Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
20-01-2025 09:06
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
ade0ceace78becebb69541b72b3336d421d4455e9540f96b16b12169a3dbfa33.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ade0ceace78becebb69541b72b3336d421d4455e9540f96b16b12169a3dbfa33.exe
-
Size
454KB
-
MD5
25a2e6a8fd35969e3ca18cbdb3a5bb9a
-
SHA1
c355fbdd06e963bf879d94738fba4bb00f3dc336
-
SHA256
ade0ceace78becebb69541b72b3336d421d4455e9540f96b16b12169a3dbfa33
-
SHA512
f0153211e745fb1ec0c0f8c11f495ad26eaa8f650b82c6e389d55e0f2315d1bbd892a03e4f4619a2628bfeca470bfe799f1f0c4ccf8e1801cacca6543f6ccf88
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3048-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3868-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1032-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-828-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-854-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-1252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2164 5lrfrxr.exe 3972 jjjdp.exe 5004 7lfrlfx.exe 2876 824444.exe 1960 ntbbht.exe 3048 1rxlxrf.exe 5028 frxlfrf.exe 5024 bbnhtb.exe 1884 pjvjd.exe 3520 3jpjj.exe 2180 jddvp.exe 3172 26648.exe 3828 jjvdp.exe 3480 84086.exe 1180 060086.exe 4432 3pdjp.exe 3404 2046026.exe 4012 1hhtnn.exe 1524 hnhbnn.exe 3036 7jjvd.exe 2616 7xxrrll.exe 1052 8222662.exe 1508 tnthtn.exe 2564 6848604.exe 3864 600488.exe 3868 466482.exe 3248 bnttnn.exe 4584 pjjdp.exe 4760 nnbhtb.exe 984 o820204.exe 4312 lfxrffr.exe 3188 xxfrlfr.exe 2192 064860.exe 2916 6288662.exe 2608 jpjvj.exe 3844 jdvpv.exe 960 vddvj.exe 4404 0660486.exe 3692 20048.exe 1168 thtnbt.exe 2072 7nhthb.exe 3944 64048.exe 2540 6686048.exe 4932 7hnhbh.exe 1584 3llxlfx.exe 2644 rfxrrlf.exe 4772 bbbtnh.exe 2880 jpvdp.exe 4824 026086.exe 1232 6284604.exe 1852 200482.exe 3428 9ntbhh.exe 1832 vpdvj.exe 4348 nhthtt.exe 1576 ffffxlf.exe 3048 662648.exe 2620 9bnbnh.exe 2632 48860.exe 4184 nhthbt.exe 3440 6468204.exe 2696 jda64.exe 4564 862086.exe 2492 jvvjv.exe 2432 g0486.exe -
resource yara_rule behavioral2/memory/3048-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4584-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3008-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-794-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406044.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q08666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2920 wrote to memory of 2164 2920 ade0ceace78becebb69541b72b3336d421d4455e9540f96b16b12169a3dbfa33.exe 83 PID 2920 wrote to memory of 2164 2920 ade0ceace78becebb69541b72b3336d421d4455e9540f96b16b12169a3dbfa33.exe 83 PID 2920 wrote to memory of 2164 2920 ade0ceace78becebb69541b72b3336d421d4455e9540f96b16b12169a3dbfa33.exe 83 PID 2164 wrote to memory of 3972 2164 5lrfrxr.exe 84 PID 2164 wrote to memory of 3972 2164 5lrfrxr.exe 84 PID 2164 wrote to memory of 3972 2164 5lrfrxr.exe 84 PID 3972 wrote to memory of 5004 3972 jjjdp.exe 85 PID 3972 wrote to memory of 5004 3972 jjjdp.exe 85 PID 3972 wrote to memory of 5004 3972 jjjdp.exe 85 PID 5004 wrote to memory of 2876 5004 7lfrlfx.exe 86 PID 5004 wrote to memory of 2876 5004 7lfrlfx.exe 86 PID 5004 wrote to memory of 2876 5004 7lfrlfx.exe 86 PID 2876 wrote to memory of 1960 2876 824444.exe 87 PID 2876 wrote to memory of 1960 2876 824444.exe 87 PID 2876 wrote to memory of 1960 2876 824444.exe 87 PID 1960 wrote to memory of 3048 1960 ntbbht.exe 88 PID 1960 wrote to memory of 3048 1960 ntbbht.exe 88 PID 1960 wrote to memory of 3048 1960 ntbbht.exe 88 PID 3048 wrote to memory of 5028 3048 1rxlxrf.exe 89 PID 3048 wrote to memory of 5028 3048 1rxlxrf.exe 89 PID 3048 wrote to memory of 5028 3048 1rxlxrf.exe 89 PID 5028 wrote to memory of 5024 5028 frxlfrf.exe 90 PID 5028 wrote to memory of 5024 5028 frxlfrf.exe 90 PID 5028 wrote to memory of 5024 5028 frxlfrf.exe 90 PID 5024 wrote to memory of 1884 5024 bbnhtb.exe 91 PID 5024 wrote to memory of 1884 5024 bbnhtb.exe 91 PID 5024 wrote to memory of 1884 5024 bbnhtb.exe 91 PID 1884 wrote to memory of 3520 1884 pjvjd.exe 92 PID 1884 wrote to memory of 3520 1884 pjvjd.exe 92 PID 1884 wrote to memory of 3520 1884 pjvjd.exe 92 PID 3520 wrote to memory of 2180 3520 3jpjj.exe 93 PID 3520 wrote to memory of 2180 3520 3jpjj.exe 93 PID 3520 wrote to memory of 2180 3520 3jpjj.exe 93 PID 2180 wrote to memory of 3172 2180 jddvp.exe 94 PID 2180 wrote to 
memory of 3172 2180 jddvp.exe 94 PID 2180 wrote to memory of 3172 2180 jddvp.exe 94 PID 3172 wrote to memory of 3828 3172 26648.exe 95 PID 3172 wrote to memory of 3828 3172 26648.exe 95 PID 3172 wrote to memory of 3828 3172 26648.exe 95 PID 3828 wrote to memory of 3480 3828 jjvdp.exe 96 PID 3828 wrote to memory of 3480 3828 jjvdp.exe 96 PID 3828 wrote to memory of 3480 3828 jjvdp.exe 96 PID 3480 wrote to memory of 1180 3480 84086.exe 97 PID 3480 wrote to memory of 1180 3480 84086.exe 97 PID 3480 wrote to memory of 1180 3480 84086.exe 97 PID 1180 wrote to memory of 4432 1180 060086.exe 98 PID 1180 wrote to memory of 4432 1180 060086.exe 98 PID 1180 wrote to memory of 4432 1180 060086.exe 98 PID 4432 wrote to memory of 3404 4432 3pdjp.exe 99 PID 4432 wrote to memory of 3404 4432 3pdjp.exe 99 PID 4432 wrote to memory of 3404 4432 3pdjp.exe 99 PID 3404 wrote to memory of 4012 3404 2046026.exe 100 PID 3404 wrote to memory of 4012 3404 2046026.exe 100 PID 3404 wrote to memory of 4012 3404 2046026.exe 100 PID 4012 wrote to memory of 1524 4012 1hhtnn.exe 101 PID 4012 wrote to memory of 1524 4012 1hhtnn.exe 101 PID 4012 wrote to memory of 1524 4012 1hhtnn.exe 101 PID 1524 wrote to memory of 3036 1524 hnhbnn.exe 102 PID 1524 wrote to memory of 3036 1524 hnhbnn.exe 102 PID 1524 wrote to memory of 3036 1524 hnhbnn.exe 102 PID 3036 wrote to memory of 2616 3036 7jjvd.exe 103 PID 3036 wrote to memory of 2616 3036 7jjvd.exe 103 PID 3036 wrote to memory of 2616 3036 7jjvd.exe 103 PID 2616 wrote to memory of 1052 2616 7xxrrll.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ade0ceace78becebb69541b72b3336d421d4455e9540f96b16b12169a3dbfa33.exe"C:\Users\Admin\AppData\Local\Temp\ade0ceace78becebb69541b72b3336d421d4455e9540f96b16b12169a3dbfa33.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\5lrfrxr.exec:\5lrfrxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\jjjdp.exec:\jjjdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\7lfrlfx.exec:\7lfrlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\824444.exec:\824444.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\ntbbht.exec:\ntbbht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\1rxlxrf.exec:\1rxlxrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\frxlfrf.exec:\frxlfrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\bbnhtb.exec:\bbnhtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\pjvjd.exec:\pjvjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\3jpjj.exec:\3jpjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\jddvp.exec:\jddvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\26648.exec:\26648.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\jjvdp.exec:\jjvdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3828 -
\??\c:\84086.exec:\84086.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\060086.exec:\060086.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\3pdjp.exec:\3pdjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\2046026.exec:\2046026.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\1hhtnn.exec:\1hhtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\hnhbnn.exec:\hnhbnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\7jjvd.exec:\7jjvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\7xxrrll.exec:\7xxrrll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\8222662.exec:\8222662.exe23⤵
- Executes dropped EXE
PID:1052 -
\??\c:\tnthtn.exec:\tnthtn.exe24⤵
- Executes dropped EXE
PID:1508 -
\??\c:\6848604.exec:\6848604.exe25⤵
- Executes dropped EXE
PID:2564 -
\??\c:\600488.exec:\600488.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3864 -
\??\c:\466482.exec:\466482.exe27⤵
- Executes dropped EXE
PID:3868 -
\??\c:\bnttnn.exec:\bnttnn.exe28⤵
- Executes dropped EXE
PID:3248 -
\??\c:\pjjdp.exec:\pjjdp.exe29⤵
- Executes dropped EXE
PID:4584 -
\??\c:\nnbhtb.exec:\nnbhtb.exe30⤵
- Executes dropped EXE
PID:4760 -
\??\c:\o820204.exec:\o820204.exe31⤵
- Executes dropped EXE
PID:984 -
\??\c:\lfxrffr.exec:\lfxrffr.exe32⤵
- Executes dropped EXE
PID:4312 -
\??\c:\xxfrlfr.exec:\xxfrlfr.exe33⤵
- Executes dropped EXE
PID:3188 -
\??\c:\064860.exec:\064860.exe34⤵
- Executes dropped EXE
PID:2192 -
\??\c:\6288662.exec:\6288662.exe35⤵
- Executes dropped EXE
PID:2916 -
\??\c:\jpjvj.exec:\jpjvj.exe36⤵
- Executes dropped EXE
PID:2608 -
\??\c:\jdvpv.exec:\jdvpv.exe37⤵
- Executes dropped EXE
PID:3844 -
\??\c:\vddvj.exec:\vddvj.exe38⤵
- Executes dropped EXE
PID:960 -
\??\c:\0660486.exec:\0660486.exe39⤵
- Executes dropped EXE
PID:4404 -
\??\c:\20048.exec:\20048.exe40⤵
- Executes dropped EXE
PID:3692 -
\??\c:\thtnbt.exec:\thtnbt.exe41⤵
- Executes dropped EXE
PID:1168 -
\??\c:\7nhthb.exec:\7nhthb.exe42⤵
- Executes dropped EXE
PID:2072 -
\??\c:\64048.exec:\64048.exe43⤵
- Executes dropped EXE
PID:3944 -
\??\c:\6686048.exec:\6686048.exe44⤵
- Executes dropped EXE
PID:2540 -
\??\c:\7hnhbh.exec:\7hnhbh.exe45⤵
- Executes dropped EXE
PID:4932 -
\??\c:\3llxlfx.exec:\3llxlfx.exe46⤵
- Executes dropped EXE
PID:1584 -
\??\c:\rfxrrlf.exec:\rfxrrlf.exe47⤵
- Executes dropped EXE
PID:2644 -
\??\c:\bbbtnh.exec:\bbbtnh.exe48⤵
- Executes dropped EXE
PID:4772 -
\??\c:\jpvdp.exec:\jpvdp.exe49⤵
- Executes dropped EXE
PID:2880 -
\??\c:\026086.exec:\026086.exe50⤵
- Executes dropped EXE
PID:4824 -
\??\c:\6284604.exec:\6284604.exe51⤵
- Executes dropped EXE
PID:1232 -
\??\c:\200482.exec:\200482.exe52⤵
- Executes dropped EXE
PID:1852 -
\??\c:\9ntbhh.exec:\9ntbhh.exe53⤵
- Executes dropped EXE
PID:3428 -
\??\c:\vpdvj.exec:\vpdvj.exe54⤵
- Executes dropped EXE
PID:1832 -
\??\c:\nhthtt.exec:\nhthtt.exe55⤵
- Executes dropped EXE
PID:4348 -
\??\c:\ffffxlf.exec:\ffffxlf.exe56⤵
- Executes dropped EXE
PID:1576 -
\??\c:\662648.exec:\662648.exe57⤵
- Executes dropped EXE
PID:3048 -
\??\c:\9bnbnh.exec:\9bnbnh.exe58⤵
- Executes dropped EXE
PID:2620 -
\??\c:\48860.exec:\48860.exe59⤵
- Executes dropped EXE
PID:2632 -
\??\c:\nhthbt.exec:\nhthbt.exe60⤵
- Executes dropped EXE
PID:4184 -
\??\c:\6468204.exec:\6468204.exe61⤵
- Executes dropped EXE
PID:3440 -
\??\c:\jda64.exec:\jda64.exe62⤵
- Executes dropped EXE
PID:2696 -
\??\c:\862086.exec:\862086.exe63⤵
- Executes dropped EXE
PID:4564 -
\??\c:\jvvjv.exec:\jvvjv.exe64⤵
- Executes dropped EXE
PID:2492 -
\??\c:\g0486.exec:\g0486.exe65⤵
- Executes dropped EXE
PID:2432 -
\??\c:\dpvjd.exec:\dpvjd.exe66⤵PID:2888
-
\??\c:\2060640.exec:\2060640.exe67⤵PID:3940
-
\??\c:\pjjdd.exec:\pjjdd.exe68⤵PID:2472
-
\??\c:\644282.exec:\644282.exe69⤵PID:232
-
\??\c:\u622604.exec:\u622604.exe70⤵PID:704
-
\??\c:\7hnbnh.exec:\7hnbnh.exe71⤵PID:3936
-
\??\c:\i400220.exec:\i400220.exe72⤵PID:1208
-
\??\c:\vpdvj.exec:\vpdvj.exe73⤵PID:3780
-
\??\c:\28622.exec:\28622.exe74⤵PID:3956
-
\??\c:\dvvjv.exec:\dvvjv.exe75⤵PID:1580
-
\??\c:\2886482.exec:\2886482.exe76⤵PID:616
-
\??\c:\0860820.exec:\0860820.exe77⤵PID:1524
-
\??\c:\26806.exec:\26806.exe78⤵PID:1032
-
\??\c:\480822.exec:\480822.exe79⤵PID:4208
-
\??\c:\228200.exec:\228200.exe80⤵PID:5056
-
\??\c:\htnnbb.exec:\htnnbb.exe81⤵PID:4324
-
\??\c:\2664860.exec:\2664860.exe82⤵PID:2736
-
\??\c:\3rxxrrl.exec:\3rxxrrl.exe83⤵PID:1556
-
\??\c:\04482.exec:\04482.exe84⤵PID:1484
-
\??\c:\680482.exec:\680482.exe85⤵PID:4108
-
\??\c:\bbhhnh.exec:\bbhhnh.exe86⤵PID:4028
-
\??\c:\4282604.exec:\4282604.exe87⤵PID:3008
-
\??\c:\042448.exec:\042448.exe88⤵PID:4460
-
\??\c:\jjjvp.exec:\jjjvp.exe89⤵PID:4008
-
\??\c:\24040.exec:\24040.exe90⤵PID:2260
-
\??\c:\bnthbt.exec:\bnthbt.exe91⤵PID:1644
-
\??\c:\64468.exec:\64468.exe92⤵PID:4480
-
\??\c:\4662882.exec:\4662882.exe93⤵PID:1984
-
\??\c:\088488.exec:\088488.exe94⤵PID:4464
-
\??\c:\nnhhbb.exec:\nnhhbb.exe95⤵PID:1184
-
\??\c:\264226.exec:\264226.exe96⤵PID:2248
-
\??\c:\5pvjd.exec:\5pvjd.exe97⤵PID:1804
-
\??\c:\60260.exec:\60260.exe98⤵PID:2004
-
\??\c:\jpdjd.exec:\jpdjd.exe99⤵PID:1496
-
\??\c:\pjvvd.exec:\pjvvd.exe100⤵PID:3844
-
\??\c:\bhbtnb.exec:\bhbtnb.exe101⤵PID:4504
-
\??\c:\6622222.exec:\6622222.exe102⤵PID:2864
-
\??\c:\vppjv.exec:\vppjv.exe103⤵PID:2604
-
\??\c:\660060.exec:\660060.exe104⤵PID:2484
-
\??\c:\0042042.exec:\0042042.exe105⤵PID:2072
-
\??\c:\84660.exec:\84660.exe106⤵PID:3944
-
\??\c:\7tnhbn.exec:\7tnhbn.exe107⤵PID:1952
-
\??\c:\nntnhh.exec:\nntnhh.exe108⤵PID:2144
-
\??\c:\vpjdd.exec:\vpjdd.exe109⤵
- System Location Discovery: System Language Discovery
PID:1584 -
\??\c:\6806064.exec:\6806064.exe110⤵PID:4648
-
\??\c:\jdpjv.exec:\jdpjv.exe111⤵PID:1216
-
\??\c:\04004.exec:\04004.exe112⤵PID:4356
-
\??\c:\260022.exec:\260022.exe113⤵PID:1280
-
\??\c:\jjjjd.exec:\jjjjd.exe114⤵PID:3968
-
\??\c:\djpjp.exec:\djpjp.exe115⤵PID:632
-
\??\c:\c042660.exec:\c042660.exe116⤵PID:3428
-
\??\c:\2246000.exec:\2246000.exe117⤵PID:4748
-
\??\c:\pjjjd.exec:\pjjjd.exe118⤵PID:2132
-
\??\c:\hththh.exec:\hththh.exe119⤵PID:2480
-
\??\c:\00626.exec:\00626.exe120⤵PID:1736
-
\??\c:\6400460.exec:\6400460.exe121⤵PID:3984
-
\??\c:\a4604.exec:\a4604.exe122⤵PID:4144