Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 05:17
Behavioral task
behavioral1
Sample
145a6da3d5d1d025e246c26267f6b9c318df1aa23ec2d703f108b1dceec479e0N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
145a6da3d5d1d025e246c26267f6b9c318df1aa23ec2d703f108b1dceec479e0N.exe
-
Size
142KB
-
MD5
b525ca3a5f9eea968a3a509ac6998560
-
SHA1
96706651ceeefd6bf2564c61d2693a64eaa30982
-
SHA256
145a6da3d5d1d025e246c26267f6b9c318df1aa23ec2d703f108b1dceec479e0
-
SHA512
d0191aa932932f80689948529e5e1ef7eff9f76f752aa9ff4052c0a4c8f247f398984350dfadaac667efa42debcaef7a5795e4884b3ca521e8d6ea298518a222
-
SSDEEP
3072:khOmTsF93UYfwC6GIoutpYcvrqrE66kropO6BfDKPeGrR+G:kcm4FmowdHoSphraHcpOaKHcG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3984-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1828-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3476-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1692-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2792-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3000-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2788-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/512-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2888-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4848-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/332-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2496-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2344-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/768-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3640-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2308-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4356-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4708-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3520-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1012-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2488-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1080-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3416-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4424-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2164-256-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1828-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3476-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2916-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1348-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2212-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1364-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1772-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3624-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1124-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4304-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4968-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2540-380-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3248-390-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2588-467-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3000-486-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3760-526-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4776-530-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3812-555-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-595-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3628-602-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-639-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-773-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2500-951-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-1181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1816-1566-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-1977-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1488-2108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1828 28206.exe 1692 btbttt.exe 3476 62844.exe 2792 48822.exe 3000 66240.exe 2788 2046844.exe 512 086220.exe 1804 882846.exe 2888 bhhbbn.exe 5060 26226.exe 1612 djjvd.exe 4848 pdvpv.exe 332 8828868.exe 2840 bhttnb.exe 2496 xfxlrrl.exe 4880 226642.exe 2344 ddvvp.exe 3868 8040468.exe 768 00002.exe 3640 o800006.exe 760 6404864.exe 3120 62004.exe 2308 hbbhbn.exe 5084 484622.exe 4356 nnbhbn.exe 4708 80220.exe 4792 fffxxxf.exe 4212 4648082.exe 3520 o864826.exe 1012 5flrlll.exe 4496 6068288.exe 3600 06280.exe 3288 hhbthn.exe 4928 vpjdv.exe 2488 vpvjj.exe 1596 nhtthh.exe 1048 42866.exe 1088 fxxxrrr.exe 4364 jvvvv.exe 1080 4260482.exe 840 pvpjd.exe 4036 80406.exe 3416 xlxllfr.exe 3648 448888.exe 2512 xllrlrr.exe 4652 808648.exe 2756 2284666.exe 32 vdpdj.exe 4424 602402.exe 1112 q22246.exe 2164 fllxfrr.exe 1828 808260.exe 1696 nhhhnt.exe 3476 080826.exe 1196 86004.exe 2916 bnnbnt.exe 232 jvvvv.exe 2552 bbhhhh.exe 2684 dpvvp.exe 3808 vdddv.exe 512 42682.exe 2820 hbhhnt.exe 1348 s6442.exe 3108 dvvvp.exe -
resource yara_rule behavioral2/memory/3984-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c49-3.dat upx behavioral2/memory/3984-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ca1-9.dat upx behavioral2/memory/1828-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-13.dat upx behavioral2/memory/3476-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-23.dat upx behavioral2/memory/1692-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-27.dat upx behavioral2/memory/2792-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-35.dat upx behavioral2/memory/3000-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2788-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-41.dat upx behavioral2/memory/2788-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/512-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-50.dat upx behavioral2/memory/512-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-53.dat upx behavioral2/memory/2888-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-58.dat upx behavioral2/files/0x0007000000023cae-64.dat upx behavioral2/memory/5060-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-70.dat upx behavioral2/memory/4848-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-82.dat upx behavioral2/memory/332-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-76.dat upx behavioral2/files/0x0007000000023cb2-88.dat upx behavioral2/files/0x0007000000023cb4-92.dat upx 
behavioral2/memory/2496-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ca2-98.dat upx behavioral2/memory/4880-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-107.dat upx behavioral2/memory/2344-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-111.dat upx behavioral2/files/0x0007000000023cb7-118.dat upx behavioral2/memory/768-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3640-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-123.dat upx behavioral2/files/0x0007000000023cb9-128.dat upx behavioral2/memory/3120-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-135.dat upx behavioral2/files/0x0007000000023cbb-138.dat upx behavioral2/memory/2308-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbc-144.dat upx behavioral2/files/0x0007000000023cbd-151.dat upx behavioral2/memory/4356-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-155.dat upx behavioral2/memory/4708-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-161.dat upx behavioral2/files/0x0007000000023cc0-166.dat upx behavioral2/files/0x0007000000023cc1-171.dat upx behavioral2/memory/3520-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc2-177.dat upx behavioral2/memory/1012-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-185.dat upx behavioral2/memory/3600-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4928-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2488-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4364-213-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1080-217-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4036-224-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8880800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o864826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8446820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82208.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
0442204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48844.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3984 wrote to memory of 1828 3984 145a6da3d5d1d025e246c26267f6b9c318df1aa23ec2d703f108b1dceec479e0N.exe 83 PID 3984 wrote to memory of 1828 3984 145a6da3d5d1d025e246c26267f6b9c318df1aa23ec2d703f108b1dceec479e0N.exe 83 PID 3984 wrote to memory of 1828 3984 145a6da3d5d1d025e246c26267f6b9c318df1aa23ec2d703f108b1dceec479e0N.exe 83 PID 1828 wrote to memory of 1692 1828 28206.exe 84 PID 1828 wrote to memory of 1692 1828 28206.exe 84 PID 1828 wrote to memory of 1692 1828 28206.exe 84 PID 1692 wrote to memory of 3476 1692 btbttt.exe 85 PID 1692 wrote to memory of 3476 1692 btbttt.exe 85 PID 1692 wrote to memory of 3476 1692 btbttt.exe 85 PID 3476 wrote to memory of 2792 3476 62844.exe 86 PID 3476 wrote to memory of 2792 3476 62844.exe 86 PID 3476 wrote to memory of 2792 3476 62844.exe 86 PID 2792 wrote to memory of 3000 2792 48822.exe 87 PID 2792 wrote to memory of 3000 2792 48822.exe 87 PID 2792 wrote to memory of 3000 2792 48822.exe 87 PID 3000 wrote to memory of 2788 3000 66240.exe 88 PID 3000 wrote to memory of 2788 3000 66240.exe 88 PID 3000 wrote to memory of 2788 3000 66240.exe 88 PID 2788 wrote to memory of 512 2788 2046844.exe 89 PID 2788 wrote to memory of 512 2788 2046844.exe 89 PID 2788 wrote to memory of 512 2788 2046844.exe 89 PID 512 wrote to memory of 1804 512 086220.exe 90 PID 512 wrote to memory of 1804 512 086220.exe 90 PID 512 wrote to memory of 1804 512 086220.exe 90 PID 1804 wrote to memory of 2888 1804 882846.exe 91 PID 1804 wrote to memory of 2888 1804 882846.exe 91 PID 1804 wrote to memory of 2888 1804 882846.exe 91 PID 2888 wrote to memory of 5060 2888 bhhbbn.exe 92 PID 2888 wrote to memory of 5060 2888 bhhbbn.exe 92 PID 2888 wrote to memory of 5060 2888 bhhbbn.exe 92 PID 5060 wrote to memory of 1612 5060 26226.exe 93 PID 5060 wrote to memory of 1612 5060 26226.exe 93 PID 5060 wrote to memory of 1612 5060 26226.exe 93 PID 1612 wrote to memory of 4848 1612 djjvd.exe 94 PID 1612 wrote to memory of 4848 1612 
djjvd.exe 94 PID 1612 wrote to memory of 4848 1612 djjvd.exe 94 PID 4848 wrote to memory of 332 4848 pdvpv.exe 95 PID 4848 wrote to memory of 332 4848 pdvpv.exe 95 PID 4848 wrote to memory of 332 4848 pdvpv.exe 95 PID 332 wrote to memory of 2840 332 8828868.exe 96 PID 332 wrote to memory of 2840 332 8828868.exe 96 PID 332 wrote to memory of 2840 332 8828868.exe 96 PID 2840 wrote to memory of 2496 2840 bhttnb.exe 97 PID 2840 wrote to memory of 2496 2840 bhttnb.exe 97 PID 2840 wrote to memory of 2496 2840 bhttnb.exe 97 PID 2496 wrote to memory of 4880 2496 xfxlrrl.exe 98 PID 2496 wrote to memory of 4880 2496 xfxlrrl.exe 98 PID 2496 wrote to memory of 4880 2496 xfxlrrl.exe 98 PID 4880 wrote to memory of 2344 4880 226642.exe 99 PID 4880 wrote to memory of 2344 4880 226642.exe 99 PID 4880 wrote to memory of 2344 4880 226642.exe 99 PID 2344 wrote to memory of 3868 2344 ddvvp.exe 100 PID 2344 wrote to memory of 3868 2344 ddvvp.exe 100 PID 2344 wrote to memory of 3868 2344 ddvvp.exe 100 PID 3868 wrote to memory of 768 3868 8040468.exe 101 PID 3868 wrote to memory of 768 3868 8040468.exe 101 PID 3868 wrote to memory of 768 3868 8040468.exe 101 PID 768 wrote to memory of 3640 768 00002.exe 102 PID 768 wrote to memory of 3640 768 00002.exe 102 PID 768 wrote to memory of 3640 768 00002.exe 102 PID 3640 wrote to memory of 760 3640 o800006.exe 103 PID 3640 wrote to memory of 760 3640 o800006.exe 103 PID 3640 wrote to memory of 760 3640 o800006.exe 103 PID 760 wrote to memory of 3120 760 6404864.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\145a6da3d5d1d025e246c26267f6b9c318df1aa23ec2d703f108b1dceec479e0N.exe"C:\Users\Admin\AppData\Local\Temp\145a6da3d5d1d025e246c26267f6b9c318df1aa23ec2d703f108b1dceec479e0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\28206.exec:\28206.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\btbttt.exec:\btbttt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\62844.exec:\62844.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\48822.exec:\48822.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\66240.exec:\66240.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\2046844.exec:\2046844.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\086220.exec:\086220.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\882846.exec:\882846.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\bhhbbn.exec:\bhhbbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\26226.exec:\26226.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\djjvd.exec:\djjvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\pdvpv.exec:\pdvpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\8828868.exec:\8828868.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332 -
\??\c:\bhttnb.exec:\bhttnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\xfxlrrl.exec:\xfxlrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\226642.exec:\226642.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\ddvvp.exec:\ddvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\8040468.exec:\8040468.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\00002.exec:\00002.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\o800006.exec:\o800006.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\6404864.exec:\6404864.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\62004.exec:\62004.exe23⤵
- Executes dropped EXE
PID:3120 -
\??\c:\hbbhbn.exec:\hbbhbn.exe24⤵
- Executes dropped EXE
PID:2308 -
\??\c:\484622.exec:\484622.exe25⤵
- Executes dropped EXE
PID:5084 -
\??\c:\nnbhbn.exec:\nnbhbn.exe26⤵
- Executes dropped EXE
PID:4356 -
\??\c:\80220.exec:\80220.exe27⤵
- Executes dropped EXE
PID:4708 -
\??\c:\fffxxxf.exec:\fffxxxf.exe28⤵
- Executes dropped EXE
PID:4792 -
\??\c:\4648082.exec:\4648082.exe29⤵
- Executes dropped EXE
PID:4212 -
\??\c:\o864826.exec:\o864826.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3520 -
\??\c:\5flrlll.exec:\5flrlll.exe31⤵
- Executes dropped EXE
PID:1012 -
\??\c:\6068288.exec:\6068288.exe32⤵
- Executes dropped EXE
PID:4496 -
\??\c:\06280.exec:\06280.exe33⤵
- Executes dropped EXE
PID:3600 -
\??\c:\hhbthn.exec:\hhbthn.exe34⤵
- Executes dropped EXE
PID:3288 -
\??\c:\vpjdv.exec:\vpjdv.exe35⤵
- Executes dropped EXE
PID:4928 -
\??\c:\vpvjj.exec:\vpvjj.exe36⤵
- Executes dropped EXE
PID:2488 -
\??\c:\nhtthh.exec:\nhtthh.exe37⤵
- Executes dropped EXE
PID:1596 -
\??\c:\42866.exec:\42866.exe38⤵
- Executes dropped EXE
PID:1048 -
\??\c:\fxxxrrr.exec:\fxxxrrr.exe39⤵
- Executes dropped EXE
PID:1088 -
\??\c:\jvvvv.exec:\jvvvv.exe40⤵
- Executes dropped EXE
PID:4364 -
\??\c:\4260482.exec:\4260482.exe41⤵
- Executes dropped EXE
PID:1080 -
\??\c:\pvpjd.exec:\pvpjd.exe42⤵
- Executes dropped EXE
PID:840 -
\??\c:\80406.exec:\80406.exe43⤵
- Executes dropped EXE
PID:4036 -
\??\c:\xlxllfr.exec:\xlxllfr.exe44⤵
- Executes dropped EXE
PID:3416 -
\??\c:\448888.exec:\448888.exe45⤵
- Executes dropped EXE
PID:3648 -
\??\c:\xllrlrr.exec:\xllrlrr.exe46⤵
- Executes dropped EXE
PID:2512 -
\??\c:\808648.exec:\808648.exe47⤵
- Executes dropped EXE
PID:4652 -
\??\c:\2284666.exec:\2284666.exe48⤵
- Executes dropped EXE
PID:2756 -
\??\c:\vdpdj.exec:\vdpdj.exe49⤵
- Executes dropped EXE
PID:32 -
\??\c:\602402.exec:\602402.exe50⤵
- Executes dropped EXE
PID:4424 -
\??\c:\q22246.exec:\q22246.exe51⤵
- Executes dropped EXE
PID:1112 -
\??\c:\fllxfrr.exec:\fllxfrr.exe52⤵
- Executes dropped EXE
PID:2164 -
\??\c:\808260.exec:\808260.exe53⤵
- Executes dropped EXE
PID:1828 -
\??\c:\nhhhnt.exec:\nhhhnt.exe54⤵
- Executes dropped EXE
PID:1696 -
\??\c:\080826.exec:\080826.exe55⤵
- Executes dropped EXE
PID:3476 -
\??\c:\86004.exec:\86004.exe56⤵
- Executes dropped EXE
PID:1196 -
\??\c:\bnnbnt.exec:\bnnbnt.exe57⤵
- Executes dropped EXE
PID:2916 -
\??\c:\jvvvv.exec:\jvvvv.exe58⤵
- Executes dropped EXE
PID:232 -
\??\c:\bbhhhh.exec:\bbhhhh.exe59⤵
- Executes dropped EXE
PID:2552 -
\??\c:\dpvvp.exec:\dpvvp.exe60⤵
- Executes dropped EXE
PID:2684 -
\??\c:\vdddv.exec:\vdddv.exe61⤵
- Executes dropped EXE
PID:3808 -
\??\c:\42682.exec:\42682.exe62⤵
- Executes dropped EXE
PID:512 -
\??\c:\hbhhnt.exec:\hbhhnt.exe63⤵
- Executes dropped EXE
PID:2820 -
\??\c:\s6442.exec:\s6442.exe64⤵
- Executes dropped EXE
PID:1348 -
\??\c:\dvvvp.exec:\dvvvp.exe65⤵
- Executes dropped EXE
PID:3108 -
\??\c:\dpjdp.exec:\dpjdp.exe66⤵PID:5008
-
\??\c:\bhtbht.exec:\bhtbht.exe67⤵PID:1612
-
\??\c:\88008.exec:\88008.exe68⤵PID:2212
-
\??\c:\4084802.exec:\4084802.exe69⤵PID:4976
-
\??\c:\hnbhnb.exec:\hnbhnb.exe70⤵PID:868
-
\??\c:\dpvpp.exec:\dpvpp.exe71⤵PID:1364
-
\??\c:\262468.exec:\262468.exe72⤵PID:1772
-
\??\c:\2220202.exec:\2220202.exe73⤵PID:2496
-
\??\c:\ffrllfr.exec:\ffrllfr.exe74⤵PID:3624
-
\??\c:\6466288.exec:\6466288.exe75⤵PID:3876
-
\??\c:\bthhhn.exec:\bthhhn.exe76⤵PID:1124
-
\??\c:\hthnhb.exec:\hthnhb.exe77⤵PID:3868
-
\??\c:\tttnnn.exec:\tttnnn.exe78⤵PID:3308
-
\??\c:\m0868.exec:\m0868.exe79⤵PID:4304
-
\??\c:\bthhbh.exec:\bthhbh.exe80⤵PID:4968
-
\??\c:\4648022.exec:\4648022.exe81⤵PID:2372
-
\??\c:\nttbbh.exec:\nttbbh.exe82⤵PID:1988
-
\??\c:\068880.exec:\068880.exe83⤵PID:2072
-
\??\c:\vdjvj.exec:\vdjvj.exe84⤵PID:2300
-
\??\c:\xrxxffl.exec:\xrxxffl.exe85⤵PID:3992
-
\??\c:\nhhbtt.exec:\nhhbtt.exe86⤵PID:4532
-
\??\c:\hhhhhh.exec:\hhhhhh.exe87⤵PID:4208
-
\??\c:\04440.exec:\04440.exe88⤵PID:1972
-
\??\c:\2682442.exec:\2682442.exe89⤵PID:2540
-
\??\c:\00228.exec:\00228.exe90⤵PID:1848
-
\??\c:\hnnhbb.exec:\hnnhbb.exe91⤵PID:456
-
\??\c:\hbhhbh.exec:\hbhhbh.exe92⤵PID:3248
-
\??\c:\jjddj.exec:\jjddj.exe93⤵PID:3340
-
\??\c:\vjppj.exec:\vjppj.exe94⤵PID:1108
-
\??\c:\ppvvj.exec:\ppvvj.exe95⤵PID:1780
-
\??\c:\26004.exec:\26004.exe96⤵PID:60
-
\??\c:\60882.exec:\60882.exe97⤵PID:3288
-
\??\c:\206048.exec:\206048.exe98⤵PID:4928
-
\??\c:\rlflfff.exec:\rlflfff.exe99⤵PID:1668
-
\??\c:\62020.exec:\62020.exe100⤵PID:4752
-
\??\c:\lxlfllr.exec:\lxlfllr.exe101⤵PID:2492
-
\??\c:\8046466.exec:\8046466.exe102⤵PID:4332
-
\??\c:\ddjjd.exec:\ddjjd.exe103⤵PID:3104
-
\??\c:\2604460.exec:\2604460.exe104⤵PID:4828
-
\??\c:\060826.exec:\060826.exe105⤵PID:1184
-
\??\c:\hntbtt.exec:\hntbtt.exe106⤵PID:3660
-
\??\c:\xllllfr.exec:\xllllfr.exe107⤵PID:3968
-
\??\c:\vdjjd.exec:\vdjjd.exe108⤵PID:3556
-
\??\c:\hbhtnt.exec:\hbhtnt.exe109⤵PID:1492
-
\??\c:\64288.exec:\64288.exe110⤵
- System Location Discovery: System Language Discovery
PID:2512 -
\??\c:\k06604.exec:\k06604.exe111⤵PID:448
-
\??\c:\0026044.exec:\0026044.exe112⤵PID:4244
-
\??\c:\64688.exec:\64688.exe113⤵PID:2116
-
\??\c:\dpvvv.exec:\dpvvv.exe114⤵PID:4384
-
\??\c:\rrrlxxr.exec:\rrrlxxr.exe115⤵PID:4724
-
\??\c:\0682266.exec:\0682266.exe116⤵PID:5116
-
\??\c:\ttthbn.exec:\ttthbn.exe117⤵PID:2588
-
\??\c:\c862840.exec:\c862840.exe118⤵PID:1692
-
\??\c:\djjjv.exec:\djjjv.exe119⤵PID:992
-
\??\c:\060262.exec:\060262.exe120⤵PID:4660
-
\??\c:\88442.exec:\88442.exe121⤵PID:5104
-
\??\c:\vddjp.exec:\vddjp.exe122⤵PID:3652
-