Analysis
-
max time kernel
120s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bd0b6cd66460e7ad873ae33fb4e3f1fe079b74d82879d9e3c9cdda625a43f106.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
bd0b6cd66460e7ad873ae33fb4e3f1fe079b74d82879d9e3c9cdda625a43f106.exe
-
Size
456KB
-
MD5
fd18a83087a45242852101c473ccd23c
-
SHA1
948bea61ecc4504d80816a0a1151076e6e40c609
-
SHA256
bd0b6cd66460e7ad873ae33fb4e3f1fe079b74d82879d9e3c9cdda625a43f106
-
SHA512
21fb69bcb213fa11b50fa1015fd0705aa3747688f582b6c5d31dcab18869508bbba6a2a49f1081339fcff67e81d46f392d7920024327d1c86736ee0f3112f9fd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3560-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2852-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/684-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4996-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-757-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-1200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5020 44482.exe 4872 bntnhh.exe 3560 w68648.exe 2024 hbthhn.exe 4316 66266.exe 2472 684888.exe 2132 448888.exe 3960 4244444.exe 2524 i688246.exe 1284 04820.exe 1416 jjjdd.exe 3156 djpdd.exe 2012 880888.exe 3344 5vddd.exe 3456 8286600.exe 2944 vdvdp.exe 2508 5pjjv.exe 1132 hbtbtb.exe 3936 rxrxxlx.exe 696 o886048.exe 2136 406600.exe 4008 thnhbb.exe 4424 20048.exe 1016 xrfxllx.exe 5068 82224.exe 2852 006002.exe 2856 vjdjd.exe 1008 846086.exe 3056 llfxxrl.exe 3524 060822.exe 4828 k68282.exe 224 bttnhh.exe 2564 xlxrrxr.exe 2504 068402.exe 1748 bttnnt.exe 4840 lrrlfff.exe 3180 tbbbtt.exe 2500 xxllllf.exe 4940 m8004.exe 956 6282260.exe 376 622226.exe 2040 5ppvv.exe 1996 86848.exe 772 bbnnhh.exe 3124 hbhbtb.exe 2288 xrfxxxr.exe 4324 nnttbb.exe 732 40200.exe 2068 q00044.exe 960 0882688.exe 2948 84048.exe 4872 w88480.exe 4464 e24044.exe 3212 ffrlf86.exe 2672 nnntnt.exe 3640 ppppv.exe 3796 28020.exe 3324 ddjdv.exe 3652 e28668.exe 2900 8404882.exe 2088 428262.exe 3960 hbttbb.exe 4856 2848888.exe 2360 4642604.exe -
resource yara_rule behavioral2/memory/3560-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3056-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-329-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3232-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-785-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 624204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o804888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ttnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhtnb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 888660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1420 wrote to memory of 5020 1420 bd0b6cd66460e7ad873ae33fb4e3f1fe079b74d82879d9e3c9cdda625a43f106.exe 83 PID 1420 wrote to memory of 5020 1420 bd0b6cd66460e7ad873ae33fb4e3f1fe079b74d82879d9e3c9cdda625a43f106.exe 83 PID 1420 wrote to memory of 5020 1420 bd0b6cd66460e7ad873ae33fb4e3f1fe079b74d82879d9e3c9cdda625a43f106.exe 83 PID 5020 wrote to memory of 4872 5020 44482.exe 84 PID 5020 wrote to memory of 4872 5020 44482.exe 84 PID 5020 wrote to memory of 4872 5020 44482.exe 84 PID 4872 wrote to memory of 3560 4872 bntnhh.exe 85 PID 4872 wrote to memory of 3560 4872 bntnhh.exe 85 PID 4872 wrote to memory of 3560 4872 bntnhh.exe 85 PID 3560 wrote to memory of 2024 3560 w68648.exe 86 PID 3560 wrote to memory of 2024 3560 w68648.exe 86 PID 3560 wrote to memory of 2024 3560 w68648.exe 86 PID 2024 wrote to memory of 4316 2024 hbthhn.exe 87 PID 2024 wrote to memory of 4316 2024 hbthhn.exe 87 PID 2024 wrote to memory of 4316 2024 hbthhn.exe 87 PID 4316 wrote to memory of 2472 4316 66266.exe 88 PID 4316 wrote to memory of 2472 4316 66266.exe 88 PID 4316 wrote to memory of 2472 4316 66266.exe 88 PID 2472 wrote to memory of 2132 2472 684888.exe 89 PID 2472 wrote to memory of 2132 2472 684888.exe 89 PID 2472 wrote to memory of 2132 2472 684888.exe 89 PID 2132 wrote to memory of 3960 2132 448888.exe 90 PID 2132 wrote to memory of 3960 2132 448888.exe 90 PID 2132 wrote to memory of 3960 2132 448888.exe 90 PID 3960 wrote to memory of 2524 3960 4244444.exe 91 PID 3960 wrote to memory of 2524 3960 4244444.exe 91 PID 3960 wrote to memory of 2524 3960 4244444.exe 91 PID 2524 wrote to memory of 1284 2524 i688246.exe 92 PID 2524 wrote to memory of 1284 2524 i688246.exe 92 PID 2524 wrote to memory of 1284 2524 i688246.exe 92 PID 1284 wrote to memory of 1416 1284 04820.exe 93 PID 1284 wrote to memory of 1416 1284 04820.exe 93 PID 1284 wrote to memory of 1416 1284 04820.exe 93 PID 1416 wrote to memory of 3156 1416 jjjdd.exe 94 PID 1416 wrote to 
memory of 3156 1416 jjjdd.exe 94 PID 1416 wrote to memory of 3156 1416 jjjdd.exe 94 PID 3156 wrote to memory of 2012 3156 djpdd.exe 95 PID 3156 wrote to memory of 2012 3156 djpdd.exe 95 PID 3156 wrote to memory of 2012 3156 djpdd.exe 95 PID 2012 wrote to memory of 3344 2012 880888.exe 96 PID 2012 wrote to memory of 3344 2012 880888.exe 96 PID 2012 wrote to memory of 3344 2012 880888.exe 96 PID 3344 wrote to memory of 3456 3344 5vddd.exe 97 PID 3344 wrote to memory of 3456 3344 5vddd.exe 97 PID 3344 wrote to memory of 3456 3344 5vddd.exe 97 PID 3456 wrote to memory of 2944 3456 8286600.exe 98 PID 3456 wrote to memory of 2944 3456 8286600.exe 98 PID 3456 wrote to memory of 2944 3456 8286600.exe 98 PID 2944 wrote to memory of 2508 2944 vdvdp.exe 99 PID 2944 wrote to memory of 2508 2944 vdvdp.exe 99 PID 2944 wrote to memory of 2508 2944 vdvdp.exe 99 PID 2508 wrote to memory of 1132 2508 5pjjv.exe 100 PID 2508 wrote to memory of 1132 2508 5pjjv.exe 100 PID 2508 wrote to memory of 1132 2508 5pjjv.exe 100 PID 1132 wrote to memory of 3936 1132 hbtbtb.exe 101 PID 1132 wrote to memory of 3936 1132 hbtbtb.exe 101 PID 1132 wrote to memory of 3936 1132 hbtbtb.exe 101 PID 3936 wrote to memory of 696 3936 rxrxxlx.exe 102 PID 3936 wrote to memory of 696 3936 rxrxxlx.exe 102 PID 3936 wrote to memory of 696 3936 rxrxxlx.exe 102 PID 696 wrote to memory of 2136 696 o886048.exe 103 PID 696 wrote to memory of 2136 696 o886048.exe 103 PID 696 wrote to memory of 2136 696 o886048.exe 103 PID 2136 wrote to memory of 4008 2136 406600.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd0b6cd66460e7ad873ae33fb4e3f1fe079b74d82879d9e3c9cdda625a43f106.exe"C:\Users\Admin\AppData\Local\Temp\bd0b6cd66460e7ad873ae33fb4e3f1fe079b74d82879d9e3c9cdda625a43f106.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\44482.exec:\44482.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\bntnhh.exec:\bntnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\w68648.exec:\w68648.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\hbthhn.exec:\hbthhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\66266.exec:\66266.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\684888.exec:\684888.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\448888.exec:\448888.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\4244444.exec:\4244444.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
\??\c:\i688246.exec:\i688246.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\04820.exec:\04820.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\jjjdd.exec:\jjjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\djpdd.exec:\djpdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\880888.exec:\880888.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\5vddd.exec:\5vddd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\8286600.exec:\8286600.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\vdvdp.exec:\vdvdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\5pjjv.exec:\5pjjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\hbtbtb.exec:\hbtbtb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\rxrxxlx.exec:\rxrxxlx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\o886048.exec:\o886048.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\406600.exec:\406600.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\thnhbb.exec:\thnhbb.exe23⤵
- Executes dropped EXE
PID:4008 -
\??\c:\20048.exec:\20048.exe24⤵
- Executes dropped EXE
PID:4424 -
\??\c:\xrfxllx.exec:\xrfxllx.exe25⤵
- Executes dropped EXE
PID:1016 -
\??\c:\82224.exec:\82224.exe26⤵
- Executes dropped EXE
PID:5068 -
\??\c:\006002.exec:\006002.exe27⤵
- Executes dropped EXE
PID:2852 -
\??\c:\vjdjd.exec:\vjdjd.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2856 -
\??\c:\846086.exec:\846086.exe29⤵
- Executes dropped EXE
PID:1008 -
\??\c:\llfxxrl.exec:\llfxxrl.exe30⤵
- Executes dropped EXE
PID:3056 -
\??\c:\060822.exec:\060822.exe31⤵
- Executes dropped EXE
PID:3524 -
\??\c:\k68282.exec:\k68282.exe32⤵
- Executes dropped EXE
PID:4828 -
\??\c:\bttnhh.exec:\bttnhh.exe33⤵
- Executes dropped EXE
PID:224 -
\??\c:\xlxrrxr.exec:\xlxrrxr.exe34⤵
- Executes dropped EXE
PID:2564 -
\??\c:\068402.exec:\068402.exe35⤵
- Executes dropped EXE
PID:2504 -
\??\c:\bttnnt.exec:\bttnnt.exe36⤵
- Executes dropped EXE
PID:1748 -
\??\c:\lrrlfff.exec:\lrrlfff.exe37⤵
- Executes dropped EXE
PID:4840 -
\??\c:\tbbbtt.exec:\tbbbtt.exe38⤵
- Executes dropped EXE
PID:3180 -
\??\c:\xxllllf.exec:\xxllllf.exe39⤵
- Executes dropped EXE
PID:2500 -
\??\c:\m8004.exec:\m8004.exe40⤵
- Executes dropped EXE
PID:4940 -
\??\c:\6282260.exec:\6282260.exe41⤵
- Executes dropped EXE
PID:956 -
\??\c:\622226.exec:\622226.exe42⤵
- Executes dropped EXE
PID:376 -
\??\c:\5ppvv.exec:\5ppvv.exe43⤵
- Executes dropped EXE
PID:2040 -
\??\c:\86848.exec:\86848.exe44⤵
- Executes dropped EXE
PID:1996 -
\??\c:\bbnnhh.exec:\bbnnhh.exe45⤵
- Executes dropped EXE
PID:772 -
\??\c:\hbhbtb.exec:\hbhbtb.exe46⤵
- Executes dropped EXE
PID:3124 -
\??\c:\xrfxxxr.exec:\xrfxxxr.exe47⤵
- Executes dropped EXE
PID:2288 -
\??\c:\nnttbb.exec:\nnttbb.exe48⤵
- Executes dropped EXE
PID:4324 -
\??\c:\40200.exec:\40200.exe49⤵
- Executes dropped EXE
PID:732 -
\??\c:\q00044.exec:\q00044.exe50⤵
- Executes dropped EXE
PID:2068 -
\??\c:\0882688.exec:\0882688.exe51⤵
- Executes dropped EXE
PID:960 -
\??\c:\84048.exec:\84048.exe52⤵
- Executes dropped EXE
PID:2948 -
\??\c:\w88480.exec:\w88480.exe53⤵
- Executes dropped EXE
PID:4872 -
\??\c:\e24044.exec:\e24044.exe54⤵
- Executes dropped EXE
PID:4464 -
\??\c:\ffrlf86.exec:\ffrlf86.exe55⤵
- Executes dropped EXE
PID:3212 -
\??\c:\nnntnt.exec:\nnntnt.exe56⤵
- Executes dropped EXE
PID:2672 -
\??\c:\ppppv.exec:\ppppv.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3640 -
\??\c:\28020.exec:\28020.exe58⤵
- Executes dropped EXE
PID:3796 -
\??\c:\ddjdv.exec:\ddjdv.exe59⤵
- Executes dropped EXE
PID:3324 -
\??\c:\e28668.exec:\e28668.exe60⤵
- Executes dropped EXE
PID:3652 -
\??\c:\8404882.exec:\8404882.exe61⤵
- Executes dropped EXE
PID:2900 -
\??\c:\428262.exec:\428262.exe62⤵
- Executes dropped EXE
PID:2088 -
\??\c:\hbttbb.exec:\hbttbb.exe63⤵
- Executes dropped EXE
PID:3960 -
\??\c:\2848888.exec:\2848888.exe64⤵
- Executes dropped EXE
PID:4856 -
\??\c:\4642604.exec:\4642604.exe65⤵
- Executes dropped EXE
PID:2360 -
\??\c:\frffxxr.exec:\frffxxr.exe66⤵PID:3184
-
\??\c:\3hhhbb.exec:\3hhhbb.exe67⤵PID:684
-
\??\c:\m2220.exec:\m2220.exe68⤵PID:2104
-
\??\c:\htnbbh.exec:\htnbbh.exe69⤵PID:4448
-
\??\c:\244888.exec:\244888.exe70⤵PID:1940
-
\??\c:\7tbtht.exec:\7tbtht.exe71⤵PID:4996
-
\??\c:\022460.exec:\022460.exe72⤵PID:5084
-
\??\c:\6466046.exec:\6466046.exe73⤵PID:2180
-
\??\c:\ntnbnh.exec:\ntnbnh.exe74⤵PID:4428
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe75⤵PID:3572
-
\??\c:\hhhnnn.exec:\hhhnnn.exe76⤵PID:404
-
\??\c:\ddvpv.exec:\ddvpv.exe77⤵PID:3680
-
\??\c:\40608.exec:\40608.exe78⤵PID:4284
-
\??\c:\20488.exec:\20488.exe79⤵PID:716
-
\??\c:\4268226.exec:\4268226.exe80⤵PID:2572
-
\??\c:\rrxrrll.exec:\rrxrrll.exe81⤵PID:3232
-
\??\c:\8444226.exec:\8444226.exe82⤵PID:2136
-
\??\c:\bnhthb.exec:\bnhthb.exe83⤵PID:3648
-
\??\c:\644860.exec:\644860.exe84⤵PID:4824
-
\??\c:\rrllxfr.exec:\rrllxfr.exe85⤵PID:2404
-
\??\c:\4404048.exec:\4404048.exe86⤵PID:1192
-
\??\c:\8482622.exec:\8482622.exe87⤵PID:5100
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe88⤵PID:2912
-
\??\c:\xrrrlll.exec:\xrrrlll.exe89⤵PID:1884
-
\??\c:\nbhtnn.exec:\nbhtnn.exe90⤵PID:3272
-
\??\c:\626460.exec:\626460.exe91⤵PID:2856
-
\??\c:\dpdvv.exec:\dpdvv.exe92⤵PID:2340
-
\??\c:\xlllxxf.exec:\xlllxxf.exe93⤵PID:2372
-
\??\c:\pvppj.exec:\pvppj.exe94⤵PID:4976
-
\??\c:\pdjjv.exec:\pdjjv.exe95⤵PID:3524
-
\??\c:\o288226.exec:\o288226.exe96⤵PID:4060
-
\??\c:\frxrrrr.exec:\frxrrrr.exe97⤵PID:180
-
\??\c:\3htnbt.exec:\3htnbt.exe98⤵PID:4812
-
\??\c:\40442.exec:\40442.exe99⤵PID:2796
-
\??\c:\1jppp.exec:\1jppp.exe100⤵PID:1436
-
\??\c:\xffxlfx.exec:\xffxlfx.exe101⤵PID:3484
-
\??\c:\flrllrr.exec:\flrllrr.exe102⤵PID:3416
-
\??\c:\tbhthb.exec:\tbhthb.exe103⤵PID:4476
-
\??\c:\flflxfr.exec:\flflxfr.exe104⤵PID:2500
-
\??\c:\pjjdp.exec:\pjjdp.exe105⤵PID:5044
-
\??\c:\466266.exec:\466266.exe106⤵PID:1460
-
\??\c:\06660.exec:\06660.exe107⤵PID:3964
-
\??\c:\vjjjd.exec:\vjjjd.exe108⤵PID:4740
-
\??\c:\hbbttt.exec:\hbbttt.exe109⤵PID:3988
-
\??\c:\xllfxrl.exec:\xllfxrl.exe110⤵PID:772
-
\??\c:\040844.exec:\040844.exe111⤵PID:1128
-
\??\c:\46424.exec:\46424.exe112⤵PID:3152
-
\??\c:\xxrllxr.exec:\xxrllxr.exe113⤵PID:720
-
\??\c:\xrrllll.exec:\xrrllll.exe114⤵PID:1124
-
\??\c:\4288606.exec:\4288606.exe115⤵PID:3044
-
\??\c:\vdjjd.exec:\vdjjd.exe116⤵PID:396
-
\??\c:\o226482.exec:\o226482.exe117⤵PID:2144
-
\??\c:\1ppjd.exec:\1ppjd.exe118⤵PID:3560
-
\??\c:\244882.exec:\244882.exe119⤵PID:1512
-
\??\c:\1pjvj.exec:\1pjvj.exe120⤵PID:3404
-
\??\c:\btbtnt.exec:\btbtnt.exe121⤵PID:384
-
\??\c:\jvvpj.exec:\jvvpj.exe122⤵PID:3980