Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 10:49
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
05615e9ba5e736d79049f089a1adbd9abc433c80bd6aafad9d8c53a902ad84aaN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
(Note: the signature detail and process tree reproduced on this page are tagged behavioral2 and correspond to the win10v2004-20241007-en x64 platform given in the Analysis header above; the behavioral1 / Windows 7 x64 task is listed here but its results are not shown on this page. Do not mix PIDs or memory ranges across the two tasks.)
General
-
Target
05615e9ba5e736d79049f089a1adbd9abc433c80bd6aafad9d8c53a902ad84aaN.exe
-
Size
453KB
-
MD5
2cac169befdb02e6b0f8c9a518976570
-
SHA1
cc7a4be941eb3127a8b8ee5ac678b210288b2cd3
-
SHA256
05615e9ba5e736d79049f089a1adbd9abc433c80bd6aafad9d8c53a902ad84aa
-
SHA512
ea73b308d2abbcd8c6a3c53f984823336fb1b7c3628189e6cf7c0716c8e0ff25588b6b42240d9c67194f170c8edde4028986a35d5bb9b01d4c1b536839f00a78
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config (no entries on this page — no C2 or configuration data was extracted for this sample here)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs (yara rule `family_blackmoon`; it matches the memory dump of the initial process (PID 2788) and of every dropped child at the identical 0x0000000000400000–0x000000000042A000 image range, which is consistent with each stage being a copy of the same payload rather than a differently built binary — verify by comparing the dropped files' hashes)
resource yara_rule behavioral2/memory/2788-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1264-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2156-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-881-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-1032-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-1155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-1581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-1909-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the pid/process table below lists the first 64 dropped executables; the unlabeled `yara_rule` list that follows it is the `upx` packer rule, matching the same 0x400000–0x42A000 memory ranges as `family_blackmoon` above, so the sample and its dropped children appear to be UPX-packed — confirm with the static task before relying on it for detection)
pid Process 2888 0088228.exe 2448 ffxxrrl.exe 2468 btttnn.exe 4948 24062.exe 4424 nbtbtb.exe 3036 8000826.exe 2280 0408406.exe 4540 468082.exe 4312 nbhtnh.exe 772 3bthtt.exe 1228 rflxlfr.exe 4040 0808888.exe 2736 pjjvj.exe 3140 068200.exe 4688 428204.exe 624 9pdpp.exe 3680 jdvjd.exe 4512 62620.exe 468 nbbhhn.exe 3708 g6862.exe 2368 o426486.exe 4840 422600.exe 2764 6880442.exe 5028 02448.exe 1736 840262.exe 4556 024880.exe 4520 80000.exe 3440 822822.exe 1792 ttnhbb.exe 1576 a4426.exe 1264 606044.exe 724 i026640.exe 2212 m0884.exe 2464 8286448.exe 1604 04486.exe 3132 bbhhth.exe 4932 088084.exe 2484 3ppdv.exe 1140 62444.exe 116 0484822.exe 3616 vvvpp.exe 3188 04448.exe 1600 s0648.exe 4420 800066.exe 1628 vpjvj.exe 2984 0488448.exe 3496 4400444.exe 2696 rflllll.exe 4744 vvdpj.exe 3488 lxxxxxx.exe 2080 s4266.exe 1960 fffffff.exe 628 xffxxrr.exe 4172 lxrlllf.exe 1348 64442.exe 2012 vpjdv.exe 968 jvppj.exe 4240 vpddp.exe 1588 82002.exe 1880 hnbtnn.exe 1444 ffrrffl.exe 1432 06466.exe 2432 4844042.exe 4504 428222.exe -
resource yara_rule behavioral2/memory/2788-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1264-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-381-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/884-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-881-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-1032-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The indicator here is a read of the registry key `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`; this key is also read by many benign runtimes and installers, so treat it as a weak, corroborating indicator rather than a detection on its own. Entries attributed to "Process not Found" are most likely reads whose originating process had already exited before the sandbox could resolve its PID, which fits the short-lived, chained processes in the tree below (note the PID reuse, e.g. 3708, 2464, 1604 appear twice).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4004008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6488222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4066082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k26060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnnt.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8888844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4060820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00842.exe -
Suspicious use of WriteProcessMemory 64 IoCs (every write in the list below targets the child process that the writing stage launches next — three writes per parent/child pair along a strictly linear chain 2788 → 2888 → 2448 → … — and no write targets an unrelated or pre-existing process. The sandbox commonly raises this signature for ordinary child-process creation, so on the evidence shown it does not by itself indicate code injection into a foreign process; the more useful behavioral indicator is the chain itself.)
description pid Process procid_target PID 2788 wrote to memory of 2888 2788 05615e9ba5e736d79049f089a1adbd9abc433c80bd6aafad9d8c53a902ad84aaN.exe 83 PID 2788 wrote to memory of 2888 2788 05615e9ba5e736d79049f089a1adbd9abc433c80bd6aafad9d8c53a902ad84aaN.exe 83 PID 2788 wrote to memory of 2888 2788 05615e9ba5e736d79049f089a1adbd9abc433c80bd6aafad9d8c53a902ad84aaN.exe 83 PID 2888 wrote to memory of 2448 2888 0088228.exe 84 PID 2888 wrote to memory of 2448 2888 0088228.exe 84 PID 2888 wrote to memory of 2448 2888 0088228.exe 84 PID 2448 wrote to memory of 2468 2448 ffxxrrl.exe 85 PID 2448 wrote to memory of 2468 2448 ffxxrrl.exe 85 PID 2448 wrote to memory of 2468 2448 ffxxrrl.exe 85 PID 2468 wrote to memory of 4948 2468 btttnn.exe 86 PID 2468 wrote to memory of 4948 2468 btttnn.exe 86 PID 2468 wrote to memory of 4948 2468 btttnn.exe 86 PID 4948 wrote to memory of 4424 4948 24062.exe 87 PID 4948 wrote to memory of 4424 4948 24062.exe 87 PID 4948 wrote to memory of 4424 4948 24062.exe 87 PID 4424 wrote to memory of 3036 4424 nbtbtb.exe 88 PID 4424 wrote to memory of 3036 4424 nbtbtb.exe 88 PID 4424 wrote to memory of 3036 4424 nbtbtb.exe 88 PID 3036 wrote to memory of 2280 3036 8000826.exe 89 PID 3036 wrote to memory of 2280 3036 8000826.exe 89 PID 3036 wrote to memory of 2280 3036 8000826.exe 89 PID 2280 wrote to memory of 4540 2280 0408406.exe 90 PID 2280 wrote to memory of 4540 2280 0408406.exe 90 PID 2280 wrote to memory of 4540 2280 0408406.exe 90 PID 4540 wrote to memory of 4312 4540 468082.exe 91 PID 4540 wrote to memory of 4312 4540 468082.exe 91 PID 4540 wrote to memory of 4312 4540 468082.exe 91 PID 4312 wrote to memory of 772 4312 nbhtnh.exe 92 PID 4312 wrote to memory of 772 4312 nbhtnh.exe 92 PID 4312 wrote to memory of 772 4312 nbhtnh.exe 92 PID 772 wrote to memory of 1228 772 3bthtt.exe 93 PID 772 wrote to memory of 1228 772 3bthtt.exe 93 PID 772 wrote to memory of 1228 772 3bthtt.exe 93 PID 1228 wrote to memory of 4040 1228 rflxlfr.exe 94 PID 1228 wrote 
to memory of 4040 1228 rflxlfr.exe 94 PID 1228 wrote to memory of 4040 1228 rflxlfr.exe 94 PID 4040 wrote to memory of 2736 4040 0808888.exe 95 PID 4040 wrote to memory of 2736 4040 0808888.exe 95 PID 4040 wrote to memory of 2736 4040 0808888.exe 95 PID 2736 wrote to memory of 3140 2736 pjjvj.exe 96 PID 2736 wrote to memory of 3140 2736 pjjvj.exe 96 PID 2736 wrote to memory of 3140 2736 pjjvj.exe 96 PID 3140 wrote to memory of 4688 3140 068200.exe 97 PID 3140 wrote to memory of 4688 3140 068200.exe 97 PID 3140 wrote to memory of 4688 3140 068200.exe 97 PID 4688 wrote to memory of 624 4688 428204.exe 98 PID 4688 wrote to memory of 624 4688 428204.exe 98 PID 4688 wrote to memory of 624 4688 428204.exe 98 PID 624 wrote to memory of 3680 624 9pdpp.exe 99 PID 624 wrote to memory of 3680 624 9pdpp.exe 99 PID 624 wrote to memory of 3680 624 9pdpp.exe 99 PID 3680 wrote to memory of 4512 3680 jdvjd.exe 100 PID 3680 wrote to memory of 4512 3680 jdvjd.exe 100 PID 3680 wrote to memory of 4512 3680 jdvjd.exe 100 PID 4512 wrote to memory of 468 4512 62620.exe 101 PID 4512 wrote to memory of 468 4512 62620.exe 101 PID 4512 wrote to memory of 468 4512 62620.exe 101 PID 468 wrote to memory of 3708 468 nbbhhn.exe 102 PID 468 wrote to memory of 3708 468 nbbhhn.exe 102 PID 468 wrote to memory of 3708 468 nbbhhn.exe 102 PID 3708 wrote to memory of 2368 3708 g6862.exe 103 PID 3708 wrote to memory of 2368 3708 g6862.exe 103 PID 3708 wrote to memory of 2368 3708 g6862.exe 103 PID 2368 wrote to memory of 4840 2368 o426486.exe 104
Processes (a single linear parent→child chain at least 122 stages deep; each stage is a freshly dropped executable written to the root of the system volume — note the `\??\c:\NAME.exe` paths — under a short, apparently random name, which then spawns the next stage. Repeated PIDs further down the tree (e.g. 3708, 2464, 1604, 2484, 1140, 4172, 2012) show that earlier stages exit and their PIDs are recycled, so any host-based hunt should key on the file-creation events in `C:\` and the parent/child spawn pattern rather than on process names or PIDs. The tree listing is cut off at stage 122 within the 120 s analysis window.)
-
C:\Users\Admin\AppData\Local\Temp\05615e9ba5e736d79049f089a1adbd9abc433c80bd6aafad9d8c53a902ad84aaN.exe"C:\Users\Admin\AppData\Local\Temp\05615e9ba5e736d79049f089a1adbd9abc433c80bd6aafad9d8c53a902ad84aaN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\0088228.exec:\0088228.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\ffxxrrl.exec:\ffxxrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\btttnn.exec:\btttnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\24062.exec:\24062.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\nbtbtb.exec:\nbtbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\8000826.exec:\8000826.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\0408406.exec:\0408406.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\468082.exec:\468082.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\nbhtnh.exec:\nbhtnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\3bthtt.exec:\3bthtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\rflxlfr.exec:\rflxlfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\0808888.exec:\0808888.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\pjjvj.exec:\pjjvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\068200.exec:\068200.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\428204.exec:\428204.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\9pdpp.exec:\9pdpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\jdvjd.exec:\jdvjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\62620.exec:\62620.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\nbbhhn.exec:\nbbhhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\g6862.exec:\g6862.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\o426486.exec:\o426486.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\422600.exec:\422600.exe23⤵
- Executes dropped EXE
PID:4840 -
\??\c:\6880442.exec:\6880442.exe24⤵
- Executes dropped EXE
PID:2764 -
\??\c:\02448.exec:\02448.exe25⤵
- Executes dropped EXE
PID:5028 -
\??\c:\840262.exec:\840262.exe26⤵
- Executes dropped EXE
PID:1736 -
\??\c:\024880.exec:\024880.exe27⤵
- Executes dropped EXE
PID:4556 -
\??\c:\80000.exec:\80000.exe28⤵
- Executes dropped EXE
PID:4520 -
\??\c:\822822.exec:\822822.exe29⤵
- Executes dropped EXE
PID:3440 -
\??\c:\ttnhbb.exec:\ttnhbb.exe30⤵
- Executes dropped EXE
PID:1792 -
\??\c:\a4426.exec:\a4426.exe31⤵
- Executes dropped EXE
PID:1576 -
\??\c:\606044.exec:\606044.exe32⤵
- Executes dropped EXE
PID:1264 -
\??\c:\i026640.exec:\i026640.exe33⤵
- Executes dropped EXE
PID:724 -
\??\c:\m0884.exec:\m0884.exe34⤵
- Executes dropped EXE
PID:2212 -
\??\c:\8286448.exec:\8286448.exe35⤵
- Executes dropped EXE
PID:2464 -
\??\c:\04486.exec:\04486.exe36⤵
- Executes dropped EXE
PID:1604 -
\??\c:\bbhhth.exec:\bbhhth.exe37⤵
- Executes dropped EXE
PID:3132 -
\??\c:\088084.exec:\088084.exe38⤵
- Executes dropped EXE
PID:4932 -
\??\c:\3ppdv.exec:\3ppdv.exe39⤵
- Executes dropped EXE
PID:2484 -
\??\c:\62444.exec:\62444.exe40⤵
- Executes dropped EXE
PID:1140 -
\??\c:\0484822.exec:\0484822.exe41⤵
- Executes dropped EXE
PID:116 -
\??\c:\vvvpp.exec:\vvvpp.exe42⤵
- Executes dropped EXE
PID:3616 -
\??\c:\04448.exec:\04448.exe43⤵
- Executes dropped EXE
PID:3188 -
\??\c:\s0648.exec:\s0648.exe44⤵
- Executes dropped EXE
PID:1600 -
\??\c:\800066.exec:\800066.exe45⤵
- Executes dropped EXE
PID:4420 -
\??\c:\vpjvj.exec:\vpjvj.exe46⤵
- Executes dropped EXE
PID:1628 -
\??\c:\0488448.exec:\0488448.exe47⤵
- Executes dropped EXE
PID:2984 -
\??\c:\4400444.exec:\4400444.exe48⤵
- Executes dropped EXE
PID:3496 -
\??\c:\rflllll.exec:\rflllll.exe49⤵
- Executes dropped EXE
PID:2696 -
\??\c:\vvdpj.exec:\vvdpj.exe50⤵
- Executes dropped EXE
PID:4744 -
\??\c:\lxxxxxx.exec:\lxxxxxx.exe51⤵
- Executes dropped EXE
PID:3488 -
\??\c:\s4266.exec:\s4266.exe52⤵
- Executes dropped EXE
PID:2080 -
\??\c:\fffffff.exec:\fffffff.exe53⤵
- Executes dropped EXE
PID:1960 -
\??\c:\xffxxrr.exec:\xffxxrr.exe54⤵
- Executes dropped EXE
PID:628 -
\??\c:\lxrlllf.exec:\lxrlllf.exe55⤵
- Executes dropped EXE
PID:4172 -
\??\c:\64442.exec:\64442.exe56⤵
- Executes dropped EXE
PID:1348 -
\??\c:\vpjdv.exec:\vpjdv.exe57⤵
- Executes dropped EXE
PID:2012 -
\??\c:\jvppj.exec:\jvppj.exe58⤵
- Executes dropped EXE
PID:968 -
\??\c:\vpddp.exec:\vpddp.exe59⤵
- Executes dropped EXE
PID:4240 -
\??\c:\82002.exec:\82002.exe60⤵
- Executes dropped EXE
PID:1588 -
\??\c:\hnbtnn.exec:\hnbtnn.exe61⤵
- Executes dropped EXE
PID:1880 -
\??\c:\ffrrffl.exec:\ffrrffl.exe62⤵
- Executes dropped EXE
PID:1444 -
\??\c:\06466.exec:\06466.exe63⤵
- Executes dropped EXE
PID:1432 -
\??\c:\4844042.exec:\4844042.exe64⤵
- Executes dropped EXE
PID:2432 -
\??\c:\428222.exec:\428222.exe65⤵
- Executes dropped EXE
PID:4504 -
\??\c:\046626.exec:\046626.exe66⤵PID:4576
-
\??\c:\264080.exec:\264080.exe67⤵PID:4532
-
\??\c:\200288.exec:\200288.exe68⤵
- System Location Discovery: System Language Discovery
PID:3872 -
\??\c:\pvjdv.exec:\pvjdv.exe69⤵PID:4404
-
\??\c:\7rlfffx.exec:\7rlfffx.exe70⤵PID:2120
-
\??\c:\9vddj.exec:\9vddj.exe71⤵PID:5072
-
\??\c:\pjjpv.exec:\pjjpv.exe72⤵PID:3644
-
\??\c:\lxxrlff.exec:\lxxrlff.exe73⤵PID:2832
-
\??\c:\480406.exec:\480406.exe74⤵PID:5092
-
\??\c:\pjppp.exec:\pjppp.exe75⤵PID:2908
-
\??\c:\btttbn.exec:\btttbn.exe76⤵PID:4632
-
\??\c:\vddvv.exec:\vddvv.exe77⤵PID:420
-
\??\c:\8826880.exec:\8826880.exe78⤵PID:3708
-
\??\c:\40660.exec:\40660.exe79⤵PID:3888
-
\??\c:\2404446.exec:\2404446.exe80⤵PID:1988
-
\??\c:\tnnhbb.exec:\tnnhbb.exe81⤵PID:2156
-
\??\c:\nhtbtt.exec:\nhtbtt.exe82⤵PID:2344
-
\??\c:\62044.exec:\62044.exe83⤵PID:2856
-
\??\c:\frxrrrl.exec:\frxrrrl.exe84⤵PID:4856
-
\??\c:\2626000.exec:\2626000.exe85⤵PID:2008
-
\??\c:\802462.exec:\802462.exe86⤵PID:5020
-
\??\c:\bbbbtt.exec:\bbbbtt.exe87⤵PID:1904
-
\??\c:\8226600.exec:\8226600.exe88⤵PID:4344
-
\??\c:\xlrllll.exec:\xlrllll.exe89⤵PID:2108
-
\??\c:\pddvv.exec:\pddvv.exe90⤵PID:3484
-
\??\c:\62480.exec:\62480.exe91⤵PID:1732
-
\??\c:\nbnhnh.exec:\nbnhnh.exe92⤵PID:2808
-
\??\c:\vpppj.exec:\vpppj.exe93⤵PID:884
-
\??\c:\ppdjv.exec:\ppdjv.exe94⤵PID:1400
-
\??\c:\btnhhh.exec:\btnhhh.exe95⤵PID:748
-
\??\c:\pdjpd.exec:\pdjpd.exe96⤵PID:4648
-
\??\c:\g4444.exec:\g4444.exe97⤵PID:1764
-
\??\c:\lffxxxx.exec:\lffxxxx.exe98⤵PID:2464
-
\??\c:\682660.exec:\682660.exe99⤵PID:1604
-
\??\c:\k26060.exec:\k26060.exe100⤵
- System Location Discovery: System Language Discovery
PID:1776 -
\??\c:\vpppp.exec:\vpppp.exe101⤵PID:4036
-
\??\c:\04280.exec:\04280.exe102⤵PID:2484
-
\??\c:\2624800.exec:\2624800.exe103⤵PID:1140
-
\??\c:\vpvjp.exec:\vpvjp.exe104⤵PID:2568
-
\??\c:\8400444.exec:\8400444.exe105⤵PID:2316
-
\??\c:\2004822.exec:\2004822.exe106⤵PID:1208
-
\??\c:\82088.exec:\82088.exe107⤵PID:640
-
\??\c:\0848260.exec:\0848260.exe108⤵PID:5108
-
\??\c:\tnnbbh.exec:\tnnbbh.exe109⤵PID:1996
-
\??\c:\006082.exec:\006082.exe110⤵PID:1036
-
\??\c:\5ppjj.exec:\5ppjj.exe111⤵PID:2100
-
\??\c:\486000.exec:\486000.exe112⤵PID:4800
-
\??\c:\9vpjp.exec:\9vpjp.exe113⤵PID:1836
-
\??\c:\8466228.exec:\8466228.exe114⤵PID:3676
-
\??\c:\4004860.exec:\4004860.exe115⤵PID:3488
-
\??\c:\5jvpj.exec:\5jvpj.exe116⤵PID:2080
-
\??\c:\5ddpj.exec:\5ddpj.exe117⤵PID:1688
-
\??\c:\s6822.exec:\s6822.exe118⤵PID:1960
-
\??\c:\866604.exec:\866604.exe119⤵PID:2160
-
\??\c:\4420842.exec:\4420842.exe120⤵PID:4172
-
\??\c:\202060.exec:\202060.exe121⤵PID:1992
-
\??\c:\846648.exec:\846648.exe122⤵PID:2012
-