blackmoon | 2fed663d5100094b2de550aad4937e18e2096e55fe7424616736b94b7435d04f

Analysis

max time kernel
149s
max time network
132s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe
Size

1.5MB
MD5

8beb6e8902a9cdc119d58a0fb94b1d3c
SHA1

5fe78eb9fea0b94d2510ee28fea653d1f477bed7
SHA256

2fed663d5100094b2de550aad4937e18e2096e55fe7424616736b94b7435d04f
SHA512

844e56d7a9423850a86fde7d7dc3fab82426d07a15775765cd62218153be94e683d5fe463645ea42a96c5786f22b7f3f707db86244176a3773c43b39f06ad26a
SSDEEP

24576:0++ZwJfwCI8Ddfs/kMUftLGZ98FlE6wI+gfnlRIfaE3JRd5:01/kjtPlERDGnlRANRd5

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 25 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015d97-8.dat	family_blackmoon
behavioral1/files/0x0008000000016d1a-29.dat	family_blackmoon
behavioral1/files/0x0037000000015d09-43.dat	family_blackmoon
behavioral1/files/0x000600000001720f-54.dat	family_blackmoon
behavioral1/files/0x00060000000173b4-67.dat	family_blackmoon
behavioral1/memory/1700-76-0x0000000000400000-0x000000000059A000-memory.dmp	family_blackmoon
behavioral1/memory/2648-77-0x0000000000400000-0x000000000059A000-memory.dmp	family_blackmoon
behavioral1/files/0x00060000000173d3-82.dat	family_blackmoon
behavioral1/files/0x00060000000173d6-95.dat	family_blackmoon
behavioral1/files/0x0006000000017568-114.dat	family_blackmoon
behavioral1/files/0x00050000000186ff-129.dat	family_blackmoon
behavioral1/files/0x0005000000018701-142.dat	family_blackmoon
behavioral1/files/0x000500000001870d-155.dat	family_blackmoon
behavioral1/memory/2648-159-0x0000000000400000-0x000000000059A000-memory.dmp	family_blackmoon
behavioral1/files/0x0005000000018711-164.dat	family_blackmoon
behavioral1/memory/2648-197-0x0000000000400000-0x000000000059A000-memory.dmp	family_blackmoon
behavioral1/memory/2648-227-0x0000000000400000-0x000000000059A000-memory.dmp	family_blackmoon
behavioral1/memory/2648-735-0x0000000000400000-0x000000000059A000-memory.dmp	family_blackmoon
behavioral1/memory/2648-901-0x0000000000400000-0x000000000059A000-memory.dmp	family_blackmoon
behavioral1/memory/2648-1275-0x0000000000400000-0x000000000059A000-memory.dmp	family_blackmoon
behavioral1/memory/2648-1327-0x0000000000400000-0x000000000059A000-memory.dmp	family_blackmoon
behavioral1/memory/2648-1353-0x0000000000400000-0x000000000059A000-memory.dmp	family_blackmoon
behavioral1/memory/2648-1387-0x0000000000400000-0x000000000059A000-memory.dmp	family_blackmoon
behavioral1/memory/2648-1413-0x0000000000400000-0x000000000059A000-memory.dmp	family_blackmoon
behavioral1/memory/2648-1439-0x0000000000400000-0x000000000059A000-memory.dmp	family_blackmoon

Executes dropped EXE 64 IoCs

pid	Process
2916	DouTuDaShi.exe
2604	ohsybf.exe
2648	ohsybf.exe
2224	484149.exe
2504	484149.exe
2844	269222.exe
2596	269222.exe
1304	490503.exe
2300	490503.exe
3052	513764.exe
2960	513764.exe
1988	230399.exe
1156	230399.exe
1484	473559.exe
1084	473559.exe
408	830362.exe
2344	830362.exe
1612	557097.exe
288	557097.exe
1116	698158.exe
2412	698158.exe
2052	117885.exe
1756	117885.exe
1588	538964.exe
2588	538964.exe
2640	771034.exe
2732	771034.exe
2784	298752.exe
2220	298752.exe
2492	662757.exe
2388	662757.exe
2872	640184.exe
2596	640184.exe
3056	067811.exe
3004	067811.exe
3064	270992.exe
3020	270992.exe
536	907607.exe
664	907607.exe
2836	130788.exe
2872	130788.exe
1332	657415.exe
3004	657415.exe
3060	970574.exe
1296	970574.exe
2960	252760.exe
2096	252760.exe
768	485840.exe
996	485840.exe
1392	092555.exe
584	092555.exe
2872	225636.exe
1064	225636.exe
1300	466807.exe
1304	466807.exe
2592	620792.exe
2776	620792.exe
2676	192796.exe
2308	192796.exe
2176	611423.exe
1684	611423.exe
2188	007216.exe
2476	007216.exe
996	310394.exe

Loads dropped DLL 64 IoCs

pid	Process
1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe
1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe
1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe
2604	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2224	484149.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DouTu\DouTuDaShi.exe	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000fd7c0cabdbcadd5ebc2fa03c02553d49f398c3b57629947136374e53b8e9d64d000000000e80000000020000200000006d7ae3db3f39787b73060183c43e9aad94e423d976ac5af7d431789046f8076d20000000cf6b17575a8431c402f6ca7334649a3e9613cdc2bfb49609d3642f069d5e49f94000000028e71b386ef0216743a7c257d60f8d7d6e6beaf2dde71a8a40b8287329dadbedacfd9600c8bd55861e733345f6084ffe2e6e29f707ffe6de8de6cebb4da1ca5b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e93610000000002000000000010660000000100002000000027a19f99be844e10a05aa9c506bb38011d46072e01180e9cf98f47ec73b437a7000000000e8000000002000020000000622b678052b156dec4b5acc86cc73ce376fdc20356a73ad6fcb6968351cb4e3d90000000296b324b77df0e51a472cf744ebceaa489c73e49fc9b78d5edc89907469d58149b76dbd53e771110e34f586db2ca3c4142487ac48b25a1734a0503dffe5727f1c754a597b12f7fd6a9e17ddc52aad54742b6fb06287d6f6671b082d32a628ec572950e344dc73a3b2a74cb03e8b3a91ed75007e86bb09b22545320990067597c8c44e766ea73ec1a2dda6cc7110d65f2400000009028337f809963c7dfeb7fdf76c861e56052d635c2e2a94064f1a4078f6116ffc22de24b4a3961ed291631e79d2e505d9432a72a6329677e93913143d7152058	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0b56883c5b2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423258229"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{95D3DBC1-1EB8-11EF-BB21-6AD47596CE83} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe
1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe
1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe
1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe
2648	ohsybf.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2900	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2916	DouTuDaShi.exe
2916	DouTuDaShi.exe
2916	DouTuDaShi.exe
2916	DouTuDaShi.exe
2900	iexplore.exe
2900	iexplore.exe
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2916	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	29
PID 1700 wrote to memory of 2916	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	29
PID 1700 wrote to memory of 2916	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	29
PID 1700 wrote to memory of 2916	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	29
PID 1700 wrote to memory of 2604	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	30
PID 1700 wrote to memory of 2604	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	30
PID 1700 wrote to memory of 2604	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	30
PID 1700 wrote to memory of 2604	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	30
PID 2604 wrote to memory of 2648	2604	ohsybf.exe	31
PID 2604 wrote to memory of 2648	2604	ohsybf.exe	31
PID 2604 wrote to memory of 2648	2604	ohsybf.exe	31
PID 2604 wrote to memory of 2648	2604	ohsybf.exe	31
PID 2648 wrote to memory of 2224	2648	ohsybf.exe	32
PID 2648 wrote to memory of 2224	2648	ohsybf.exe	32
PID 2648 wrote to memory of 2224	2648	ohsybf.exe	32
PID 2648 wrote to memory of 2224	2648	ohsybf.exe	32
PID 2224 wrote to memory of 2504	2224	484149.exe	33
PID 2224 wrote to memory of 2504	2224	484149.exe	33
PID 2224 wrote to memory of 2504	2224	484149.exe	33
PID 2224 wrote to memory of 2504	2224	484149.exe	33
PID 2648 wrote to memory of 2844	2648	ohsybf.exe	35
PID 2648 wrote to memory of 2844	2648	ohsybf.exe	35
PID 2648 wrote to memory of 2844	2648	ohsybf.exe	35
PID 2648 wrote to memory of 2844	2648	ohsybf.exe	35
PID 2844 wrote to memory of 2596	2844	269222.exe	36
PID 2844 wrote to memory of 2596	2844	269222.exe	36
PID 2844 wrote to memory of 2596	2844	269222.exe	36
PID 2844 wrote to memory of 2596	2844	269222.exe	36
PID 1700 wrote to memory of 2900	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	37
PID 1700 wrote to memory of 2900	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	37
PID 1700 wrote to memory of 2900	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	37
PID 1700 wrote to memory of 2900	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	37
PID 1700 wrote to memory of 1832	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	38
PID 1700 wrote to memory of 1832	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	38
PID 1700 wrote to memory of 1832	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	38
PID 1700 wrote to memory of 1832	1700	2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe	38
PID 2900 wrote to memory of 1752	2900	iexplore.exe	40
PID 2900 wrote to memory of 1752	2900	iexplore.exe	40
PID 2900 wrote to memory of 1752	2900	iexplore.exe	40
PID 2900 wrote to memory of 1752	2900	iexplore.exe	40
PID 2172 wrote to memory of 1748	2172	explorer.exe	41
PID 2172 wrote to memory of 1748	2172	explorer.exe	41
PID 2172 wrote to memory of 1748	2172	explorer.exe	41
PID 2648 wrote to memory of 1304	2648	ohsybf.exe	43
PID 2648 wrote to memory of 1304	2648	ohsybf.exe	43
PID 2648 wrote to memory of 1304	2648	ohsybf.exe	43
PID 2648 wrote to memory of 1304	2648	ohsybf.exe	43
PID 1304 wrote to memory of 2300	1304	490503.exe	44
PID 1304 wrote to memory of 2300	1304	490503.exe	44
PID 1304 wrote to memory of 2300	1304	490503.exe	44
PID 1304 wrote to memory of 2300	1304	490503.exe	44
PID 2648 wrote to memory of 3052	2648	ohsybf.exe	45
PID 2648 wrote to memory of 3052	2648	ohsybf.exe	45
PID 2648 wrote to memory of 3052	2648	ohsybf.exe	45
PID 2648 wrote to memory of 3052	2648	ohsybf.exe	45
PID 3052 wrote to memory of 2960	3052	513764.exe	46
PID 3052 wrote to memory of 2960	3052	513764.exe	46
PID 3052 wrote to memory of 2960	3052	513764.exe	46
PID 3052 wrote to memory of 2960	3052	513764.exe	46
PID 2648 wrote to memory of 1988	2648	ohsybf.exe	47
PID 2648 wrote to memory of 1988	2648	ohsybf.exe	47
PID 2648 wrote to memory of 1988	2648	ohsybf.exe	47
PID 2648 wrote to memory of 1988	2648	ohsybf.exe	47
PID 1988 wrote to memory of 1156	1988	230399.exe	48

C:\Users\Admin\AppData\Local\Temp\2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_8beb6e8902a9cdc119d58a0fb94b1d3c_icedid.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Program Files (x86)\DouTu\DouTuDaShi.exe
  "C:\Program Files (x86)\DouTu\DouTuDaShi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\ohsybf.exe
  "C:\Users\Admin\AppData\Local\Temp\ohsybf.exe" /jscxyxztjkl
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\ohsybf.exe
    "C:\Users\Admin\AppData\Local\Temp\ohsybf.exe" /jsjczxztcq
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Roaming\Download\484149.exe
      "C:\Users\Admin\AppData\Roaming\Download\484149.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Users\Admin\AppData\Roaming\Download\484149.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\484149.exe"
        5⤵
        Executes dropped EXE
        
        PID:2504
  - - C:\Users\Admin\AppData\Roaming\Download\269222.exe
      "C:\Users\Admin\AppData\Roaming\Download\269222.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Users\Admin\AppData\Roaming\Download\269222.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\269222.exe"
        5⤵
        Executes dropped EXE
        
        PID:2596
  - - C:\Users\Admin\AppData\Roaming\Download\490503.exe
      "C:\Users\Admin\AppData\Roaming\Download\490503.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Users\Admin\AppData\Roaming\Download\490503.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\490503.exe"
        5⤵
        Executes dropped EXE
        
        PID:2300
  - - C:\Users\Admin\AppData\Roaming\Download\513764.exe
      "C:\Users\Admin\AppData\Roaming\Download\513764.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Users\Admin\AppData\Roaming\Download\513764.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\513764.exe"
        5⤵
        Executes dropped EXE
        
        PID:2960
  - - C:\Users\Admin\AppData\Roaming\Download\230399.exe
      "C:\Users\Admin\AppData\Roaming\Download\230399.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Users\Admin\AppData\Roaming\Download\230399.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\230399.exe"
        5⤵
        Executes dropped EXE
        
        PID:1156
  - - C:\Users\Admin\AppData\Roaming\Download\473559.exe
      "C:\Users\Admin\AppData\Roaming\Download\473559.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:1484
    - - C:\Users\Admin\AppData\Roaming\Download\473559.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\473559.exe"
        5⤵
        Executes dropped EXE
        
        PID:1084
  - - C:\Users\Admin\AppData\Roaming\Download\830362.exe
      "C:\Users\Admin\AppData\Roaming\Download\830362.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:408
    - - C:\Users\Admin\AppData\Roaming\Download\830362.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\830362.exe"
        5⤵
        Executes dropped EXE
        
        PID:2344
  - - C:\Users\Admin\AppData\Roaming\Download\557097.exe
      "C:\Users\Admin\AppData\Roaming\Download\557097.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:1612
    - - C:\Users\Admin\AppData\Roaming\Download\557097.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\557097.exe"
        5⤵
        Executes dropped EXE
        
        PID:288
  - - C:\Users\Admin\AppData\Roaming\Download\698158.exe
      "C:\Users\Admin\AppData\Roaming\Download\698158.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:1116
    - - C:\Users\Admin\AppData\Roaming\Download\698158.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\698158.exe"
        5⤵
        Executes dropped EXE
        
        PID:2412
  - - C:\Users\Admin\AppData\Roaming\Download\117885.exe
      "C:\Users\Admin\AppData\Roaming\Download\117885.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:2052
    - - C:\Users\Admin\AppData\Roaming\Download\117885.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\117885.exe"
        5⤵
        Executes dropped EXE
        
        PID:1756
  - - C:\Users\Admin\AppData\Roaming\Download\538964.exe
      "C:\Users\Admin\AppData\Roaming\Download\538964.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:1588
    - - C:\Users\Admin\AppData\Roaming\Download\538964.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\538964.exe"
        5⤵
        Executes dropped EXE
        
        PID:2588
  - - C:\Users\Admin\AppData\Roaming\Download\771034.exe
      "C:\Users\Admin\AppData\Roaming\Download\771034.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:2640
    - - C:\Users\Admin\AppData\Roaming\Download\771034.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\771034.exe"
        5⤵
        Executes dropped EXE
        
        PID:2732
  - - C:\Users\Admin\AppData\Roaming\Download\298752.exe
      "C:\Users\Admin\AppData\Roaming\Download\298752.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:2784
    - - C:\Users\Admin\AppData\Roaming\Download\298752.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\298752.exe"
        5⤵
        Executes dropped EXE
        
        PID:2220
  - - C:\Users\Admin\AppData\Roaming\Download\662757.exe
      "C:\Users\Admin\AppData\Roaming\Download\662757.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:2492
    - - C:\Users\Admin\AppData\Roaming\Download\662757.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\662757.exe"
        5⤵
        Executes dropped EXE
        
        PID:2388
  - - C:\Users\Admin\AppData\Roaming\Download\640184.exe
      "C:\Users\Admin\AppData\Roaming\Download\640184.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:2872
    - - C:\Users\Admin\AppData\Roaming\Download\640184.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\640184.exe"
        5⤵
        Executes dropped EXE
        
        PID:2596
  - - C:\Users\Admin\AppData\Roaming\Download\067811.exe
      "C:\Users\Admin\AppData\Roaming\Download\067811.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:3056
    - - C:\Users\Admin\AppData\Roaming\Download\067811.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\067811.exe"
        5⤵
        Executes dropped EXE
        
        PID:3004
  - - C:\Users\Admin\AppData\Roaming\Download\270992.exe
      "C:\Users\Admin\AppData\Roaming\Download\270992.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:3064
    - - C:\Users\Admin\AppData\Roaming\Download\270992.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\270992.exe"
        5⤵
        Executes dropped EXE
        
        PID:3020
  - - C:\Users\Admin\AppData\Roaming\Download\907607.exe
      "C:\Users\Admin\AppData\Roaming\Download\907607.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:536
    - - C:\Users\Admin\AppData\Roaming\Download\907607.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\907607.exe"
        5⤵
        Executes dropped EXE
        
        PID:664
  - - C:\Users\Admin\AppData\Roaming\Download\130788.exe
      "C:\Users\Admin\AppData\Roaming\Download\130788.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:2836
    - - C:\Users\Admin\AppData\Roaming\Download\130788.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\130788.exe"
        5⤵
        Executes dropped EXE
        
        PID:2872
  - - C:\Users\Admin\AppData\Roaming\Download\657415.exe
      "C:\Users\Admin\AppData\Roaming\Download\657415.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:1332
    - - C:\Users\Admin\AppData\Roaming\Download\657415.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\657415.exe"
        5⤵
        Executes dropped EXE
        
        PID:3004
  - - C:\Users\Admin\AppData\Roaming\Download\970574.exe
      "C:\Users\Admin\AppData\Roaming\Download\970574.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:3060
    - - C:\Users\Admin\AppData\Roaming\Download\970574.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\970574.exe"
        5⤵
        Executes dropped EXE
        
        PID:1296
  - - C:\Users\Admin\AppData\Roaming\Download\252760.exe
      "C:\Users\Admin\AppData\Roaming\Download\252760.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:2960
    - - C:\Users\Admin\AppData\Roaming\Download\252760.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\252760.exe"
        5⤵
        Executes dropped EXE
        
        PID:2096
  - - C:\Users\Admin\AppData\Roaming\Download\485840.exe
      "C:\Users\Admin\AppData\Roaming\Download\485840.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:768
    - - C:\Users\Admin\AppData\Roaming\Download\485840.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\485840.exe"
        5⤵
        Executes dropped EXE
        
        PID:996
  - - C:\Users\Admin\AppData\Roaming\Download\092555.exe
      "C:\Users\Admin\AppData\Roaming\Download\092555.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:1392
    - - C:\Users\Admin\AppData\Roaming\Download\092555.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\092555.exe"
        5⤵
        Executes dropped EXE
        
        PID:584
  - - C:\Users\Admin\AppData\Roaming\Download\225636.exe
      "C:\Users\Admin\AppData\Roaming\Download\225636.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:2872
    - - C:\Users\Admin\AppData\Roaming\Download\225636.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\225636.exe"
        5⤵
        Executes dropped EXE
        
        PID:1064
  - - C:\Users\Admin\AppData\Roaming\Download\466807.exe
      "C:\Users\Admin\AppData\Roaming\Download\466807.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:1300
    - - C:\Users\Admin\AppData\Roaming\Download\466807.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\466807.exe"
        5⤵
        Executes dropped EXE
        
        PID:1304
  - - C:\Users\Admin\AppData\Roaming\Download\620792.exe
      "C:\Users\Admin\AppData\Roaming\Download\620792.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:2592
    - - C:\Users\Admin\AppData\Roaming\Download\620792.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\620792.exe"
        5⤵
        Executes dropped EXE
        
        PID:2776
  - - C:\Users\Admin\AppData\Roaming\Download\192796.exe
      "C:\Users\Admin\AppData\Roaming\Download\192796.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:2676
    - - C:\Users\Admin\AppData\Roaming\Download\192796.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\192796.exe"
        5⤵
        Executes dropped EXE
        
        PID:2308
  - - C:\Users\Admin\AppData\Roaming\Download\611423.exe
      "C:\Users\Admin\AppData\Roaming\Download\611423.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:2176
    - - C:\Users\Admin\AppData\Roaming\Download\611423.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\611423.exe"
        5⤵
        Executes dropped EXE
        
        PID:1684
  - - C:\Users\Admin\AppData\Roaming\Download\007216.exe
      "C:\Users\Admin\AppData\Roaming\Download\007216.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:2188
    - - C:\Users\Admin\AppData\Roaming\Download\007216.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\007216.exe"
        5⤵
        Executes dropped EXE
        
        PID:2476
  - - C:\Users\Admin\AppData\Roaming\Download\310394.exe
      "C:\Users\Admin\AppData\Roaming\Download\310394.exe" /Shorttailedrestart
      4⤵
      Executes dropped EXE
      PID:996
    - - C:\Users\Admin\AppData\Roaming\Download\310394.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\310394.exe"
        5⤵
        
        PID:2536
  - - C:\Users\Admin\AppData\Roaming\Download\705286.exe
      "C:\Users\Admin\AppData\Roaming\Download\705286.exe" /Shorttailedrestart
      4⤵
      PID:2940
    - - C:\Users\Admin\AppData\Roaming\Download\705286.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\705286.exe"
        5⤵
        
        PID:1392
  - - C:\Users\Admin\AppData\Roaming\Download\938375.exe
      "C:\Users\Admin\AppData\Roaming\Download\938375.exe" /Shorttailedrestart
      4⤵
      PID:1376
    - - C:\Users\Admin\AppData\Roaming\Download\938375.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\938375.exe"
        5⤵
        
        PID:748
  - - C:\Users\Admin\AppData\Roaming\Download\665092.exe
      "C:\Users\Admin\AppData\Roaming\Download\665092.exe" /Shorttailedrestart
      4⤵
      PID:1144
    - - C:\Users\Admin\AppData\Roaming\Download\665092.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\665092.exe"
        5⤵
        
        PID:2288
  - - C:\Users\Admin\AppData\Roaming\Download\878163.exe
      "C:\Users\Admin\AppData\Roaming\Download\878163.exe" /Shorttailedrestart
      4⤵
      PID:1348
    - - C:\Users\Admin\AppData\Roaming\Download\878163.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\878163.exe"
        5⤵
        
        PID:604
  - - C:\Users\Admin\AppData\Roaming\Download\295888.exe
      "C:\Users\Admin\AppData\Roaming\Download\295888.exe" /Shorttailedrestart
      4⤵
      PID:904
    - - C:\Users\Admin\AppData\Roaming\Download\295888.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\295888.exe"
        5⤵
        
        PID:2352
  - - C:\Users\Admin\AppData\Roaming\Download\438979.exe
      "C:\Users\Admin\AppData\Roaming\Download\438979.exe" /Shorttailedrestart
      4⤵
      PID:316
    - - C:\Users\Admin\AppData\Roaming\Download\438979.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\438979.exe"
        5⤵
        
        PID:2816
  - - C:\Users\Admin\AppData\Roaming\Download\990945.exe
      "C:\Users\Admin\AppData\Roaming\Download\990945.exe" /Shorttailedrestart
      4⤵
      PID:2936
    - - C:\Users\Admin\AppData\Roaming\Download\990945.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\990945.exe"
        5⤵
        
        PID:1704
  - - C:\Users\Admin\AppData\Roaming\Download\023225.exe
      "C:\Users\Admin\AppData\Roaming\Download\023225.exe" /Shorttailedrestart
      4⤵
      PID:1712
    - - C:\Users\Admin\AppData\Roaming\Download\023225.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\023225.exe"
        5⤵
        
        PID:2280
  - - C:\Users\Admin\AppData\Roaming\Download\550950.exe
      "C:\Users\Admin\AppData\Roaming\Download\550950.exe" /Shorttailedrestart
      4⤵
      PID:2692
    - - C:\Users\Admin\AppData\Roaming\Download\550950.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\550950.exe"
        5⤵
        
        PID:2944
  - - C:\Users\Admin\AppData\Roaming\Download\963011.exe
      "C:\Users\Admin\AppData\Roaming\Download\963011.exe" /Shorttailedrestart
      4⤵
      PID:1808
    - - C:\Users\Admin\AppData\Roaming\Download\963011.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\963011.exe"
        5⤵
        
        PID:2548
  - - C:\Users\Admin\AppData\Roaming\Download\480748.exe
      "C:\Users\Admin\AppData\Roaming\Download\480748.exe" /Shorttailedrestart
      4⤵
      PID:2608
    - - C:\Users\Admin\AppData\Roaming\Download\480748.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\480748.exe"
        5⤵
        
        PID:2680
  - - C:\Users\Admin\AppData\Roaming\Download\623827.exe
      "C:\Users\Admin\AppData\Roaming\Download\623827.exe" /Shorttailedrestart
      4⤵
      PID:2824
    - - C:\Users\Admin\AppData\Roaming\Download\623827.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\623827.exe"
        5⤵
        
        PID:2556
  - - C:\Users\Admin\AppData\Roaming\Download\085803.exe
      "C:\Users\Admin\AppData\Roaming\Download\085803.exe" /Shorttailedrestart
      4⤵
      PID:1064
    - - C:\Users\Admin\AppData\Roaming\Download\085803.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\085803.exe"
        5⤵
        
        PID:1404
  - - C:\Users\Admin\AppData\Roaming\Download\228983.exe
      "C:\Users\Admin\AppData\Roaming\Download\228983.exe" /Shorttailedrestart
      4⤵
      PID:3004
    - - C:\Users\Admin\AppData\Roaming\Download\228983.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\228983.exe"
        5⤵
        
        PID:3056
  - - C:\Users\Admin\AppData\Roaming\Download\745619.exe
      "C:\Users\Admin\AppData\Roaming\Download\745619.exe" /Shorttailedrestart
      4⤵
      PID:1912
    - - C:\Users\Admin\AppData\Roaming\Download\745619.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\745619.exe"
        5⤵
        
        PID:2024
  - - C:\Users\Admin\AppData\Roaming\Download\858779.exe
      "C:\Users\Admin\AppData\Roaming\Download\858779.exe" /Shorttailedrestart
      4⤵
      PID:2316
    - - C:\Users\Admin\AppData\Roaming\Download\858779.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\858779.exe"
        5⤵
        
        PID:1952
  - - C:\Users\Admin\AppData\Roaming\Download\330765.exe
      "C:\Users\Admin\AppData\Roaming\Download\330765.exe" /Shorttailedrestart
      4⤵
      PID:2612
    - - C:\Users\Admin\AppData\Roaming\Download\330765.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\330765.exe"
        5⤵
        
        PID:1736
  - - C:\Users\Admin\AppData\Roaming\Download\573853.exe
      "C:\Users\Admin\AppData\Roaming\Download\573853.exe" /Shorttailedrestart
      4⤵
      PID:776
    - - C:\Users\Admin\AppData\Roaming\Download\573853.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\573853.exe"
        5⤵
        
        PID:2856
  - - C:\Users\Admin\AppData\Roaming\Download\090551.exe
      "C:\Users\Admin\AppData\Roaming\Download\090551.exe" /Shorttailedrestart
      4⤵
      PID:2572
    - - C:\Users\Admin\AppData\Roaming\Download\090551.exe
        
        "C:\Users\Admin\AppData\Roaming\Download\090551.exe"
        5⤵
        
        PID:2544
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://hao.360.cn/?src=lm&ls=n6abbbb598c
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1752
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" C:\Users\Admin\AppData\Local\Temp\ldsajdklsajdlkjsalkda.bat
  2⤵
  PID:1832

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ldsajdklsajdlkjsalkda.bat" "
  2⤵
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b7b275e749ce60afda9403c5731d697

SHA1
fee4abf4b579b4125760d3cdbfddcefeeb0944db

SHA256
40eafeaa580301cd165a31b1b31f93a9ca87c37d716d538ff86fc21ffc387e79

SHA512
765ae800b8b7854b7e2fcc7008f22632b8404536ba271d05b7deec0705bbd9921f455f377ef5cc73be44de8cc731bba48418000bad6bae549ef4bb43317b3d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7621ba98060a91bc897dbb08e3cd84b

SHA1
fd1a3f77f9f1d3f07ccb0aaa2c17bba98adde936

SHA256
8ec52cfb997a371a3c998b0bd93bb8b9bf97895e06bb5c2a0c6213ffbcaed4e4

SHA512
4636265d96a01010e9d861b4872204968ee2cfcbafaf374867376637ca7b642dea100bd514fe0a29db8bba672c0a5401517e4b80cb3a4d11386d16d34d0708f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79f4bff05a0fbb2de5ed4b956ced25cc

SHA1
d9263390122e05694e2cfedfa54ebc5d4250d90d

SHA256
bf8990bbcc59e1d8bffafd8f760eccee4b88a0f09d247695c89437f695321da0

SHA512
15b29bef839dd3b3f2ce6d87bfe68348994c6c5e9e8e66035e309a6b8d3a3901766d0c3cc7705d750b03221f6864351a15317017846f98cf7104c1fd929e0728

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f9292956f478b84e791b2a5d53d707d

SHA1
2873ba2c1c04d72dda5241e639b61270d43a0576

SHA256
ed901f003696c45050730d0d0596797d4540f481daa5ada7551daea0ae4dee7b

SHA512
4edea2f7a94290e3bb5d12c1ea6e0e5f3f3e3563985f81c78962aebb6008513a85901474b4828a0df0d6caa4bc6c12911ef547fb65d4b3dc9c3fac3f74290eac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b683b3eff6421f4eb66a55c0048d7883

SHA1
ae510d7ed19e983cd801196cfa9a13f64274dd35

SHA256
a8c6d2b2c0741856f9b6002036099508f0e0ab43656c69980d0785c130b33214

SHA512
17e7602ccb7f491f14788abb336b0087e51b780f40a5beafe1768aa0a66d3f0ee97e7d25c3f7e245380c16684742b1777266022cf789b17282784dac426e3515

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07408821acc9e1ad4ff6b8169cb0420d

SHA1
55e8f1e4d5b695239c46641fd668472bd3321458

SHA256
782ecb251048248cb2fb1b7975b6d4d74f5c2c37ea6c7ac923da37242480c247

SHA512
1768c0af18821a0224c4e0b5544119f7ebe7fb2a58a768f202230e628eb5185cfca0e474cb0aef0e951840e5249e0f943b088098f828ed8dadfd16954f0a7c14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
718415d3a42d651a8d423f9a5a581e34

SHA1
2438cc8d03d898699b63ad640d398177a4687ca4

SHA256
c3d1a1d9502602b5bb31c0d547ed4628aa1015a81f59408c08ece0b09135b354

SHA512
a7015795796046a40acd82da819b21b2968595e924a6623f04a4295d4286ac102e73cca4c366b2a2b8d85b7cf446d4df0e839d50341df0a62f076ca432b06576

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89fc54d5523a93400bb4b986743fce89

SHA1
a005ac5a42766ee4af8fbbbd31cc77bbb96c1f19

SHA256
d93e3662001cecff421c50d0f51916d42a35c04bd72738688b2cb3257e4b0584

SHA512
5bd4fa5ad016f100b5ccbd961ebdf4945cef216867e8891cd69d74c46bc36acd8206b9d66cc31b583c9ec6e9454dda42a3c298141c9f969dcc8d34cf15caa4b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae2e95403b8170d7058363d255823a2d

SHA1
f8541662fb7d098e5ce8918071143c5ddd62e188

SHA256
3576f44763968b8c393d898edef0210d3f9427616568a87bf7be93b6c9696b9e

SHA512
d495bedd894a39b0428fda512839fd7845176f30056c74ac8ad9c38e7347616b7bb01aea69efd2c4e0d317826394df6d368e10c7c2979956e08efb23a4c0d653

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dc9b0cf18c9e1a984eeb79f9450e392

SHA1
7459e5582ef60df01487dfeed869947dec76bb90

SHA256
64dd89bfb15ea274ccd45cee8ae0bdd752b1bc95c4268cb8bdeb2ff8c1030457

SHA512
20b3754860bec614446a56249c10e944ecd82b938750c564f12d0fa4b6315f0839f06918495f07396170d0157adbc7c841ea1632edfc1a491cc27d2e7605b9f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0278b7fc54e285dbbe76d61866d8600

SHA1
88566f49aefade85b58b324d0a2831d26e55449a

SHA256
c1c9a78a758de49cec0697276082d826219749cc8985dc1938797bd8f0e7a634

SHA512
0bb53709f21c0d3fbfa862190e748ebee1e7ba32f971c6816e4d95b443ad213e891ed55bdab2cca98666f829974625a871f7c911f714fadde85360af2d33c818

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2fdfcb14f62160aa0e5e440a2a826e4

SHA1
952799945285ac854211c7b328496c28e2519e6e

SHA256
9bc6a858c7a376e8594b0a390fb814d84ccc29e0d2848e5d4bd9fbcccb1ff26b

SHA512
a6afe883ef01c2d3b0cd84d56a2c453ea61285482cd791eb0996696a563820c4059068f695bd49731916fb220fae24a48b8ad206ac16bdb0f0d1a863e643bec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
593341ccfadec2984240ff82c1f9ebf9

SHA1
ed05d916e0c9284e2b6aed49a703111b9e8b1ae0

SHA256
dabec048353223c6566209337ae432d3eae14facf4c544cf8d6549607daf0d59

SHA512
43520528914b0528f6c9135f3749b589832b35e755249d56dd3efaffb3e547c8f56b42cc04b7ef218eba90baa97104964c42b1af732e6dd1591a2e4d9a356165

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d04501c57a0f56e4ea20d869f3337eda

SHA1
19058b8863932235748e5af9e39ce7f1ed6d8973

SHA256
6f375491fbd02e093be659709e31dac7cf410504a9373ec98692e7a3c0b9643e

SHA512
711e207d8385a5da446b940f06a6f06ec89239b8fc00fca2c68eeaae8e88bba5ff541dfc7878a27fa958e74297d6b94820460ef128e4b4f34a56a245bfe48c01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7ecae919fc8a0f3346e0fbea3b2fa44

SHA1
86360d58d890a07285516f3d1542298cf5e56ae0

SHA256
7254dbe37a780dae594921ad66e81a3a0f59f7ca96745acf9cd8e72a27f1e964

SHA512
eb457cff888290ad297e2666cf8de8d3e311f596d26c2b58c672f8a96f56341dfcbb261bcc66120be08de9256384a49ae9d29f82a1869cb189f14c3a4417cb9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
348d7a72ad325c06c667462b73086920

SHA1
0c10735fdefc55d3f49eb3ad674e7c5ddba29087

SHA256
ef0aa1b01c30c526ff69910dd158e4cb77084612471fc08c96cafe7d811a673f

SHA512
bbc9d5b9f59e7928b6ae0dc5f426fe14dfaf7dc0f983d075654186b344442ff8fae384c7e766fc298344f253c4c652294ef91ca8b6d13771a9686a3912c7a939

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0d7d98464cdcc984c78b9a93388b722

SHA1
0e3b53a7a19a9d40402cc3df35e3bee4b86885e6

SHA256
df879817201734aec0649fad747d3fce0a132a65594316f82a5d13786b6dbae0

SHA512
eb49a19b768a7c4dc6fecfc1fe5d486b69ad3f0d9bd0b702d21b44e01b7404f4cd1e245fc6ec25094619d9ce2278540737fbf44f2a24a76db4c92528fda7e0b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0544b4ac995ab346a69d7e45744b94ec

SHA1
ab31fab901b17328a70bf270e6728fe4072db085

SHA256
6f6e6cad2f73554f558be354061c3b6ee3b85a8933fc00c36eabc835c0e152db

SHA512
e98f22813e86212ad0010e1535e18b8af45b217a45de043dbcca57c29af9ebe6b94cd0745aa274c7d80f130a3e0566dc73f5e77bc1d05f89aeffd4e2d02ecaa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
561b353dccceebee10d74f38ad2115fc

SHA1
164336a005dfd41dff432993c581809f5438de19

SHA256
dacb4d6fe417a92112000334401a87b48b6534d81efa45e345c3c4acc8e085e0

SHA512
cd3e3fbd6e797ba471ebd1ee725d2038face54b470898027365b592fe57895999fe0bef4b5c2acad6a1ba66a9d7e4df01016164902250de59bf8c82186e83d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE679.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE70A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE71E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldsajdklsajdlkjsalkda.bat

Filesize
589B

MD5
8d429a42926ee993fd964b694d838812

SHA1
39695db3362a18889277c80871a511029ca62ef2

SHA256
20cefb599f8c1acaed3c65ce14b8adb23f0ffdd0eb65a511dc614aa74cee02dd

SHA512
f6979caaf41cbe5b5ee1e6fd5fce7027ba6102470cd13bdfe3b3aaf441539b158f626c3b990567cf8a82dcb129dcc718f9408830280b793f995de89bddafe322

Download Submit
C:\Users\Admin\AppData\Roaming\Download\117885.exe

Filesize
1.5MB

MD5
7b7c8374afdf31197d78dad09065fad4

SHA1
2683472ef28fdca9b555706ffcf019c21e51f26a

SHA256
87dc7e5a612d0b2fd77b80441f0eed51f37177fae037a637f5f2f06938fce46e

SHA512
79714e49c538e4eff28e13823a219d64f43d9c27f78924a99ad5294ee0616b555e664a24a601f3b37de0ad3d145c6befc293e0c484396c0f3361d75358588ede

Download Submit
C:\Users\Admin\AppData\Roaming\Download\269222.exe

Filesize
1.5MB

MD5
21cef9496df008d2ebd549a84eb2a0a8

SHA1
8289f6a7d4485eae2ef122e7c529abf3979069dc

SHA256
b20e6dd07b854cec8fb27f00be45043680fe0f53da31dff94b5379f685ff1dc9

SHA512
827a4cba24d4b0323fe9df2aa3dcf25003efc00c7e566e911ec127a6aed2456f5039b15722f734aefc3ec212ac599422c7275dbb37b24ad3364b185546c40130

Download Submit
C:\Users\Admin\AppData\Roaming\Download\484149.exe

Filesize
1.5MB

MD5
d6a712d12e6151ce13f7c1377539dd05

SHA1
482670da90f714e0775e270e9798846a8c322f2c

SHA256
d100ff6c31b51c726fb72e68bc6a03ef0468ba18f6780980bc17c48fdfc8a714

SHA512
6adeb5f222bfef47d3d497e916cbeab50047635eaecfd05376684ddf9538c167000037005f62f13adc3a46e5f9c8fd01285f8e7edd6c984e44e11d97de6c5748

Download Submit
C:\Users\Admin\AppData\Roaming\Download\557097.exe

Filesize
1.5MB

MD5
202c8433e4cb083ebc7951e6487c0919

SHA1
dbb9637c862a58776f57b47cf8e188b7e946fe76

SHA256
01977561a6edf36c92a7a93a9e534815e286351aabc0fe8ae9caf78304c24fb1

SHA512
ec91e2fd7afc59db1882470b2d88fed9994c29d0e938726f669b148c92d5ce41d0cb0d1342a7b8ee96374d87d8f637674a4062be3b740bb8f3678a6d54ccfb2b

Download Submit
C:\Users\Admin\AppData\Roaming\Download\698158.exe

Filesize
1.5MB

MD5
01a46fbf3fe8b2fcdf23ee651f074a12

SHA1
ce1cb339881aadf9bf5bb3546543d565224d5b40

SHA256
2b0f24aec0e9fecc341a665ed5cc2f13db4c3208829d084c244e10507c19c3bd

SHA512
b5de607b45604c51c20074e54c6c3a839d9a901341b144ce0ef2739afaad07a0de207252268c0732c0ab89b4335d74c53ef03025b3b356689c96659dc279b875

Download Submit
C:\Users\Admin\AppData\Roaming\Download\830362.exe

Filesize
1.5MB

MD5
32bb32d18bcda93696a2d398568a0cf9

SHA1
2fd0db5b517187d9c83b3f913aa75235d5de918b

SHA256
860b6199a08500360af52f83cf3706674c174662274e6228e7b518b3ccd4ddf5

SHA512
cc7689a8fffe35f63afa0f1995a2c2e95b0d7d3b220f3fc962a84111ef6d2ff1feba507b007e06136376f7254b6ae476b3a33ab22ebb8970ee2edc1db87bcd51

Download Submit
\Program Files (x86)\DouTu\DouTuDaShi.exe

Filesize
1.1MB

MD5
ab71d658fafe7acc09e7de2116a85f89

SHA1
d1dd1a053f2c970bc4d0043bf3e682fbf2ea405f

SHA256
f84de427eb42b4815369a0fd1576c0d31dcbc6335e786cc5189837278a9bd24f

SHA512
18651fbc489a877400b92beb95dd66c85285586bcbd84c392e2f67dbca9608ec207004a5ad7d8164c9c515cce45ee7628403300eae56786d556305725b9e9e27

Download Submit
\Users\Admin\AppData\Local\Temp\ohsybf.exe

Filesize
1.5MB

MD5
8beb6e8902a9cdc119d58a0fb94b1d3c

SHA1
5fe78eb9fea0b94d2510ee28fea653d1f477bed7

SHA256
2fed663d5100094b2de550aad4937e18e2096e55fe7424616736b94b7435d04f

SHA512
844e56d7a9423850a86fde7d7dc3fab82426d07a15775765cd62218153be94e683d5fe463645ea42a96c5786f22b7f3f707db86244176a3773c43b39f06ad26a

Download Submit
\Users\Admin\AppData\Roaming\Download\230399.exe

Filesize
1.5MB

MD5
f56315a3ecba450c340e80e34bde7ad5

SHA1
426975da596bb294aae9c77ae30e96cb71dd757c

SHA256
c2df484bddfae05aa7dee73480437ebc67e0ccd01016c7c90567188adb837019

SHA512
8e59ca846b194de8a04daf5148c720528a687e523035dd72ac6396359ab5ffd33db3c8f4295c16dd948730a71b1ae01901c2974ce3e0af303a598feb2b37a945

Download Submit
\Users\Admin\AppData\Roaming\Download\473559.exe

Filesize
1.5MB

MD5
c91d3bb991f34ec5224e792b7ecaa29d

SHA1
e60dd75630416ff693464ef1724f6fca60e49eac

SHA256
7aedf0099f3e0de5c437fb0c7f1f13db91fb55f9db47ad576ed680537825608f

SHA512
4e9736280d8438fabc7417ba553ed2fee45af45ae7ee68ab82bf1d8de1f09f86aae5046e9f94c82e5e6ad68fc021c3f0df2d1b18d6000701be2349351fcccd64

Download Submit
\Users\Admin\AppData\Roaming\Download\490503.exe

Filesize
1.5MB

MD5
4413c202c8100ad2e4af9d05a7391f9e

SHA1
31b0cfbf4a9c8fb3ea6fec554d9b47ffc27c078e

SHA256
2ca140ba2f51620adec6f1e1ebfd72a87bfa02f5e7512270500d6271abd93d18

SHA512
75ddb46f53a6d63e61348f5959b1cfd495e2d062d3a8f3985c005586414ae014d308b6d951a1340b678e960f4121db21ab971ddfcea9bb6ba2d2d04b3b450a1d

Download Submit
\Users\Admin\AppData\Roaming\Download\513764.exe

Filesize
1.5MB

MD5
a1b9123321f9430dcc4905b36933252d

SHA1
68b8120e23b68706c03da78e1d18a41925a7639e

SHA256
2943688bcfd33816f9630139ef56e8516d86ebc002b84f24951191650e032dd2

SHA512
6941bf40631301b2e5594fa47619b5608a4dbe336ad3eed5666736c56f581708bc53007e0e19c73fc2b930ec2ae42ea8d9699336097684e04d9d2e84058457a4

Download Submit
\Users\Admin\AppData\Roaming\Download\538964.exe

Filesize
1.5MB

MD5
666f90cec78565e16941da7fc20392cf

SHA1
b7732b502bd15c70e456a50825b700f6f49caadf

SHA256
ec7af612141f6cebca3c9b8a0f48fbe4fef83b93f55034766428bdd68475c9d9

SHA512
8a85f91a3e4d16a98ee07f549d3c64ca00c2c9787b5a5a78fa82fc7a04fceef4d0f6a007193e52bccba802eba30f10878a3ae9f07713792a6f27d376173a497e

Download Submit
memory/1700-76-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2648-901-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2648-77-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2648-735-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2648-197-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2648-159-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2648-227-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2648-1275-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2648-1327-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2648-1353-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2648-1387-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2648-1413-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download
memory/2648-1439-0x0000000000400000-0x000000000059A000-memory.dmp

Filesize
1.6MB

Download