Analysis
-
max time kernel
150s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
20-01-2025 09:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe
-
Size
455KB
-
MD5
7574fc0a1572fdde00fdedfd50cd1185
-
SHA1
f26a39e92474d33a229570fab2ae3da84717d8d3
-
SHA256
adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5
-
SHA512
86028168a543d043a52ee24890ad5f6b9478d8b765c0a6fd77aca982f2d898e86607f3e776ed6a3150f84df363694a2b97877c47a8bb87905a354d7bcaee707b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0K:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (every match below is the same 0x0000000000400000–0x000000000042A000 image region, just in a different PID; this is consistent with each dropped stage being another copy of the same packed payload, and the same region also matches the `upx` yara rule further down)
resource yara_rule behavioral2/memory/3124-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2516-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2776-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-1097-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-1215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-1367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-1566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3060 3nhbbt.exe 4340 5rxrrxx.exe 2396 3hbhbh.exe 4048 thbtnt.exe 4500 lxfffff.exe 4068 nbhtbt.exe 3648 rlxrxrx.exe 464 9dppd.exe 3700 fffxrrl.exe 2412 djpvj.exe 3792 bhbbtn.exe 3036 pppdp.exe 1484 thnhbb.exe 388 dvpjd.exe 4452 lxrlfxr.exe 3484 ntnnbt.exe 3996 vjdpj.exe 4948 xrfrrlx.exe 3588 9jpjp.exe 3580 7vjjp.exe 2516 nhbhtn.exe 5056 jdjdj.exe 3524 rlrrrrr.exe 1488 1bnhhh.exe 1328 lfxlrrx.exe 1036 hbbttt.exe 748 nntnhh.exe 4072 rlrlrrx.exe 376 hhnnhh.exe 4572 jjjdv.exe 724 3hhthb.exe 3216 dpvjv.exe 4540 5tbnbn.exe 4568 vvvvj.exe 5008 fxlfllr.exe 2112 tbnnbt.exe 676 tbbthh.exe 3440 vdpdd.exe 2224 lllxlfx.exe 5104 nnnhbh.exe 4748 djjjj.exe 1336 lfxflxf.exe 4360 hbbtnt.exe 3432 5pppd.exe 2228 xfrlrrx.exe 4036 btnhtt.exe 4128 7pjdp.exe 2032 jdpjj.exe 864 rflxrfr.exe 2068 5hhbtt.exe 3668 vvjdv.exe 4904 vjpdp.exe 3548 lllrlxx.exe 1220 1hbtnn.exe 792 djpdp.exe 4064 3pjvj.exe 1604 5lrffxx.exe 464 hbbtnh.exe 1376 nbnhbb.exe 2740 5jjvp.exe 868 xfrlfff.exe 2180 bttnbb.exe 1000 bbhbnn.exe 1088 jvdpd.exe -
resource yara_rule behavioral2/memory/3124-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4072-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4996-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-724-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). Caveat for detection: the `NLS\Language` key listed below is also read routinely by benign software via the locale APIs, so this read is a low-fidelity indicator on its own; it is notable here mainly because it is performed by the dropped executables in the process chain.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frflxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (in this run every write targets the writer's own newly created child in the chain shown under Processes — e.g. 3124 → 3060 → 4340 — never an unrelated process; whether these are the routine writes made when a child is created or an injection into the child cannot be determined from this listing alone)
description pid Process procid_target PID 3124 wrote to memory of 3060 3124 adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe 82 PID 3124 wrote to memory of 3060 3124 adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe 82 PID 3124 wrote to memory of 3060 3124 adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe 82 PID 3060 wrote to memory of 4340 3060 3nhbbt.exe 83 PID 3060 wrote to memory of 4340 3060 3nhbbt.exe 83 PID 3060 wrote to memory of 4340 3060 3nhbbt.exe 83 PID 4340 wrote to memory of 2396 4340 5rxrrxx.exe 84 PID 4340 wrote to memory of 2396 4340 5rxrrxx.exe 84 PID 4340 wrote to memory of 2396 4340 5rxrrxx.exe 84 PID 2396 wrote to memory of 4048 2396 3hbhbh.exe 85 PID 2396 wrote to memory of 4048 2396 3hbhbh.exe 85 PID 2396 wrote to memory of 4048 2396 3hbhbh.exe 85 PID 4048 wrote to memory of 4500 4048 thbtnt.exe 86 PID 4048 wrote to memory of 4500 4048 thbtnt.exe 86 PID 4048 wrote to memory of 4500 4048 thbtnt.exe 86 PID 4500 wrote to memory of 4068 4500 lxfffff.exe 87 PID 4500 wrote to memory of 4068 4500 lxfffff.exe 87 PID 4500 wrote to memory of 4068 4500 lxfffff.exe 87 PID 4068 wrote to memory of 3648 4068 nbhtbt.exe 88 PID 4068 wrote to memory of 3648 4068 nbhtbt.exe 88 PID 4068 wrote to memory of 3648 4068 nbhtbt.exe 88 PID 3648 wrote to memory of 464 3648 rlxrxrx.exe 89 PID 3648 wrote to memory of 464 3648 rlxrxrx.exe 89 PID 3648 wrote to memory of 464 3648 rlxrxrx.exe 89 PID 464 wrote to memory of 3700 464 9dppd.exe 90 PID 464 wrote to memory of 3700 464 9dppd.exe 90 PID 464 wrote to memory of 3700 464 9dppd.exe 90 PID 3700 wrote to memory of 2412 3700 fffxrrl.exe 91 PID 3700 wrote to memory of 2412 3700 fffxrrl.exe 91 PID 3700 wrote to memory of 2412 3700 fffxrrl.exe 91 PID 2412 wrote to memory of 3792 2412 djpvj.exe 92 PID 2412 wrote to memory of 3792 2412 djpvj.exe 92 PID 2412 wrote to memory of 3792 2412 djpvj.exe 92 PID 3792 wrote to memory of 3036 3792 bhbbtn.exe 93 PID 3792 wrote to 
memory of 3036 3792 bhbbtn.exe 93 PID 3792 wrote to memory of 3036 3792 bhbbtn.exe 93 PID 3036 wrote to memory of 1484 3036 pppdp.exe 94 PID 3036 wrote to memory of 1484 3036 pppdp.exe 94 PID 3036 wrote to memory of 1484 3036 pppdp.exe 94 PID 1484 wrote to memory of 388 1484 thnhbb.exe 95 PID 1484 wrote to memory of 388 1484 thnhbb.exe 95 PID 1484 wrote to memory of 388 1484 thnhbb.exe 95 PID 388 wrote to memory of 4452 388 dvpjd.exe 96 PID 388 wrote to memory of 4452 388 dvpjd.exe 96 PID 388 wrote to memory of 4452 388 dvpjd.exe 96 PID 4452 wrote to memory of 3484 4452 lxrlfxr.exe 97 PID 4452 wrote to memory of 3484 4452 lxrlfxr.exe 97 PID 4452 wrote to memory of 3484 4452 lxrlfxr.exe 97 PID 3484 wrote to memory of 3996 3484 ntnnbt.exe 98 PID 3484 wrote to memory of 3996 3484 ntnnbt.exe 98 PID 3484 wrote to memory of 3996 3484 ntnnbt.exe 98 PID 3996 wrote to memory of 4948 3996 vjdpj.exe 99 PID 3996 wrote to memory of 4948 3996 vjdpj.exe 99 PID 3996 wrote to memory of 4948 3996 vjdpj.exe 99 PID 4948 wrote to memory of 3588 4948 xrfrrlx.exe 100 PID 4948 wrote to memory of 3588 4948 xrfrrlx.exe 100 PID 4948 wrote to memory of 3588 4948 xrfrrlx.exe 100 PID 3588 wrote to memory of 3580 3588 9jpjp.exe 101 PID 3588 wrote to memory of 3580 3588 9jpjp.exe 101 PID 3588 wrote to memory of 3580 3588 9jpjp.exe 101 PID 3580 wrote to memory of 2516 3580 7vjjp.exe 102 PID 3580 wrote to memory of 2516 3580 7vjjp.exe 102 PID 3580 wrote to memory of 2516 3580 7vjjp.exe 102 PID 2516 wrote to memory of 5056 2516 nhbhtn.exe 103
Processes (note: every stage is launched from the root of the C: drive — `\??\c:\<name>.exe` — with short names drawn from a small set of letters and digits, and each stage spawns exactly one successor, forming a strictly linear chain more than 120 processes deep within the 150 s run; executables being created in C:\ and a deep single-child process chain are both practical detection points)
-
C:\Users\Admin\AppData\Local\Temp\adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe"C:\Users\Admin\AppData\Local\Temp\adcadb69832657c4673c0678d72021c16796516839c66004153be758f2bfeed5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\3nhbbt.exec:\3nhbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\5rxrrxx.exec:\5rxrrxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\3hbhbh.exec:\3hbhbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\thbtnt.exec:\thbtnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\lxfffff.exec:\lxfffff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\nbhtbt.exec:\nbhtbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\rlxrxrx.exec:\rlxrxrx.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\9dppd.exec:\9dppd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\fffxrrl.exec:\fffxrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\djpvj.exec:\djpvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\bhbbtn.exec:\bhbbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\pppdp.exec:\pppdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\thnhbb.exec:\thnhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\dvpjd.exec:\dvpjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\lxrlfxr.exec:\lxrlfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\ntnnbt.exec:\ntnnbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\vjdpj.exec:\vjdpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\xrfrrlx.exec:\xrfrrlx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\9jpjp.exec:\9jpjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\7vjjp.exec:\7vjjp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\nhbhtn.exec:\nhbhtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\jdjdj.exec:\jdjdj.exe23⤵
- Executes dropped EXE
PID:5056 -
\??\c:\rlrrrrr.exec:\rlrrrrr.exe24⤵
- Executes dropped EXE
PID:3524 -
\??\c:\1bnhhh.exec:\1bnhhh.exe25⤵
- Executes dropped EXE
PID:1488 -
\??\c:\lfxlrrx.exec:\lfxlrrx.exe26⤵
- Executes dropped EXE
PID:1328 -
\??\c:\hbbttt.exec:\hbbttt.exe27⤵
- Executes dropped EXE
PID:1036 -
\??\c:\nntnhh.exec:\nntnhh.exe28⤵
- Executes dropped EXE
PID:748 -
\??\c:\rlrlrrx.exec:\rlrlrrx.exe29⤵
- Executes dropped EXE
PID:4072 -
\??\c:\hhnnhh.exec:\hhnnhh.exe30⤵
- Executes dropped EXE
PID:376 -
\??\c:\jjjdv.exec:\jjjdv.exe31⤵
- Executes dropped EXE
PID:4572 -
\??\c:\3hhthb.exec:\3hhthb.exe32⤵
- Executes dropped EXE
PID:724 -
\??\c:\dpvjv.exec:\dpvjv.exe33⤵
- Executes dropped EXE
PID:3216 -
\??\c:\5tbnbn.exec:\5tbnbn.exe34⤵
- Executes dropped EXE
PID:4540 -
\??\c:\vvvvj.exec:\vvvvj.exe35⤵
- Executes dropped EXE
PID:4568 -
\??\c:\fxlfllr.exec:\fxlfllr.exe36⤵
- Executes dropped EXE
PID:5008 -
\??\c:\tbnnbt.exec:\tbnnbt.exe37⤵
- Executes dropped EXE
PID:2112 -
\??\c:\tbbthh.exec:\tbbthh.exe38⤵
- Executes dropped EXE
PID:676 -
\??\c:\vdpdd.exec:\vdpdd.exe39⤵
- Executes dropped EXE
PID:3440 -
\??\c:\lllxlfx.exec:\lllxlfx.exe40⤵
- Executes dropped EXE
PID:2224 -
\??\c:\nnnhbh.exec:\nnnhbh.exe41⤵
- Executes dropped EXE
PID:5104 -
\??\c:\djjjj.exec:\djjjj.exe42⤵
- Executes dropped EXE
PID:4748 -
\??\c:\lfxflxf.exec:\lfxflxf.exe43⤵
- Executes dropped EXE
PID:1336 -
\??\c:\hbbtnt.exec:\hbbtnt.exe44⤵
- Executes dropped EXE
PID:4360 -
\??\c:\5pppd.exec:\5pppd.exe45⤵
- Executes dropped EXE
PID:3432 -
\??\c:\xfrlrrx.exec:\xfrlrrx.exe46⤵
- Executes dropped EXE
PID:2228 -
\??\c:\btnhtt.exec:\btnhtt.exe47⤵
- Executes dropped EXE
PID:4036 -
\??\c:\7pjdp.exec:\7pjdp.exe48⤵
- Executes dropped EXE
PID:4128 -
\??\c:\jdpjj.exec:\jdpjj.exe49⤵
- Executes dropped EXE
PID:2032 -
\??\c:\rflxrfr.exec:\rflxrfr.exe50⤵
- Executes dropped EXE
PID:864 -
\??\c:\5hhbtt.exec:\5hhbtt.exe51⤵
- Executes dropped EXE
PID:2068 -
\??\c:\vvjdv.exec:\vvjdv.exe52⤵
- Executes dropped EXE
PID:3668 -
\??\c:\vjpdp.exec:\vjpdp.exe53⤵
- Executes dropped EXE
PID:4904 -
\??\c:\lllrlxx.exec:\lllrlxx.exe54⤵
- Executes dropped EXE
PID:3548 -
\??\c:\1hbtnn.exec:\1hbtnn.exe55⤵
- Executes dropped EXE
PID:1220 -
\??\c:\djpdp.exec:\djpdp.exe56⤵
- Executes dropped EXE
PID:792 -
\??\c:\3pjvj.exec:\3pjvj.exe57⤵
- Executes dropped EXE
PID:4064 -
\??\c:\5lrffxx.exec:\5lrffxx.exe58⤵
- Executes dropped EXE
PID:1604 -
\??\c:\hbbtnh.exec:\hbbtnh.exe59⤵
- Executes dropped EXE
PID:464 -
\??\c:\nbnhbb.exec:\nbnhbb.exe60⤵
- Executes dropped EXE
PID:1376 -
\??\c:\5jjvp.exec:\5jjvp.exe61⤵
- Executes dropped EXE
PID:2740 -
\??\c:\xfrlfff.exec:\xfrlfff.exe62⤵
- Executes dropped EXE
PID:868 -
\??\c:\bttnbb.exec:\bttnbb.exe63⤵
- Executes dropped EXE
PID:2180 -
\??\c:\bbhbnn.exec:\bbhbnn.exe64⤵
- Executes dropped EXE
PID:1000 -
\??\c:\jvdpd.exec:\jvdpd.exe65⤵
- Executes dropped EXE
PID:1088 -
\??\c:\fllfrlf.exec:\fllfrlf.exe66⤵PID:2352
-
\??\c:\btbttt.exec:\btbttt.exe67⤵PID:2776
-
\??\c:\3bbthh.exec:\3bbthh.exe68⤵PID:244
-
\??\c:\5jpjd.exec:\5jpjd.exe69⤵PID:3032
-
\??\c:\jjvjp.exec:\jjvjp.exe70⤵PID:1156
-
\??\c:\llxllfx.exec:\llxllfx.exe71⤵PID:2996
-
\??\c:\htthth.exec:\htthth.exe72⤵PID:2148
-
\??\c:\vppjv.exec:\vppjv.exe73⤵PID:3064
-
\??\c:\pdjvj.exec:\pdjvj.exe74⤵PID:3528
-
\??\c:\rlllffx.exec:\rlllffx.exe75⤵PID:3592
-
\??\c:\bbnbbt.exec:\bbnbbt.exe76⤵PID:3460
-
\??\c:\jvvjd.exec:\jvvjd.exe77⤵PID:4960
-
\??\c:\fffrfrl.exec:\fffrfrl.exe78⤵PID:3756
-
\??\c:\ntbhtt.exec:\ntbhtt.exe79⤵PID:4996
-
\??\c:\9tbtnh.exec:\9tbtnh.exe80⤵PID:1464
-
\??\c:\dvdpp.exec:\dvdpp.exe81⤵PID:3020
-
\??\c:\llfrffr.exec:\llfrffr.exe82⤵PID:1348
-
\??\c:\tbbbbt.exec:\tbbbbt.exe83⤵PID:3620
-
\??\c:\jddpj.exec:\jddpj.exe84⤵PID:372
-
\??\c:\xrrfxrf.exec:\xrrfxrf.exe85⤵PID:1176
-
\??\c:\lxxfxxl.exec:\lxxfxxl.exe86⤵PID:4072
-
\??\c:\9hhbnt.exec:\9hhbnt.exe87⤵PID:3344
-
\??\c:\btnhtn.exec:\btnhtn.exe88⤵PID:2700
-
\??\c:\djjpd.exec:\djjpd.exe89⤵PID:2388
-
\??\c:\5frflxl.exec:\5frflxl.exe90⤵
- System Location Discovery: System Language Discovery
PID:724 -
\??\c:\bhtnbn.exec:\bhtnbn.exe91⤵PID:3272
-
\??\c:\vjjvj.exec:\vjjvj.exe92⤵PID:3216
-
\??\c:\ppdpj.exec:\ppdpj.exe93⤵PID:1072
-
\??\c:\lfxxxrf.exec:\lfxxxrf.exe94⤵
- System Location Discovery: System Language Discovery
PID:2056 -
\??\c:\nhtntn.exec:\nhtntn.exe95⤵PID:5008
-
\??\c:\vdpvj.exec:\vdpvj.exe96⤵PID:3052
-
\??\c:\xffrxlf.exec:\xffrxlf.exe97⤵PID:3412
-
\??\c:\1lfrlfr.exec:\1lfrlfr.exe98⤵PID:652
-
\??\c:\hhhhtn.exec:\hhhhtn.exe99⤵PID:4136
-
\??\c:\vdjvj.exec:\vdjvj.exe100⤵PID:5020
-
\??\c:\frfxllf.exec:\frfxllf.exe101⤵PID:1912
-
\??\c:\xffxllx.exec:\xffxllx.exe102⤵PID:4368
-
\??\c:\nnnnbh.exec:\nnnnbh.exe103⤵PID:3504
-
\??\c:\vjdpj.exec:\vjdpj.exe104⤵PID:3240
-
\??\c:\xrfxffr.exec:\xrfxffr.exe105⤵PID:696
-
\??\c:\tnnhtn.exec:\tnnhtn.exe106⤵PID:4984
-
\??\c:\7bbnbt.exec:\7bbnbt.exe107⤵PID:4864
-
\??\c:\dpdpd.exec:\dpdpd.exe108⤵PID:3748
-
\??\c:\lxlxlfr.exec:\lxlxlfr.exe109⤵PID:4484
-
\??\c:\5bnhtb.exec:\5bnhtb.exe110⤵PID:3744
-
\??\c:\hhbnhb.exec:\hhbnhb.exe111⤵PID:4288
-
\??\c:\9dpvd.exec:\9dpvd.exe112⤵PID:1280
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe113⤵PID:1452
-
\??\c:\3hbnbb.exec:\3hbnbb.exe114⤵PID:4396
-
\??\c:\bbbhnh.exec:\bbbhnh.exe115⤵PID:4912
-
\??\c:\jjdpd.exec:\jjdpd.exe116⤵PID:3712
-
\??\c:\9frflfx.exec:\9frflfx.exe117⤵PID:3512
-
\??\c:\3hhtnh.exec:\3hhtnh.exe118⤵PID:2660
-
\??\c:\hbhttn.exec:\hbhttn.exe119⤵PID:732
-
\??\c:\vppvj.exec:\vppvj.exe120⤵PID:1668
-
\??\c:\5ffrxrf.exec:\5ffrxrf.exe121⤵PID:760
-
\??\c:\xrfxrfl.exec:\xrfxrfl.exe122⤵PID:2140