Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 03:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
be69c3de2b4792a80ad4fdd92627e97b9c88829bdddc163c69882dd457e3c8a7.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
be69c3de2b4792a80ad4fdd92627e97b9c88829bdddc163c69882dd457e3c8a7.exe
-
Size
454KB
-
MD5
bd034bde03aeae3dfc4e999843582098
-
SHA1
b703a817be891793e0a538a7ae30b68ca764da21
-
SHA256
be69c3de2b4792a80ad4fdd92627e97b9c88829bdddc163c69882dd457e3c8a7
-
SHA512
7f5815f671ff81a7a071789c37fb28120cabd6b3481c02a8252a984532de6847a538024f011be9ecd02d85bae9c25b708d267d8e0c0148c60335d7551f857806
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetd:q7Tc2NYHUrAwfMp3CDtd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/540-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5004-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2972-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-855-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-913-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4536-1453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 540 248682.exe 436 k40066.exe 3448 thtbnb.exe 756 jdvvd.exe 1840 tbntnb.exe 4440 pjdvp.exe 1124 4440442.exe 2064 8404488.exe 3580 ttnhbt.exe 4692 thtnhh.exe 5108 86082.exe 5096 400488.exe 3684 604428.exe 1228 4282488.exe 3640 jvpjv.exe 4996 626448.exe 1528 6048822.exe 2776 1bbnbt.exe 2892 06604.exe 4160 fllfxrl.exe 2504 086448.exe 3336 k22648.exe 64 fxlfrlx.exe 964 i846486.exe 3736 dppdv.exe 5004 pvpvp.exe 2024 82204.exe 3340 vjjvj.exe 1516 66226.exe 2368 7nhtnh.exe 2608 s4086.exe 2856 dpvpj.exe 4104 4244486.exe 2716 6268068.exe 3592 u282820.exe 4376 thhnhb.exe 2276 848202.exe 3892 rlfrfxl.exe 1836 3lfrffr.exe 3520 rfxlfrx.exe 4940 662042.exe 4652 2622222.exe 4736 20642.exe 1488 3ntnbt.exe 4432 nhhhbb.exe 1944 8882048.exe 1768 2286486.exe 3496 xffrfxx.exe 4420 lfrfrlx.exe 4908 7dpjj.exe 2384 bnnhtt.exe 3116 pjjdv.exe 756 djdvj.exe 4440 3ddpj.exe 3512 3lxlxxl.exe 1076 2486048.exe 4188 ppvpd.exe 3000 w88664.exe 3680 ddjdp.exe 4956 c408604.exe 3028 dvdpd.exe 456 q40866.exe 2772 040860.exe 2100 o888260.exe -
resource yara_rule behavioral2/memory/540-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5004-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-359-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4340-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-600-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 848202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8882048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w88664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2660420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 662844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 540 2124 be69c3de2b4792a80ad4fdd92627e97b9c88829bdddc163c69882dd457e3c8a7.exe 85 PID 2124 wrote to memory of 540 2124 be69c3de2b4792a80ad4fdd92627e97b9c88829bdddc163c69882dd457e3c8a7.exe 85 PID 2124 wrote to memory of 540 2124 be69c3de2b4792a80ad4fdd92627e97b9c88829bdddc163c69882dd457e3c8a7.exe 85 PID 540 wrote to memory of 436 540 248682.exe 86 PID 540 wrote to memory of 436 540 248682.exe 86 PID 540 wrote to memory of 436 540 248682.exe 86 PID 436 wrote to memory of 3448 436 k40066.exe 87 PID 436 wrote to memory of 3448 436 k40066.exe 87 PID 436 wrote to memory of 3448 436 k40066.exe 87 PID 3448 wrote to memory of 756 3448 thtbnb.exe 88 PID 3448 wrote to memory of 756 3448 thtbnb.exe 88 PID 3448 wrote to memory of 756 3448 thtbnb.exe 88 PID 756 wrote to memory of 1840 756 jdvvd.exe 89 PID 756 wrote to memory of 1840 756 jdvvd.exe 89 PID 756 wrote to memory of 1840 756 jdvvd.exe 89 PID 1840 wrote to memory of 4440 1840 tbntnb.exe 90 PID 1840 wrote to memory of 4440 1840 tbntnb.exe 90 PID 1840 wrote to memory of 4440 1840 tbntnb.exe 90 PID 4440 wrote to memory of 1124 4440 pjdvp.exe 91 PID 4440 wrote to memory of 1124 4440 pjdvp.exe 91 PID 4440 wrote to memory of 1124 4440 pjdvp.exe 91 PID 1124 wrote to memory of 2064 1124 4440442.exe 92 PID 1124 wrote to memory of 2064 1124 4440442.exe 92 PID 1124 wrote to memory of 2064 1124 4440442.exe 92 PID 2064 wrote to memory of 3580 2064 8404488.exe 93 PID 2064 wrote to memory of 3580 2064 8404488.exe 93 PID 2064 wrote to memory of 3580 2064 8404488.exe 93 PID 3580 wrote to memory of 4692 3580 ttnhbt.exe 94 PID 3580 wrote to memory of 4692 3580 ttnhbt.exe 94 PID 3580 wrote to memory of 4692 3580 ttnhbt.exe 94 PID 4692 wrote to memory of 5108 4692 thtnhh.exe 95 PID 4692 wrote to memory of 5108 4692 thtnhh.exe 95 PID 4692 wrote to memory of 5108 4692 thtnhh.exe 95 PID 5108 wrote to memory of 5096 5108 86082.exe 96 PID 5108 wrote to memory of 5096 5108 86082.exe 
96 PID 5108 wrote to memory of 5096 5108 86082.exe 96 PID 5096 wrote to memory of 3684 5096 400488.exe 97 PID 5096 wrote to memory of 3684 5096 400488.exe 97 PID 5096 wrote to memory of 3684 5096 400488.exe 97 PID 3684 wrote to memory of 1228 3684 604428.exe 98 PID 3684 wrote to memory of 1228 3684 604428.exe 98 PID 3684 wrote to memory of 1228 3684 604428.exe 98 PID 1228 wrote to memory of 3640 1228 4282488.exe 99 PID 1228 wrote to memory of 3640 1228 4282488.exe 99 PID 1228 wrote to memory of 3640 1228 4282488.exe 99 PID 3640 wrote to memory of 4996 3640 jvpjv.exe 100 PID 3640 wrote to memory of 4996 3640 jvpjv.exe 100 PID 3640 wrote to memory of 4996 3640 jvpjv.exe 100 PID 4996 wrote to memory of 1528 4996 626448.exe 101 PID 4996 wrote to memory of 1528 4996 626448.exe 101 PID 4996 wrote to memory of 1528 4996 626448.exe 101 PID 1528 wrote to memory of 2776 1528 6048822.exe 102 PID 1528 wrote to memory of 2776 1528 6048822.exe 102 PID 1528 wrote to memory of 2776 1528 6048822.exe 102 PID 2776 wrote to memory of 2892 2776 1bbnbt.exe 103 PID 2776 wrote to memory of 2892 2776 1bbnbt.exe 103 PID 2776 wrote to memory of 2892 2776 1bbnbt.exe 103 PID 2892 wrote to memory of 4160 2892 06604.exe 104 PID 2892 wrote to memory of 4160 2892 06604.exe 104 PID 2892 wrote to memory of 4160 2892 06604.exe 104 PID 4160 wrote to memory of 2504 4160 fllfxrl.exe 105 PID 4160 wrote to memory of 2504 4160 fllfxrl.exe 105 PID 4160 wrote to memory of 2504 4160 fllfxrl.exe 105 PID 2504 wrote to memory of 3336 2504 086448.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\be69c3de2b4792a80ad4fdd92627e97b9c88829bdddc163c69882dd457e3c8a7.exe"C:\Users\Admin\AppData\Local\Temp\be69c3de2b4792a80ad4fdd92627e97b9c88829bdddc163c69882dd457e3c8a7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\248682.exec:\248682.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\k40066.exec:\k40066.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\thtbnb.exec:\thtbnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\jdvvd.exec:\jdvvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\tbntnb.exec:\tbntnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\pjdvp.exec:\pjdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\4440442.exec:\4440442.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\8404488.exec:\8404488.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\ttnhbt.exec:\ttnhbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\thtnhh.exec:\thtnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\86082.exec:\86082.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\400488.exec:\400488.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\604428.exec:\604428.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\4282488.exec:\4282488.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\jvpjv.exec:\jvpjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\626448.exec:\626448.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\6048822.exec:\6048822.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\1bbnbt.exec:\1bbnbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\06604.exec:\06604.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\fllfxrl.exec:\fllfxrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\086448.exec:\086448.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\k22648.exec:\k22648.exe23⤵
- Executes dropped EXE
PID:3336 -
\??\c:\fxlfrlx.exec:\fxlfrlx.exe24⤵
- Executes dropped EXE
PID:64 -
\??\c:\i846486.exec:\i846486.exe25⤵
- Executes dropped EXE
PID:964 -
\??\c:\dppdv.exec:\dppdv.exe26⤵
- Executes dropped EXE
PID:3736 -
\??\c:\pvpvp.exec:\pvpvp.exe27⤵
- Executes dropped EXE
PID:5004 -
\??\c:\82204.exec:\82204.exe28⤵
- Executes dropped EXE
PID:2024 -
\??\c:\vjjvj.exec:\vjjvj.exe29⤵
- Executes dropped EXE
PID:3340 -
\??\c:\66226.exec:\66226.exe30⤵
- Executes dropped EXE
PID:1516 -
\??\c:\7nhtnh.exec:\7nhtnh.exe31⤵
- Executes dropped EXE
PID:2368 -
\??\c:\s4086.exec:\s4086.exe32⤵
- Executes dropped EXE
PID:2608 -
\??\c:\dpvpj.exec:\dpvpj.exe33⤵
- Executes dropped EXE
PID:2856 -
\??\c:\4244486.exec:\4244486.exe34⤵
- Executes dropped EXE
PID:4104 -
\??\c:\6268068.exec:\6268068.exe35⤵
- Executes dropped EXE
PID:2716 -
\??\c:\u282820.exec:\u282820.exe36⤵
- Executes dropped EXE
PID:3592 -
\??\c:\thhnhb.exec:\thhnhb.exe37⤵
- Executes dropped EXE
PID:4376 -
\??\c:\848202.exec:\848202.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
\??\c:\rlfrfxl.exec:\rlfrfxl.exe39⤵
- Executes dropped EXE
PID:3892 -
\??\c:\3lfrffr.exec:\3lfrffr.exe40⤵
- Executes dropped EXE
PID:1836 -
\??\c:\rfxlfrx.exec:\rfxlfrx.exe41⤵
- Executes dropped EXE
PID:3520 -
\??\c:\662042.exec:\662042.exe42⤵
- Executes dropped EXE
PID:4940 -
\??\c:\2622222.exec:\2622222.exe43⤵
- Executes dropped EXE
PID:4652 -
\??\c:\20642.exec:\20642.exe44⤵
- Executes dropped EXE
PID:4736 -
\??\c:\3ntnbt.exec:\3ntnbt.exe45⤵
- Executes dropped EXE
PID:1488 -
\??\c:\nhhhbb.exec:\nhhhbb.exe46⤵
- Executes dropped EXE
PID:4432 -
\??\c:\8882048.exec:\8882048.exe47⤵
- Executes dropped EXE
PID:1944 -
\??\c:\bbbthh.exec:\bbbthh.exe48⤵PID:3240
-
\??\c:\2286486.exec:\2286486.exe49⤵
- Executes dropped EXE
PID:1768 -
\??\c:\xffrfxx.exec:\xffrfxx.exe50⤵
- Executes dropped EXE
PID:3496 -
\??\c:\lfrfrlx.exec:\lfrfrlx.exe51⤵
- Executes dropped EXE
PID:4420 -
\??\c:\7dpjj.exec:\7dpjj.exe52⤵
- Executes dropped EXE
PID:4908 -
\??\c:\bnnhtt.exec:\bnnhtt.exe53⤵
- Executes dropped EXE
PID:2384 -
\??\c:\pjjdv.exec:\pjjdv.exe54⤵
- Executes dropped EXE
PID:3116 -
\??\c:\djdvj.exec:\djdvj.exe55⤵
- Executes dropped EXE
PID:756 -
\??\c:\3ddpj.exec:\3ddpj.exe56⤵
- Executes dropped EXE
PID:4440 -
\??\c:\3lxlxxl.exec:\3lxlxxl.exe57⤵
- Executes dropped EXE
PID:3512 -
\??\c:\2486048.exec:\2486048.exe58⤵
- Executes dropped EXE
PID:1076 -
\??\c:\ppvpd.exec:\ppvpd.exe59⤵
- Executes dropped EXE
PID:4188 -
\??\c:\w88664.exec:\w88664.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000 -
\??\c:\ddjdp.exec:\ddjdp.exe61⤵
- Executes dropped EXE
PID:3680 -
\??\c:\c408604.exec:\c408604.exe62⤵
- Executes dropped EXE
PID:4956 -
\??\c:\dvdpd.exec:\dvdpd.exe63⤵
- Executes dropped EXE
PID:3028 -
\??\c:\q40866.exec:\q40866.exe64⤵
- Executes dropped EXE
PID:456 -
\??\c:\040860.exec:\040860.exe65⤵
- Executes dropped EXE
PID:2772 -
\??\c:\o888260.exec:\o888260.exe66⤵
- Executes dropped EXE
PID:2100 -
\??\c:\4402608.exec:\4402608.exe67⤵PID:3468
-
\??\c:\c848264.exec:\c848264.exe68⤵PID:3640
-
\??\c:\0860804.exec:\0860804.exe69⤵PID:2552
-
\??\c:\jppdv.exec:\jppdv.exe70⤵PID:3992
-
\??\c:\024282.exec:\024282.exe71⤵PID:4852
-
\??\c:\vpddp.exec:\vpddp.exe72⤵PID:3528
-
\??\c:\rlfrfff.exec:\rlfrfff.exe73⤵PID:4676
-
\??\c:\xflxlxr.exec:\xflxlxr.exe74⤵PID:1096
-
\??\c:\nnnthb.exec:\nnnthb.exe75⤵PID:4160
-
\??\c:\dvpjp.exec:\dvpjp.exe76⤵PID:740
-
\??\c:\3tnbbt.exec:\3tnbbt.exe77⤵PID:2972
-
\??\c:\g8820.exec:\g8820.exe78⤵PID:3336
-
\??\c:\860420.exec:\860420.exe79⤵PID:64
-
\??\c:\288600.exec:\288600.exe80⤵PID:2304
-
\??\c:\40660.exec:\40660.exe81⤵PID:4888
-
\??\c:\lxfrrll.exec:\lxfrrll.exe82⤵PID:2816
-
\??\c:\64460.exec:\64460.exe83⤵PID:4016
-
\??\c:\9btthb.exec:\9btthb.exe84⤵PID:4340
-
\??\c:\rfffrll.exec:\rfffrll.exe85⤵PID:884
-
\??\c:\48048.exec:\48048.exe86⤵PID:2388
-
\??\c:\2482660.exec:\2482660.exe87⤵PID:1132
-
\??\c:\0848660.exec:\0848660.exe88⤵PID:1560
-
\??\c:\nbbnnn.exec:\nbbnnn.exe89⤵PID:2368
-
\??\c:\5xfxlfx.exec:\5xfxlfx.exe90⤵PID:1724
-
\??\c:\08820.exec:\08820.exe91⤵PID:1992
-
\??\c:\w66422.exec:\w66422.exe92⤵PID:3432
-
\??\c:\rllfrlf.exec:\rllfrlf.exe93⤵PID:2616
-
\??\c:\flxlxrl.exec:\flxlxrl.exe94⤵PID:2768
-
\??\c:\600488.exec:\600488.exe95⤵PID:3392
-
\??\c:\46020.exec:\46020.exe96⤵PID:1568
-
\??\c:\c486848.exec:\c486848.exe97⤵PID:1440
-
\??\c:\66660.exec:\66660.exe98⤵PID:2524
-
\??\c:\62204.exec:\62204.exe99⤵PID:4060
-
\??\c:\ppdpj.exec:\ppdpj.exe100⤵PID:3644
-
\??\c:\5dvjj.exec:\5dvjj.exe101⤵PID:4652
-
\??\c:\btttnn.exec:\btttnn.exe102⤵PID:3180
-
\??\c:\xlrfxrf.exec:\xlrfxrf.exe103⤵PID:4504
-
\??\c:\826604.exec:\826604.exe104⤵PID:428
-
\??\c:\7jjdp.exec:\7jjdp.exe105⤵PID:540
-
\??\c:\64020.exec:\64020.exe106⤵PID:396
-
\??\c:\dppdp.exec:\dppdp.exe107⤵PID:3912
-
\??\c:\s0086.exec:\s0086.exe108⤵PID:3972
-
\??\c:\806428.exec:\806428.exe109⤵PID:1424
-
\??\c:\440426.exec:\440426.exe110⤵PID:3712
-
\??\c:\8666686.exec:\8666686.exe111⤵PID:3612
-
\??\c:\q62640.exec:\q62640.exe112⤵PID:816
-
\??\c:\bbbthb.exec:\bbbthb.exe113⤵PID:4248
-
\??\c:\q00860.exec:\q00860.exe114⤵PID:1996
-
\??\c:\044248.exec:\044248.exe115⤵PID:4240
-
\??\c:\06260.exec:\06260.exe116⤵PID:1968
-
\??\c:\42800.exec:\42800.exe117⤵PID:5032
-
\??\c:\i848604.exec:\i848604.exe118⤵PID:3000
-
\??\c:\7xffxfx.exec:\7xffxfx.exe119⤵PID:5108
-
\??\c:\a6242.exec:\a6242.exe120⤵PID:872
-
\??\c:\8686226.exec:\8686226.exe121⤵PID:3028
-
\??\c:\rxlrlff.exec:\rxlrlff.exe122⤵PID:456