Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe
-
Size
454KB
-
MD5
077a90a0acacb4e6ae62b1f89f6a5a9c
-
SHA1
a40c636cb09249a0e5ea47909dd52c95cdd228f5
-
SHA256
be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59
-
SHA512
d23d7773dddbd7e2e3f9da9ef4ae8e5031493b3243e02219af35d4ceababa70dab1f445099f5e6cfbd877223de4c42f99c4db4731f8c3b0ed9ae2941ead07069
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1412-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1200-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3476-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-878-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-1060-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-1332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4580 486480.exe 2812 6804848.exe 1200 bntnnn.exe 4500 28826.exe 2572 s8688.exe 4488 22800.exe 2384 488260.exe 768 0822824.exe 4032 fxffxxr.exe 944 7xxrffr.exe 1940 hbhtnh.exe 3152 6660826.exe 2440 206482.exe 4440 0804662.exe 3436 bnthbt.exe 2264 c026048.exe 3416 xfrffxx.exe 1512 8282660.exe 2988 02422.exe 1936 0404400.exe 452 6860482.exe 2968 860488.exe 3260 0686606.exe 4980 lflrlrl.exe 448 680440.exe 3188 g8486.exe 3292 64600.exe 2692 9jjdv.exe 1180 jvvpp.exe 5000 0066004.exe 4420 tnbtnb.exe 4216 bnhbtn.exe 3548 fffxlfx.exe 4036 rllrlll.exe 3096 q86660.exe 3532 7xlrlll.exe 3948 82828.exe 4404 628266.exe 2084 04048.exe 4716 7ppdv.exe 4580 lfffxrx.exe 5048 044482.exe 4644 xxlxffl.exe 1924 vjjjd.exe 4372 thtnhh.exe 1200 1dvjd.exe 5096 lllffxx.exe 1684 c064882.exe 3196 5lfrllx.exe 1444 fxrlffx.exe 3348 llffxrx.exe 960 pjpjj.exe 536 xrxrrrr.exe 3228 g8640.exe 4536 e46040.exe 2708 686448.exe 4084 hnhbtt.exe 4136 nbnthh.exe 3720 640422.exe 2340 8460448.exe 4440 ddpvp.exe 2604 5jjvd.exe 2540 44008.exe 1696 dvvjd.exe -
resource yara_rule behavioral2/memory/1412-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-226-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4716-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-385-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4168-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-878-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4808822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2680820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhtn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i406600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8404826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3btnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4842042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1412 wrote to memory of 4580 1412 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 85 PID 1412 wrote to memory of 4580 1412 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 85 PID 1412 wrote to memory of 4580 1412 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 85 PID 4580 wrote to memory of 2812 4580 486480.exe 86 PID 4580 wrote to memory of 2812 4580 486480.exe 86 PID 4580 wrote to memory of 2812 4580 486480.exe 86 PID 2812 wrote to memory of 1200 2812 6804848.exe 87 PID 2812 wrote to memory of 1200 2812 6804848.exe 87 PID 2812 wrote to memory of 1200 2812 6804848.exe 87 PID 1200 wrote to memory of 4500 1200 bntnnn.exe 88 PID 1200 wrote to memory of 4500 1200 bntnnn.exe 88 PID 1200 wrote to memory of 4500 1200 bntnnn.exe 88 PID 4500 wrote to memory of 2572 4500 28826.exe 89 PID 4500 wrote to memory of 2572 4500 28826.exe 89 PID 4500 wrote to memory of 2572 4500 28826.exe 89 PID 2572 wrote to memory of 4488 2572 s8688.exe 90 PID 2572 wrote to memory of 4488 2572 s8688.exe 90 PID 2572 wrote to memory of 4488 2572 s8688.exe 90 PID 4488 wrote to memory of 2384 4488 22800.exe 91 PID 4488 wrote to memory of 2384 4488 22800.exe 91 PID 4488 wrote to memory of 2384 4488 22800.exe 91 PID 2384 wrote to memory of 768 2384 488260.exe 92 PID 2384 wrote to memory of 768 2384 488260.exe 92 PID 2384 wrote to memory of 768 2384 488260.exe 92 PID 768 wrote to memory of 4032 768 0822824.exe 93 PID 768 wrote to memory of 4032 768 0822824.exe 93 PID 768 wrote to memory of 4032 768 0822824.exe 93 PID 4032 wrote to memory of 944 4032 fxffxxr.exe 94 PID 4032 wrote to memory of 944 4032 fxffxxr.exe 94 PID 4032 wrote to memory of 944 4032 fxffxxr.exe 94 PID 944 wrote to memory of 1940 944 7xxrffr.exe 95 PID 944 wrote to memory of 1940 944 7xxrffr.exe 95 PID 944 wrote to memory of 1940 944 7xxrffr.exe 95 PID 1940 wrote to memory of 3152 1940 hbhtnh.exe 96 PID 1940 wrote to memory of 3152 
1940 hbhtnh.exe 96 PID 1940 wrote to memory of 3152 1940 hbhtnh.exe 96 PID 3152 wrote to memory of 2440 3152 6660826.exe 97 PID 3152 wrote to memory of 2440 3152 6660826.exe 97 PID 3152 wrote to memory of 2440 3152 6660826.exe 97 PID 2440 wrote to memory of 4440 2440 206482.exe 98 PID 2440 wrote to memory of 4440 2440 206482.exe 98 PID 2440 wrote to memory of 4440 2440 206482.exe 98 PID 4440 wrote to memory of 3436 4440 0804662.exe 99 PID 4440 wrote to memory of 3436 4440 0804662.exe 99 PID 4440 wrote to memory of 3436 4440 0804662.exe 99 PID 3436 wrote to memory of 2264 3436 bnthbt.exe 100 PID 3436 wrote to memory of 2264 3436 bnthbt.exe 100 PID 3436 wrote to memory of 2264 3436 bnthbt.exe 100 PID 2264 wrote to memory of 3416 2264 c026048.exe 101 PID 2264 wrote to memory of 3416 2264 c026048.exe 101 PID 2264 wrote to memory of 3416 2264 c026048.exe 101 PID 3416 wrote to memory of 1512 3416 xfrffxx.exe 102 PID 3416 wrote to memory of 1512 3416 xfrffxx.exe 102 PID 3416 wrote to memory of 1512 3416 xfrffxx.exe 102 PID 1512 wrote to memory of 2988 1512 8282660.exe 103 PID 1512 wrote to memory of 2988 1512 8282660.exe 103 PID 1512 wrote to memory of 2988 1512 8282660.exe 103 PID 2988 wrote to memory of 1936 2988 02422.exe 104 PID 2988 wrote to memory of 1936 2988 02422.exe 104 PID 2988 wrote to memory of 1936 2988 02422.exe 104 PID 1936 wrote to memory of 452 1936 0404400.exe 105 PID 1936 wrote to memory of 452 1936 0404400.exe 105 PID 1936 wrote to memory of 452 1936 0404400.exe 105 PID 452 wrote to memory of 2968 452 6860482.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe"C:\Users\Admin\AppData\Local\Temp\be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\486480.exec:\486480.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\6804848.exec:\6804848.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\bntnnn.exec:\bntnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\28826.exec:\28826.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\s8688.exec:\s8688.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\22800.exec:\22800.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\488260.exec:\488260.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\0822824.exec:\0822824.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\fxffxxr.exec:\fxffxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\7xxrffr.exec:\7xxrffr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\hbhtnh.exec:\hbhtnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\6660826.exec:\6660826.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\206482.exec:\206482.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\0804662.exec:\0804662.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\bnthbt.exec:\bnthbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\c026048.exec:\c026048.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\xfrffxx.exec:\xfrffxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\8282660.exec:\8282660.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\02422.exec:\02422.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\0404400.exec:\0404400.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\6860482.exec:\6860482.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\860488.exec:\860488.exe23⤵
- Executes dropped EXE
PID:2968 -
\??\c:\0686606.exec:\0686606.exe24⤵
- Executes dropped EXE
PID:3260 -
\??\c:\lflrlrl.exec:\lflrlrl.exe25⤵
- Executes dropped EXE
PID:4980 -
\??\c:\680440.exec:\680440.exe26⤵
- Executes dropped EXE
PID:448 -
\??\c:\g8486.exec:\g8486.exe27⤵
- Executes dropped EXE
PID:3188 -
\??\c:\64600.exec:\64600.exe28⤵
- Executes dropped EXE
PID:3292 -
\??\c:\9jjdv.exec:\9jjdv.exe29⤵
- Executes dropped EXE
PID:2692 -
\??\c:\jvvpp.exec:\jvvpp.exe30⤵
- Executes dropped EXE
PID:1180 -
\??\c:\0066004.exec:\0066004.exe31⤵
- Executes dropped EXE
PID:5000 -
\??\c:\tnbtnb.exec:\tnbtnb.exe32⤵
- Executes dropped EXE
PID:4420 -
\??\c:\bnhbtn.exec:\bnhbtn.exe33⤵
- Executes dropped EXE
PID:4216 -
\??\c:\fffxlfx.exec:\fffxlfx.exe34⤵
- Executes dropped EXE
PID:3548 -
\??\c:\rllrlll.exec:\rllrlll.exe35⤵
- Executes dropped EXE
PID:4036 -
\??\c:\q86660.exec:\q86660.exe36⤵
- Executes dropped EXE
PID:3096 -
\??\c:\7xlrlll.exec:\7xlrlll.exe37⤵
- Executes dropped EXE
PID:3532 -
\??\c:\82828.exec:\82828.exe38⤵
- Executes dropped EXE
PID:3948 -
\??\c:\628266.exec:\628266.exe39⤵
- Executes dropped EXE
PID:4404 -
\??\c:\04048.exec:\04048.exe40⤵
- Executes dropped EXE
PID:2084 -
\??\c:\7ppdv.exec:\7ppdv.exe41⤵
- Executes dropped EXE
PID:4716 -
\??\c:\lfffxrx.exec:\lfffxrx.exe42⤵
- Executes dropped EXE
PID:4580 -
\??\c:\044482.exec:\044482.exe43⤵
- Executes dropped EXE
PID:5048 -
\??\c:\xxlxffl.exec:\xxlxffl.exe44⤵
- Executes dropped EXE
PID:4644 -
\??\c:\vjjjd.exec:\vjjjd.exe45⤵
- Executes dropped EXE
PID:1924 -
\??\c:\thtnhh.exec:\thtnhh.exe46⤵
- Executes dropped EXE
PID:4372 -
\??\c:\1dvjd.exec:\1dvjd.exe47⤵
- Executes dropped EXE
PID:1200 -
\??\c:\lllffxx.exec:\lllffxx.exe48⤵
- Executes dropped EXE
PID:5096 -
\??\c:\c064882.exec:\c064882.exe49⤵
- Executes dropped EXE
PID:1684 -
\??\c:\5lfrllx.exec:\5lfrllx.exe50⤵
- Executes dropped EXE
PID:3196 -
\??\c:\fxrlffx.exec:\fxrlffx.exe51⤵
- Executes dropped EXE
PID:1444 -
\??\c:\llffxrx.exec:\llffxrx.exe52⤵
- Executes dropped EXE
PID:3348 -
\??\c:\pjpjj.exec:\pjpjj.exe53⤵
- Executes dropped EXE
PID:960 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe54⤵
- Executes dropped EXE
PID:536 -
\??\c:\g8640.exec:\g8640.exe55⤵
- Executes dropped EXE
PID:3228 -
\??\c:\e46040.exec:\e46040.exe56⤵
- Executes dropped EXE
PID:4536 -
\??\c:\686448.exec:\686448.exe57⤵
- Executes dropped EXE
PID:2708 -
\??\c:\hnhbtt.exec:\hnhbtt.exe58⤵
- Executes dropped EXE
PID:4084 -
\??\c:\nbnthh.exec:\nbnthh.exe59⤵
- Executes dropped EXE
PID:4136 -
\??\c:\640422.exec:\640422.exe60⤵
- Executes dropped EXE
PID:3720 -
\??\c:\8460448.exec:\8460448.exe61⤵
- Executes dropped EXE
PID:2340 -
\??\c:\ddpvp.exec:\ddpvp.exe62⤵
- Executes dropped EXE
PID:4440 -
\??\c:\5jjvd.exec:\5jjvd.exe63⤵
- Executes dropped EXE
PID:2604 -
\??\c:\44008.exec:\44008.exe64⤵
- Executes dropped EXE
PID:2540 -
\??\c:\dvvjd.exec:\dvvjd.exe65⤵
- Executes dropped EXE
PID:1696 -
\??\c:\fxfxlrl.exec:\fxfxlrl.exe66⤵PID:2452
-
\??\c:\q66048.exec:\q66048.exe67⤵PID:1936
-
\??\c:\828288.exec:\828288.exe68⤵PID:2172
-
\??\c:\888666.exec:\888666.exe69⤵PID:400
-
\??\c:\8604864.exec:\8604864.exe70⤵PID:2236
-
\??\c:\244860.exec:\244860.exe71⤵PID:3108
-
\??\c:\82604.exec:\82604.exe72⤵
- System Location Discovery: System Language Discovery
PID:1800 -
\??\c:\5xrlxrf.exec:\5xrlxrf.exe73⤵PID:3188
-
\??\c:\nbhthb.exec:\nbhthb.exe74⤵PID:2732
-
\??\c:\djpjv.exec:\djpjv.exe75⤵PID:1180
-
\??\c:\8008226.exec:\8008226.exe76⤵PID:2496
-
\??\c:\fffrfrl.exec:\fffrfrl.exe77⤵PID:4420
-
\??\c:\hbhbth.exec:\hbhbth.exe78⤵PID:3476
-
\??\c:\tnthtn.exec:\tnthtn.exe79⤵PID:1680
-
\??\c:\208264.exec:\208264.exe80⤵PID:4616
-
\??\c:\20604.exec:\20604.exe81⤵PID:2348
-
\??\c:\40086.exec:\40086.exe82⤵PID:3444
-
\??\c:\024260.exec:\024260.exe83⤵PID:4996
-
\??\c:\i408826.exec:\i408826.exe84⤵PID:2600
-
\??\c:\nnnhtt.exec:\nnnhtt.exe85⤵PID:1712
-
\??\c:\c226086.exec:\c226086.exe86⤵PID:1700
-
\??\c:\682486.exec:\682486.exe87⤵PID:4388
-
\??\c:\thnnbt.exec:\thnnbt.exe88⤵PID:3212
-
\??\c:\ntbtnh.exec:\ntbtnh.exe89⤵
- System Location Discovery: System Language Discovery
PID:5004 -
\??\c:\3nnhbb.exec:\3nnhbb.exe90⤵PID:1692
-
\??\c:\08088.exec:\08088.exe91⤵PID:4228
-
\??\c:\1jdvp.exec:\1jdvp.exe92⤵PID:4168
-
\??\c:\484864.exec:\484864.exe93⤵PID:4604
-
\??\c:\26008.exec:\26008.exe94⤵PID:1204
-
\??\c:\5llrfxl.exec:\5llrfxl.exe95⤵PID:2408
-
\??\c:\2246022.exec:\2246022.exe96⤵PID:2208
-
\??\c:\08882.exec:\08882.exe97⤵PID:1836
-
\??\c:\2208648.exec:\2208648.exe98⤵PID:2648
-
\??\c:\5hthnh.exec:\5hthnh.exe99⤵PID:536
-
\??\c:\ppvvp.exec:\ppvvp.exe100⤵PID:1940
-
\??\c:\1xlxlxr.exec:\1xlxlxr.exe101⤵PID:3152
-
\??\c:\3rlxlxr.exec:\3rlxlxr.exe102⤵PID:2708
-
\??\c:\jvdpj.exec:\jvdpj.exe103⤵PID:1276
-
\??\c:\6262042.exec:\6262042.exe104⤵PID:3276
-
\??\c:\vjpdj.exec:\vjpdj.exe105⤵PID:4052
-
\??\c:\82868.exec:\82868.exe106⤵PID:3000
-
\??\c:\1vpjv.exec:\1vpjv.exe107⤵PID:3724
-
\??\c:\nhnhnt.exec:\nhnhnt.exe108⤵PID:2388
-
\??\c:\42626.exec:\42626.exe109⤵PID:4480
-
\??\c:\4064860.exec:\4064860.exe110⤵PID:3696
-
\??\c:\6626448.exec:\6626448.exe111⤵PID:4540
-
\??\c:\0860886.exec:\0860886.exe112⤵PID:2908
-
\??\c:\4626486.exec:\4626486.exe113⤵PID:4056
-
\??\c:\lffxlfx.exec:\lffxlfx.exe114⤵PID:3120
-
\??\c:\20482.exec:\20482.exe115⤵PID:2360
-
\??\c:\thbtnh.exec:\thbtnh.exe116⤵PID:4104
-
\??\c:\pdjdp.exec:\pdjdp.exe117⤵PID:4860
-
\??\c:\fllxrll.exec:\fllxrll.exe118⤵PID:2392
-
\??\c:\ppjdp.exec:\ppjdp.exe119⤵PID:4220
-
\??\c:\8220848.exec:\8220848.exe120⤵PID:2416
-
\??\c:\lrfrlfx.exec:\lrfrlfx.exe121⤵PID:3460
-
\??\c:\nhtnbt.exec:\nhtnbt.exe122⤵PID:2864