Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 09:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6c19f1fa7c608066cc8fdb33de44972181724eedc232f7c39ec9ff315414a5b7.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6c19f1fa7c608066cc8fdb33de44972181724eedc232f7c39ec9ff315414a5b7.exe
-
Size
453KB
-
MD5
4cf3e6eb9687bb03ff61c18d689afba1
-
SHA1
4c3745b1d69239817e992c5f632c2a6cd3d346ee
-
SHA256
6c19f1fa7c608066cc8fdb33de44972181724eedc232f7c39ec9ff315414a5b7
-
SHA512
88b43fd3d7bbb6948bea88c8025f237b977092ab150c24dd935765a7bc92d0317f6c3a2cbbd1c529f5f35194be0a9a2e507c8885d99e34c68a2101ac87115c02
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/3344-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/316-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/380-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-881-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-1047-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-1570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4496 o662086.exe 4768 ppjvj.exe 2896 642042.exe 4436 bnthbt.exe 3968 tbthth.exe 2136 flfrxrf.exe 1348 0666604.exe 3216 46084.exe 1420 26004.exe 3088 04666.exe 3840 9hhhbb.exe 3820 bthhnn.exe 3024 pdpvv.exe 2044 e24800.exe 2268 9nnnnn.exe 4704 lxxrlll.exe 2728 xxffllr.exe 760 488204.exe 4544 82206.exe 3204 xlfrxrf.exe 1172 w06882.exe 4696 24208.exe 544 4264264.exe 1132 rrrfrlx.exe 228 40086.exe 2308 884804.exe 3056 llxlfrx.exe 2696 dvvjv.exe 2072 e02044.exe 4108 jjpjd.exe 2812 e22828.exe 2084 88040.exe 4792 8028226.exe 2924 hnbnhn.exe 4140 86686.exe 4584 6440242.exe 2124 lfrlfxr.exe 3488 46226.exe 316 bbhbnn.exe 3988 9vvpd.exe 4088 2060882.exe 2440 24442.exe 1808 o460602.exe 5012 0242260.exe 5072 02604.exe 2060 424826.exe 3872 628200.exe 4068 6064226.exe 3220 nhhbtt.exe 4808 26004.exe 4848 60448.exe 444 6246820.exe 5008 xlxxrlf.exe 2248 26260.exe 3704 04404.exe 64 1vddj.exe 2960 866066.exe 2024 c486486.exe 1560 jddjd.exe 4692 66064.exe 1216 rlxrrrx.exe 4420 c686048.exe 1736 6222660.exe 4940 648866.exe -
resource yara_rule behavioral2/memory/3344-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-182-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4584-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-380-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/380-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-723-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-756-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8442646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllflf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 006426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0404222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0242260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0846462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3344 wrote to memory of 4496 3344 6c19f1fa7c608066cc8fdb33de44972181724eedc232f7c39ec9ff315414a5b7.exe 85 PID 3344 wrote to memory of 4496 3344 6c19f1fa7c608066cc8fdb33de44972181724eedc232f7c39ec9ff315414a5b7.exe 85 PID 3344 wrote to memory of 4496 3344 6c19f1fa7c608066cc8fdb33de44972181724eedc232f7c39ec9ff315414a5b7.exe 85 PID 4496 wrote to memory of 4768 4496 o662086.exe 86 PID 4496 wrote to memory of 4768 4496 o662086.exe 86 PID 4496 wrote to memory of 4768 4496 o662086.exe 86 PID 4768 wrote to memory of 2896 4768 ppjvj.exe 87 PID 4768 wrote to memory of 2896 4768 ppjvj.exe 87 PID 4768 wrote to memory of 2896 4768 ppjvj.exe 87 PID 2896 wrote to memory of 4436 2896 642042.exe 88 PID 2896 wrote to memory of 4436 2896 642042.exe 88 PID 2896 wrote to memory of 4436 2896 642042.exe 88 PID 4436 wrote to memory of 3968 4436 bnthbt.exe 89 PID 4436 wrote to memory of 3968 4436 bnthbt.exe 89 PID 4436 wrote to memory of 3968 4436 bnthbt.exe 89 PID 3968 wrote to memory of 2136 3968 tbthth.exe 90 PID 3968 wrote to memory of 2136 3968 tbthth.exe 90 PID 3968 wrote to memory of 2136 3968 tbthth.exe 90 PID 2136 wrote to memory of 1348 2136 flfrxrf.exe 91 PID 2136 wrote to memory of 1348 2136 flfrxrf.exe 91 PID 2136 wrote to memory of 1348 2136 flfrxrf.exe 91 PID 1348 wrote to memory of 3216 1348 0666604.exe 92 PID 1348 wrote to memory of 3216 1348 0666604.exe 92 PID 1348 wrote to memory of 3216 1348 0666604.exe 92 PID 3216 wrote to memory of 1420 3216 46084.exe 93 PID 3216 wrote to memory of 1420 3216 46084.exe 93 PID 3216 wrote to memory of 1420 3216 46084.exe 93 PID 1420 wrote to memory of 3088 1420 26004.exe 94 PID 1420 wrote to memory of 3088 1420 26004.exe 94 PID 1420 wrote to memory of 3088 1420 26004.exe 94 PID 3088 wrote to memory of 3840 3088 04666.exe 95 PID 3088 wrote to memory of 3840 3088 04666.exe 95 PID 3088 wrote to memory of 3840 3088 04666.exe 95 PID 3840 wrote to memory of 3820 3840 9hhhbb.exe 96 PID 3840 wrote to 
memory of 3820 3840 9hhhbb.exe 96 PID 3840 wrote to memory of 3820 3840 9hhhbb.exe 96 PID 3820 wrote to memory of 3024 3820 bthhnn.exe 97 PID 3820 wrote to memory of 3024 3820 bthhnn.exe 97 PID 3820 wrote to memory of 3024 3820 bthhnn.exe 97 PID 3024 wrote to memory of 2044 3024 pdpvv.exe 98 PID 3024 wrote to memory of 2044 3024 pdpvv.exe 98 PID 3024 wrote to memory of 2044 3024 pdpvv.exe 98 PID 2044 wrote to memory of 2268 2044 e24800.exe 99 PID 2044 wrote to memory of 2268 2044 e24800.exe 99 PID 2044 wrote to memory of 2268 2044 e24800.exe 99 PID 2268 wrote to memory of 4704 2268 9nnnnn.exe 100 PID 2268 wrote to memory of 4704 2268 9nnnnn.exe 100 PID 2268 wrote to memory of 4704 2268 9nnnnn.exe 100 PID 4704 wrote to memory of 2728 4704 lxxrlll.exe 101 PID 4704 wrote to memory of 2728 4704 lxxrlll.exe 101 PID 4704 wrote to memory of 2728 4704 lxxrlll.exe 101 PID 2728 wrote to memory of 760 2728 xxffllr.exe 102 PID 2728 wrote to memory of 760 2728 xxffllr.exe 102 PID 2728 wrote to memory of 760 2728 xxffllr.exe 102 PID 760 wrote to memory of 4544 760 488204.exe 103 PID 760 wrote to memory of 4544 760 488204.exe 103 PID 760 wrote to memory of 4544 760 488204.exe 103 PID 4544 wrote to memory of 3204 4544 82206.exe 104 PID 4544 wrote to memory of 3204 4544 82206.exe 104 PID 4544 wrote to memory of 3204 4544 82206.exe 104 PID 3204 wrote to memory of 1172 3204 xlfrxrf.exe 105 PID 3204 wrote to memory of 1172 3204 xlfrxrf.exe 105 PID 3204 wrote to memory of 1172 3204 xlfrxrf.exe 105 PID 1172 wrote to memory of 4696 1172 w06882.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c19f1fa7c608066cc8fdb33de44972181724eedc232f7c39ec9ff315414a5b7.exe"C:\Users\Admin\AppData\Local\Temp\6c19f1fa7c608066cc8fdb33de44972181724eedc232f7c39ec9ff315414a5b7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\o662086.exec:\o662086.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\ppjvj.exec:\ppjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\642042.exec:\642042.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\bnthbt.exec:\bnthbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\tbthth.exec:\tbthth.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\flfrxrf.exec:\flfrxrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\0666604.exec:\0666604.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\46084.exec:\46084.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\26004.exec:\26004.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\04666.exec:\04666.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\9hhhbb.exec:\9hhhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\bthhnn.exec:\bthhnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\pdpvv.exec:\pdpvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\e24800.exec:\e24800.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\9nnnnn.exec:\9nnnnn.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\lxxrlll.exec:\lxxrlll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\xxffllr.exec:\xxffllr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\488204.exec:\488204.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\82206.exec:\82206.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\xlfrxrf.exec:\xlfrxrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\w06882.exec:\w06882.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\24208.exec:\24208.exe23⤵
- Executes dropped EXE
PID:4696 -
\??\c:\4264264.exec:\4264264.exe24⤵
- Executes dropped EXE
PID:544 -
\??\c:\rrrfrlx.exec:\rrrfrlx.exe25⤵
- Executes dropped EXE
PID:1132 -
\??\c:\40086.exec:\40086.exe26⤵
- Executes dropped EXE
PID:228 -
\??\c:\884804.exec:\884804.exe27⤵
- Executes dropped EXE
PID:2308 -
\??\c:\llxlfrx.exec:\llxlfrx.exe28⤵
- Executes dropped EXE
PID:3056 -
\??\c:\dvvjv.exec:\dvvjv.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2696 -
\??\c:\e02044.exec:\e02044.exe30⤵
- Executes dropped EXE
PID:2072 -
\??\c:\jjpjd.exec:\jjpjd.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4108 -
\??\c:\e22828.exec:\e22828.exe32⤵
- Executes dropped EXE
PID:2812 -
\??\c:\88040.exec:\88040.exe33⤵
- Executes dropped EXE
PID:2084 -
\??\c:\8028226.exec:\8028226.exe34⤵
- Executes dropped EXE
PID:4792 -
\??\c:\hnbnhn.exec:\hnbnhn.exe35⤵
- Executes dropped EXE
PID:2924 -
\??\c:\86686.exec:\86686.exe36⤵
- Executes dropped EXE
PID:4140 -
\??\c:\6440242.exec:\6440242.exe37⤵
- Executes dropped EXE
PID:4584 -
\??\c:\lfrlfxr.exec:\lfrlfxr.exe38⤵
- Executes dropped EXE
PID:2124 -
\??\c:\46226.exec:\46226.exe39⤵
- Executes dropped EXE
PID:3488 -
\??\c:\bbhbnn.exec:\bbhbnn.exe40⤵
- Executes dropped EXE
PID:316 -
\??\c:\9vvpd.exec:\9vvpd.exe41⤵
- Executes dropped EXE
PID:3988 -
\??\c:\2060882.exec:\2060882.exe42⤵
- Executes dropped EXE
PID:4088 -
\??\c:\24442.exec:\24442.exe43⤵
- Executes dropped EXE
PID:2440 -
\??\c:\o460602.exec:\o460602.exe44⤵
- Executes dropped EXE
PID:1808 -
\??\c:\0242260.exec:\0242260.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5012 -
\??\c:\02604.exec:\02604.exe46⤵
- Executes dropped EXE
PID:5072 -
\??\c:\424826.exec:\424826.exe47⤵
- Executes dropped EXE
PID:2060 -
\??\c:\628200.exec:\628200.exe48⤵
- Executes dropped EXE
PID:3872 -
\??\c:\6064226.exec:\6064226.exe49⤵
- Executes dropped EXE
PID:4068 -
\??\c:\nhhbtt.exec:\nhhbtt.exe50⤵
- Executes dropped EXE
PID:3220 -
\??\c:\26004.exec:\26004.exe51⤵
- Executes dropped EXE
PID:4808 -
\??\c:\60448.exec:\60448.exe52⤵
- Executes dropped EXE
PID:4848 -
\??\c:\6246820.exec:\6246820.exe53⤵
- Executes dropped EXE
PID:444 -
\??\c:\xlxxrlf.exec:\xlxxrlf.exe54⤵
- Executes dropped EXE
PID:5008 -
\??\c:\26260.exec:\26260.exe55⤵
- Executes dropped EXE
PID:2248 -
\??\c:\04404.exec:\04404.exe56⤵
- Executes dropped EXE
PID:3704 -
\??\c:\1vddj.exec:\1vddj.exe57⤵
- Executes dropped EXE
PID:64 -
\??\c:\866066.exec:\866066.exe58⤵
- Executes dropped EXE
PID:2960 -
\??\c:\c486486.exec:\c486486.exe59⤵
- Executes dropped EXE
PID:2024 -
\??\c:\jddjd.exec:\jddjd.exe60⤵
- Executes dropped EXE
PID:1560 -
\??\c:\66064.exec:\66064.exe61⤵
- Executes dropped EXE
PID:4692 -
\??\c:\rlxrrrx.exec:\rlxrrrx.exe62⤵
- Executes dropped EXE
PID:1216 -
\??\c:\c686048.exec:\c686048.exe63⤵
- Executes dropped EXE
PID:4420 -
\??\c:\6222660.exec:\6222660.exe64⤵
- Executes dropped EXE
PID:1736 -
\??\c:\648866.exec:\648866.exe65⤵
- Executes dropped EXE
PID:4940 -
\??\c:\g8064.exec:\g8064.exe66⤵PID:3372
-
\??\c:\684080.exec:\684080.exe67⤵PID:3820
-
\??\c:\406066.exec:\406066.exe68⤵PID:4520
-
\??\c:\64000.exec:\64000.exe69⤵PID:3024
-
\??\c:\hbnhhb.exec:\hbnhhb.exe70⤵PID:4824
-
\??\c:\8060886.exec:\8060886.exe71⤵PID:2996
-
\??\c:\262646.exec:\262646.exe72⤵PID:2268
-
\??\c:\6460040.exec:\6460040.exe73⤵PID:2320
-
\??\c:\624866.exec:\624866.exe74⤵PID:2728
-
\??\c:\jdvdv.exec:\jdvdv.exe75⤵PID:4104
-
\??\c:\0400488.exec:\0400488.exe76⤵PID:3152
-
\??\c:\nnnntt.exec:\nnnntt.exe77⤵PID:4800
-
\??\c:\fxllrrx.exec:\fxllrrx.exe78⤵PID:3180
-
\??\c:\pjpjd.exec:\pjpjd.exe79⤵PID:3528
-
\??\c:\lxrxllx.exec:\lxrxllx.exe80⤵PID:4996
-
\??\c:\9jjvp.exec:\9jjvp.exe81⤵PID:544
-
\??\c:\fllrfrl.exec:\fllrfrl.exe82⤵PID:352
-
\??\c:\6004262.exec:\6004262.exe83⤵PID:232
-
\??\c:\1flfxxr.exec:\1flfxxr.exe84⤵
- System Location Discovery: System Language Discovery
PID:2752 -
\??\c:\frxxrrr.exec:\frxxrrr.exe85⤵PID:4664
-
\??\c:\nbbtnh.exec:\nbbtnh.exe86⤵PID:636
-
\??\c:\6660484.exec:\6660484.exe87⤵PID:1644
-
\??\c:\flfxllf.exec:\flfxllf.exe88⤵PID:2324
-
\??\c:\vjvpp.exec:\vjvpp.exe89⤵PID:740
-
\??\c:\684882.exec:\684882.exe90⤵PID:3684
-
\??\c:\5lxrrxr.exec:\5lxrrxr.exe91⤵PID:3688
-
\??\c:\fllfrrf.exec:\fllfrrf.exe92⤵PID:4528
-
\??\c:\4804844.exec:\4804844.exe93⤵PID:380
-
\??\c:\08482.exec:\08482.exe94⤵PID:1416
-
\??\c:\u066488.exec:\u066488.exe95⤵PID:1016
-
\??\c:\208826.exec:\208826.exe96⤵PID:4384
-
\??\c:\rlffxrr.exec:\rlffxrr.exe97⤵PID:1716
-
\??\c:\fffxrlf.exec:\fffxrlf.exe98⤵PID:3496
-
\??\c:\6026228.exec:\6026228.exe99⤵PID:1452
-
\??\c:\pjppv.exec:\pjppv.exe100⤵PID:4628
-
\??\c:\k02262.exec:\k02262.exe101⤵PID:4088
-
\??\c:\9fxrllx.exec:\9fxrllx.exe102⤵PID:808
-
\??\c:\o426660.exec:\o426660.exe103⤵PID:4100
-
\??\c:\1nbtnh.exec:\1nbtnh.exe104⤵PID:4564
-
\??\c:\hbbtnn.exec:\hbbtnn.exe105⤵PID:4460
-
\??\c:\o882626.exec:\o882626.exe106⤵PID:4356
-
\??\c:\2060448.exec:\2060448.exe107⤵PID:1160
-
\??\c:\lxlrlfx.exec:\lxlrlfx.exe108⤵PID:860
-
\??\c:\btbtnh.exec:\btbtnh.exe109⤵PID:2820
-
\??\c:\68666.exec:\68666.exe110⤵PID:1788
-
\??\c:\9bhbbb.exec:\9bhbbb.exe111⤵PID:2624
-
\??\c:\006088.exec:\006088.exe112⤵PID:4964
-
\??\c:\88042.exec:\88042.exe113⤵PID:3968
-
\??\c:\rfrlllr.exec:\rfrlllr.exe114⤵PID:4960
-
\??\c:\rflfrlr.exec:\rflfrlr.exe115⤵PID:1696
-
\??\c:\dvvvv.exec:\dvvvv.exe116⤵PID:1560
-
\??\c:\m0004.exec:\m0004.exe117⤵PID:1424
-
\??\c:\68488.exec:\68488.exe118⤵PID:4280
-
\??\c:\4448644.exec:\4448644.exe119⤵PID:2408
-
\??\c:\k04640.exec:\k04640.exe120⤵PID:3760
-
\??\c:\lrrflxr.exec:\lrrflxr.exe121⤵PID:4632
-
\??\c:\2264264.exec:\2264264.exe122⤵PID:4920
-