Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20/01/2025, 09:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe
-
Size
455KB
-
MD5
1cf07a7bc29c0b69fa0714ea16ac1cd6
-
SHA1
5cec6275f73ff29a9fe31319de813b6eccd9929f
-
SHA256
adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535
-
SHA512
61c7b3d5ccc942c546ed4ce1989987577e011c8bed7ea81d487787715ae1b7a44b016ed170927d9f5b4e72a6c537c874b83894015ab98eed8868dc397b7e2c16
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeoc:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 60 IoCs
resource yara_rule behavioral2/memory/2892-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4872-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4168-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-883-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-1216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-1361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2572 bhbhtn.exe 1432 7ddvp.exe 3276 i004260.exe 1140 s4404.exe 2204 w40600.exe 2400 622820.exe 5028 pdpdj.exe 2600 vjddv.exe 3144 rlxlrxl.exe 2392 q84644.exe 3732 1tthtn.exe 3968 thnhhh.exe 4208 002648.exe 1856 5ppdv.exe 4440 484848.exe 1796 xlllfxl.exe 4788 s8000.exe 4812 86864.exe 380 080866.exe 3100 g2482.exe 392 jdpvp.exe 1852 jpddv.exe 2992 2022660.exe 4872 lfrffll.exe 916 pjjdv.exe 4572 hhtnnn.exe 1316 048866.exe 888 nntthh.exe 700 rfrlfff.exe 3376 u082884.exe 2244 jdjdv.exe 3024 228602.exe 3012 4846000.exe 4040 6448448.exe 2948 vjjdp.exe 1308 04004.exe 840 vvjdp.exe 2988 k66260.exe 1036 806222.exe 4800 lxflfxf.exe 2292 m4804.exe 5036 62606.exe 4304 22268.exe 4408 pvdvp.exe 388 446066.exe 3688 402082.exe 1752 60448.exe 2192 bbhbtt.exe 4068 llffxxx.exe 952 682026.exe 3228 nnhhhn.exe 2432 62622.exe 2412 nbhbtb.exe 244 vpjjd.exe 2156 o084888.exe 4012 q04866.exe 2304 48628.exe 3496 jjvjj.exe 384 xlrfxff.exe 3732 2848200.exe 2336 g2204.exe 4428 200482.exe 4208 2048048.exe 4520 0662826.exe -
resource yara_rule behavioral2/memory/2892-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-128-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/392-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4004-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-870-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-883-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-1088-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxxxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxrfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6848600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6026488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o084888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 806824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2892 wrote to memory of 2572 2892 adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe 85 PID 2892 wrote to memory of 2572 2892 adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe 85 PID 2892 wrote to memory of 2572 2892 adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe 85 PID 2572 wrote to memory of 1432 2572 bhbhtn.exe 86 PID 2572 wrote to memory of 1432 2572 bhbhtn.exe 86 PID 2572 wrote to memory of 1432 2572 bhbhtn.exe 86 PID 1432 wrote to memory of 3276 1432 7ddvp.exe 87 PID 1432 wrote to memory of 3276 1432 7ddvp.exe 87 PID 1432 wrote to memory of 3276 1432 7ddvp.exe 87 PID 3276 wrote to memory of 1140 3276 i004260.exe 88 PID 3276 wrote to memory of 1140 3276 i004260.exe 88 PID 3276 wrote to memory of 1140 3276 i004260.exe 88 PID 1140 wrote to memory of 2204 1140 s4404.exe 89 PID 1140 wrote to memory of 2204 1140 s4404.exe 89 PID 1140 wrote to memory of 2204 1140 s4404.exe 89 PID 2204 wrote to memory of 2400 2204 w40600.exe 90 PID 2204 wrote to memory of 2400 2204 w40600.exe 90 PID 2204 wrote to memory of 2400 2204 w40600.exe 90 PID 2400 wrote to memory of 5028 2400 622820.exe 91 PID 2400 wrote to memory of 5028 2400 622820.exe 91 PID 2400 wrote to memory of 5028 2400 622820.exe 91 PID 5028 wrote to memory of 2600 5028 pdpdj.exe 92 PID 5028 wrote to memory of 2600 5028 pdpdj.exe 92 PID 5028 wrote to memory of 2600 5028 pdpdj.exe 92 PID 2600 wrote to memory of 3144 2600 vjddv.exe 93 PID 2600 wrote to memory of 3144 2600 vjddv.exe 93 PID 2600 wrote to memory of 3144 2600 vjddv.exe 93 PID 3144 wrote to memory of 2392 3144 rlxlrxl.exe 94 PID 3144 wrote to memory of 2392 3144 rlxlrxl.exe 94 PID 3144 wrote to memory of 2392 3144 rlxlrxl.exe 94 PID 2392 wrote to memory of 3732 2392 q84644.exe 95 PID 2392 wrote to memory of 3732 2392 q84644.exe 95 PID 2392 wrote to memory of 3732 2392 q84644.exe 95 PID 3732 wrote to memory of 3968 3732 1tthtn.exe 96 PID 3732 wrote to memory 
of 3968 3732 1tthtn.exe 96 PID 3732 wrote to memory of 3968 3732 1tthtn.exe 96 PID 3968 wrote to memory of 4208 3968 thnhhh.exe 97 PID 3968 wrote to memory of 4208 3968 thnhhh.exe 97 PID 3968 wrote to memory of 4208 3968 thnhhh.exe 97 PID 4208 wrote to memory of 1856 4208 002648.exe 98 PID 4208 wrote to memory of 1856 4208 002648.exe 98 PID 4208 wrote to memory of 1856 4208 002648.exe 98 PID 1856 wrote to memory of 4440 1856 5ppdv.exe 99 PID 1856 wrote to memory of 4440 1856 5ppdv.exe 99 PID 1856 wrote to memory of 4440 1856 5ppdv.exe 99 PID 4440 wrote to memory of 1796 4440 484848.exe 100 PID 4440 wrote to memory of 1796 4440 484848.exe 100 PID 4440 wrote to memory of 1796 4440 484848.exe 100 PID 1796 wrote to memory of 4788 1796 xlllfxl.exe 101 PID 1796 wrote to memory of 4788 1796 xlllfxl.exe 101 PID 1796 wrote to memory of 4788 1796 xlllfxl.exe 101 PID 4788 wrote to memory of 4812 4788 s8000.exe 102 PID 4788 wrote to memory of 4812 4788 s8000.exe 102 PID 4788 wrote to memory of 4812 4788 s8000.exe 102 PID 4812 wrote to memory of 380 4812 86864.exe 103 PID 4812 wrote to memory of 380 4812 86864.exe 103 PID 4812 wrote to memory of 380 4812 86864.exe 103 PID 380 wrote to memory of 3100 380 080866.exe 104 PID 380 wrote to memory of 3100 380 080866.exe 104 PID 380 wrote to memory of 3100 380 080866.exe 104 PID 3100 wrote to memory of 392 3100 g2482.exe 105 PID 3100 wrote to memory of 392 3100 g2482.exe 105 PID 3100 wrote to memory of 392 3100 g2482.exe 105 PID 392 wrote to memory of 1852 392 jdpvp.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe"C:\Users\Admin\AppData\Local\Temp\adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\bhbhtn.exec:\bhbhtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\7ddvp.exec:\7ddvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\i004260.exec:\i004260.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\s4404.exec:\s4404.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\w40600.exec:\w40600.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\622820.exec:\622820.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\pdpdj.exec:\pdpdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\vjddv.exec:\vjddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\rlxlrxl.exec:\rlxlrxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\q84644.exec:\q84644.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\1tthtn.exec:\1tthtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\thnhhh.exec:\thnhhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\002648.exec:\002648.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\5ppdv.exec:\5ppdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\484848.exec:\484848.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\xlllfxl.exec:\xlllfxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\s8000.exec:\s8000.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\86864.exec:\86864.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\080866.exec:\080866.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\g2482.exec:\g2482.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\jdpvp.exec:\jdpvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\jpddv.exec:\jpddv.exe23⤵
- Executes dropped EXE
PID:1852 -
\??\c:\2022660.exec:\2022660.exe24⤵
- Executes dropped EXE
PID:2992 -
\??\c:\lfrffll.exec:\lfrffll.exe25⤵
- Executes dropped EXE
PID:4872 -
\??\c:\pjjdv.exec:\pjjdv.exe26⤵
- Executes dropped EXE
PID:916 -
\??\c:\hhtnnn.exec:\hhtnnn.exe27⤵
- Executes dropped EXE
PID:4572 -
\??\c:\048866.exec:\048866.exe28⤵
- Executes dropped EXE
PID:1316 -
\??\c:\nntthh.exec:\nntthh.exe29⤵
- Executes dropped EXE
PID:888 -
\??\c:\rfrlfff.exec:\rfrlfff.exe30⤵
- Executes dropped EXE
PID:700 -
\??\c:\u082884.exec:\u082884.exe31⤵
- Executes dropped EXE
PID:3376 -
\??\c:\jdjdv.exec:\jdjdv.exe32⤵
- Executes dropped EXE
PID:2244 -
\??\c:\228602.exec:\228602.exe33⤵
- Executes dropped EXE
PID:3024 -
\??\c:\4846000.exec:\4846000.exe34⤵
- Executes dropped EXE
PID:3012 -
\??\c:\6448448.exec:\6448448.exe35⤵
- Executes dropped EXE
PID:4040 -
\??\c:\vjjdp.exec:\vjjdp.exe36⤵
- Executes dropped EXE
PID:2948 -
\??\c:\04004.exec:\04004.exe37⤵
- Executes dropped EXE
PID:1308 -
\??\c:\vvjdp.exec:\vvjdp.exe38⤵
- Executes dropped EXE
PID:840 -
\??\c:\k66260.exec:\k66260.exe39⤵
- Executes dropped EXE
PID:2988 -
\??\c:\806222.exec:\806222.exe40⤵
- Executes dropped EXE
PID:1036 -
\??\c:\lxflfxf.exec:\lxflfxf.exe41⤵
- Executes dropped EXE
PID:4800 -
\??\c:\m4804.exec:\m4804.exe42⤵
- Executes dropped EXE
PID:2292 -
\??\c:\62606.exec:\62606.exe43⤵
- Executes dropped EXE
PID:5036 -
\??\c:\22268.exec:\22268.exe44⤵
- Executes dropped EXE
PID:4304 -
\??\c:\pvdvp.exec:\pvdvp.exe45⤵
- Executes dropped EXE
PID:4408 -
\??\c:\446066.exec:\446066.exe46⤵
- Executes dropped EXE
PID:388 -
\??\c:\402082.exec:\402082.exe47⤵
- Executes dropped EXE
PID:3688 -
\??\c:\60448.exec:\60448.exe48⤵
- Executes dropped EXE
PID:1752 -
\??\c:\bbhbtt.exec:\bbhbtt.exe49⤵
- Executes dropped EXE
PID:2192 -
\??\c:\llffxxx.exec:\llffxxx.exe50⤵
- Executes dropped EXE
PID:4068 -
\??\c:\682026.exec:\682026.exe51⤵
- Executes dropped EXE
PID:952 -
\??\c:\nnhhhn.exec:\nnhhhn.exe52⤵
- Executes dropped EXE
PID:3228 -
\??\c:\62622.exec:\62622.exe53⤵
- Executes dropped EXE
PID:2432 -
\??\c:\nbhbtb.exec:\nbhbtb.exe54⤵
- Executes dropped EXE
PID:2412 -
\??\c:\vpjjd.exec:\vpjjd.exe55⤵
- Executes dropped EXE
PID:244 -
\??\c:\o084888.exec:\o084888.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2156 -
\??\c:\q04866.exec:\q04866.exe57⤵
- Executes dropped EXE
PID:4012 -
\??\c:\48628.exec:\48628.exe58⤵
- Executes dropped EXE
PID:2304 -
\??\c:\jjvjj.exec:\jjvjj.exe59⤵
- Executes dropped EXE
PID:3496 -
\??\c:\xlrfxff.exec:\xlrfxff.exe60⤵
- Executes dropped EXE
PID:384 -
\??\c:\2848200.exec:\2848200.exe61⤵
- Executes dropped EXE
PID:3732 -
\??\c:\g2204.exec:\g2204.exe62⤵
- Executes dropped EXE
PID:2336 -
\??\c:\200482.exec:\200482.exe63⤵
- Executes dropped EXE
PID:4428 -
\??\c:\2048048.exec:\2048048.exe64⤵
- Executes dropped EXE
PID:4208 -
\??\c:\0662826.exec:\0662826.exe65⤵
- Executes dropped EXE
PID:4520 -
\??\c:\fxrfxrf.exec:\fxrfxrf.exe66⤵PID:3292
-
\??\c:\hhnhhh.exec:\hhnhhh.exe67⤵PID:1220
-
\??\c:\20466.exec:\20466.exe68⤵PID:2712
-
\??\c:\6482482.exec:\6482482.exe69⤵PID:2640
-
\??\c:\xlrfrfr.exec:\xlrfrfr.exe70⤵PID:3988
-
\??\c:\q68200.exec:\q68200.exe71⤵PID:1144
-
\??\c:\60060.exec:\60060.exe72⤵PID:1640
-
\??\c:\7nthbb.exec:\7nthbb.exe73⤵PID:380
-
\??\c:\288644.exec:\288644.exe74⤵PID:3100
-
\??\c:\0482042.exec:\0482042.exe75⤵PID:2236
-
\??\c:\xlxrflx.exec:\xlxrflx.exe76⤵PID:4128
-
\??\c:\vpdvp.exec:\vpdvp.exe77⤵PID:4168
-
\??\c:\hhnbtt.exec:\hhnbtt.exe78⤵PID:3212
-
\??\c:\040422.exec:\040422.exe79⤵PID:4004
-
\??\c:\268804.exec:\268804.exe80⤵PID:2744
-
\??\c:\6400400.exec:\6400400.exe81⤵PID:1592
-
\??\c:\xfllflf.exec:\xfllflf.exe82⤵PID:2064
-
\??\c:\w20844.exec:\w20844.exe83⤵PID:2112
-
\??\c:\thhnhb.exec:\thhnhb.exe84⤵PID:3964
-
\??\c:\826608.exec:\826608.exe85⤵PID:2776
-
\??\c:\rlfxxrl.exec:\rlfxxrl.exe86⤵PID:2252
-
\??\c:\4060404.exec:\4060404.exe87⤵PID:2804
-
\??\c:\btbhnh.exec:\btbhnh.exe88⤵PID:1004
-
\??\c:\0440446.exec:\0440446.exe89⤵PID:2244
-
\??\c:\480486.exec:\480486.exe90⤵PID:3168
-
\??\c:\0682660.exec:\0682660.exe91⤵PID:1704
-
\??\c:\g4026.exec:\g4026.exe92⤵PID:2224
-
\??\c:\bnbnnh.exec:\bnbnnh.exe93⤵PID:1596
-
\??\c:\e66482.exec:\e66482.exe94⤵PID:3068
-
\??\c:\42428.exec:\42428.exe95⤵PID:1376
-
\??\c:\4060044.exec:\4060044.exe96⤵PID:1440
-
\??\c:\pdppj.exec:\pdppj.exe97⤵PID:5048
-
\??\c:\8042642.exec:\8042642.exe98⤵PID:1036
-
\??\c:\ddvpd.exec:\ddvpd.exe99⤵PID:4800
-
\??\c:\88864.exec:\88864.exe100⤵PID:4972
-
\??\c:\jdvjd.exec:\jdvjd.exe101⤵PID:5064
-
\??\c:\6848600.exec:\6848600.exe102⤵
- System Location Discovery: System Language Discovery
PID:4396 -
\??\c:\ddjvp.exec:\ddjvp.exe103⤵PID:964
-
\??\c:\44404.exec:\44404.exe104⤵PID:4056
-
\??\c:\662200.exec:\662200.exe105⤵PID:4140
-
\??\c:\ffrlxrf.exec:\ffrlxrf.exe106⤵PID:1664
-
\??\c:\rlrfxxl.exec:\rlrfxxl.exe107⤵PID:1988
-
\??\c:\nttnbt.exec:\nttnbt.exe108⤵PID:3516
-
\??\c:\vddvj.exec:\vddvj.exe109⤵PID:5052
-
\??\c:\pdpdd.exec:\pdpdd.exe110⤵PID:976
-
\??\c:\thhtnt.exec:\thhtnt.exe111⤵PID:1132
-
\??\c:\nhbnbt.exec:\nhbnbt.exe112⤵PID:4156
-
\??\c:\rfxlxrl.exec:\rfxlxrl.exe113⤵PID:2400
-
\??\c:\rfffrfx.exec:\rfffrfx.exe114⤵PID:3568
-
\??\c:\06446.exec:\06446.exe115⤵PID:4060
-
\??\c:\64682.exec:\64682.exe116⤵PID:2692
-
\??\c:\7xlfrrl.exec:\7xlfrrl.exe117⤵
- System Location Discovery: System Language Discovery
PID:428 -
\??\c:\nhhbnh.exec:\nhhbnh.exe118⤵PID:2600
-
\??\c:\606282.exec:\606282.exe119⤵PID:3532
-
\??\c:\006648.exec:\006648.exe120⤵PID:4968
-
\??\c:\m2462.exec:\m2462.exe121⤵PID:3968
-
\??\c:\80868.exec:\80868.exe122⤵
- System Location Discovery: System Language Discovery
PID:1696
-