Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 15:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe
-
Size
454KB
-
MD5
2def4c88d3f0849f21b1123579301a80
-
SHA1
1e28f0dce3e130a61d314b1c7b4b3c3cd89ba98b
-
SHA256
5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863
-
SHA512
55c63b186634d718e11eaae667603e2861ad617dd2f44c911aa7c7d0c90f69a396790c4dca81d7c343ce850cf6af3995e2199257b428045286cb6accd975678b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbee:q7Tc2NYHUrAwfMp3CDe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4988-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5080-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2388-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-952-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-1043-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-1092-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3560-1575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2152 g6260.exe 468 846604.exe 1888 bbbthb.exe 2928 btthnh.exe 2768 hhnbnh.exe 2748 w08660.exe 3424 bnhbtt.exe 5044 082048.exe 4192 xllfffr.exe 4936 a8042.exe 4916 fllfrlf.exe 2744 2000044.exe 1468 thtnnn.exe 1052 068826.exe 3560 6460826.exe 3136 886468.exe 2164 htnbnh.exe 1736 jddvj.exe 4520 5flxxrl.exe 3928 pjppj.exe 5032 64060.exe 2732 88086.exe 1608 rfxflrl.exe 532 66820.exe 2072 86420.exe 2304 rlrlxrr.exe 1160 42820.exe 1280 662648.exe 2400 268822.exe 3388 hbthnn.exe 2772 g8606.exe 3216 20088.exe 1164 e02048.exe 3828 40826.exe 3248 s4004.exe 512 nhtnhh.exe 4424 64482.exe 980 jpjdv.exe 3856 42488.exe 1708 dpdvp.exe 2924 86262.exe 3748 a2060.exe 2376 u248244.exe 5080 ddddd.exe 2020 2848260.exe 4840 86428.exe 4540 g6226.exe 2204 2404006.exe 2132 9bbtnn.exe 1128 jdvpd.exe 2760 0886826.exe 3064 g0642.exe 1400 httntt.exe 2620 o682048.exe 548 pvjvd.exe 1852 48044.exe 4332 ddjdp.exe 3168 frxrlfx.exe 3948 vjvjp.exe 5072 pdpjd.exe 3744 406826.exe 4524 hnthtn.exe 2888 rxfrlfr.exe 1868 pvdjd.exe -
resource yara_rule behavioral2/memory/2152-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-214-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3856-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-397-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1968-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-680-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0444226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 622048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c828648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llxxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 866062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4988 wrote to memory of 2152 4988 5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe 83 PID 4988 wrote to memory of 2152 4988 5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe 83 PID 4988 wrote to memory of 2152 4988 5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe 83 PID 2152 wrote to memory of 468 2152 g6260.exe 84 PID 2152 wrote to memory of 468 2152 g6260.exe 84 PID 2152 wrote to memory of 468 2152 g6260.exe 84 PID 468 wrote to memory of 1888 468 846604.exe 85 PID 468 wrote to memory of 1888 468 846604.exe 85 PID 468 wrote to memory of 1888 468 846604.exe 85 PID 1888 wrote to memory of 2928 1888 bbbthb.exe 86 PID 1888 wrote to memory of 2928 1888 bbbthb.exe 86 PID 1888 wrote to memory of 2928 1888 bbbthb.exe 86 PID 2928 wrote to memory of 2768 2928 btthnh.exe 87 PID 2928 wrote to memory of 2768 2928 btthnh.exe 87 PID 2928 wrote to memory of 2768 2928 btthnh.exe 87 PID 2768 wrote to memory of 2748 2768 hhnbnh.exe 88 PID 2768 wrote to memory of 2748 2768 hhnbnh.exe 88 PID 2768 wrote to memory of 2748 2768 hhnbnh.exe 88 PID 2748 wrote to memory of 3424 2748 w08660.exe 89 PID 2748 wrote to memory of 3424 2748 w08660.exe 89 PID 2748 wrote to memory of 3424 2748 w08660.exe 89 PID 3424 wrote to memory of 5044 3424 bnhbtt.exe 90 PID 3424 wrote to memory of 5044 3424 bnhbtt.exe 90 PID 3424 wrote to memory of 5044 3424 bnhbtt.exe 90 PID 5044 wrote to memory of 4192 5044 082048.exe 91 PID 5044 wrote to memory of 4192 5044 082048.exe 91 PID 5044 wrote to memory of 4192 5044 082048.exe 91 PID 4192 wrote to memory of 4936 4192 xllfffr.exe 92 PID 4192 wrote to memory of 4936 4192 xllfffr.exe 92 PID 4192 wrote to memory of 4936 4192 xllfffr.exe 92 PID 4936 wrote to memory of 4916 4936 a8042.exe 93 PID 4936 wrote to memory of 4916 4936 a8042.exe 93 PID 4936 wrote to memory of 4916 4936 a8042.exe 93 PID 4916 wrote to memory of 2744 4916 fllfrlf.exe 94 PID 4916 wrote to memory of 
2744 4916 fllfrlf.exe 94 PID 4916 wrote to memory of 2744 4916 fllfrlf.exe 94 PID 2744 wrote to memory of 1468 2744 2000044.exe 95 PID 2744 wrote to memory of 1468 2744 2000044.exe 95 PID 2744 wrote to memory of 1468 2744 2000044.exe 95 PID 1468 wrote to memory of 1052 1468 thtnnn.exe 96 PID 1468 wrote to memory of 1052 1468 thtnnn.exe 96 PID 1468 wrote to memory of 1052 1468 thtnnn.exe 96 PID 1052 wrote to memory of 3560 1052 068826.exe 97 PID 1052 wrote to memory of 3560 1052 068826.exe 97 PID 1052 wrote to memory of 3560 1052 068826.exe 97 PID 3560 wrote to memory of 3136 3560 6460826.exe 98 PID 3560 wrote to memory of 3136 3560 6460826.exe 98 PID 3560 wrote to memory of 3136 3560 6460826.exe 98 PID 3136 wrote to memory of 2164 3136 886468.exe 160 PID 3136 wrote to memory of 2164 3136 886468.exe 160 PID 3136 wrote to memory of 2164 3136 886468.exe 160 PID 2164 wrote to memory of 1736 2164 htnbnh.exe 100 PID 2164 wrote to memory of 1736 2164 htnbnh.exe 100 PID 2164 wrote to memory of 1736 2164 htnbnh.exe 100 PID 1736 wrote to memory of 4520 1736 jddvj.exe 101 PID 1736 wrote to memory of 4520 1736 jddvj.exe 101 PID 1736 wrote to memory of 4520 1736 jddvj.exe 101 PID 4520 wrote to memory of 3928 4520 5flxxrl.exe 163 PID 4520 wrote to memory of 3928 4520 5flxxrl.exe 163 PID 4520 wrote to memory of 3928 4520 5flxxrl.exe 163 PID 3928 wrote to memory of 5032 3928 pjppj.exe 164 PID 3928 wrote to memory of 5032 3928 pjppj.exe 164 PID 3928 wrote to memory of 5032 3928 pjppj.exe 164 PID 5032 wrote to memory of 2732 5032 64060.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe"C:\Users\Admin\AppData\Local\Temp\5a1a65eb2c5ddb16d8ad93c6e95be578e9ab00d9c95e6f1573fcbd8c66465863N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\g6260.exec:\g6260.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\846604.exec:\846604.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\bbbthb.exec:\bbbthb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\btthnh.exec:\btthnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\hhnbnh.exec:\hhnbnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\w08660.exec:\w08660.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\bnhbtt.exec:\bnhbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\082048.exec:\082048.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\xllfffr.exec:\xllfffr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\a8042.exec:\a8042.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\fllfrlf.exec:\fllfrlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\2000044.exec:\2000044.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\thtnnn.exec:\thtnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\068826.exec:\068826.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\6460826.exec:\6460826.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\886468.exec:\886468.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\htnbnh.exec:\htnbnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\jddvj.exec:\jddvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\5flxxrl.exec:\5flxxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\pjppj.exec:\pjppj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\64060.exec:\64060.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\88086.exec:\88086.exe23⤵
- Executes dropped EXE
PID:2732 -
\??\c:\rfxflrl.exec:\rfxflrl.exe24⤵
- Executes dropped EXE
PID:1608 -
\??\c:\66820.exec:\66820.exe25⤵
- Executes dropped EXE
PID:532 -
\??\c:\86420.exec:\86420.exe26⤵
- Executes dropped EXE
PID:2072 -
\??\c:\rlrlxrr.exec:\rlrlxrr.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2304 -
\??\c:\42820.exec:\42820.exe28⤵
- Executes dropped EXE
PID:1160 -
\??\c:\662648.exec:\662648.exe29⤵
- Executes dropped EXE
PID:1280 -
\??\c:\268822.exec:\268822.exe30⤵
- Executes dropped EXE
PID:2400 -
\??\c:\hbthnn.exec:\hbthnn.exe31⤵
- Executes dropped EXE
PID:3388 -
\??\c:\g8606.exec:\g8606.exe32⤵
- Executes dropped EXE
PID:2772 -
\??\c:\20088.exec:\20088.exe33⤵
- Executes dropped EXE
PID:3216 -
\??\c:\e02048.exec:\e02048.exe34⤵
- Executes dropped EXE
PID:1164 -
\??\c:\40826.exec:\40826.exe35⤵
- Executes dropped EXE
PID:3828 -
\??\c:\s4004.exec:\s4004.exe36⤵
- Executes dropped EXE
PID:3248 -
\??\c:\nhtnhh.exec:\nhtnhh.exe37⤵
- Executes dropped EXE
PID:512 -
\??\c:\64482.exec:\64482.exe38⤵
- Executes dropped EXE
PID:4424 -
\??\c:\jpjdv.exec:\jpjdv.exe39⤵
- Executes dropped EXE
PID:980 -
\??\c:\42488.exec:\42488.exe40⤵
- Executes dropped EXE
PID:3856 -
\??\c:\dpdvp.exec:\dpdvp.exe41⤵
- Executes dropped EXE
PID:1708 -
\??\c:\86262.exec:\86262.exe42⤵
- Executes dropped EXE
PID:2924 -
\??\c:\a2060.exec:\a2060.exe43⤵
- Executes dropped EXE
PID:3748 -
\??\c:\u248244.exec:\u248244.exe44⤵
- Executes dropped EXE
PID:2376 -
\??\c:\ddddd.exec:\ddddd.exe45⤵
- Executes dropped EXE
PID:5080 -
\??\c:\2848260.exec:\2848260.exe46⤵
- Executes dropped EXE
PID:2020 -
\??\c:\86428.exec:\86428.exe47⤵
- Executes dropped EXE
PID:4840 -
\??\c:\g6226.exec:\g6226.exe48⤵
- Executes dropped EXE
PID:4540 -
\??\c:\2404006.exec:\2404006.exe49⤵
- Executes dropped EXE
PID:2204 -
\??\c:\9bbtnn.exec:\9bbtnn.exe50⤵
- Executes dropped EXE
PID:2132 -
\??\c:\jdvpd.exec:\jdvpd.exe51⤵
- Executes dropped EXE
PID:1128 -
\??\c:\0886826.exec:\0886826.exe52⤵
- Executes dropped EXE
PID:2760 -
\??\c:\g0642.exec:\g0642.exe53⤵
- Executes dropped EXE
PID:3064 -
\??\c:\httntt.exec:\httntt.exe54⤵
- Executes dropped EXE
PID:1400 -
\??\c:\o682048.exec:\o682048.exe55⤵
- Executes dropped EXE
PID:2620 -
\??\c:\pvjvd.exec:\pvjvd.exe56⤵
- Executes dropped EXE
PID:548 -
\??\c:\48044.exec:\48044.exe57⤵
- Executes dropped EXE
PID:1852 -
\??\c:\ddjdp.exec:\ddjdp.exe58⤵
- Executes dropped EXE
PID:4332 -
\??\c:\frxrlfx.exec:\frxrlfx.exe59⤵
- Executes dropped EXE
PID:3168 -
\??\c:\vjvjp.exec:\vjvjp.exe60⤵
- Executes dropped EXE
PID:3948 -
\??\c:\pdpjd.exec:\pdpjd.exe61⤵
- Executes dropped EXE
PID:5072 -
\??\c:\406826.exec:\406826.exe62⤵
- Executes dropped EXE
PID:3744 -
\??\c:\hnthtn.exec:\hnthtn.exe63⤵
- Executes dropped EXE
PID:4524 -
\??\c:\rxfrlfr.exec:\rxfrlfr.exe64⤵
- Executes dropped EXE
PID:2888 -
\??\c:\pvdjd.exec:\pvdjd.exe65⤵
- Executes dropped EXE
PID:1868 -
\??\c:\44820.exec:\44820.exe66⤵PID:2720
-
\??\c:\vpppd.exec:\vpppd.exe67⤵
- System Location Discovery: System Language Discovery
PID:2688 -
\??\c:\djvjv.exec:\djvjv.exe68⤵PID:1100
-
\??\c:\xflfrlf.exec:\xflfrlf.exe69⤵PID:1984
-
\??\c:\80222.exec:\80222.exe70⤵PID:384
-
\??\c:\0622806.exec:\0622806.exe71⤵PID:1388
-
\??\c:\4882604.exec:\4882604.exe72⤵PID:3592
-
\??\c:\88482.exec:\88482.exe73⤵PID:2576
-
\??\c:\7ffrrrx.exec:\7ffrrrx.exe74⤵PID:4748
-
\??\c:\bbbbbh.exec:\bbbbbh.exe75⤵PID:4516
-
\??\c:\0406224.exec:\0406224.exe76⤵PID:1316
-
\??\c:\dvpvd.exec:\dvpvd.exe77⤵PID:1268
-
\??\c:\3rlflll.exec:\3rlflll.exe78⤵PID:1172
-
\??\c:\008226.exec:\008226.exe79⤵PID:2164
-
\??\c:\c448008.exec:\c448008.exe80⤵PID:2388
-
\??\c:\nhbnhb.exec:\nhbnhb.exe81⤵PID:5000
-
\??\c:\a8660.exec:\a8660.exe82⤵PID:3928
-
\??\c:\288600.exec:\288600.exe83⤵PID:5032
-
\??\c:\vpdvj.exec:\vpdvj.exe84⤵PID:212
-
\??\c:\8006446.exec:\8006446.exe85⤵PID:2220
-
\??\c:\866062.exec:\866062.exe86⤵
- System Location Discovery: System Language Discovery
PID:4872 -
\??\c:\nntnbt.exec:\nntnbt.exe87⤵
- System Location Discovery: System Language Discovery
PID:3580 -
\??\c:\5jjvj.exec:\5jjvj.exe88⤵PID:2712
-
\??\c:\4800400.exec:\4800400.exe89⤵PID:3244
-
\??\c:\1hnhhh.exec:\1hnhhh.exe90⤵PID:1280
-
\??\c:\226626.exec:\226626.exe91⤵PID:3388
-
\??\c:\lrlfflr.exec:\lrlfflr.exe92⤵PID:3976
-
\??\c:\s4046.exec:\s4046.exe93⤵PID:1164
-
\??\c:\thhthb.exec:\thhthb.exe94⤵PID:3828
-
\??\c:\vjppp.exec:\vjppp.exe95⤵PID:5004
-
\??\c:\3xrllff.exec:\3xrllff.exe96⤵PID:4424
-
\??\c:\ththht.exec:\ththht.exe97⤵PID:1968
-
\??\c:\668680.exec:\668680.exe98⤵PID:3252
-
\??\c:\0686008.exec:\0686008.exe99⤵PID:4732
-
\??\c:\tbbbhb.exec:\tbbbhb.exe100⤵PID:3496
-
\??\c:\80404.exec:\80404.exe101⤵
- System Location Discovery: System Language Discovery
PID:4304 -
\??\c:\hhnhbt.exec:\hhnhbt.exe102⤵PID:4104
-
\??\c:\e88866.exec:\e88866.exe103⤵PID:348
-
\??\c:\0260486.exec:\0260486.exe104⤵PID:1564
-
\??\c:\vvdvj.exec:\vvdvj.exe105⤵
- System Location Discovery: System Language Discovery
PID:1148 -
\??\c:\vppdd.exec:\vppdd.exe106⤵PID:2204
-
\??\c:\400482.exec:\400482.exe107⤵PID:1788
-
\??\c:\lxxflxx.exec:\lxxflxx.exe108⤵PID:2536
-
\??\c:\062482.exec:\062482.exe109⤵PID:2760
-
\??\c:\202600.exec:\202600.exe110⤵PID:4768
-
\??\c:\hhhbnh.exec:\hhhbnh.exe111⤵PID:3984
-
\??\c:\24044.exec:\24044.exe112⤵PID:2404
-
\??\c:\3pdvj.exec:\3pdvj.exe113⤵PID:2128
-
\??\c:\u464488.exec:\u464488.exe114⤵PID:4508
-
\??\c:\rxrlfxx.exec:\rxrlfxx.exe115⤵
- System Location Discovery: System Language Discovery
PID:4332 -
\??\c:\nbnhbt.exec:\nbnhbt.exe116⤵PID:3168
-
\??\c:\dpvjv.exec:\dpvjv.exe117⤵PID:4212
-
\??\c:\02480.exec:\02480.exe118⤵PID:232
-
\??\c:\hnnnbh.exec:\hnnnbh.exe119⤵PID:1848
-
\??\c:\2604826.exec:\2604826.exe120⤵PID:4328
-
\??\c:\3vjvd.exec:\3vjvd.exe121⤵PID:3472
-
\??\c:\pvdjj.exec:\pvdjj.exe122⤵PID:3916