Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 06:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
23be7236f6b96fb7436ae6cda68fbe0915dc9adeda5cdcecb53a5933b1813acfN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
23be7236f6b96fb7436ae6cda68fbe0915dc9adeda5cdcecb53a5933b1813acfN.exe
-
Size
456KB
-
MD5
7edef74913d652319fac40c96e24e4b0
-
SHA1
5657b507961f28c44a750dced0e7c3b0c816be35
-
SHA256
23be7236f6b96fb7436ae6cda68fbe0915dc9adeda5cdcecb53a5933b1813acf
-
SHA512
dfe80a6481147049bcb142d69c88d0d921b4a8a5e893182319704d6812abb0d3e2f2485a3de1500efac09b3524d2b284cf1643e3fdd6c5f1e2e2986e6cbc08cb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRk:q7Tc2NYHUrAwfMp3CDRk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2716-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4500-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4216-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-1023-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-1076-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-1282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-1325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3520-1499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4684 bttttt.exe 4900 o686004.exe 1056 jddvp.exe 4164 866844.exe 4912 u648844.exe 2432 jjjdv.exe 2764 ffllrrx.exe 2812 nhhbbt.exe 2088 btthhb.exe 3460 4002604.exe 5040 bh8226.exe 552 k62488.exe 1172 flfxllf.exe 4784 888600.exe 3852 vvvvp.exe 2936 2660802.exe 3660 lflfffx.exe 1668 28000.exe 2152 7jddj.exe 5024 606040.exe 4076 688822.exe 4412 ntbbbt.exe 5116 44662.exe 1788 i642444.exe 4400 4224060.exe 4500 pdpjj.exe 1144 hbhhbb.exe 4836 00048.exe 408 dvpjd.exe 3764 nbnnhh.exe 4820 fxxrlll.exe 3280 e68600.exe 3968 tnbbhb.exe 4792 24004.exe 2908 llfffrx.exe 1944 484822.exe 4224 1ddvj.exe 2996 0288226.exe 968 ffrlrlr.exe 4244 048844.exe 4636 nbtnnh.exe 4332 8282884.exe 536 nnhnht.exe 2972 lrxxrrr.exe 216 ttbbtn.exe 4940 dvddj.exe 1576 60262.exe 3032 9rxrllf.exe 3272 8006048.exe 2548 280600.exe 4912 hthbbb.exe 4588 hbthtt.exe 2376 rxxxrrr.exe 2276 ddvdv.exe 436 7nthtn.exe 4944 8028226.exe 4800 xfxxrrr.exe 3156 g4086.exe 4744 c482086.exe 3076 q22642.exe 4688 7rxrllf.exe 1172 6844882.exe 3592 262248.exe 4216 xfrlxrl.exe -
resource yara_rule behavioral2/memory/2716-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4400-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-361-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/224-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-1010-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-1023-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-1076-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-1182-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0022008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6248604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfxrrx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o066444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6848226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0626044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62000.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2716 wrote to memory of 4684 2716 23be7236f6b96fb7436ae6cda68fbe0915dc9adeda5cdcecb53a5933b1813acfN.exe 85 PID 2716 wrote to memory of 4684 2716 23be7236f6b96fb7436ae6cda68fbe0915dc9adeda5cdcecb53a5933b1813acfN.exe 85 PID 2716 wrote to memory of 4684 2716 23be7236f6b96fb7436ae6cda68fbe0915dc9adeda5cdcecb53a5933b1813acfN.exe 85 PID 4684 wrote to memory of 4900 4684 bttttt.exe 86 PID 4684 wrote to memory of 4900 4684 bttttt.exe 86 PID 4684 wrote to memory of 4900 4684 bttttt.exe 86 PID 4900 wrote to memory of 1056 4900 o686004.exe 87 PID 4900 wrote to memory of 1056 4900 o686004.exe 87 PID 4900 wrote to memory of 1056 4900 o686004.exe 87 PID 1056 wrote to memory of 4164 1056 jddvp.exe 88 PID 1056 wrote to memory of 4164 1056 jddvp.exe 88 PID 1056 wrote to memory of 4164 1056 jddvp.exe 88 PID 4164 wrote to memory of 4912 4164 866844.exe 89 PID 4164 wrote to memory of 4912 4164 866844.exe 89 PID 4164 wrote to memory of 4912 4164 866844.exe 89 PID 4912 wrote to memory of 2432 4912 u648844.exe 90 PID 4912 wrote to memory of 2432 4912 u648844.exe 90 PID 4912 wrote to memory of 2432 4912 u648844.exe 90 PID 2432 wrote to memory of 2764 2432 jjjdv.exe 91 PID 2432 wrote to memory of 2764 2432 jjjdv.exe 91 PID 2432 wrote to memory of 2764 2432 jjjdv.exe 91 PID 2764 wrote to memory of 2812 2764 ffllrrx.exe 92 PID 2764 wrote to memory of 2812 2764 ffllrrx.exe 92 PID 2764 wrote to memory of 2812 2764 ffllrrx.exe 92 PID 2812 wrote to memory of 2088 2812 nhhbbt.exe 93 PID 2812 wrote to memory of 2088 2812 nhhbbt.exe 93 PID 2812 wrote to memory of 2088 2812 nhhbbt.exe 93 PID 2088 wrote to memory of 3460 2088 btthhb.exe 94 PID 2088 wrote to memory of 3460 2088 btthhb.exe 94 PID 2088 wrote to memory of 3460 2088 btthhb.exe 94 PID 3460 wrote to memory of 5040 3460 4002604.exe 95 PID 3460 wrote to memory of 5040 3460 4002604.exe 95 PID 3460 wrote to memory of 5040 3460 4002604.exe 95 PID 5040 wrote to memory of 552 5040 bh8226.exe 96 PID 5040 
wrote to memory of 552 5040 bh8226.exe 96 PID 5040 wrote to memory of 552 5040 bh8226.exe 96 PID 552 wrote to memory of 1172 552 k62488.exe 97 PID 552 wrote to memory of 1172 552 k62488.exe 97 PID 552 wrote to memory of 1172 552 k62488.exe 97 PID 1172 wrote to memory of 4784 1172 flfxllf.exe 98 PID 1172 wrote to memory of 4784 1172 flfxllf.exe 98 PID 1172 wrote to memory of 4784 1172 flfxllf.exe 98 PID 4784 wrote to memory of 3852 4784 888600.exe 99 PID 4784 wrote to memory of 3852 4784 888600.exe 99 PID 4784 wrote to memory of 3852 4784 888600.exe 99 PID 3852 wrote to memory of 2936 3852 vvvvp.exe 100 PID 3852 wrote to memory of 2936 3852 vvvvp.exe 100 PID 3852 wrote to memory of 2936 3852 vvvvp.exe 100 PID 2936 wrote to memory of 3660 2936 2660802.exe 101 PID 2936 wrote to memory of 3660 2936 2660802.exe 101 PID 2936 wrote to memory of 3660 2936 2660802.exe 101 PID 3660 wrote to memory of 1668 3660 lflfffx.exe 102 PID 3660 wrote to memory of 1668 3660 lflfffx.exe 102 PID 3660 wrote to memory of 1668 3660 lflfffx.exe 102 PID 1668 wrote to memory of 2152 1668 28000.exe 103 PID 1668 wrote to memory of 2152 1668 28000.exe 103 PID 1668 wrote to memory of 2152 1668 28000.exe 103 PID 2152 wrote to memory of 5024 2152 7jddj.exe 104 PID 2152 wrote to memory of 5024 2152 7jddj.exe 104 PID 2152 wrote to memory of 5024 2152 7jddj.exe 104 PID 5024 wrote to memory of 4076 5024 606040.exe 105 PID 5024 wrote to memory of 4076 5024 606040.exe 105 PID 5024 wrote to memory of 4076 5024 606040.exe 105 PID 4076 wrote to memory of 4412 4076 688822.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\23be7236f6b96fb7436ae6cda68fbe0915dc9adeda5cdcecb53a5933b1813acfN.exe"C:\Users\Admin\AppData\Local\Temp\23be7236f6b96fb7436ae6cda68fbe0915dc9adeda5cdcecb53a5933b1813acfN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\bttttt.exec:\bttttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\o686004.exec:\o686004.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\jddvp.exec:\jddvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\866844.exec:\866844.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\u648844.exec:\u648844.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\jjjdv.exec:\jjjdv.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\ffllrrx.exec:\ffllrrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\nhhbbt.exec:\nhhbbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\btthhb.exec:\btthhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\4002604.exec:\4002604.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\bh8226.exec:\bh8226.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\k62488.exec:\k62488.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\flfxllf.exec:\flfxllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\888600.exec:\888600.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\vvvvp.exec:\vvvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\2660802.exec:\2660802.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\lflfffx.exec:\lflfffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\28000.exec:\28000.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\7jddj.exec:\7jddj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\606040.exec:\606040.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\688822.exec:\688822.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\ntbbbt.exec:\ntbbbt.exe23⤵
- Executes dropped EXE
PID:4412 -
\??\c:\44662.exec:\44662.exe24⤵
- Executes dropped EXE
PID:5116 -
\??\c:\i642444.exec:\i642444.exe25⤵
- Executes dropped EXE
PID:1788 -
\??\c:\4224060.exec:\4224060.exe26⤵
- Executes dropped EXE
PID:4400 -
\??\c:\pdpjj.exec:\pdpjj.exe27⤵
- Executes dropped EXE
PID:4500 -
\??\c:\hbhhbb.exec:\hbhhbb.exe28⤵
- Executes dropped EXE
PID:1144 -
\??\c:\00048.exec:\00048.exe29⤵
- Executes dropped EXE
PID:4836 -
\??\c:\dvpjd.exec:\dvpjd.exe30⤵
- Executes dropped EXE
PID:408 -
\??\c:\nbnnhh.exec:\nbnnhh.exe31⤵
- Executes dropped EXE
PID:3764 -
\??\c:\fxxrlll.exec:\fxxrlll.exe32⤵
- Executes dropped EXE
PID:4820 -
\??\c:\e68600.exec:\e68600.exe33⤵
- Executes dropped EXE
PID:3280 -
\??\c:\tnbbhb.exec:\tnbbhb.exe34⤵
- Executes dropped EXE
PID:3968 -
\??\c:\24004.exec:\24004.exe35⤵
- Executes dropped EXE
PID:4792 -
\??\c:\llfffrx.exec:\llfffrx.exe36⤵
- Executes dropped EXE
PID:2908 -
\??\c:\484822.exec:\484822.exe37⤵
- Executes dropped EXE
PID:1944 -
\??\c:\1ddvj.exec:\1ddvj.exe38⤵
- Executes dropped EXE
PID:4224 -
\??\c:\0288226.exec:\0288226.exe39⤵
- Executes dropped EXE
PID:2996 -
\??\c:\ffrlrlr.exec:\ffrlrlr.exe40⤵
- Executes dropped EXE
PID:968 -
\??\c:\048844.exec:\048844.exe41⤵
- Executes dropped EXE
PID:4244 -
\??\c:\nbtnnh.exec:\nbtnnh.exe42⤵
- Executes dropped EXE
PID:4636 -
\??\c:\8282884.exec:\8282884.exe43⤵
- Executes dropped EXE
PID:4332 -
\??\c:\nnhnht.exec:\nnhnht.exe44⤵
- Executes dropped EXE
PID:536 -
\??\c:\lrxxrrr.exec:\lrxxrrr.exe45⤵
- Executes dropped EXE
PID:2972 -
\??\c:\ttbbtn.exec:\ttbbtn.exe46⤵
- Executes dropped EXE
PID:216 -
\??\c:\dvddj.exec:\dvddj.exe47⤵
- Executes dropped EXE
PID:4940 -
\??\c:\60262.exec:\60262.exe48⤵
- Executes dropped EXE
PID:1576 -
\??\c:\9rxrllf.exec:\9rxrllf.exe49⤵
- Executes dropped EXE
PID:3032 -
\??\c:\8006048.exec:\8006048.exe50⤵
- Executes dropped EXE
PID:3272 -
\??\c:\280600.exec:\280600.exe51⤵
- Executes dropped EXE
PID:2548 -
\??\c:\hthbbb.exec:\hthbbb.exe52⤵
- Executes dropped EXE
PID:4912 -
\??\c:\hbthtt.exec:\hbthtt.exe53⤵
- Executes dropped EXE
PID:4588 -
\??\c:\rxxxrrr.exec:\rxxxrrr.exe54⤵
- Executes dropped EXE
PID:2376 -
\??\c:\ddvdv.exec:\ddvdv.exe55⤵
- Executes dropped EXE
PID:2276 -
\??\c:\7nthtn.exec:\7nthtn.exe56⤵
- Executes dropped EXE
PID:436 -
\??\c:\8028226.exec:\8028226.exe57⤵
- Executes dropped EXE
PID:4944 -
\??\c:\xfxxrrr.exec:\xfxxrrr.exe58⤵
- Executes dropped EXE
PID:4800 -
\??\c:\g4086.exec:\g4086.exe59⤵
- Executes dropped EXE
PID:3156 -
\??\c:\c482086.exec:\c482086.exe60⤵
- Executes dropped EXE
PID:4744 -
\??\c:\q22642.exec:\q22642.exe61⤵
- Executes dropped EXE
PID:3076 -
\??\c:\7rxrllf.exec:\7rxrllf.exe62⤵
- Executes dropped EXE
PID:4688 -
\??\c:\6844882.exec:\6844882.exe63⤵
- Executes dropped EXE
PID:1172 -
\??\c:\262248.exec:\262248.exe64⤵
- Executes dropped EXE
PID:3592 -
\??\c:\xfrlxrl.exec:\xfrlxrl.exe65⤵
- Executes dropped EXE
PID:4216 -
\??\c:\bhtnnn.exec:\bhtnnn.exe66⤵PID:2116
-
\??\c:\9rrlxxr.exec:\9rrlxxr.exe67⤵PID:4728
-
\??\c:\bthbbt.exec:\bthbbt.exe68⤵PID:3952
-
\??\c:\0664208.exec:\0664208.exe69⤵PID:836
-
\??\c:\3xfxffl.exec:\3xfxffl.exe70⤵PID:4220
-
\??\c:\5nbtbt.exec:\5nbtbt.exe71⤵PID:2516
-
\??\c:\vjdpd.exec:\vjdpd.exe72⤵PID:4692
-
\??\c:\08048.exec:\08048.exe73⤵PID:3036
-
\??\c:\5llxfxf.exec:\5llxfxf.exe74⤵PID:4876
-
\??\c:\422606.exec:\422606.exe75⤵PID:3160
-
\??\c:\2800820.exec:\2800820.exe76⤵PID:3948
-
\??\c:\20802.exec:\20802.exe77⤵PID:1096
-
\??\c:\nbbnbt.exec:\nbbnbt.exe78⤵PID:2668
-
\??\c:\66086.exec:\66086.exe79⤵PID:3664
-
\??\c:\4242446.exec:\4242446.exe80⤵PID:1428
-
\??\c:\7tbtbb.exec:\7tbtbb.exe81⤵PID:2108
-
\??\c:\5pjvd.exec:\5pjvd.exe82⤵PID:1588
-
\??\c:\jvddp.exec:\jvddp.exe83⤵PID:3264
-
\??\c:\jvvpd.exec:\jvvpd.exe84⤵PID:3216
-
\??\c:\7jdpv.exec:\7jdpv.exe85⤵PID:2608
-
\??\c:\7fxlrlx.exec:\7fxlrlx.exe86⤵PID:1708
-
\??\c:\406082.exec:\406082.exe87⤵PID:4712
-
\??\c:\04042.exec:\04042.exe88⤵PID:3764
-
\??\c:\llrlxrl.exec:\llrlxrl.exe89⤵PID:3988
-
\??\c:\6048604.exec:\6048604.exe90⤵PID:3620
-
\??\c:\bnhntn.exec:\bnhntn.exe91⤵
- System Location Discovery: System Language Discovery
PID:844 -
\??\c:\tnhbtn.exec:\tnhbtn.exe92⤵PID:4764
-
\??\c:\lffrffx.exec:\lffrffx.exe93⤵PID:396
-
\??\c:\7hbthb.exec:\7hbthb.exe94⤵PID:1688
-
\??\c:\9tbthh.exec:\9tbthh.exe95⤵
- System Location Discovery: System Language Discovery
PID:2200 -
\??\c:\9rxlrlf.exec:\9rxlrlf.exe96⤵PID:2148
-
\??\c:\fxrlxrf.exec:\fxrlxrf.exe97⤵PID:348
-
\??\c:\g8422.exec:\g8422.exe98⤵PID:968
-
\??\c:\a0642.exec:\a0642.exe99⤵PID:1628
-
\??\c:\42864.exec:\42864.exe100⤵PID:1640
-
\??\c:\08264.exec:\08264.exe101⤵PID:4376
-
\??\c:\64820.exec:\64820.exe102⤵PID:224
-
\??\c:\rllfrxl.exec:\rllfrxl.exe103⤵PID:2848
-
\??\c:\nhbbnt.exec:\nhbbnt.exe104⤵PID:3416
-
\??\c:\6060444.exec:\6060444.exe105⤵PID:2576
-
\??\c:\3xlfrfx.exec:\3xlfrfx.exe106⤵PID:5060
-
\??\c:\48426.exec:\48426.exe107⤵PID:4272
-
\??\c:\62204.exec:\62204.exe108⤵PID:3316
-
\??\c:\828642.exec:\828642.exe109⤵PID:4164
-
\??\c:\dpvvj.exec:\dpvvj.exe110⤵PID:1028
-
\??\c:\fllxffr.exec:\fllxffr.exe111⤵PID:2548
-
\??\c:\pdvjd.exec:\pdvjd.exe112⤵PID:4912
-
\??\c:\dpvpv.exec:\dpvpv.exe113⤵PID:4588
-
\??\c:\pvvpj.exec:\pvvpj.exe114⤵PID:2376
-
\??\c:\40042.exec:\40042.exe115⤵PID:4888
-
\??\c:\46642.exec:\46642.exe116⤵PID:2640
-
\??\c:\nnnbnh.exec:\nnnbnh.exe117⤵PID:2812
-
\??\c:\e20400.exec:\e20400.exe118⤵PID:3328
-
\??\c:\u248882.exec:\u248882.exe119⤵PID:3508
-
\??\c:\s6264.exec:\s6264.exe120⤵PID:4800
-
\??\c:\hhnthb.exec:\hhnthb.exe121⤵PID:5040
-
\??\c:\82626.exec:\82626.exe122⤵PID:784