Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
28/03/2025, 20:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe
-
Size
456KB
-
MD5
b8b06189ddbb0454b6b3fd2c8261bd22
-
SHA1
a011dc28a25e5eef6deb7470f087a9a6f63d158b
-
SHA256
52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb
-
SHA512
e25cd2652e59b314e54b4920690f697dcec1f66eee3cb7eddeb3934577f6b9afe94ac2f54d16dcce91727f56ef7753bb8106d0d91ba09ae8e62cf44372de4d4b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeSi:q7Tc2NYHUrAwfMp3CDSi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3104-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2068-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2336-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-962-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-1314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-1387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-1493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-1582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2380 482086.exe 628 9vjvj.exe 4880 e80226.exe 2404 862648.exe 3612 404260.exe 2800 4682442.exe 4284 84484.exe 4692 4684608.exe 1656 7jjdj.exe 1408 86086.exe 208 pdjvj.exe 2672 lffxlfr.exe 212 g6642.exe 1528 dvdpj.exe 3648 2008604.exe 5032 66082.exe 4884 08824.exe 924 082642.exe 1640 rrlflfx.exe 3784 22608.exe 4888 3ddpd.exe 1148 88220.exe 4780 884822.exe 1968 7lrrfff.exe 4908 jpdpj.exe 3980 3rrlllf.exe 3860 9llfxxr.exe 3148 vvpjj.exe 4000 068866.exe 2068 8088666.exe 1716 btnhbb.exe 3012 6662644.exe 4196 206000.exe 2180 684660.exe 4024 e00488.exe 4752 228262.exe 4028 28482.exe 1728 2884888.exe 2872 88660.exe 4964 nhthbh.exe 4620 60282.exe 4080 dppjv.exe 2364 862200.exe 3544 9pppj.exe 4456 8222222.exe 3316 k20266.exe 4208 26260.exe 1948 48428.exe 4204 8800882.exe 1776 pdjpp.exe 2504 hhbbtt.exe 2184 2844844.exe 1520 6008226.exe 4320 446248.exe 3396 4840446.exe 4628 2822888.exe 4612 thnnnh.exe 3104 0888660.exe 4288 84004.exe 3604 lxfxlll.exe 2912 dvjjd.exe 2428 9jdvp.exe 3596 bttnbb.exe 4344 8864468.exe -
resource yara_rule behavioral2/memory/3104-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1968-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-410-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3664-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-962-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u608604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0282266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8400400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3104 wrote to memory of 2380 3104 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 86 PID 3104 wrote to memory of 2380 3104 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 86 PID 3104 wrote to memory of 2380 3104 52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe 86 PID 2380 wrote to memory of 628 2380 482086.exe 87 PID 2380 wrote to memory of 628 2380 482086.exe 87 PID 2380 wrote to memory of 628 2380 482086.exe 87 PID 628 wrote to memory of 4880 628 9vjvj.exe 88 PID 628 wrote to memory of 4880 628 9vjvj.exe 88 PID 628 wrote to memory of 4880 628 9vjvj.exe 88 PID 4880 wrote to memory of 2404 4880 e80226.exe 89 PID 4880 wrote to memory of 2404 4880 e80226.exe 89 PID 4880 wrote to memory of 2404 4880 e80226.exe 89 PID 2404 wrote to memory of 3612 2404 862648.exe 90 PID 2404 wrote to memory of 3612 2404 862648.exe 90 PID 2404 wrote to memory of 3612 2404 862648.exe 90 PID 3612 wrote to memory of 2800 3612 404260.exe 91 PID 3612 wrote to memory of 2800 3612 404260.exe 91 PID 3612 wrote to memory of 2800 3612 404260.exe 91 PID 2800 wrote to memory of 4284 2800 4682442.exe 92 PID 2800 wrote to memory of 4284 2800 4682442.exe 92 PID 2800 wrote to memory of 4284 2800 4682442.exe 92 PID 4284 wrote to memory of 4692 4284 84484.exe 93 PID 4284 wrote to memory of 4692 4284 84484.exe 93 PID 4284 wrote to memory of 4692 4284 84484.exe 93 PID 4692 wrote to memory of 1656 4692 4684608.exe 94 PID 4692 wrote to memory of 1656 4692 4684608.exe 94 PID 4692 wrote to memory of 1656 4692 4684608.exe 94 PID 1656 wrote to memory of 1408 1656 7jjdj.exe 95 PID 1656 wrote to memory of 1408 1656 7jjdj.exe 95 PID 1656 wrote to memory of 1408 1656 7jjdj.exe 95 PID 1408 wrote to memory of 208 1408 86086.exe 96 PID 1408 wrote to memory of 208 1408 86086.exe 96 PID 1408 wrote to memory of 208 1408 86086.exe 96 PID 208 wrote to memory of 2672 208 pdjvj.exe 97 PID 208 wrote to memory of 2672 208 
pdjvj.exe 97 PID 208 wrote to memory of 2672 208 pdjvj.exe 97 PID 2672 wrote to memory of 212 2672 lffxlfr.exe 98 PID 2672 wrote to memory of 212 2672 lffxlfr.exe 98 PID 2672 wrote to memory of 212 2672 lffxlfr.exe 98 PID 212 wrote to memory of 1528 212 g6642.exe 157 PID 212 wrote to memory of 1528 212 g6642.exe 157 PID 212 wrote to memory of 1528 212 g6642.exe 157 PID 1528 wrote to memory of 3648 1528 dvdpj.exe 100 PID 1528 wrote to memory of 3648 1528 dvdpj.exe 100 PID 1528 wrote to memory of 3648 1528 dvdpj.exe 100 PID 3648 wrote to memory of 5032 3648 2008604.exe 158 PID 3648 wrote to memory of 5032 3648 2008604.exe 158 PID 3648 wrote to memory of 5032 3648 2008604.exe 158 PID 5032 wrote to memory of 4884 5032 66082.exe 102 PID 5032 wrote to memory of 4884 5032 66082.exe 102 PID 5032 wrote to memory of 4884 5032 66082.exe 102 PID 4884 wrote to memory of 924 4884 08824.exe 103 PID 4884 wrote to memory of 924 4884 08824.exe 103 PID 4884 wrote to memory of 924 4884 08824.exe 103 PID 924 wrote to memory of 1640 924 082642.exe 104 PID 924 wrote to memory of 1640 924 082642.exe 104 PID 924 wrote to memory of 1640 924 082642.exe 104 PID 1640 wrote to memory of 3784 1640 rrlflfx.exe 105 PID 1640 wrote to memory of 3784 1640 rrlflfx.exe 105 PID 1640 wrote to memory of 3784 1640 rrlflfx.exe 105 PID 3784 wrote to memory of 4888 3784 22608.exe 106 PID 3784 wrote to memory of 4888 3784 22608.exe 106 PID 3784 wrote to memory of 4888 3784 22608.exe 106 PID 4888 wrote to memory of 1148 4888 3ddpd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe"C:\Users\Admin\AppData\Local\Temp\52825affd9856594d5140fd5a80d8571fd116cce412985f713cf61063a0d4fdb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\482086.exec:\482086.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\9vjvj.exec:\9vjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\e80226.exec:\e80226.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\862648.exec:\862648.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\404260.exec:\404260.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\4682442.exec:\4682442.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\84484.exec:\84484.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\4684608.exec:\4684608.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\7jjdj.exec:\7jjdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\86086.exec:\86086.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\pdjvj.exec:\pdjvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\lffxlfr.exec:\lffxlfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\g6642.exec:\g6642.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\dvdpj.exec:\dvdpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\2008604.exec:\2008604.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\66082.exec:\66082.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\08824.exec:\08824.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\082642.exec:\082642.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\rrlflfx.exec:\rrlflfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\22608.exec:\22608.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\3ddpd.exec:\3ddpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\88220.exec:\88220.exe23⤵
- Executes dropped EXE
PID:1148 -
\??\c:\884822.exec:\884822.exe24⤵
- Executes dropped EXE
PID:4780 -
\??\c:\7lrrfff.exec:\7lrrfff.exe25⤵
- Executes dropped EXE
PID:1968 -
\??\c:\jpdpj.exec:\jpdpj.exe26⤵
- Executes dropped EXE
PID:4908 -
\??\c:\3rrlllf.exec:\3rrlllf.exe27⤵
- Executes dropped EXE
PID:3980 -
\??\c:\9llfxxr.exec:\9llfxxr.exe28⤵
- Executes dropped EXE
PID:3860 -
\??\c:\vvpjj.exec:\vvpjj.exe29⤵
- Executes dropped EXE
PID:3148 -
\??\c:\068866.exec:\068866.exe30⤵
- Executes dropped EXE
PID:4000 -
\??\c:\8088666.exec:\8088666.exe31⤵
- Executes dropped EXE
PID:2068 -
\??\c:\btnhbb.exec:\btnhbb.exe32⤵
- Executes dropped EXE
PID:1716 -
\??\c:\6662644.exec:\6662644.exe33⤵
- Executes dropped EXE
PID:3012 -
\??\c:\206000.exec:\206000.exe34⤵
- Executes dropped EXE
PID:4196 -
\??\c:\684660.exec:\684660.exe35⤵
- Executes dropped EXE
PID:2180 -
\??\c:\e00488.exec:\e00488.exe36⤵
- Executes dropped EXE
PID:4024 -
\??\c:\228262.exec:\228262.exe37⤵
- Executes dropped EXE
PID:4752 -
\??\c:\28482.exec:\28482.exe38⤵
- Executes dropped EXE
PID:4028 -
\??\c:\2884888.exec:\2884888.exe39⤵
- Executes dropped EXE
PID:1728 -
\??\c:\88660.exec:\88660.exe40⤵
- Executes dropped EXE
PID:2872 -
\??\c:\nhthbh.exec:\nhthbh.exe41⤵
- Executes dropped EXE
PID:4964 -
\??\c:\60282.exec:\60282.exe42⤵
- Executes dropped EXE
PID:4620 -
\??\c:\dppjv.exec:\dppjv.exe43⤵
- Executes dropped EXE
PID:4080 -
\??\c:\862200.exec:\862200.exe44⤵
- Executes dropped EXE
PID:2364 -
\??\c:\9pppj.exec:\9pppj.exe45⤵
- Executes dropped EXE
PID:3544 -
\??\c:\8222222.exec:\8222222.exe46⤵
- Executes dropped EXE
PID:4456 -
\??\c:\k20266.exec:\k20266.exe47⤵
- Executes dropped EXE
PID:3316 -
\??\c:\26260.exec:\26260.exe48⤵
- Executes dropped EXE
PID:4208 -
\??\c:\48428.exec:\48428.exe49⤵
- Executes dropped EXE
PID:1948 -
\??\c:\8800882.exec:\8800882.exe50⤵
- Executes dropped EXE
PID:4204 -
\??\c:\pdjpp.exec:\pdjpp.exe51⤵
- Executes dropped EXE
PID:1776 -
\??\c:\hhbbtt.exec:\hhbbtt.exe52⤵
- Executes dropped EXE
PID:2504 -
\??\c:\2844844.exec:\2844844.exe53⤵
- Executes dropped EXE
PID:2184 -
\??\c:\6008226.exec:\6008226.exe54⤵
- Executes dropped EXE
PID:1520 -
\??\c:\446248.exec:\446248.exe55⤵
- Executes dropped EXE
PID:4320 -
\??\c:\4840446.exec:\4840446.exe56⤵
- Executes dropped EXE
PID:3396 -
\??\c:\2822888.exec:\2822888.exe57⤵
- Executes dropped EXE
PID:4628 -
\??\c:\thnnnh.exec:\thnnnh.exe58⤵
- Executes dropped EXE
PID:4612 -
\??\c:\0888660.exec:\0888660.exe59⤵
- Executes dropped EXE
PID:3104 -
\??\c:\84004.exec:\84004.exe60⤵
- Executes dropped EXE
PID:4288 -
\??\c:\lxfxlll.exec:\lxfxlll.exe61⤵
- Executes dropped EXE
PID:3604 -
\??\c:\dvjjd.exec:\dvjjd.exe62⤵
- Executes dropped EXE
PID:2912 -
\??\c:\9jdvp.exec:\9jdvp.exe63⤵
- Executes dropped EXE
PID:2428 -
\??\c:\bttnbb.exec:\bttnbb.exe64⤵
- Executes dropped EXE
PID:3596 -
\??\c:\8864468.exec:\8864468.exe65⤵
- Executes dropped EXE
PID:4344 -
\??\c:\tbbbnn.exec:\tbbbnn.exe66⤵PID:2616
-
\??\c:\k80080.exec:\k80080.exe67⤵PID:3240
-
\??\c:\i226004.exec:\i226004.exe68⤵PID:1220
-
\??\c:\6888226.exec:\6888226.exe69⤵PID:1656
-
\??\c:\tbbttt.exec:\tbbttt.exe70⤵PID:3780
-
\??\c:\0448888.exec:\0448888.exe71⤵PID:2016
-
\??\c:\lxxrlff.exec:\lxxrlff.exe72⤵PID:1652
-
\??\c:\vvdjd.exec:\vvdjd.exe73⤵PID:1528
-
\??\c:\3rlfxrr.exec:\3rlfxrr.exe74⤵PID:5032
-
\??\c:\hhnhbb.exec:\hhnhbb.exe75⤵PID:4756
-
\??\c:\64808.exec:\64808.exe76⤵PID:1848
-
\??\c:\9xfxxxr.exec:\9xfxxxr.exe77⤵PID:336
-
\??\c:\c220480.exec:\c220480.exe78⤵PID:408
-
\??\c:\s0600.exec:\s0600.exe79⤵PID:3500
-
\??\c:\5xxxxrr.exec:\5xxxxrr.exe80⤵PID:5068
-
\??\c:\bttnhh.exec:\bttnhh.exe81⤵PID:3108
-
\??\c:\28826.exec:\28826.exe82⤵PID:2772
-
\??\c:\4000466.exec:\4000466.exe83⤵PID:1560
-
\??\c:\bbhbtt.exec:\bbhbtt.exe84⤵PID:4264
-
\??\c:\84004.exec:\84004.exe85⤵PID:2596
-
\??\c:\9tnhbb.exec:\9tnhbb.exe86⤵PID:3408
-
\??\c:\4800448.exec:\4800448.exe87⤵PID:4392
-
\??\c:\22282.exec:\22282.exe88⤵PID:2088
-
\??\c:\g2822.exec:\g2822.exe89⤵PID:4824
-
\??\c:\5lrfflf.exec:\5lrfflf.exe90⤵PID:1824
-
\??\c:\2006060.exec:\2006060.exe91⤵PID:4752
-
\??\c:\40626.exec:\40626.exe92⤵PID:1876
-
\??\c:\bbbthh.exec:\bbbthh.exe93⤵PID:1900
-
\??\c:\822882.exec:\822882.exe94⤵PID:1216
-
\??\c:\46604.exec:\46604.exe95⤵PID:4080
-
\??\c:\88426.exec:\88426.exe96⤵PID:1192
-
\??\c:\488868.exec:\488868.exe97⤵PID:2336
-
\??\c:\o400882.exec:\o400882.exe98⤵PID:4068
-
\??\c:\2066004.exec:\2066004.exe99⤵PID:5044
-
\??\c:\8806282.exec:\8806282.exe100⤵PID:2960
-
\??\c:\8040222.exec:\8040222.exe101⤵PID:3664
-
\??\c:\640488.exec:\640488.exe102⤵PID:1224
-
\??\c:\bnntnn.exec:\bnntnn.exe103⤵PID:3716
-
\??\c:\4226004.exec:\4226004.exe104⤵PID:1888
-
\??\c:\i882660.exec:\i882660.exe105⤵PID:1504
-
\??\c:\6448440.exec:\6448440.exe106⤵PID:3156
-
\??\c:\5ppjd.exec:\5ppjd.exe107⤵PID:1268
-
\??\c:\pjjdp.exec:\pjjdp.exe108⤵PID:4624
-
\??\c:\8222666.exec:\8222666.exe109⤵PID:1740
-
\??\c:\7btbtt.exec:\7btbtt.exe110⤵PID:3348
-
\??\c:\02480.exec:\02480.exe111⤵PID:2380
-
\??\c:\fxffrrr.exec:\fxffrrr.exe112⤵PID:3632
-
\??\c:\686044.exec:\686044.exe113⤵PID:2820
-
\??\c:\6060488.exec:\6060488.exe114⤵PID:696
-
\??\c:\068822.exec:\068822.exe115⤵PID:2384
-
\??\c:\6468260.exec:\6468260.exe116⤵PID:4060
-
\??\c:\28826.exec:\28826.exe117⤵PID:2144
-
\??\c:\bhbtnb.exec:\bhbtnb.exe118⤵PID:3380
-
\??\c:\ffxrrrx.exec:\ffxrrrx.exe119⤵PID:3812
-
\??\c:\nbbhnt.exec:\nbbhnt.exe120⤵PID:2396
-
\??\c:\lllffff.exec:\lllffff.exe121⤵PID:3576
-
\??\c:\40220.exec:\40220.exe122⤵PID:3644