnhhh.exe 4708 fffffxx.exe 3416 60648.exe 1468 bnbtbb.exe 3768 djdvp.exe 1920 262604.exe 2816 488822.exe 2344 llxxrrr.exe 912 rxffxrl.exe 1584 fffrxxf.exe 5020 066644.exe 2284 pjpjp.exe 1904 nhhbbb.exe 3944 rxllflf.exe 4184 vppjd.exe 552 6026048.exe 3152 6884888.exe 884 0848226.exe 4444 xxrxlfr.exe 2784 6844488.exe 2076 xrrlfrl.exe 452 dpjjd.exe 3856 224822.exe 4932 04600.exe 2484 w02606.exe 1708 e46422.exe 4872 jvdvd.exe 2352 2882664.exe 1436 tbhbbt.exe 1600 lfxrlfx.exe 4428 lfrxfxf.exe 336 244822.exe 1808 6882266.exe 2448 9vvdd.exe 3088 0664826.exe 4100 c004260.exe 3648 4426404.exe 4948 k60426.exe 628 626080.exe 3940 5htnhh.exe 1608 vvpjv.exe 4500 206482.exe 2432 6226482.exe 1520 ntthtt.exe 4300 226040.exe 1380 9xxlxrl.exe 3140 ntbhtn.exe -
resource yara_rule behavioral2/memory/1820-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1584-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-391-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1612-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-810-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u666008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o464482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2882664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0244660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6882266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8004404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o060004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0622004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6820484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4828282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 206442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0664826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i400620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbnhb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1820 wrote to memory of 1036 1820 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 83 PID 1820 wrote to memory of 1036 1820 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 83 PID 1820 wrote to memory of 1036 1820 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 83 PID 1036 wrote to memory of 3332 1036 4844822.exe 84 PID 1036 wrote to memory of 3332 1036 4844822.exe 84 PID 1036 wrote to memory of 3332 1036 4844822.exe 84 PID 3332 wrote to memory of 4748 3332 462604.exe 85 PID 3332 wrote to memory of 4748 3332 462604.exe 85 PID 3332 wrote to memory of 4748 3332 462604.exe 85 PID 4748 wrote to memory of 4948 4748 888204.exe 137 PID 4748 wrote to memory of 4948 4748 888204.exe 137 PID 4748 wrote to memory of 4948 4748 888204.exe 137 PID 4948 wrote to memory of 1660 4948 tnhhhb.exe 87 PID 4948 wrote to memory of 1660 4948 tnhhhb.exe 87 PID 4948 wrote to memory of 1660 4948 tnhhhb.exe 87 PID 1660 wrote to memory of 2720 1660 c660822.exe 88 PID 1660 wrote to memory of 2720 1660 c660822.exe 88 PID 1660 wrote to memory of 2720 1660 c660822.exe 88 PID 2720 wrote to memory of 3408 2720 4860484.exe 89 PID 2720 wrote to memory of 3408 2720 4860484.exe 89 PID 2720 wrote to memory of 3408 2720 4860484.exe 89 PID 3408 wrote to memory of 4160 3408 862668.exe 90 PID 3408 wrote to memory of 4160 3408 862668.exe 90 PID 3408 wrote to memory of 4160 3408 862668.exe 90 PID 4160 wrote to memory of 4540 4160 pdjjd.exe 91 PID 4160 wrote to memory of 4540 4160 pdjjd.exe 91 PID 4160 wrote to memory of 4540 4160 pdjjd.exe 91 PID 4540 wrote to memory of 4312 4540 m4008.exe 92 PID 4540 wrote to memory of 4312 4540 m4008.exe 92 PID 4540 wrote to memory of 4312 4540 m4008.exe 92 PID 4312 wrote to memory of 4092 4312 bthhtn.exe 93 PID 4312 wrote to memory of 4092 4312 bthhtn.exe 93 PID 4312 wrote to memory of 4092 4312 bthhtn.exe 93 PID 4092 wrote to memory of 4300 4092 862826.exe 94 PID 4092 
wrote to memory of 4300 4092 862826.exe 94 PID 4092 wrote to memory of 4300 4092 862826.exe 94 PID 4300 wrote to memory of 880 4300 26226.exe 95 PID 4300 wrote to memory of 880 4300 26226.exe 95 PID 4300 wrote to memory of 880 4300 26226.exe 95 PID 880 wrote to memory of 4168 880 nhhnhh.exe 96 PID 880 wrote to memory of 4168 880 nhhnhh.exe 96 PID 880 wrote to memory of 4168 880 nhhnhh.exe 96 PID 4168 wrote to memory of 1692 4168 864204.exe 97 PID 4168 wrote to memory of 1692 4168 864204.exe 97 PID 4168 wrote to memory of 1692 4168 864204.exe 97 PID 1692 wrote to memory of 4360 1692 m0048.exe 98 PID 1692 wrote to memory of 4360 1692 m0048.exe 98 PID 1692 wrote to memory of 4360 1692 m0048.exe 98 PID 4360 wrote to memory of 2120 4360 vjpvp.exe 99 PID 4360 wrote to memory of 2120 4360 vjpvp.exe 99 PID 4360 wrote to memory of 2120 4360 vjpvp.exe 99 PID 2120 wrote to memory of 2936 2120 djpjd.exe 100 PID 2120 wrote to memory of 2936 2120 djpjd.exe 100 PID 2120 wrote to memory of 2936 2120 djpjd.exe 100 PID 2936 wrote to memory of 4708 2936 thnhhh.exe 101 PID 2936 wrote to memory of 4708 2936 thnhhh.exe 101 PID 2936 wrote to memory of 4708 2936 thnhhh.exe 101 PID 4708 wrote to memory of 3416 4708 fffffxx.exe 102 PID 4708 wrote to memory of 3416 4708 fffffxx.exe 102 PID 4708 wrote to memory of 3416 4708 fffffxx.exe 102 PID 3416 wrote to memory of 1468 3416 60648.exe 103 PID 3416 wrote to memory of 1468 3416 60648.exe 103 PID 3416 wrote to memory of 1468 3416 60648.exe 103 PID 1468 wrote to memory of 3768 1468 bnbtbb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe"C:\Users\Admin\AppData\Local\Temp\efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\4844822.exec:\4844822.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\462604.exec:\462604.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\888204.exec:\888204.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\tnhhhb.exec:\tnhhhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\c660822.exec:\c660822.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\4860484.exec:\4860484.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\862668.exec:\862668.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\pdjjd.exec:\pdjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\m4008.exec:\m4008.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\bthhtn.exec:\bthhtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\862826.exec:\862826.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\26226.exec:\26226.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\nhhnhh.exec:\nhhnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\864204.exec:\864204.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\m0048.exec:\m0048.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\vjpvp.exec:\vjpvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\djpjd.exec:\djpjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\thnhhh.exec:\thnhhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\fffffxx.exec:\fffffxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\60648.exec:\60648.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\bnbtbb.exec:\bnbtbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\djdvp.exec:\djdvp.exe23⤵
- Executes dropped EXE
PID:3768 -
\??\c:\262604.exec:\262604.exe24⤵
- Executes dropped EXE
PID:1920 -
\??\c:\488822.exec:\488822.exe25⤵
- Executes dropped EXE
PID:2816 -
\??\c:\llxxrrr.exec:\llxxrrr.exe26⤵
- Executes dropped EXE
PID:2344 -
\??\c:\rxffxrl.exec:\rxffxrl.exe27⤵
- Executes dropped EXE
PID:912 -
\??\c:\fffrxxf.exec:\fffrxxf.exe28⤵
- Executes dropped EXE
PID:1584 -
\??\c:\066644.exec:\066644.exe29⤵
- Executes dropped EXE
PID:5020 -
\??\c:\pjpjp.exec:\pjpjp.exe30⤵
- Executes dropped EXE
PID:2284 -
\??\c:\nhhbbb.exec:\nhhbbb.exe31⤵
- Executes dropped EXE
PID:1904 -
\??\c:\rxllflf.exec:\rxllflf.exe32⤵
- Executes dropped EXE
PID:3944 -
\??\c:\vppjd.exec:\vppjd.exe33⤵
- Executes dropped EXE
PID:4184 -
\??\c:\6026048.exec:\6026048.exe34⤵
- Executes dropped EXE
PID:552 -
\??\c:\6884888.exec:\6884888.exe35⤵
- Executes dropped EXE
PID:3152 -
\??\c:\0848226.exec:\0848226.exe36⤵
- Executes dropped EXE
PID:884 -
\??\c:\xxrxlfr.exec:\xxrxlfr.exe37⤵
- Executes dropped EXE
PID:4444 -
\??\c:\6844488.exec:\6844488.exe38⤵
- Executes dropped EXE
PID:2784 -
\??\c:\xrrlfrl.exec:\xrrlfrl.exe39⤵
- Executes dropped EXE
PID:2076 -
\??\c:\dpjjd.exec:\dpjjd.exe40⤵
- Executes dropped EXE
PID:452 -
\??\c:\224822.exec:\224822.exe41⤵
- Executes dropped EXE
PID:3856 -
\??\c:\04600.exec:\04600.exe42⤵
- Executes dropped EXE
PID:4932 -
\??\c:\w02606.exec:\w02606.exe43⤵
- Executes dropped EXE
PID:2484 -
\??\c:\e46422.exec:\e46422.exe44⤵
- Executes dropped EXE
PID:1708 -
\??\c:\jvdvd.exec:\jvdvd.exe45⤵
- Executes dropped EXE
PID:4872 -
\??\c:\2882664.exec:\2882664.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2352 -
\??\c:\tbhbbt.exec:\tbhbbt.exe47⤵
- Executes dropped EXE
PID:1436 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe48⤵
- Executes dropped EXE
PID:1600 -
\??\c:\lfrxfxf.exec:\lfrxfxf.exe49⤵
- Executes dropped EXE
PID:4428 -
\??\c:\244822.exec:\244822.exe50⤵
- Executes dropped EXE
PID:336 -
\??\c:\6882266.exec:\6882266.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1808 -
\??\c:\9vvdd.exec:\9vvdd.exe52⤵
- Executes dropped EXE
PID:2448 -
\??\c:\0664826.exec:\0664826.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3088 -
\??\c:\c004260.exec:\c004260.exe54⤵
- Executes dropped EXE
PID:4100 -
\??\c:\4426404.exec:\4426404.exe55⤵
- Executes dropped EXE
PID:3648 -
\??\c:\k60426.exec:\k60426.exe56⤵
- Executes dropped EXE
PID:4948 -
\??\c:\626080.exec:\626080.exe57⤵
- Executes dropped EXE
PID:628 -
\??\c:\5htnhh.exec:\5htnhh.exe58⤵
- Executes dropped EXE
PID:3940 -
\??\c:\vvpjv.exec:\vvpjv.exe59⤵
- Executes dropped EXE
PID:1608 -
\??\c:\206482.exec:\206482.exe60⤵
- Executes dropped EXE
PID:4500 -
\??\c:\6226482.exec:\6226482.exe61⤵
- Executes dropped EXE
PID:2432 -
\??\c:\ntthtt.exec:\ntthtt.exe62⤵
- Executes dropped EXE
PID:1520 -
\??\c:\226040.exec:\226040.exe63⤵
- Executes dropped EXE
PID:4300 -
\??\c:\9xxlxrl.exec:\9xxlxrl.exe64⤵
- Executes dropped EXE
PID:1380 -
\??\c:\ntbhtn.exec:\ntbhtn.exe65⤵
- Executes dropped EXE
PID:3140 -
\??\c:\fxrlfxl.exec:\fxrlfxl.exe66⤵PID:4132
-
\??\c:\884864.exec:\884864.exe67⤵PID:4360
-
\??\c:\i020482.exec:\i020482.exe68⤵PID:408
-
\??\c:\640840.exec:\640840.exe69⤵PID:1088
-
\??\c:\4224822.exec:\4224822.exe70⤵PID:832
-
\??\c:\222648.exec:\222648.exe71⤵PID:2832
-
\??\c:\5tbttn.exec:\5tbttn.exe72⤵PID:3260
-
\??\c:\640204.exec:\640204.exe73⤵PID:1700
-
\??\c:\82804.exec:\82804.exe74⤵PID:4940
-
\??\c:\428208.exec:\428208.exe75⤵PID:940
-
\??\c:\lfxlllf.exec:\lfxlllf.exe76⤵PID:2344
-
\??\c:\pjdvj.exec:\pjdvj.exe77⤵PID:4136
-
\??\c:\28420.exec:\28420.exe78⤵PID:4820
-
\??\c:\hbthbb.exec:\hbthbb.exe79⤵PID:2764
-
\??\c:\btbnbt.exec:\btbnbt.exe80⤵PID:2284
-
\??\c:\xrxlxrx.exec:\xrxlxrx.exe81⤵PID:1792
-
\??\c:\5hbttn.exec:\5hbttn.exe82⤵PID:3944
-
\??\c:\btbnbb.exec:\btbnbb.exe83⤵PID:4284
-
\??\c:\jpjvj.exec:\jpjvj.exe84⤵PID:552
-
\??\c:\dvjdj.exec:\dvjdj.exe85⤵PID:2464
-
\??\c:\3tnbnh.exec:\3tnbnh.exe86⤵PID:1764
-
\??\c:\2820820.exec:\2820820.exe87⤵PID:2040
-
\??\c:\602460.exec:\602460.exe88⤵PID:2492
-
\??\c:\u620820.exec:\u620820.exe89⤵PID:3856
-
\??\c:\c804042.exec:\c804042.exe90⤵PID:3424
-
\??\c:\688204.exec:\688204.exe91⤵PID:1220
-
\??\c:\bbhbbn.exec:\bbhbbn.exe92⤵PID:4896
-
\??\c:\448446.exec:\448446.exe93⤵PID:4560
-
\??\c:\0626442.exec:\0626442.exe94⤵PID:664
-
\??\c:\8426048.exec:\8426048.exe95⤵PID:1612
-
\??\c:\1lrfxrf.exec:\1lrfxrf.exe96⤵PID:4848
-
\??\c:\06826.exec:\06826.exe97⤵PID:4228
-
\??\c:\606040.exec:\606040.exe98⤵PID:3504
-
\??\c:\hbnnbh.exec:\hbnnbh.exe99⤵
- System Location Discovery: System Language Discovery
PID:3012 -
\??\c:\frlxlfr.exec:\frlxlfr.exe100⤵PID:2980
-
\??\c:\622228.exec:\622228.exe101⤵PID:4992
-
\??\c:\284264.exec:\284264.exe102⤵PID:3496
-
\??\c:\lfxlfxr.exec:\lfxlfxr.exe103⤵PID:1664
-
\??\c:\3pvpp.exec:\3pvpp.exe104⤵PID:4412
-
\??\c:\nnnhtn.exec:\nnnhtn.exe105⤵PID:640
-
\??\c:\08664.exec:\08664.exe106⤵PID:752
-
\??\c:\lfrfffl.exec:\lfrfffl.exe107⤵PID:2172
-
\??\c:\0846640.exec:\0846640.exe108⤵PID:768
-
\??\c:\lxfrlfr.exec:\lxfrlfr.exe109⤵PID:1588
-
\??\c:\26260.exec:\26260.exe110⤵PID:1520
-
\??\c:\hhttnb.exec:\hhttnb.exe111⤵PID:4048
-
\??\c:\o604820.exec:\o604820.exe112⤵PID:1044
-
\??\c:\48862.exec:\48862.exe113⤵PID:4744
-
\??\c:\62620.exec:\62620.exe114⤵PID:4692
-
\??\c:\fflrffx.exec:\fflrffx.exe115⤵PID:3292
-
\??\c:\66208.exec:\66208.exe116⤵PID:1536
-
\??\c:\btnhhh.exec:\btnhhh.exe117⤵PID:1880
-
\??\c:\htnbnh.exec:\htnbnh.exe118⤵PID:2472
-
\??\c:\hbbthb.exec:\hbbthb.exe119⤵PID:832
-
\??\c:\e00204.exec:\e00204.exe120⤵PID:2684
-
\??\c:\3fllfff.exec:\3fllfff.exe121⤵PID:4584
-
\??\c:\600264.exec:\600264.exe122⤵PID:3680