Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
08/01/2025, 07:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
68289eacb30dd7d55724dceca8bab010681fa67c81740c781ddd49a44ec6e238N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
68289eacb30dd7d55724dceca8bab010681fa67c81740c781ddd49a44ec6e238N.exe
-
Size
453KB
-
MD5
5a12c3490b86f357604b846e61123670
-
SHA1
ffc478383b3966864e9999f72e4617f4b14d62d5
-
SHA256
68289eacb30dd7d55724dceca8bab010681fa67c81740c781ddd49a44ec6e238
-
SHA512
6628f4c28c441b27ccc07e08bb9224a11f13749ce44f3be99a8c9dc346ed19eb8b58e09e64d9bceb9b49b023a4320d12c34c72c8239eb8bb03a584b4300138aa
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeC:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4552-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2188-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1488-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-896-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-1006-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-1107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-1276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-1367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2220-1650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4564 xffxllx.exe 2724 0820202.exe 1968 6064886.exe 2376 466684.exe 872 m0220.exe 3520 btnbth.exe 4472 m6082.exe 2116 24660.exe 2832 flrlfxf.exe 2172 nnnhbt.exe 1660 lxrlxrf.exe 4112 hntnbt.exe 212 9frfrlr.exe 224 842048.exe 3300 thhbnb.exe 1444 lffrllx.exe 2412 pvvjj.exe 2068 84048.exe 3548 604262.exe 980 bbthbb.exe 3604 062600.exe 4080 xrlfxrl.exe 1424 q82622.exe 4008 086644.exe 3472 3hnbbb.exe 2960 lfllfff.exe 2560 4866666.exe 4732 4226004.exe 1060 g0482.exe 2384 jdpvp.exe 2188 20082.exe 1676 82604.exe 1236 c404826.exe 460 djvpp.exe 1344 0026000.exe 1736 4882602.exe 1792 2628226.exe 2052 hbttnn.exe 1548 3ntnhb.exe 4388 22482.exe 816 rlrrrfr.exe 3700 vjpjj.exe 4068 ffrrffx.exe 1148 e68260.exe 988 3tthnn.exe 3620 lrlfxrr.exe 4656 8004882.exe 3752 20226.exe 216 462642.exe 1080 nbbnbt.exe 5068 jvppj.exe 4492 s4060.exe 2556 k46404.exe 2928 rxfxxlf.exe 1296 dpvpj.exe 2448 bhthtn.exe 2136 jvvjv.exe 4224 7pvvp.exe 2520 1vpdp.exe 4236 5lrlfxf.exe 2708 pdvpj.exe 1456 628686.exe 924 882266.exe 3592 5pvpp.exe -
resource yara_rule behavioral2/memory/4552-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-184-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1676-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-390-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5084-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-784-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-896-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-1006-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2666482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i866400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxllxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0882048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62808.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8060448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4552 wrote to memory of 4564 4552 68289eacb30dd7d55724dceca8bab010681fa67c81740c781ddd49a44ec6e238N.exe 83 PID 4552 wrote to memory of 4564 4552 68289eacb30dd7d55724dceca8bab010681fa67c81740c781ddd49a44ec6e238N.exe 83 PID 4552 wrote to memory of 4564 4552 68289eacb30dd7d55724dceca8bab010681fa67c81740c781ddd49a44ec6e238N.exe 83 PID 4564 wrote to memory of 2724 4564 xffxllx.exe 84 PID 4564 wrote to memory of 2724 4564 xffxllx.exe 84 PID 4564 wrote to memory of 2724 4564 xffxllx.exe 84 PID 2724 wrote to memory of 1968 2724 0820202.exe 85 PID 2724 wrote to memory of 1968 2724 0820202.exe 85 PID 2724 wrote to memory of 1968 2724 0820202.exe 85 PID 1968 wrote to memory of 2376 1968 6064886.exe 86 PID 1968 wrote to memory of 2376 1968 6064886.exe 86 PID 1968 wrote to memory of 2376 1968 6064886.exe 86 PID 2376 wrote to memory of 872 2376 466684.exe 87 PID 2376 wrote to memory of 872 2376 466684.exe 87 PID 2376 wrote to memory of 872 2376 466684.exe 87 PID 872 wrote to memory of 3520 872 m0220.exe 88 PID 872 wrote to memory of 3520 872 m0220.exe 88 PID 872 wrote to memory of 3520 872 m0220.exe 88 PID 3520 wrote to memory of 4472 3520 btnbth.exe 89 PID 3520 wrote to memory of 4472 3520 btnbth.exe 89 PID 3520 wrote to memory of 4472 3520 btnbth.exe 89 PID 4472 wrote to memory of 2116 4472 m6082.exe 90 PID 4472 wrote to memory of 2116 4472 m6082.exe 90 PID 4472 wrote to memory of 2116 4472 m6082.exe 90 PID 2116 wrote to memory of 2832 2116 24660.exe 91 PID 2116 wrote to memory of 2832 2116 24660.exe 91 PID 2116 wrote to memory of 2832 2116 24660.exe 91 PID 2832 wrote to memory of 2172 2832 flrlfxf.exe 92 PID 2832 wrote to memory of 2172 2832 flrlfxf.exe 92 PID 2832 wrote to memory of 2172 2832 flrlfxf.exe 92 PID 2172 wrote to memory of 1660 2172 nnnhbt.exe 93 PID 2172 wrote to memory of 1660 2172 nnnhbt.exe 93 PID 2172 wrote to memory of 1660 2172 nnnhbt.exe 93 PID 1660 wrote to memory of 4112 1660 lxrlxrf.exe 94 PID 1660 wrote to 
memory of 4112 1660 lxrlxrf.exe 94 PID 1660 wrote to memory of 4112 1660 lxrlxrf.exe 94 PID 4112 wrote to memory of 212 4112 hntnbt.exe 95 PID 4112 wrote to memory of 212 4112 hntnbt.exe 95 PID 4112 wrote to memory of 212 4112 hntnbt.exe 95 PID 212 wrote to memory of 224 212 9frfrlr.exe 96 PID 212 wrote to memory of 224 212 9frfrlr.exe 96 PID 212 wrote to memory of 224 212 9frfrlr.exe 96 PID 224 wrote to memory of 3300 224 842048.exe 97 PID 224 wrote to memory of 3300 224 842048.exe 97 PID 224 wrote to memory of 3300 224 842048.exe 97 PID 3300 wrote to memory of 1444 3300 thhbnb.exe 98 PID 3300 wrote to memory of 1444 3300 thhbnb.exe 98 PID 3300 wrote to memory of 1444 3300 thhbnb.exe 98 PID 1444 wrote to memory of 2412 1444 lffrllx.exe 99 PID 1444 wrote to memory of 2412 1444 lffrllx.exe 99 PID 1444 wrote to memory of 2412 1444 lffrllx.exe 99 PID 2412 wrote to memory of 2068 2412 pvvjj.exe 100 PID 2412 wrote to memory of 2068 2412 pvvjj.exe 100 PID 2412 wrote to memory of 2068 2412 pvvjj.exe 100 PID 2068 wrote to memory of 3548 2068 84048.exe 101 PID 2068 wrote to memory of 3548 2068 84048.exe 101 PID 2068 wrote to memory of 3548 2068 84048.exe 101 PID 3548 wrote to memory of 980 3548 604262.exe 102 PID 3548 wrote to memory of 980 3548 604262.exe 102 PID 3548 wrote to memory of 980 3548 604262.exe 102 PID 980 wrote to memory of 3604 980 bbthbb.exe 103 PID 980 wrote to memory of 3604 980 bbthbb.exe 103 PID 980 wrote to memory of 3604 980 bbthbb.exe 103 PID 3604 wrote to memory of 4080 3604 062600.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\68289eacb30dd7d55724dceca8bab010681fa67c81740c781ddd49a44ec6e238N.exe"C:\Users\Admin\AppData\Local\Temp\68289eacb30dd7d55724dceca8bab010681fa67c81740c781ddd49a44ec6e238N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\xffxllx.exec:\xffxllx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\0820202.exec:\0820202.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\6064886.exec:\6064886.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\466684.exec:\466684.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\m0220.exec:\m0220.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\btnbth.exec:\btnbth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\m6082.exec:\m6082.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\24660.exec:\24660.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\flrlfxf.exec:\flrlfxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\nnnhbt.exec:\nnnhbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\lxrlxrf.exec:\lxrlxrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\hntnbt.exec:\hntnbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\9frfrlr.exec:\9frfrlr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\842048.exec:\842048.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\thhbnb.exec:\thhbnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\lffrllx.exec:\lffrllx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\pvvjj.exec:\pvvjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\84048.exec:\84048.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\604262.exec:\604262.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\bbthbb.exec:\bbthbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\062600.exec:\062600.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe23⤵
- Executes dropped EXE
PID:4080 -
\??\c:\q82622.exec:\q82622.exe24⤵
- Executes dropped EXE
PID:1424 -
\??\c:\086644.exec:\086644.exe25⤵
- Executes dropped EXE
PID:4008 -
\??\c:\3hnbbb.exec:\3hnbbb.exe26⤵
- Executes dropped EXE
PID:3472 -
\??\c:\lfllfff.exec:\lfllfff.exe27⤵
- Executes dropped EXE
PID:2960 -
\??\c:\4866666.exec:\4866666.exe28⤵
- Executes dropped EXE
PID:2560 -
\??\c:\4226004.exec:\4226004.exe29⤵
- Executes dropped EXE
PID:4732 -
\??\c:\g0482.exec:\g0482.exe30⤵
- Executes dropped EXE
PID:1060 -
\??\c:\jdpvp.exec:\jdpvp.exe31⤵
- Executes dropped EXE
PID:2384 -
\??\c:\20082.exec:\20082.exe32⤵
- Executes dropped EXE
PID:2188 -
\??\c:\82604.exec:\82604.exe33⤵
- Executes dropped EXE
PID:1676 -
\??\c:\c404826.exec:\c404826.exe34⤵
- Executes dropped EXE
PID:1236 -
\??\c:\djvpp.exec:\djvpp.exe35⤵
- Executes dropped EXE
PID:460 -
\??\c:\0026000.exec:\0026000.exe36⤵
- Executes dropped EXE
PID:1344 -
\??\c:\4882602.exec:\4882602.exe37⤵
- Executes dropped EXE
PID:1736 -
\??\c:\2628226.exec:\2628226.exe38⤵
- Executes dropped EXE
PID:1792 -
\??\c:\hbttnn.exec:\hbttnn.exe39⤵
- Executes dropped EXE
PID:2052 -
\??\c:\3ntnhb.exec:\3ntnhb.exe40⤵
- Executes dropped EXE
PID:1548 -
\??\c:\22482.exec:\22482.exe41⤵
- Executes dropped EXE
PID:4388 -
\??\c:\rlrrrfr.exec:\rlrrrfr.exe42⤵
- Executes dropped EXE
PID:816 -
\??\c:\vjpjj.exec:\vjpjj.exe43⤵
- Executes dropped EXE
PID:3700 -
\??\c:\ffrrffx.exec:\ffrrffx.exe44⤵
- Executes dropped EXE
PID:4068 -
\??\c:\e68260.exec:\e68260.exe45⤵
- Executes dropped EXE
PID:1148 -
\??\c:\3tthnn.exec:\3tthnn.exe46⤵
- Executes dropped EXE
PID:988 -
\??\c:\lrlfxrr.exec:\lrlfxrr.exe47⤵
- Executes dropped EXE
PID:3620 -
\??\c:\8004882.exec:\8004882.exe48⤵
- Executes dropped EXE
PID:4656 -
\??\c:\20226.exec:\20226.exe49⤵
- Executes dropped EXE
PID:3752 -
\??\c:\462642.exec:\462642.exe50⤵
- Executes dropped EXE
PID:216 -
\??\c:\nbbnbt.exec:\nbbnbt.exe51⤵
- Executes dropped EXE
PID:1080 -
\??\c:\jvppj.exec:\jvppj.exe52⤵
- Executes dropped EXE
PID:5068 -
\??\c:\s4060.exec:\s4060.exe53⤵
- Executes dropped EXE
PID:4492 -
\??\c:\k46404.exec:\k46404.exe54⤵
- Executes dropped EXE
PID:2556 -
\??\c:\rxfxxlf.exec:\rxfxxlf.exe55⤵
- Executes dropped EXE
PID:2928 -
\??\c:\dpvpj.exec:\dpvpj.exe56⤵
- Executes dropped EXE
PID:1296 -
\??\c:\bhthtn.exec:\bhthtn.exe57⤵
- Executes dropped EXE
PID:2448 -
\??\c:\jvvjv.exec:\jvvjv.exe58⤵
- Executes dropped EXE
PID:2136 -
\??\c:\7pvvp.exec:\7pvvp.exe59⤵
- Executes dropped EXE
PID:4224 -
\??\c:\1vpdp.exec:\1vpdp.exe60⤵
- Executes dropped EXE
PID:2520 -
\??\c:\5lrlfxf.exec:\5lrlfxf.exe61⤵
- Executes dropped EXE
PID:4236 -
\??\c:\pdvpj.exec:\pdvpj.exe62⤵
- Executes dropped EXE
PID:2708 -
\??\c:\628686.exec:\628686.exe63⤵
- Executes dropped EXE
PID:1456 -
\??\c:\882266.exec:\882266.exe64⤵
- Executes dropped EXE
PID:924 -
\??\c:\5pvpp.exec:\5pvpp.exe65⤵
- Executes dropped EXE
PID:3592 -
\??\c:\pdddp.exec:\pdddp.exe66⤵PID:2820
-
\??\c:\46842.exec:\46842.exe67⤵PID:2816
-
\??\c:\jpvpj.exec:\jpvpj.exe68⤵PID:4588
-
\??\c:\1ppdv.exec:\1ppdv.exe69⤵PID:5004
-
\??\c:\082088.exec:\082088.exe70⤵PID:2668
-
\??\c:\4404886.exec:\4404886.exe71⤵PID:2164
-
\??\c:\9rxlfxf.exec:\9rxlfxf.exe72⤵PID:1752
-
\??\c:\rxflxlr.exec:\rxflxlr.exe73⤵PID:1984
-
\??\c:\g8404.exec:\g8404.exe74⤵PID:3836
-
\??\c:\btntbn.exec:\btntbn.exe75⤵PID:4084
-
\??\c:\9hbnbt.exec:\9hbnbt.exe76⤵PID:3964
-
\??\c:\64486.exec:\64486.exe77⤵PID:3436
-
\??\c:\ddvpj.exec:\ddvpj.exe78⤵PID:2068
-
\??\c:\3tnbhb.exec:\3tnbhb.exe79⤵PID:440
-
\??\c:\6404488.exec:\6404488.exe80⤵PID:4156
-
\??\c:\lxlfrlf.exec:\lxlfrlf.exe81⤵PID:980
-
\??\c:\htthbn.exec:\htthbn.exe82⤵PID:2916
-
\??\c:\bhnhhh.exec:\bhnhhh.exe83⤵PID:1820
-
\??\c:\406044.exec:\406044.exe84⤵PID:1488
-
\??\c:\82860.exec:\82860.exe85⤵PID:4584
-
\??\c:\nnbntn.exec:\nnbntn.exe86⤵PID:5096
-
\??\c:\42208.exec:\42208.exe87⤵PID:2764
-
\??\c:\btnbnh.exec:\btnbnh.exe88⤵PID:2200
-
\??\c:\ddpdp.exec:\ddpdp.exe89⤵PID:4572
-
\??\c:\808642.exec:\808642.exe90⤵PID:4640
-
\??\c:\660820.exec:\660820.exe91⤵PID:3796
-
\??\c:\3dpvp.exec:\3dpvp.exe92⤵PID:5060
-
\??\c:\a2264.exec:\a2264.exe93⤵PID:4560
-
\??\c:\i840482.exec:\i840482.exe94⤵PID:884
-
\??\c:\0802266.exec:\0802266.exe95⤵PID:2656
-
\??\c:\flrlfxr.exec:\flrlfxr.exe96⤵PID:4460
-
\??\c:\00482.exec:\00482.exe97⤵PID:4844
-
\??\c:\jpvpj.exec:\jpvpj.exe98⤵PID:3496
-
\??\c:\7jjdp.exec:\7jjdp.exe99⤵PID:3024
-
\??\c:\nbhttt.exec:\nbhttt.exe100⤵PID:2444
-
\??\c:\jdjvp.exec:\jdjvp.exe101⤵PID:880
-
\??\c:\jjvvd.exec:\jjvvd.exe102⤵PID:2308
-
\??\c:\dppjd.exec:\dppjd.exe103⤵PID:4716
-
\??\c:\c284646.exec:\c284646.exe104⤵PID:5084
-
\??\c:\20822.exec:\20822.exe105⤵PID:1544
-
\??\c:\640460.exec:\640460.exe106⤵PID:4672
-
\??\c:\dpvjd.exec:\dpvjd.exe107⤵PID:3924
-
\??\c:\0066664.exec:\0066664.exe108⤵PID:4900
-
\??\c:\jjpjv.exec:\jjpjv.exe109⤵PID:3748
-
\??\c:\6268604.exec:\6268604.exe110⤵PID:3036
-
\??\c:\frlxrlf.exec:\frlxrlf.exe111⤵PID:1212
-
\??\c:\9hhhbb.exec:\9hhhbb.exe112⤵PID:3904
-
\??\c:\g2000.exec:\g2000.exe113⤵PID:3476
-
\??\c:\jjpjd.exec:\jjpjd.exe114⤵PID:2128
-
\??\c:\nnbnbb.exec:\nnbnbb.exe115⤵PID:1692
-
\??\c:\btbtbb.exec:\btbtbb.exe116⤵PID:3632
-
\??\c:\22228.exec:\22228.exe117⤵PID:1496
-
\??\c:\rffxlfx.exec:\rffxlfx.exe118⤵PID:1916
-
\??\c:\5hhthb.exec:\5hhthb.exe119⤵PID:1912
-
\??\c:\48486.exec:\48486.exe120⤵PID:4024
-
\??\c:\e48084.exec:\e48084.exe121⤵PID:2556
-
\??\c:\084888.exec:\084888.exe122⤵PID:2928
-