Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 02:32
Behavioral task
behavioral1
Sample
b9e05be5be5f8e167a54ec8dad56861516f8370241dc7069899ab4c525e5ab85N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
b9e05be5be5f8e167a54ec8dad56861516f8370241dc7069899ab4c525e5ab85N.exe
-
Size
335KB
-
MD5
68dcfb28633b2e07c6eb42f10e53c5d0
-
SHA1
7243f8edb45339bc3e8c6257068b78a8fbd46879
-
SHA256
b9e05be5be5f8e167a54ec8dad56861516f8370241dc7069899ab4c525e5ab85
-
SHA512
5164ae48d8239a2f7b97799741d94d6c7621bd9c5fa1cb5800b4bab9f439809b02d91fd8735752acb9f5c69258ed7111d9b7c88b69017b2a53f912419c977662
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRn:R4wFHoSHYHUrAwfMp3CDRn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4824-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4724-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1336-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2932-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4276-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4296-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3220-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2416-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3844-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1676-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2428-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/392-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/920-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3896-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2740-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2992-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/592-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2508-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4948-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3628-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1072-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2244-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3360-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4368-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4472-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2944-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2676-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2564-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1752-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1596-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3856-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1904-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4408-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3208-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2064-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2920-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3648-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4496-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4808-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1600-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2528-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3752-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-349-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4780-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/316-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2256-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4212-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2148-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-407-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/244-455-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1868-502-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-747-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4480-758-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4576-1177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4724 0046026.exe 1336 hhbttn.exe 2932 222826.exe 4276 60022.exe 3220 bbthtn.exe 4296 44442.exe 3652 22028.exe 3844 frrfflf.exe 2416 llrrrrr.exe 1676 0200448.exe 2428 04488.exe 4152 442880.exe 392 226862.exe 2796 ppdpj.exe 920 tnbhbn.exe 2676 08482.exe 2944 vpvdd.exe 4364 c848826.exe 4368 nthntb.exe 4472 00602.exe 3360 4240044.exe 3896 682266.exe 3436 tnhnnn.exe 3636 242260.exe 2244 xxrlrfr.exe 4580 u200066.exe 2256 60042.exe 1072 04602.exe 4828 406200.exe 1608 0246824.exe 4576 022666.exe 1996 0448888.exe 2472 46840.exe 2740 pvddd.exe 836 5llfrlx.exe 4944 1rffxxr.exe 3628 624404.exe 5040 026280.exe 3512 fffxxxx.exe 4948 jdjdp.exe 2992 llxxxxx.exe 4476 5btnhh.exe 2252 w46488.exe 4760 pjvpv.exe 4320 jjvpj.exe 1364 jvvdv.exe 2508 hbbbbb.exe 1792 084422.exe 4928 dppjj.exe 1008 4684482.exe 2396 80884.exe 3604 xlxflfx.exe 592 2682002.exe 4440 nhhhbb.exe 4040 3rlfxxx.exe 60 rffrffx.exe 2564 pjpjd.exe 3632 80086.exe 1752 5rfxxfl.exe 1596 xflfxxf.exe 3856 486404.exe 1356 hhtthh.exe 1904 48662.exe 4408 rlrlrrr.exe -
resource yara_rule behavioral2/memory/4824-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023cb5-3.dat upx behavioral2/memory/4824-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-9.dat upx behavioral2/memory/4724-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-11.dat upx behavioral2/memory/1336-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-18.dat upx behavioral2/memory/2932-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-24.dat upx behavioral2/memory/4276-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-28.dat upx behavioral2/memory/4296-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3220-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3652-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-35.dat upx behavioral2/files/0x0007000000023cc1-39.dat upx behavioral2/files/0x0007000000023cc2-43.dat upx behavioral2/memory/2416-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3844-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cb8-48.dat upx behavioral2/files/0x0007000000023cc3-53.dat upx behavioral2/memory/1676-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-58.dat upx behavioral2/memory/2428-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-65.dat upx behavioral2/memory/392-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-69.dat upx behavioral2/files/0x0007000000023cc8-74.dat upx behavioral2/memory/4152-63-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/920-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-83.dat upx behavioral2/files/0x0007000000023ccb-89.dat upx behavioral2/files/0x0007000000023ccc-93.dat upx behavioral2/files/0x0007000000023cce-102.dat upx behavioral2/memory/3896-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd0-113.dat upx behavioral2/files/0x0007000000023cd1-116.dat upx behavioral2/files/0x0007000000023cd2-121.dat upx behavioral2/memory/2740-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2992-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/592-205-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3604-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2508-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2252-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4948-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3628-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd9-153.dat upx behavioral2/files/0x0007000000023cd8-149.dat upx behavioral2/memory/1608-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd7-144.dat upx behavioral2/files/0x0007000000023cd6-140.dat upx behavioral2/memory/1072-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd5-135.dat upx behavioral2/files/0x0007000000023cd4-131.dat upx behavioral2/memory/4580-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd3-126.dat upx behavioral2/memory/2244-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3360-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccf-107.dat upx 
behavioral2/memory/4368-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4472-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccd-97.dat upx behavioral2/memory/2944-87-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 024488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0200448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
o448404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u200066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2046468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 064422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4244068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4066660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264822.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6000444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4066660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0626600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 840040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04042.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4824 wrote to memory of 4724 4824 b9e05be5be5f8e167a54ec8dad56861516f8370241dc7069899ab4c525e5ab85N.exe 82 PID 4824 wrote to memory of 4724 4824 b9e05be5be5f8e167a54ec8dad56861516f8370241dc7069899ab4c525e5ab85N.exe 82 PID 4824 wrote to memory of 4724 4824 b9e05be5be5f8e167a54ec8dad56861516f8370241dc7069899ab4c525e5ab85N.exe 82 PID 4724 wrote to memory of 1336 4724 0046026.exe 83 PID 4724 wrote to memory of 1336 4724 0046026.exe 83 PID 4724 wrote to memory of 1336 4724 0046026.exe 83 PID 1336 wrote to memory of 2932 1336 hhbttn.exe 84 PID 1336 wrote to memory of 2932 1336 hhbttn.exe 84 PID 1336 wrote to memory of 2932 1336 hhbttn.exe 84 PID 2932 wrote to memory of 4276 2932 222826.exe 85 PID 2932 wrote to memory of 4276 2932 222826.exe 85 PID 2932 wrote to memory of 4276 2932 222826.exe 85 PID 4276 wrote to memory of 3220 4276 60022.exe 86 PID 4276 wrote to memory of 3220 4276 60022.exe 86 PID 4276 wrote to memory of 3220 4276 60022.exe 86 PID 3220 wrote to memory of 4296 3220 bbthtn.exe 87 PID 3220 wrote to memory of 4296 3220 bbthtn.exe 87 PID 3220 wrote to memory of 4296 3220 bbthtn.exe 87 PID 4296 wrote to memory of 3652 4296 44442.exe 88 PID 4296 wrote to memory of 3652 4296 44442.exe 88 PID 4296 wrote to memory of 3652 4296 44442.exe 88 PID 3652 wrote to memory of 3844 3652 22028.exe 89 PID 3652 wrote to memory of 3844 3652 22028.exe 89 PID 3652 wrote to memory of 3844 3652 22028.exe 89 PID 3844 wrote to memory of 2416 3844 frrfflf.exe 90 PID 3844 wrote to memory of 2416 3844 frrfflf.exe 90 PID 3844 wrote to memory of 2416 3844 frrfflf.exe 90 PID 2416 wrote to memory of 1676 2416 llrrrrr.exe 91 PID 2416 wrote to memory of 1676 2416 llrrrrr.exe 91 PID 2416 wrote to memory of 1676 2416 llrrrrr.exe 91 PID 1676 wrote to memory of 2428 1676 0200448.exe 92 PID 1676 wrote to memory of 2428 1676 0200448.exe 92 PID 1676 wrote to memory of 2428 1676 0200448.exe 92 PID 2428 wrote to memory of 4152 2428 04488.exe 93 PID 2428 wrote 
to memory of 4152 2428 04488.exe 93 PID 2428 wrote to memory of 4152 2428 04488.exe 93 PID 4152 wrote to memory of 392 4152 442880.exe 94 PID 4152 wrote to memory of 392 4152 442880.exe 94 PID 4152 wrote to memory of 392 4152 442880.exe 94 PID 392 wrote to memory of 2796 392 226862.exe 95 PID 392 wrote to memory of 2796 392 226862.exe 95 PID 392 wrote to memory of 2796 392 226862.exe 95 PID 2796 wrote to memory of 920 2796 ppdpj.exe 96 PID 2796 wrote to memory of 920 2796 ppdpj.exe 96 PID 2796 wrote to memory of 920 2796 ppdpj.exe 96 PID 920 wrote to memory of 2676 920 tnbhbn.exe 97 PID 920 wrote to memory of 2676 920 tnbhbn.exe 97 PID 920 wrote to memory of 2676 920 tnbhbn.exe 97 PID 2676 wrote to memory of 2944 2676 08482.exe 98 PID 2676 wrote to memory of 2944 2676 08482.exe 98 PID 2676 wrote to memory of 2944 2676 08482.exe 98 PID 2944 wrote to memory of 4364 2944 vpvdd.exe 99 PID 2944 wrote to memory of 4364 2944 vpvdd.exe 99 PID 2944 wrote to memory of 4364 2944 vpvdd.exe 99 PID 4364 wrote to memory of 4368 4364 c848826.exe 100 PID 4364 wrote to memory of 4368 4364 c848826.exe 100 PID 4364 wrote to memory of 4368 4364 c848826.exe 100 PID 4368 wrote to memory of 4472 4368 nthntb.exe 101 PID 4368 wrote to memory of 4472 4368 nthntb.exe 101 PID 4368 wrote to memory of 4472 4368 nthntb.exe 101 PID 4472 wrote to memory of 3360 4472 00602.exe 102 PID 4472 wrote to memory of 3360 4472 00602.exe 102 PID 4472 wrote to memory of 3360 4472 00602.exe 102 PID 3360 wrote to memory of 3896 3360 4240044.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9e05be5be5f8e167a54ec8dad56861516f8370241dc7069899ab4c525e5ab85N.exe"C:\Users\Admin\AppData\Local\Temp\b9e05be5be5f8e167a54ec8dad56861516f8370241dc7069899ab4c525e5ab85N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\0046026.exec:\0046026.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\hhbttn.exec:\hhbttn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\222826.exec:\222826.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\60022.exec:\60022.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\bbthtn.exec:\bbthtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\44442.exec:\44442.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\22028.exec:\22028.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\frrfflf.exec:\frrfflf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\llrrrrr.exec:\llrrrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\0200448.exec:\0200448.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\04488.exec:\04488.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\442880.exec:\442880.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\226862.exec:\226862.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\ppdpj.exec:\ppdpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\tnbhbn.exec:\tnbhbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\08482.exec:\08482.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\vpvdd.exec:\vpvdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\c848826.exec:\c848826.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\nthntb.exec:\nthntb.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\00602.exec:\00602.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\4240044.exec:\4240044.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\682266.exec:\682266.exe23⤵
- Executes dropped EXE
PID:3896 -
\??\c:\tnhnnn.exec:\tnhnnn.exe24⤵
- Executes dropped EXE
PID:3436 -
\??\c:\242260.exec:\242260.exe25⤵
- Executes dropped EXE
PID:3636 -
\??\c:\xxrlrfr.exec:\xxrlrfr.exe26⤵
- Executes dropped EXE
PID:2244 -
\??\c:\u200066.exec:\u200066.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4580 -
\??\c:\60042.exec:\60042.exe28⤵
- Executes dropped EXE
PID:2256 -
\??\c:\04602.exec:\04602.exe29⤵
- Executes dropped EXE
PID:1072 -
\??\c:\406200.exec:\406200.exe30⤵
- Executes dropped EXE
PID:4828 -
\??\c:\0246824.exec:\0246824.exe31⤵
- Executes dropped EXE
PID:1608 -
\??\c:\022666.exec:\022666.exe32⤵
- Executes dropped EXE
PID:4576 -
\??\c:\0448888.exec:\0448888.exe33⤵
- Executes dropped EXE
PID:1996 -
\??\c:\46840.exec:\46840.exe34⤵
- Executes dropped EXE
PID:2472 -
\??\c:\pvddd.exec:\pvddd.exe35⤵
- Executes dropped EXE
PID:2740 -
\??\c:\5llfrlx.exec:\5llfrlx.exe36⤵
- Executes dropped EXE
PID:836 -
\??\c:\1rffxxr.exec:\1rffxxr.exe37⤵
- Executes dropped EXE
PID:4944 -
\??\c:\624404.exec:\624404.exe38⤵
- Executes dropped EXE
PID:3628 -
\??\c:\026280.exec:\026280.exe39⤵
- Executes dropped EXE
PID:5040 -
\??\c:\fffxxxx.exec:\fffxxxx.exe40⤵
- Executes dropped EXE
PID:3512 -
\??\c:\jdjdp.exec:\jdjdp.exe41⤵
- Executes dropped EXE
PID:4948 -
\??\c:\llxxxxx.exec:\llxxxxx.exe42⤵
- Executes dropped EXE
PID:2992 -
\??\c:\5btnhh.exec:\5btnhh.exe43⤵
- Executes dropped EXE
PID:4476 -
\??\c:\w46488.exec:\w46488.exe44⤵
- Executes dropped EXE
PID:2252 -
\??\c:\pjvpv.exec:\pjvpv.exe45⤵
- Executes dropped EXE
PID:4760 -
\??\c:\jjvpj.exec:\jjvpj.exe46⤵
- Executes dropped EXE
PID:4320 -
\??\c:\jvvdv.exec:\jvvdv.exe47⤵
- Executes dropped EXE
PID:1364 -
\??\c:\hbbbbb.exec:\hbbbbb.exe48⤵
- Executes dropped EXE
PID:2508 -
\??\c:\084422.exec:\084422.exe49⤵
- Executes dropped EXE
PID:1792 -
\??\c:\dppjj.exec:\dppjj.exe50⤵
- Executes dropped EXE
PID:4928 -
\??\c:\4684482.exec:\4684482.exe51⤵
- Executes dropped EXE
PID:1008 -
\??\c:\80884.exec:\80884.exe52⤵
- Executes dropped EXE
PID:2396 -
\??\c:\xlxflfx.exec:\xlxflfx.exe53⤵
- Executes dropped EXE
PID:3604 -
\??\c:\2682002.exec:\2682002.exe54⤵
- Executes dropped EXE
PID:592 -
\??\c:\nhhhbb.exec:\nhhhbb.exe55⤵
- Executes dropped EXE
PID:4440 -
\??\c:\3rlfxxx.exec:\3rlfxxx.exe56⤵
- Executes dropped EXE
PID:4040 -
\??\c:\rffrffx.exec:\rffrffx.exe57⤵
- Executes dropped EXE
PID:60 -
\??\c:\pjpjd.exec:\pjpjd.exe58⤵
- Executes dropped EXE
PID:2564 -
\??\c:\80086.exec:\80086.exe59⤵
- Executes dropped EXE
PID:3632 -
\??\c:\5rfxxfl.exec:\5rfxxfl.exe60⤵
- Executes dropped EXE
PID:1752 -
\??\c:\xflfxxf.exec:\xflfxxf.exe61⤵
- Executes dropped EXE
PID:1596 -
\??\c:\486404.exec:\486404.exe62⤵
- Executes dropped EXE
PID:3856 -
\??\c:\hhtthh.exec:\hhtthh.exe63⤵
- Executes dropped EXE
PID:1356 -
\??\c:\48662.exec:\48662.exe64⤵
- Executes dropped EXE
PID:1904 -
\??\c:\rlrlrrr.exec:\rlrlrrr.exe65⤵
- Executes dropped EXE
PID:4408 -
\??\c:\04024.exec:\04024.exe66⤵PID:2972
-
\??\c:\rlxllll.exec:\rlxllll.exe67⤵PID:3208
-
\??\c:\rflfxxr.exec:\rflfxxr.exe68⤵PID:2064
-
\??\c:\rxrllxf.exec:\rxrllxf.exe69⤵PID:2920
-
\??\c:\2828400.exec:\2828400.exe70⤵PID:964
-
\??\c:\vdvdd.exec:\vdvdd.exe71⤵PID:3484
-
\??\c:\444880.exec:\444880.exe72⤵PID:3648
-
\??\c:\jdjpd.exec:\jdjpd.exe73⤵PID:3220
-
\??\c:\24262.exec:\24262.exe74⤵PID:4848
-
\??\c:\fxrllfx.exec:\fxrllfx.exe75⤵PID:3324
-
\??\c:\86202.exec:\86202.exe76⤵PID:3992
-
\??\c:\xrxfflx.exec:\xrxfflx.exe77⤵PID:3692
-
\??\c:\802666.exec:\802666.exe78⤵PID:3056
-
\??\c:\ddvvp.exec:\ddvvp.exe79⤵PID:1832
-
\??\c:\s6646.exec:\s6646.exe80⤵PID:1124
-
\??\c:\2844888.exec:\2844888.exe81⤵PID:8
-
\??\c:\bttnhh.exec:\bttnhh.exe82⤵PID:1088
-
\??\c:\04648.exec:\04648.exe83⤵PID:4816
-
\??\c:\k64666.exec:\k64666.exe84⤵PID:396
-
\??\c:\fxfrfrf.exec:\fxfrfrf.exe85⤵PID:4416
-
\??\c:\2844442.exec:\2844442.exe86⤵PID:3272
-
\??\c:\662284.exec:\662284.exe87⤵PID:2948
-
\??\c:\xrxrlxr.exec:\xrxrlxr.exe88⤵PID:920
-
\??\c:\288226.exec:\288226.exe89⤵PID:3068
-
\??\c:\fxrlfxl.exec:\fxrlfxl.exe90⤵PID:3248
-
\??\c:\lfxlxrx.exec:\lfxlxrx.exe91⤵PID:4496
-
\??\c:\04262.exec:\04262.exe92⤵PID:4808
-
\??\c:\xrrlffx.exec:\xrrlffx.exe93⤵PID:3264
-
\??\c:\e40808.exec:\e40808.exe94⤵PID:4832
-
\??\c:\pvjvj.exec:\pvjvj.exe95⤵PID:2700
-
\??\c:\2004882.exec:\2004882.exe96⤵PID:2968
-
\??\c:\84044.exec:\84044.exe97⤵PID:3420
-
\??\c:\26260.exec:\26260.exe98⤵PID:544
-
\??\c:\042660.exec:\042660.exe99⤵PID:2448
-
\??\c:\lfrrffl.exec:\lfrrffl.exe100⤵PID:4196
-
\??\c:\xrfxffx.exec:\xrfxffx.exe101⤵PID:1768
-
\??\c:\fxxxffr.exec:\fxxxffr.exe102⤵PID:4828
-
\??\c:\4860884.exec:\4860884.exe103⤵PID:5108
-
\??\c:\004042.exec:\004042.exe104⤵PID:1600
-
\??\c:\0226420.exec:\0226420.exe105⤵PID:2988
-
\??\c:\228822.exec:\228822.exe106⤵PID:2472
-
\??\c:\bnttnt.exec:\bnttnt.exe107⤵PID:4648
-
\??\c:\46086.exec:\46086.exe108⤵PID:2528
-
\??\c:\468882.exec:\468882.exe109⤵PID:3628
-
\??\c:\vdppp.exec:\vdppp.exe110⤵PID:3488
-
\??\c:\pvvvv.exec:\pvvvv.exe111⤵PID:4800
-
\??\c:\dpdjj.exec:\dpdjj.exe112⤵PID:1716
-
\??\c:\s6826.exec:\s6826.exe113⤵PID:2004
-
\??\c:\pdpjd.exec:\pdpjd.exe114⤵PID:3752
-
\??\c:\1dvdp.exec:\1dvdp.exe115⤵PID:2252
-
\??\c:\3pjdd.exec:\3pjdd.exe116⤵PID:5092
-
\??\c:\2680444.exec:\2680444.exe117⤵PID:4780
-
\??\c:\044880.exec:\044880.exe118⤵PID:2268
-
\??\c:\rrrllrl.exec:\rrrllrl.exe119⤵PID:1568
-
\??\c:\pjppj.exec:\pjppj.exe120⤵PID:1792
-
\??\c:\xrxxxxl.exec:\xrxxxxl.exe121⤵PID:1756
-
\??\c:\7fflllf.exec:\7fflllf.exe122⤵PID:316