Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 20:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe
-
Size
453KB
-
MD5
b290e973507fda7f8903c0f2fe963af1
-
SHA1
bc55489f62b57c44dec28fae1a989d9bb54aa830
-
SHA256
1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05
-
SHA512
e9d3ea6e8d39f9aea292d0bf946f46d794cbb771a285a57992ad137e17068cbb596b12337114f0cbd248cb15e10f8d7381af2d837af8c0247caa27c9d5ab60e0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2792-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4056-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/376-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-866-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-987-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-1066-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-1172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/768-1371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2792 86804.exe 4924 844266.exe 4268 3bttnt.exe 4008 828626.exe 4484 666604.exe 1896 vvvvv.exe 1696 06282.exe 64 42268.exe 4116 268466.exe 3292 5vpjj.exe 5004 jvvvp.exe 4084 08864.exe 2876 nttbtn.exe 4572 628222.exe 3340 tnnhbb.exe 2740 bthnhb.exe 4968 e80826.exe 1224 hnthbb.exe 4476 6648822.exe 3544 626824.exe 2880 nbbbht.exe 100 4848002.exe 3624 flfrrll.exe 2036 04208.exe 3684 fxllxlr.exe 4056 2466000.exe 2744 pppjv.exe 2968 vvpjd.exe 3004 rflxrll.exe 4380 jppdv.exe 972 80420.exe 4324 3ffxxrl.exe 3880 vdjdp.exe 1160 7ddpd.exe 1220 1bnhtt.exe 4516 u886048.exe 512 i000082.exe 448 68486.exe 5040 666088.exe 3528 flrfrlf.exe 2924 nbtnhb.exe 3620 frlxllf.exe 1500 3ffxllx.exe 2960 822042.exe 4360 nhbttt.exe 4348 22864.exe 3960 m2486.exe 2192 q28666.exe 2276 24048.exe 3324 8604286.exe 4724 xflfrlf.exe 4800 jppjp.exe 1456 rllxfxr.exe 2732 28202.exe 3632 64480.exe 4712 thnhht.exe 3248 248204.exe 4936 i620202.exe 1664 64844.exe 3452 3vvvp.exe 1584 4226464.exe 2888 2060664.exe 3872 hntnbt.exe 4436 3bthtt.exe -
resource yara_rule behavioral2/memory/2792-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2968-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4472-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-655-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4666004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6444262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2848260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0820488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrflfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o460606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a6040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2082222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
28460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6226442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8448226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 628606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4688 wrote to memory of 2792 4688 1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe 85 PID 4688 wrote to memory of 2792 4688 1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe 85 PID 4688 wrote to memory of 2792 4688 1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe 85 PID 2792 wrote to memory of 4924 2792 86804.exe 86 PID 2792 wrote to memory of 4924 2792 86804.exe 86 PID 2792 wrote to memory of 4924 2792 86804.exe 86 PID 4924 wrote to memory of 4268 4924 844266.exe 87 PID 4924 wrote to memory of 4268 4924 844266.exe 87 PID 4924 wrote to memory of 4268 4924 844266.exe 87 PID 4268 wrote to memory of 4008 4268 3bttnt.exe 88 PID 4268 wrote to memory of 4008 4268 3bttnt.exe 88 PID 4268 wrote to memory of 4008 4268 3bttnt.exe 88 PID 4008 wrote to memory of 4484 4008 828626.exe 89 PID 4008 wrote to memory of 4484 4008 828626.exe 89 PID 4008 wrote to memory of 4484 4008 828626.exe 89 PID 4484 wrote to memory of 1896 4484 666604.exe 90 PID 4484 wrote to memory of 1896 4484 666604.exe 90 PID 4484 wrote to memory of 1896 4484 666604.exe 90 PID 1896 wrote to memory of 1696 1896 vvvvv.exe 91 PID 1896 wrote to memory of 1696 1896 vvvvv.exe 91 PID 1896 wrote to memory of 1696 1896 vvvvv.exe 91 PID 1696 wrote to memory of 64 1696 06282.exe 92 PID 1696 wrote to memory of 64 1696 06282.exe 92 PID 1696 wrote to memory of 64 1696 06282.exe 92 PID 64 wrote to memory of 4116 64 42268.exe 93 PID 64 wrote to memory of 4116 64 42268.exe 93 PID 64 wrote to memory of 4116 64 42268.exe 93 PID 4116 wrote to memory of 3292 4116 268466.exe 94 PID 4116 wrote to memory of 3292 4116 268466.exe 94 PID 4116 wrote to memory of 3292 4116 268466.exe 94 PID 3292 wrote to memory of 5004 3292 5vpjj.exe 95 PID 3292 wrote to memory of 5004 3292 5vpjj.exe 95 PID 3292 wrote to memory of 5004 3292 5vpjj.exe 95 PID 5004 wrote to memory of 4084 5004 jvvvp.exe 96 PID 5004 wrote to memory of 4084 5004 jvvvp.exe 96 
PID 5004 wrote to memory of 4084 5004 jvvvp.exe 96 PID 4084 wrote to memory of 2876 4084 08864.exe 97 PID 4084 wrote to memory of 2876 4084 08864.exe 97 PID 4084 wrote to memory of 2876 4084 08864.exe 97 PID 2876 wrote to memory of 4572 2876 nttbtn.exe 98 PID 2876 wrote to memory of 4572 2876 nttbtn.exe 98 PID 2876 wrote to memory of 4572 2876 nttbtn.exe 98 PID 4572 wrote to memory of 3340 4572 628222.exe 99 PID 4572 wrote to memory of 3340 4572 628222.exe 99 PID 4572 wrote to memory of 3340 4572 628222.exe 99 PID 3340 wrote to memory of 2740 3340 tnnhbb.exe 100 PID 3340 wrote to memory of 2740 3340 tnnhbb.exe 100 PID 3340 wrote to memory of 2740 3340 tnnhbb.exe 100 PID 2740 wrote to memory of 4968 2740 bthnhb.exe 101 PID 2740 wrote to memory of 4968 2740 bthnhb.exe 101 PID 2740 wrote to memory of 4968 2740 bthnhb.exe 101 PID 4968 wrote to memory of 1224 4968 e80826.exe 102 PID 4968 wrote to memory of 1224 4968 e80826.exe 102 PID 4968 wrote to memory of 1224 4968 e80826.exe 102 PID 1224 wrote to memory of 4476 1224 hnthbb.exe 103 PID 1224 wrote to memory of 4476 1224 hnthbb.exe 103 PID 1224 wrote to memory of 4476 1224 hnthbb.exe 103 PID 4476 wrote to memory of 3544 4476 6648822.exe 104 PID 4476 wrote to memory of 3544 4476 6648822.exe 104 PID 4476 wrote to memory of 3544 4476 6648822.exe 104 PID 3544 wrote to memory of 2880 3544 626824.exe 105 PID 3544 wrote to memory of 2880 3544 626824.exe 105 PID 3544 wrote to memory of 2880 3544 626824.exe 105 PID 2880 wrote to memory of 100 2880 nbbbht.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe"C:\Users\Admin\AppData\Local\Temp\1fe9713d2ff0734cf6b41b32d4004fb8a3044cbc21b008ee199b218fbd034c05.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\86804.exec:\86804.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\844266.exec:\844266.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\3bttnt.exec:\3bttnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\828626.exec:\828626.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\666604.exec:\666604.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\vvvvv.exec:\vvvvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\06282.exec:\06282.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\42268.exec:\42268.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\268466.exec:\268466.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\5vpjj.exec:\5vpjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\jvvvp.exec:\jvvvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\08864.exec:\08864.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\nttbtn.exec:\nttbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\628222.exec:\628222.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\tnnhbb.exec:\tnnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\bthnhb.exec:\bthnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\e80826.exec:\e80826.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\hnthbb.exec:\hnthbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\6648822.exec:\6648822.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\626824.exec:\626824.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\nbbbht.exec:\nbbbht.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\4848002.exec:\4848002.exe23⤵
- Executes dropped EXE
PID:100 -
\??\c:\flfrrll.exec:\flfrrll.exe24⤵
- Executes dropped EXE
PID:3624 -
\??\c:\04208.exec:\04208.exe25⤵
- Executes dropped EXE
PID:2036 -
\??\c:\fxllxlr.exec:\fxllxlr.exe26⤵
- Executes dropped EXE
PID:3684 -
\??\c:\2466000.exec:\2466000.exe27⤵
- Executes dropped EXE
PID:4056 -
\??\c:\pppjv.exec:\pppjv.exe28⤵
- Executes dropped EXE
PID:2744 -
\??\c:\vvpjd.exec:\vvpjd.exe29⤵
- Executes dropped EXE
PID:2968 -
\??\c:\rflxrll.exec:\rflxrll.exe30⤵
- Executes dropped EXE
PID:3004 -
\??\c:\jppdv.exec:\jppdv.exe31⤵
- Executes dropped EXE
PID:4380 -
\??\c:\80420.exec:\80420.exe32⤵
- Executes dropped EXE
PID:972 -
\??\c:\3ffxxrl.exec:\3ffxxrl.exe33⤵
- Executes dropped EXE
PID:4324 -
\??\c:\vdjdp.exec:\vdjdp.exe34⤵
- Executes dropped EXE
PID:3880 -
\??\c:\7ddpd.exec:\7ddpd.exe35⤵
- Executes dropped EXE
PID:1160 -
\??\c:\1bnhtt.exec:\1bnhtt.exe36⤵
- Executes dropped EXE
PID:1220 -
\??\c:\u886048.exec:\u886048.exe37⤵
- Executes dropped EXE
PID:4516 -
\??\c:\i000082.exec:\i000082.exe38⤵
- Executes dropped EXE
PID:512 -
\??\c:\68486.exec:\68486.exe39⤵
- Executes dropped EXE
PID:448 -
\??\c:\666088.exec:\666088.exe40⤵
- Executes dropped EXE
PID:5040 -
\??\c:\flrfrlf.exec:\flrfrlf.exe41⤵
- Executes dropped EXE
PID:3528 -
\??\c:\nbtnhb.exec:\nbtnhb.exe42⤵
- Executes dropped EXE
PID:2924 -
\??\c:\frlxllf.exec:\frlxllf.exe43⤵
- Executes dropped EXE
PID:3620 -
\??\c:\3ffxllx.exec:\3ffxllx.exe44⤵
- Executes dropped EXE
PID:1500 -
\??\c:\822042.exec:\822042.exe45⤵
- Executes dropped EXE
PID:2960 -
\??\c:\nhbttt.exec:\nhbttt.exe46⤵
- Executes dropped EXE
PID:4360 -
\??\c:\22864.exec:\22864.exe47⤵
- Executes dropped EXE
PID:4348 -
\??\c:\m2486.exec:\m2486.exe48⤵
- Executes dropped EXE
PID:3960 -
\??\c:\q28666.exec:\q28666.exe49⤵
- Executes dropped EXE
PID:2192 -
\??\c:\24048.exec:\24048.exe50⤵
- Executes dropped EXE
PID:2276 -
\??\c:\8604286.exec:\8604286.exe51⤵
- Executes dropped EXE
PID:3324 -
\??\c:\xflfrlf.exec:\xflfrlf.exe52⤵
- Executes dropped EXE
PID:4724 -
\??\c:\jppjp.exec:\jppjp.exe53⤵
- Executes dropped EXE
PID:4800 -
\??\c:\rllxfxr.exec:\rllxfxr.exe54⤵
- Executes dropped EXE
PID:1456 -
\??\c:\28202.exec:\28202.exe55⤵
- Executes dropped EXE
PID:2732 -
\??\c:\64480.exec:\64480.exe56⤵
- Executes dropped EXE
PID:3632 -
\??\c:\thnhht.exec:\thnhht.exe57⤵
- Executes dropped EXE
PID:4712 -
\??\c:\248204.exec:\248204.exe58⤵
- Executes dropped EXE
PID:3248 -
\??\c:\i620202.exec:\i620202.exe59⤵
- Executes dropped EXE
PID:4936 -
\??\c:\64844.exec:\64844.exe60⤵
- Executes dropped EXE
PID:1664 -
\??\c:\3vvvp.exec:\3vvvp.exe61⤵
- Executes dropped EXE
PID:3452 -
\??\c:\4226464.exec:\4226464.exe62⤵
- Executes dropped EXE
PID:1584 -
\??\c:\2060664.exec:\2060664.exe63⤵
- Executes dropped EXE
PID:2888 -
\??\c:\hntnbt.exec:\hntnbt.exe64⤵
- Executes dropped EXE
PID:3872 -
\??\c:\3bthtt.exec:\3bthtt.exe65⤵
- Executes dropped EXE
PID:4436 -
\??\c:\6260426.exec:\6260426.exe66⤵PID:4860
-
\??\c:\nttnhn.exec:\nttnhn.exe67⤵PID:4812
-
\??\c:\428426.exec:\428426.exe68⤵PID:3436
-
\??\c:\i844264.exec:\i844264.exe69⤵PID:4440
-
\??\c:\rffrrfx.exec:\rffrrfx.exe70⤵PID:2764
-
\??\c:\3lfrlfr.exec:\3lfrlfr.exe71⤵PID:4940
-
\??\c:\1hnhhn.exec:\1hnhhn.exe72⤵PID:3564
-
\??\c:\462660.exec:\462660.exe73⤵PID:3548
-
\??\c:\04826.exec:\04826.exe74⤵PID:1844
-
\??\c:\622084.exec:\622084.exe75⤵PID:3560
-
\??\c:\btbnhb.exec:\btbnhb.exe76⤵PID:4788
-
\??\c:\djdpj.exec:\djdpj.exe77⤵PID:376
-
\??\c:\pjpjd.exec:\pjpjd.exe78⤵PID:2828
-
\??\c:\266082.exec:\266082.exe79⤵PID:4644
-
\??\c:\22602.exec:\22602.exe80⤵PID:4676
-
\??\c:\248426.exec:\248426.exe81⤵PID:3016
-
\??\c:\644244.exec:\644244.exe82⤵PID:1000
-
\??\c:\dpvvp.exec:\dpvvp.exe83⤵PID:1776
-
\??\c:\rrxlfxl.exec:\rrxlfxl.exe84⤵PID:3964
-
\??\c:\xrlxllf.exec:\xrlxllf.exe85⤵PID:1480
-
\??\c:\i280044.exec:\i280044.exe86⤵PID:2008
-
\??\c:\ththht.exec:\ththht.exe87⤵PID:4004
-
\??\c:\xllxlff.exec:\xllxlff.exe88⤵PID:4180
-
\??\c:\o820826.exec:\o820826.exe89⤵PID:4656
-
\??\c:\00662.exec:\00662.exe90⤵PID:4472
-
\??\c:\060442.exec:\060442.exe91⤵PID:1980
-
\??\c:\862640.exec:\862640.exe92⤵PID:884
-
\??\c:\hnttnh.exec:\hnttnh.exe93⤵PID:4380
-
\??\c:\ddppp.exec:\ddppp.exe94⤵PID:3036
-
\??\c:\rrxrfff.exec:\rrxrfff.exe95⤵PID:2132
-
\??\c:\8644406.exec:\8644406.exe96⤵PID:1824
-
\??\c:\48482.exec:\48482.exe97⤵PID:768
-
\??\c:\646088.exec:\646088.exe98⤵PID:1136
-
\??\c:\g2826.exec:\g2826.exe99⤵PID:1616
-
\??\c:\rlrrxxf.exec:\rlrrxxf.exe100⤵PID:3616
-
\??\c:\004602.exec:\004602.exe101⤵PID:2196
-
\??\c:\djpjv.exec:\djpjv.exe102⤵PID:1596
-
\??\c:\802660.exec:\802660.exe103⤵PID:400
-
\??\c:\djpjj.exec:\djpjj.exe104⤵PID:3280
-
\??\c:\468822.exec:\468822.exe105⤵PID:2708
-
\??\c:\dvpjd.exec:\dvpjd.exe106⤵PID:2524
-
\??\c:\86064.exec:\86064.exe107⤵PID:2632
-
\??\c:\xlrllxr.exec:\xlrllxr.exe108⤵PID:4364
-
\??\c:\pppjd.exec:\pppjd.exe109⤵PID:4636
-
\??\c:\nnnnhb.exec:\nnnnhb.exe110⤵PID:1932
-
\??\c:\dpvpp.exec:\dpvpp.exe111⤵PID:2792
-
\??\c:\u844060.exec:\u844060.exe112⤵PID:4888
-
\??\c:\28488.exec:\28488.exe113⤵PID:792
-
\??\c:\rrfrllf.exec:\rrfrllf.exe114⤵PID:4848
-
\??\c:\068266.exec:\068266.exe115⤵PID:4156
-
\??\c:\9xfxxxr.exec:\9xfxxxr.exe116⤵PID:4708
-
\??\c:\rlrfxfx.exec:\rlrfxfx.exe117⤵PID:4932
-
\??\c:\826888.exec:\826888.exe118⤵PID:4120
-
\??\c:\628266.exec:\628266.exe119⤵PID:4540
-
\??\c:\m6222.exec:\m6222.exe120⤵PID:4712
-
\??\c:\ntbnnn.exec:\ntbnnn.exe121⤵PID:228
-
\??\c:\86826.exec:\86826.exe122⤵PID:3360