Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:07
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
adf0bf3c7b01a36dbb022bcbd8563c185b9f326c7e5cf51a32ac104d62be2cde.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
adf0bf3c7b01a36dbb022bcbd8563c185b9f326c7e5cf51a32ac104d62be2cde.exe
-
Size
457KB
-
MD5
555e8cb22d88948be0c1e26c92f470e9
-
SHA1
4c04fd08e9c423defad367e5a5d9ab17140c1ef4
-
SHA256
adf0bf3c7b01a36dbb022bcbd8563c185b9f326c7e5cf51a32ac104d62be2cde
-
SHA512
b1f840645311046e49dd4aa92a2bae2e279e02077eaf846578ede524d3f110e52d6ac1ffbd43abf43e7b43110bd1fa5cf6b58a52763b35e41cba3da8811eada4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA8:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1924-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3532-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1360-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-848-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-889-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-1041-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3520-1213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3068 04448.exe 4324 000240.exe 4640 ttbthh.exe 2924 ddppj.exe 3524 dvvjp.exe 2436 nbbtnh.exe 3368 2468806.exe 2172 06660.exe 1888 xflfrrr.exe 4520 lxlfllx.exe 5064 rxxfxxr.exe 1992 ththtn.exe 2996 pdvjv.exe 2100 64208.exe 2816 404860.exe 3852 xllfxxr.exe 752 86642.exe 2552 1bnhnn.exe 1828 8226048.exe 3608 64044.exe 2548 hntnhb.exe 4428 606622.exe 1416 8604824.exe 3340 e80422.exe 1360 w40448.exe 2636 hhnhhh.exe 5028 u286042.exe 3532 pdvvj.exe 2400 xlffxlf.exe 2908 vpvjd.exe 868 w80426.exe 2752 024886.exe 932 tnbtbh.exe 1708 xlrlllf.exe 3576 248820.exe 4128 7tbbtt.exe 4036 hhtttn.exe 2176 w02600.exe 548 40882.exe 1016 lfxffff.exe 2024 8866448.exe 3100 jddvp.exe 400 rxxxrll.exe 3768 fllfrrl.exe 4916 vdpdv.exe 2692 nhnnbh.exe 2336 06282.exe 2104 ffrlxxr.exe 4352 nbbtnn.exe 1388 pdjjj.exe 4788 2820820.exe 3068 5bnhbb.exe 452 vddvj.exe 5032 7ttnnn.exe 3452 9lxrlfr.exe 3936 8666044.exe 3588 pvdvv.exe 1804 rlrlrlx.exe 2872 008226.exe 32 vjjdd.exe 1224 28882.exe 1384 thttnn.exe 5016 nhhbtn.exe 1756 pjjvp.exe -
resource yara_rule behavioral2/memory/3068-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5028-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1540-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-789-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTP 64 IoCs
Attempts to gather information about the system language of the victim host (here, by opening the HKLM\SYSTEM\ControlSet001\Control\NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u804882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 668488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0666004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 422048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 484048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0888082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1924 wrote to memory of 3068 1924 adf0bf3c7b01a36dbb022bcbd8563c185b9f326c7e5cf51a32ac104d62be2cde.exe 83 PID 1924 wrote to memory of 3068 1924 adf0bf3c7b01a36dbb022bcbd8563c185b9f326c7e5cf51a32ac104d62be2cde.exe 83 PID 1924 wrote to memory of 3068 1924 adf0bf3c7b01a36dbb022bcbd8563c185b9f326c7e5cf51a32ac104d62be2cde.exe 83 PID 3068 wrote to memory of 4324 3068 04448.exe 84 PID 3068 wrote to memory of 4324 3068 04448.exe 84 PID 3068 wrote to memory of 4324 3068 04448.exe 84 PID 4324 wrote to memory of 4640 4324 000240.exe 85 PID 4324 wrote to memory of 4640 4324 000240.exe 85 PID 4324 wrote to memory of 4640 4324 000240.exe 85 PID 4640 wrote to memory of 2924 4640 ttbthh.exe 86 PID 4640 wrote to memory of 2924 4640 ttbthh.exe 86 PID 4640 wrote to memory of 2924 4640 ttbthh.exe 86 PID 2924 wrote to memory of 3524 2924 ddppj.exe 87 PID 2924 wrote to memory of 3524 2924 ddppj.exe 87 PID 2924 wrote to memory of 3524 2924 ddppj.exe 87 PID 3524 wrote to memory of 2436 3524 dvvjp.exe 88 PID 3524 wrote to memory of 2436 3524 dvvjp.exe 88 PID 3524 wrote to memory of 2436 3524 dvvjp.exe 88 PID 2436 wrote to memory of 3368 2436 nbbtnh.exe 89 PID 2436 wrote to memory of 3368 2436 nbbtnh.exe 89 PID 2436 wrote to memory of 3368 2436 nbbtnh.exe 89 PID 3368 wrote to memory of 2172 3368 2468806.exe 90 PID 3368 wrote to memory of 2172 3368 2468806.exe 90 PID 3368 wrote to memory of 2172 3368 2468806.exe 90 PID 2172 wrote to memory of 1888 2172 06660.exe 91 PID 2172 wrote to memory of 1888 2172 06660.exe 91 PID 2172 wrote to memory of 1888 2172 06660.exe 91 PID 1888 wrote to memory of 4520 1888 xflfrrr.exe 92 PID 1888 wrote to memory of 4520 1888 xflfrrr.exe 92 PID 1888 wrote to memory of 4520 1888 xflfrrr.exe 92 PID 4520 wrote to memory of 5064 4520 lxlfllx.exe 93 PID 4520 wrote to memory of 5064 4520 lxlfllx.exe 93 PID 4520 wrote to memory of 5064 4520 lxlfllx.exe 93 PID 5064 wrote to memory of 1992 5064 rxxfxxr.exe 94 PID 5064 wrote to 
memory of 1992 5064 rxxfxxr.exe 94 PID 5064 wrote to memory of 1992 5064 rxxfxxr.exe 94 PID 1992 wrote to memory of 2996 1992 ththtn.exe 95 PID 1992 wrote to memory of 2996 1992 ththtn.exe 95 PID 1992 wrote to memory of 2996 1992 ththtn.exe 95 PID 2996 wrote to memory of 2100 2996 pdvjv.exe 96 PID 2996 wrote to memory of 2100 2996 pdvjv.exe 96 PID 2996 wrote to memory of 2100 2996 pdvjv.exe 96 PID 2100 wrote to memory of 2816 2100 64208.exe 97 PID 2100 wrote to memory of 2816 2100 64208.exe 97 PID 2100 wrote to memory of 2816 2100 64208.exe 97 PID 2816 wrote to memory of 3852 2816 404860.exe 98 PID 2816 wrote to memory of 3852 2816 404860.exe 98 PID 2816 wrote to memory of 3852 2816 404860.exe 98 PID 3852 wrote to memory of 752 3852 xllfxxr.exe 99 PID 3852 wrote to memory of 752 3852 xllfxxr.exe 99 PID 3852 wrote to memory of 752 3852 xllfxxr.exe 99 PID 752 wrote to memory of 2552 752 86642.exe 100 PID 752 wrote to memory of 2552 752 86642.exe 100 PID 752 wrote to memory of 2552 752 86642.exe 100 PID 2552 wrote to memory of 1828 2552 1bnhnn.exe 101 PID 2552 wrote to memory of 1828 2552 1bnhnn.exe 101 PID 2552 wrote to memory of 1828 2552 1bnhnn.exe 101 PID 1828 wrote to memory of 3608 1828 8226048.exe 102 PID 1828 wrote to memory of 3608 1828 8226048.exe 102 PID 1828 wrote to memory of 3608 1828 8226048.exe 102 PID 3608 wrote to memory of 2548 3608 64044.exe 103 PID 3608 wrote to memory of 2548 3608 64044.exe 103 PID 3608 wrote to memory of 2548 3608 64044.exe 103 PID 2548 wrote to memory of 4428 2548 hntnhb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\adf0bf3c7b01a36dbb022bcbd8563c185b9f326c7e5cf51a32ac104d62be2cde.exe"C:\Users\Admin\AppData\Local\Temp\adf0bf3c7b01a36dbb022bcbd8563c185b9f326c7e5cf51a32ac104d62be2cde.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\04448.exec:\04448.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\000240.exec:\000240.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\ttbthh.exec:\ttbthh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\ddppj.exec:\ddppj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\dvvjp.exec:\dvvjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\nbbtnh.exec:\nbbtnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\2468806.exec:\2468806.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\06660.exec:\06660.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\xflfrrr.exec:\xflfrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\lxlfllx.exec:\lxlfllx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\rxxfxxr.exec:\rxxfxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\ththtn.exec:\ththtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\pdvjv.exec:\pdvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\64208.exec:\64208.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\404860.exec:\404860.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\xllfxxr.exec:\xllfxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\86642.exec:\86642.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\1bnhnn.exec:\1bnhnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\8226048.exec:\8226048.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\64044.exec:\64044.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\hntnhb.exec:\hntnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\606622.exec:\606622.exe23⤵
- Executes dropped EXE
PID:4428 -
\??\c:\8604824.exec:\8604824.exe24⤵
- Executes dropped EXE
PID:1416 -
\??\c:\e80422.exec:\e80422.exe25⤵
- Executes dropped EXE
PID:3340 -
\??\c:\w40448.exec:\w40448.exe26⤵
- Executes dropped EXE
PID:1360 -
\??\c:\hhnhhh.exec:\hhnhhh.exe27⤵
- Executes dropped EXE
PID:2636 -
\??\c:\u286042.exec:\u286042.exe28⤵
- Executes dropped EXE
PID:5028 -
\??\c:\pdvvj.exec:\pdvvj.exe29⤵
- Executes dropped EXE
PID:3532 -
\??\c:\xlffxlf.exec:\xlffxlf.exe30⤵
- Executes dropped EXE
PID:2400 -
\??\c:\vpvjd.exec:\vpvjd.exe31⤵
- Executes dropped EXE
PID:2908 -
\??\c:\w80426.exec:\w80426.exe32⤵
- Executes dropped EXE
PID:868 -
\??\c:\024886.exec:\024886.exe33⤵
- Executes dropped EXE
PID:2752 -
\??\c:\tnbtbh.exec:\tnbtbh.exe34⤵
- Executes dropped EXE
PID:932 -
\??\c:\xlrlllf.exec:\xlrlllf.exe35⤵
- Executes dropped EXE
PID:1708 -
\??\c:\248820.exec:\248820.exe36⤵
- Executes dropped EXE
PID:3576 -
\??\c:\7tbbtt.exec:\7tbbtt.exe37⤵
- Executes dropped EXE
PID:4128 -
\??\c:\hhtttn.exec:\hhtttn.exe38⤵
- Executes dropped EXE
PID:4036 -
\??\c:\w02600.exec:\w02600.exe39⤵
- Executes dropped EXE
PID:2176 -
\??\c:\40882.exec:\40882.exe40⤵
- Executes dropped EXE
PID:548 -
\??\c:\lfxffff.exec:\lfxffff.exe41⤵
- Executes dropped EXE
PID:1016 -
\??\c:\8866448.exec:\8866448.exe42⤵
- Executes dropped EXE
PID:2024 -
\??\c:\jddvp.exec:\jddvp.exe43⤵
- Executes dropped EXE
PID:3100 -
\??\c:\rxxxrll.exec:\rxxxrll.exe44⤵
- Executes dropped EXE
PID:400 -
\??\c:\fllfrrl.exec:\fllfrrl.exe45⤵
- Executes dropped EXE
PID:3768 -
\??\c:\vdpdv.exec:\vdpdv.exe46⤵
- Executes dropped EXE
PID:4916 -
\??\c:\nhnnbh.exec:\nhnnbh.exe47⤵
- Executes dropped EXE
PID:2692 -
\??\c:\06282.exec:\06282.exe48⤵
- Executes dropped EXE
PID:2336 -
\??\c:\ffrlxxr.exec:\ffrlxxr.exe49⤵
- Executes dropped EXE
PID:2104 -
\??\c:\nbbtnn.exec:\nbbtnn.exe50⤵
- Executes dropped EXE
PID:4352 -
\??\c:\pdjjj.exec:\pdjjj.exe51⤵
- Executes dropped EXE
PID:1388 -
\??\c:\2820820.exec:\2820820.exe52⤵
- Executes dropped EXE
PID:4788 -
\??\c:\5bnhbb.exec:\5bnhbb.exe53⤵
- Executes dropped EXE
PID:3068 -
\??\c:\vddvj.exec:\vddvj.exe54⤵
- Executes dropped EXE
PID:452 -
\??\c:\7ttnnn.exec:\7ttnnn.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5032 -
\??\c:\9lxrlfr.exec:\9lxrlfr.exe56⤵
- Executes dropped EXE
PID:3452 -
\??\c:\8666044.exec:\8666044.exe57⤵
- Executes dropped EXE
PID:3936 -
\??\c:\pvdvv.exec:\pvdvv.exe58⤵
- Executes dropped EXE
PID:3588 -
\??\c:\rlrlrlx.exec:\rlrlrlx.exe59⤵
- Executes dropped EXE
PID:1804 -
\??\c:\008226.exec:\008226.exe60⤵
- Executes dropped EXE
PID:2872 -
\??\c:\vjjdd.exec:\vjjdd.exe61⤵
- Executes dropped EXE
PID:32 -
\??\c:\28882.exec:\28882.exe62⤵
- Executes dropped EXE
PID:1224 -
\??\c:\thttnn.exec:\thttnn.exe63⤵
- Executes dropped EXE
PID:1384 -
\??\c:\nhhbtn.exec:\nhhbtn.exe64⤵
- Executes dropped EXE
PID:5016 -
\??\c:\pjjvp.exec:\pjjvp.exe65⤵
- Executes dropped EXE
PID:1756 -
\??\c:\7pjpj.exec:\7pjpj.exe66⤵PID:3668
-
\??\c:\fflxrrx.exec:\fflxrrx.exe67⤵PID:3360
-
\??\c:\60044.exec:\60044.exe68⤵PID:968
-
\??\c:\62086.exec:\62086.exe69⤵PID:412
-
\??\c:\5djdj.exec:\5djdj.exe70⤵PID:2700
-
\??\c:\tnttnn.exec:\tnttnn.exe71⤵PID:1064
-
\??\c:\244868.exec:\244868.exe72⤵PID:1444
-
\??\c:\8882684.exec:\8882684.exe73⤵PID:3376
-
\??\c:\9ddpj.exec:\9ddpj.exe74⤵PID:3252
-
\??\c:\xrffrll.exec:\xrffrll.exe75⤵PID:2244
-
\??\c:\btnhhh.exec:\btnhhh.exe76⤵PID:4368
-
\??\c:\jdvpj.exec:\jdvpj.exe77⤵PID:864
-
\??\c:\02864.exec:\02864.exe78⤵PID:4484
-
\??\c:\tnbbnn.exec:\tnbbnn.exe79⤵PID:3212
-
\??\c:\68220.exec:\68220.exe80⤵PID:4084
-
\??\c:\608624.exec:\608624.exe81⤵PID:1208
-
\??\c:\2060004.exec:\2060004.exe82⤵PID:3460
-
\??\c:\044600.exec:\044600.exe83⤵PID:976
-
\??\c:\068866.exec:\068866.exe84⤵PID:3432
-
\??\c:\488266.exec:\488266.exe85⤵PID:1360
-
\??\c:\vpdvv.exec:\vpdvv.exe86⤵PID:2488
-
\??\c:\vdppj.exec:\vdppj.exe87⤵PID:4756
-
\??\c:\1hthtb.exec:\1hthtb.exe88⤵PID:4148
-
\??\c:\jvvjv.exec:\jvvjv.exe89⤵PID:1076
-
\??\c:\nbthbb.exec:\nbthbb.exe90⤵PID:1284
-
\??\c:\c060044.exec:\c060044.exe91⤵PID:4356
-
\??\c:\bhnhbb.exec:\bhnhbb.exe92⤵PID:1832
-
\??\c:\thnhnh.exec:\thnhnh.exe93⤵PID:1996
-
\??\c:\8808200.exec:\8808200.exe94⤵PID:2528
-
\??\c:\64880.exec:\64880.exe95⤵PID:1004
-
\??\c:\vdpjv.exec:\vdpjv.exe96⤵PID:1752
-
\??\c:\httnbb.exec:\httnbb.exe97⤵PID:2668
-
\??\c:\lrxfxfx.exec:\lrxfxfx.exe98⤵PID:1680
-
\??\c:\66260.exec:\66260.exe99⤵PID:2556
-
\??\c:\jdvpd.exec:\jdvpd.exe100⤵PID:4036
-
\??\c:\btbbtt.exec:\btbbtt.exe101⤵PID:2176
-
\??\c:\hhhhtb.exec:\hhhhtb.exe102⤵PID:548
-
\??\c:\u044842.exec:\u044842.exe103⤵PID:1540
-
\??\c:\26488.exec:\26488.exe104⤵PID:2024
-
\??\c:\vddjp.exec:\vddjp.exe105⤵PID:3448
-
\??\c:\dpvpj.exec:\dpvpj.exe106⤵PID:400
-
\??\c:\0888660.exec:\0888660.exe107⤵PID:3224
-
\??\c:\lrflfff.exec:\lrflfff.exe108⤵PID:3332
-
\??\c:\4248260.exec:\4248260.exe109⤵PID:2692
-
\??\c:\06822.exec:\06822.exe110⤵PID:3116
-
\??\c:\626082.exec:\626082.exe111⤵PID:4276
-
\??\c:\6208604.exec:\6208604.exe112⤵PID:4744
-
\??\c:\68222.exec:\68222.exe113⤵PID:4732
-
\??\c:\jvdvd.exec:\jvdvd.exe114⤵PID:3828
-
\??\c:\pdjjp.exec:\pdjjp.exe115⤵PID:388
-
\??\c:\vdjvj.exec:\vdjvj.exe116⤵PID:4204
-
\??\c:\2028664.exec:\2028664.exe117⤵PID:4332
-
\??\c:\4226048.exec:\4226048.exe118⤵PID:3512
-
\??\c:\5xxrllx.exec:\5xxrllx.exe119⤵PID:2568
-
\??\c:\6220448.exec:\6220448.exe120⤵PID:2608
-
\??\c:\vdppp.exec:\vdppp.exe121⤵PID:2436
-
\??\c:\68444.exec:\68444.exe122⤵PID:4272
-