Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe
-
Size
455KB
-
MD5
7574fc0a1572fdde00fdedfd50cd1185
-
SHA1
f26a39e92474d33a229570fab2ae3da84717d8d3
-
SHA256
adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5
-
SHA512
86028168a543d043a52ee24890ad5f6b9478d8b765c0a6fd77aca982f2d898e86607f3e776ed6a3150f84df363694a2b97877c47a8bb87905a354d7bcaee707b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0K:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3888-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2700-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/452-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-1069-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-1191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-1408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 740 bntnbb.exe 4856 pjppp.exe 1404 8664084.exe 4492 xxflfll.exe 4032 jpppj.exe 3928 4242660.exe 3196 7vjpd.exe 2860 482600.exe 1704 nttnhb.exe 3404 44222.exe 692 9flfllr.exe 1376 lxrlfrl.exe 5104 0866660.exe 2240 dpdpj.exe 2244 86860.exe 4812 802660.exe 3416 660048.exe 4660 c688888.exe 3164 822666.exe 4056 m0664.exe 2368 802288.exe 4936 040400.exe 3556 nhhbbt.exe 1008 1tttnn.exe 4352 tbnnhh.exe 2444 044888.exe 2700 42088.exe 1596 w80802.exe 2248 6820820.exe 3692 q22082.exe 3632 jdjdd.exe 4988 8804260.exe 3988 e88648.exe 4200 pvdvd.exe 3996 2282086.exe 1984 280048.exe 1236 lfrxfxf.exe 3612 jvdpj.exe 2344 hnnbnb.exe 2160 024664.exe 1184 800686.exe 3128 2482226.exe 4448 xflllfr.exe 3152 6484264.exe 2260 0660886.exe 780 64264.exe 1628 vvvpv.exe 316 rfrlxxx.exe 4220 1jvjd.exe 2420 pdjdv.exe 3360 nnnbhb.exe 3476 djdpv.exe 3708 rxrlfxx.exe 1528 xrrlxff.exe 2080 0864220.exe 1840 464000.exe 5040 08482.exe 3212 428060.exe 3596 424888.exe 4212 tnnbnh.exe 948 rllxrll.exe 1960 200604.exe 4940 s6202.exe 2956 ttbhnb.exe -
resource yara_rule behavioral2/memory/3888-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2248-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-381-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4348-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-825-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-850-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6644400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o282260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3888 wrote to memory of 740 3888 adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe 85 PID 3888 wrote to memory of 740 3888 adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe 85 PID 3888 wrote to memory of 740 3888 adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe 85 PID 740 wrote to memory of 4856 740 bntnbb.exe 86 PID 740 wrote to memory of 4856 740 bntnbb.exe 86 PID 740 wrote to memory of 4856 740 bntnbb.exe 86 PID 4856 wrote to memory of 1404 4856 pjppp.exe 87 PID 4856 wrote to memory of 1404 4856 pjppp.exe 87 PID 4856 wrote to memory of 1404 4856 pjppp.exe 87 PID 1404 wrote to memory of 4492 1404 8664084.exe 88 PID 1404 wrote to memory of 4492 1404 8664084.exe 88 PID 1404 wrote to memory of 4492 1404 8664084.exe 88 PID 4492 wrote to memory of 4032 4492 xxflfll.exe 89 PID 4492 wrote to memory of 4032 4492 xxflfll.exe 89 PID 4492 wrote to memory of 4032 4492 xxflfll.exe 89 PID 4032 wrote to memory of 3928 4032 jpppj.exe 90 PID 4032 wrote to memory of 3928 4032 jpppj.exe 90 PID 4032 wrote to memory of 3928 4032 jpppj.exe 90 PID 3928 wrote to memory of 3196 3928 4242660.exe 91 PID 3928 wrote to memory of 3196 3928 4242660.exe 91 PID 3928 wrote to memory of 3196 3928 4242660.exe 91 PID 3196 wrote to memory of 2860 3196 7vjpd.exe 92 PID 3196 wrote to memory of 2860 3196 7vjpd.exe 92 PID 3196 wrote to memory of 2860 3196 7vjpd.exe 92 PID 2860 wrote to memory of 1704 2860 482600.exe 93 PID 2860 wrote to memory of 1704 2860 482600.exe 93 PID 2860 wrote to memory of 1704 2860 482600.exe 93 PID 1704 wrote to memory of 3404 1704 nttnhb.exe 94 PID 1704 wrote to memory of 3404 1704 nttnhb.exe 94 PID 1704 wrote to memory of 3404 1704 nttnhb.exe 94 PID 3404 wrote to memory of 692 3404 44222.exe 95 PID 3404 wrote to memory of 692 3404 44222.exe 95 PID 3404 wrote to memory of 692 3404 44222.exe 95 PID 692 wrote to memory of 1376 692 9flfllr.exe 96 PID 692 wrote to memory of 1376 692 
9flfllr.exe 96 PID 692 wrote to memory of 1376 692 9flfllr.exe 96 PID 1376 wrote to memory of 5104 1376 lxrlfrl.exe 97 PID 1376 wrote to memory of 5104 1376 lxrlfrl.exe 97 PID 1376 wrote to memory of 5104 1376 lxrlfrl.exe 97 PID 5104 wrote to memory of 2240 5104 0866660.exe 98 PID 5104 wrote to memory of 2240 5104 0866660.exe 98 PID 5104 wrote to memory of 2240 5104 0866660.exe 98 PID 2240 wrote to memory of 2244 2240 dpdpj.exe 99 PID 2240 wrote to memory of 2244 2240 dpdpj.exe 99 PID 2240 wrote to memory of 2244 2240 dpdpj.exe 99 PID 2244 wrote to memory of 4812 2244 86860.exe 100 PID 2244 wrote to memory of 4812 2244 86860.exe 100 PID 2244 wrote to memory of 4812 2244 86860.exe 100 PID 4812 wrote to memory of 3416 4812 802660.exe 101 PID 4812 wrote to memory of 3416 4812 802660.exe 101 PID 4812 wrote to memory of 3416 4812 802660.exe 101 PID 3416 wrote to memory of 4660 3416 660048.exe 102 PID 3416 wrote to memory of 4660 3416 660048.exe 102 PID 3416 wrote to memory of 4660 3416 660048.exe 102 PID 4660 wrote to memory of 3164 4660 c688888.exe 103 PID 4660 wrote to memory of 3164 4660 c688888.exe 103 PID 4660 wrote to memory of 3164 4660 c688888.exe 103 PID 3164 wrote to memory of 4056 3164 822666.exe 104 PID 3164 wrote to memory of 4056 3164 822666.exe 104 PID 3164 wrote to memory of 4056 3164 822666.exe 104 PID 4056 wrote to memory of 2368 4056 m0664.exe 105 PID 4056 wrote to memory of 2368 4056 m0664.exe 105 PID 4056 wrote to memory of 2368 4056 m0664.exe 105 PID 2368 wrote to memory of 4936 2368 802288.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe"C:\Users\Admin\AppData\Local\Temp\adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\bntnbb.exec:\bntnbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\pjppp.exec:\pjppp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\8664084.exec:\8664084.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\xxflfll.exec:\xxflfll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\jpppj.exec:\jpppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\4242660.exec:\4242660.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\7vjpd.exec:\7vjpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
\??\c:\482600.exec:\482600.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\nttnhb.exec:\nttnhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\44222.exec:\44222.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\9flfllr.exec:\9flfllr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\lxrlfrl.exec:\lxrlfrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\0866660.exec:\0866660.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\dpdpj.exec:\dpdpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\86860.exec:\86860.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\802660.exec:\802660.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\660048.exec:\660048.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\c688888.exec:\c688888.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\822666.exec:\822666.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\m0664.exec:\m0664.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\802288.exec:\802288.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\040400.exec:\040400.exe23⤵
- Executes dropped EXE
PID:4936 -
\??\c:\nhhbbt.exec:\nhhbbt.exe24⤵
- Executes dropped EXE
PID:3556 -
\??\c:\1tttnn.exec:\1tttnn.exe25⤵
- Executes dropped EXE
PID:1008 -
\??\c:\tbnnhh.exec:\tbnnhh.exe26⤵
- Executes dropped EXE
PID:4352 -
\??\c:\044888.exec:\044888.exe27⤵
- Executes dropped EXE
PID:2444 -
\??\c:\42088.exec:\42088.exe28⤵
- Executes dropped EXE
PID:2700 -
\??\c:\w80802.exec:\w80802.exe29⤵
- Executes dropped EXE
PID:1596 -
\??\c:\6820820.exec:\6820820.exe30⤵
- Executes dropped EXE
PID:2248 -
\??\c:\q22082.exec:\q22082.exe31⤵
- Executes dropped EXE
PID:3692 -
\??\c:\jdjdd.exec:\jdjdd.exe32⤵
- Executes dropped EXE
PID:3632 -
\??\c:\8804260.exec:\8804260.exe33⤵
- Executes dropped EXE
PID:4988 -
\??\c:\e88648.exec:\e88648.exe34⤵
- Executes dropped EXE
PID:3988 -
\??\c:\pvdvd.exec:\pvdvd.exe35⤵
- Executes dropped EXE
PID:4200 -
\??\c:\2282086.exec:\2282086.exe36⤵
- Executes dropped EXE
PID:3996 -
\??\c:\280048.exec:\280048.exe37⤵
- Executes dropped EXE
PID:1984 -
\??\c:\lfrxfxf.exec:\lfrxfxf.exe38⤵
- Executes dropped EXE
PID:1236 -
\??\c:\jvdpj.exec:\jvdpj.exe39⤵
- Executes dropped EXE
PID:3612 -
\??\c:\hnnbnb.exec:\hnnbnb.exe40⤵
- Executes dropped EXE
PID:2344 -
\??\c:\024664.exec:\024664.exe41⤵
- Executes dropped EXE
PID:2160 -
\??\c:\800686.exec:\800686.exe42⤵
- Executes dropped EXE
PID:1184 -
\??\c:\2482226.exec:\2482226.exe43⤵
- Executes dropped EXE
PID:3128 -
\??\c:\xflllfr.exec:\xflllfr.exe44⤵
- Executes dropped EXE
PID:4448 -
\??\c:\6484264.exec:\6484264.exe45⤵
- Executes dropped EXE
PID:3152 -
\??\c:\0660886.exec:\0660886.exe46⤵
- Executes dropped EXE
PID:2260 -
\??\c:\64264.exec:\64264.exe47⤵
- Executes dropped EXE
PID:780 -
\??\c:\vvvpv.exec:\vvvpv.exe48⤵
- Executes dropped EXE
PID:1628 -
\??\c:\rfrlxxx.exec:\rfrlxxx.exe49⤵
- Executes dropped EXE
PID:316 -
\??\c:\1jvjd.exec:\1jvjd.exe50⤵
- Executes dropped EXE
PID:4220 -
\??\c:\pdjdv.exec:\pdjdv.exe51⤵
- Executes dropped EXE
PID:2420 -
\??\c:\nnnbhb.exec:\nnnbhb.exe52⤵
- Executes dropped EXE
PID:3360 -
\??\c:\djdpv.exec:\djdpv.exe53⤵
- Executes dropped EXE
PID:3476 -
\??\c:\rxrlfxx.exec:\rxrlfxx.exe54⤵
- Executes dropped EXE
PID:3708 -
\??\c:\xrrlxff.exec:\xrrlxff.exe55⤵
- Executes dropped EXE
PID:1528 -
\??\c:\0864220.exec:\0864220.exe56⤵
- Executes dropped EXE
PID:2080 -
\??\c:\464000.exec:\464000.exe57⤵
- Executes dropped EXE
PID:1840 -
\??\c:\08482.exec:\08482.exe58⤵
- Executes dropped EXE
PID:5040 -
\??\c:\428060.exec:\428060.exe59⤵
- Executes dropped EXE
PID:3212 -
\??\c:\424888.exec:\424888.exe60⤵
- Executes dropped EXE
PID:3596 -
\??\c:\tnnbnh.exec:\tnnbnh.exe61⤵
- Executes dropped EXE
PID:4212 -
\??\c:\rllxrll.exec:\rllxrll.exe62⤵
- Executes dropped EXE
PID:948 -
\??\c:\200604.exec:\200604.exe63⤵
- Executes dropped EXE
PID:1960 -
\??\c:\s6202.exec:\s6202.exe64⤵
- Executes dropped EXE
PID:4940 -
\??\c:\ttbhnb.exec:\ttbhnb.exe65⤵
- Executes dropped EXE
PID:2956 -
\??\c:\rrxrxrx.exec:\rrxrxrx.exe66⤵PID:5028
-
\??\c:\u004228.exec:\u004228.exe67⤵PID:2240
-
\??\c:\4620482.exec:\4620482.exe68⤵PID:2244
-
\??\c:\bnnhbb.exec:\bnnhbb.exe69⤵PID:1224
-
\??\c:\q62244.exec:\q62244.exe70⤵PID:3508
-
\??\c:\htthtt.exec:\htthtt.exe71⤵PID:2416
-
\??\c:\nbtbnb.exec:\nbtbnb.exe72⤵PID:2636
-
\??\c:\llfxrlf.exec:\llfxrlf.exe73⤵PID:4392
-
\??\c:\2848204.exec:\2848204.exe74⤵PID:4852
-
\??\c:\vppjd.exec:\vppjd.exe75⤵PID:1340
-
\??\c:\9ffxllx.exec:\9ffxllx.exe76⤵PID:5088
-
\??\c:\fxrrlfx.exec:\fxrrlfx.exe77⤵PID:5060
-
\??\c:\jpvdd.exec:\jpvdd.exe78⤵PID:5112
-
\??\c:\4224826.exec:\4224826.exe79⤵PID:4532
-
\??\c:\08808.exec:\08808.exe80⤵PID:3016
-
\??\c:\7xrlffx.exec:\7xrlffx.exe81⤵PID:2680
-
\??\c:\5nbtnh.exec:\5nbtnh.exe82⤵PID:4352
-
\??\c:\dvjvj.exec:\dvjvj.exe83⤵PID:3552
-
\??\c:\pdvdp.exec:\pdvdp.exe84⤵PID:4196
-
\??\c:\jjvvv.exec:\jjvvv.exe85⤵PID:452
-
\??\c:\u460448.exec:\u460448.exe86⤵PID:1596
-
\??\c:\20046.exec:\20046.exe87⤵PID:4596
-
\??\c:\vpjdp.exec:\vpjdp.exe88⤵PID:4308
-
\??\c:\66202.exec:\66202.exe89⤵PID:2716
-
\??\c:\rlfllrr.exec:\rlfllrr.exe90⤵PID:4616
-
\??\c:\rxrfrlx.exec:\rxrfrlx.exe91⤵PID:2900
-
\??\c:\202048.exec:\202048.exe92⤵PID:3968
-
\??\c:\q44020.exec:\q44020.exe93⤵PID:2188
-
\??\c:\1bthtn.exec:\1bthtn.exe94⤵
- System Location Discovery: System Language Discovery
PID:4064 -
\??\c:\8640642.exec:\8640642.exe95⤵PID:4348
-
\??\c:\hnnhnn.exec:\hnnhnn.exe96⤵PID:2816
-
\??\c:\082648.exec:\082648.exe97⤵PID:1176
-
\??\c:\tnbtbb.exec:\tnbtbb.exe98⤵PID:4116
-
\??\c:\9djvj.exec:\9djvj.exe99⤵PID:4984
-
\??\c:\9lffxxx.exec:\9lffxxx.exe100⤵PID:1284
-
\??\c:\224422.exec:\224422.exe101⤵PID:1184
-
\??\c:\062844.exec:\062844.exe102⤵PID:4112
-
\??\c:\0884848.exec:\0884848.exe103⤵PID:220
-
\??\c:\e02666.exec:\e02666.exe104⤵PID:4500
-
\??\c:\462082.exec:\462082.exe105⤵PID:2952
-
\??\c:\9xxrrxf.exec:\9xxrrxf.exe106⤵PID:3232
-
\??\c:\824860.exec:\824860.exe107⤵PID:780
-
\??\c:\g6804.exec:\g6804.exe108⤵PID:3948
-
\??\c:\5xlrlrr.exec:\5xlrlrr.exe109⤵PID:2568
-
\??\c:\m2448.exec:\m2448.exe110⤵PID:4732
-
\??\c:\2844826.exec:\2844826.exe111⤵PID:1248
-
\??\c:\04808.exec:\04808.exe112⤵PID:1936
-
\??\c:\bhbtbh.exec:\bhbtbh.exe113⤵PID:5036
-
\??\c:\84602.exec:\84602.exe114⤵PID:3928
-
\??\c:\frrfrlf.exec:\frrfrlf.exe115⤵PID:3132
-
\??\c:\lffxrlf.exec:\lffxrlf.exe116⤵PID:3196
-
\??\c:\1rrlxrf.exec:\1rrlxrf.exe117⤵PID:1172
-
\??\c:\m4448.exec:\m4448.exe118⤵PID:4888
-
\??\c:\u686282.exec:\u686282.exe119⤵PID:3316
-
\??\c:\4806044.exec:\4806044.exe120⤵PID:1188
-
\??\c:\648262.exec:\648262.exe121⤵PID:4436
-
\??\c:\68020.exec:\68020.exe122⤵PID:4896