Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 19:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1059e3f9885ba44e386bfdccb4dffffb72cd1ac52617b408987a46f17f8f713a.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
1059e3f9885ba44e386bfdccb4dffffb72cd1ac52617b408987a46f17f8f713a.exe
-
Size
453KB
-
MD5
309cf5664152150b0b76a54ada527794
-
SHA1
0590568a2a5433d59efd56c36ab8bc5009486cc5
-
SHA256
1059e3f9885ba44e386bfdccb4dffffb72cd1ac52617b408987a46f17f8f713a
-
SHA512
44af26fcee99182cbb09695fca3f8f6b4a7d2d053dd9ac8c8ac9ec319781191631aae9ac28d7a781b597423de438ea2f99b19d2d4aa8d2f55f693a25daa24c43
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2508-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1008-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-195-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2012-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2316-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-339-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3000-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1132-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-565-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1592-582-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2312-597-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1256-717-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1268-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-756-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2312-868-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3040-900-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-917-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2388-938-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-995-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2408-1025-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1248-1033-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2992-1113-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2508 8026262.exe 1008 lflfrll.exe 2948 3rllrlf.exe 1496 5nbnnh.exe 2312 48062.exe 2900 260084.exe 2904 bnhtbh.exe 2672 082844.exe 2692 864044.exe 1668 9ntthb.exe 2660 082284.exe 3044 1btttt.exe 2072 nhtthn.exe 2224 htnhnh.exe 2260 i084220.exe 2172 vpdjv.exe 2600 u688608.exe 1928 xrlrflx.exe 2284 088800.exe 1464 llflxxr.exe 1676 824688.exe 2012 4244624.exe 1696 bnbbbh.exe 1712 e60626.exe 884 08626.exe 1976 5fllfll.exe 1796 k04400.exe 2400 k80404.exe 1656 5rlfrxf.exe 2504 hnhntb.exe 780 26468.exe 2316 rlllfxf.exe 1628 64284.exe 1592 o244040.exe 2948 vjvpd.exe 1500 dpdvv.exe 2168 20884.exe 2920 6844440.exe 2464 xlxxxfl.exe 3000 pjddj.exe 2940 42402.exe 2832 pdvjj.exe 2836 o422822.exe 2804 86222.exe 2788 64684.exe 2496 xlllxxl.exe 2276 1bhntt.exe 2180 00840.exe 2224 4246844.exe 1952 42406.exe 2416 9thnnt.exe 2212 bbnthn.exe 2056 u486642.exe 1828 2088002.exe 2456 djjpv.exe 1456 hbnnhb.exe 1464 jdvvv.exe 1132 xrlxllx.exe 2016 6406222.exe 2012 62006.exe 2408 tnbtbt.exe 1716 w20022.exe 1004 0884006.exe 2588 7bnnnn.exe -
resource yara_rule behavioral1/memory/2508-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-306-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2168-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1456-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1132-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/300-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-848-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-868-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/3040-900-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-938-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-947-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/448-964-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2560-1054-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-1061-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-1068-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (the sample opens the NLS\Language registry key; a locale check of this kind is commonly used to decide whether to run on a given host).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6806440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c862880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
o800262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2028484.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2132 wrote to memory of 2508 2132 1059e3f9885ba44e386bfdccb4dffffb72cd1ac52617b408987a46f17f8f713a.exe 30 PID 2132 wrote to memory of 2508 2132 1059e3f9885ba44e386bfdccb4dffffb72cd1ac52617b408987a46f17f8f713a.exe 30 PID 2132 wrote to memory of 2508 2132 1059e3f9885ba44e386bfdccb4dffffb72cd1ac52617b408987a46f17f8f713a.exe 30 PID 2132 wrote to memory of 2508 2132 1059e3f9885ba44e386bfdccb4dffffb72cd1ac52617b408987a46f17f8f713a.exe 30 PID 2508 wrote to memory of 1008 2508 8026262.exe 31 PID 2508 wrote to memory of 1008 2508 8026262.exe 31 PID 2508 wrote to memory of 1008 2508 8026262.exe 31 PID 2508 wrote to memory of 1008 2508 8026262.exe 31 PID 1008 wrote to memory of 2948 1008 lflfrll.exe 32 PID 1008 wrote to memory of 2948 1008 lflfrll.exe 32 PID 1008 wrote to memory of 2948 1008 lflfrll.exe 32 PID 1008 wrote to memory of 2948 1008 lflfrll.exe 32 PID 2948 wrote to memory of 1496 2948 3rllrlf.exe 33 PID 2948 wrote to memory of 1496 2948 3rllrlf.exe 33 PID 2948 wrote to memory of 1496 2948 3rllrlf.exe 33 PID 2948 wrote to memory of 1496 2948 3rllrlf.exe 33 PID 1496 wrote to memory of 2312 1496 5nbnnh.exe 34 PID 1496 wrote to memory of 2312 1496 5nbnnh.exe 34 PID 1496 wrote to memory of 2312 1496 5nbnnh.exe 34 PID 1496 wrote to memory of 2312 1496 5nbnnh.exe 34 PID 2312 wrote to memory of 2900 2312 48062.exe 35 PID 2312 wrote to memory of 2900 2312 48062.exe 35 PID 2312 wrote to memory of 2900 2312 48062.exe 35 PID 2312 wrote to memory of 2900 2312 48062.exe 35 PID 2900 wrote to memory of 2904 2900 260084.exe 36 PID 2900 wrote to memory of 2904 2900 260084.exe 36 PID 2900 wrote to memory of 2904 2900 260084.exe 36 PID 2900 wrote to memory of 2904 2900 260084.exe 36 PID 2904 wrote to memory of 2672 2904 bnhtbh.exe 37 PID 2904 wrote to memory of 2672 2904 bnhtbh.exe 37 PID 2904 wrote to memory of 2672 2904 bnhtbh.exe 37 PID 2904 wrote to memory of 2672 2904 bnhtbh.exe 37 PID 2672 wrote to memory of 2692 2672 082844.exe 38 PID 
2672 wrote to memory of 2692 2672 082844.exe 38 PID 2672 wrote to memory of 2692 2672 082844.exe 38 PID 2672 wrote to memory of 2692 2672 082844.exe 38 PID 2692 wrote to memory of 1668 2692 864044.exe 39 PID 2692 wrote to memory of 1668 2692 864044.exe 39 PID 2692 wrote to memory of 1668 2692 864044.exe 39 PID 2692 wrote to memory of 1668 2692 864044.exe 39 PID 1668 wrote to memory of 2660 1668 9ntthb.exe 40 PID 1668 wrote to memory of 2660 1668 9ntthb.exe 40 PID 1668 wrote to memory of 2660 1668 9ntthb.exe 40 PID 1668 wrote to memory of 2660 1668 9ntthb.exe 40 PID 2660 wrote to memory of 3044 2660 082284.exe 41 PID 2660 wrote to memory of 3044 2660 082284.exe 41 PID 2660 wrote to memory of 3044 2660 082284.exe 41 PID 2660 wrote to memory of 3044 2660 082284.exe 41 PID 3044 wrote to memory of 2072 3044 1btttt.exe 42 PID 3044 wrote to memory of 2072 3044 1btttt.exe 42 PID 3044 wrote to memory of 2072 3044 1btttt.exe 42 PID 3044 wrote to memory of 2072 3044 1btttt.exe 42 PID 2072 wrote to memory of 2224 2072 nhtthn.exe 43 PID 2072 wrote to memory of 2224 2072 nhtthn.exe 43 PID 2072 wrote to memory of 2224 2072 nhtthn.exe 43 PID 2072 wrote to memory of 2224 2072 nhtthn.exe 43 PID 2224 wrote to memory of 2260 2224 htnhnh.exe 44 PID 2224 wrote to memory of 2260 2224 htnhnh.exe 44 PID 2224 wrote to memory of 2260 2224 htnhnh.exe 44 PID 2224 wrote to memory of 2260 2224 htnhnh.exe 44 PID 2260 wrote to memory of 2172 2260 i084220.exe 45 PID 2260 wrote to memory of 2172 2260 i084220.exe 45 PID 2260 wrote to memory of 2172 2260 i084220.exe 45 PID 2260 wrote to memory of 2172 2260 i084220.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1059e3f9885ba44e386bfdccb4dffffb72cd1ac52617b408987a46f17f8f713a.exe"C:\Users\Admin\AppData\Local\Temp\1059e3f9885ba44e386bfdccb4dffffb72cd1ac52617b408987a46f17f8f713a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\8026262.exec:\8026262.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\lflfrll.exec:\lflfrll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\3rllrlf.exec:\3rllrlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\5nbnnh.exec:\5nbnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\48062.exec:\48062.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\260084.exec:\260084.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\bnhtbh.exec:\bnhtbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\082844.exec:\082844.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\864044.exec:\864044.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\9ntthb.exec:\9ntthb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\082284.exec:\082284.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\1btttt.exec:\1btttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\nhtthn.exec:\nhtthn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\htnhnh.exec:\htnhnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\i084220.exec:\i084220.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\vpdjv.exec:\vpdjv.exe17⤵
- Executes dropped EXE
PID:2172 -
\??\c:\u688608.exec:\u688608.exe18⤵
- Executes dropped EXE
PID:2600 -
\??\c:\xrlrflx.exec:\xrlrflx.exe19⤵
- Executes dropped EXE
PID:1928 -
\??\c:\088800.exec:\088800.exe20⤵
- Executes dropped EXE
PID:2284 -
\??\c:\llflxxr.exec:\llflxxr.exe21⤵
- Executes dropped EXE
PID:1464 -
\??\c:\824688.exec:\824688.exe22⤵
- Executes dropped EXE
PID:1676 -
\??\c:\4244624.exec:\4244624.exe23⤵
- Executes dropped EXE
PID:2012 -
\??\c:\bnbbbh.exec:\bnbbbh.exe24⤵
- Executes dropped EXE
PID:1696 -
\??\c:\e60626.exec:\e60626.exe25⤵
- Executes dropped EXE
PID:1712 -
\??\c:\08626.exec:\08626.exe26⤵
- Executes dropped EXE
PID:884 -
\??\c:\5fllfll.exec:\5fllfll.exe27⤵
- Executes dropped EXE
PID:1976 -
\??\c:\k04400.exec:\k04400.exe28⤵
- Executes dropped EXE
PID:1796 -
\??\c:\k80404.exec:\k80404.exe29⤵
- Executes dropped EXE
PID:2400 -
\??\c:\5rlfrxf.exec:\5rlfrxf.exe30⤵
- Executes dropped EXE
PID:1656 -
\??\c:\hnhntb.exec:\hnhntb.exe31⤵
- Executes dropped EXE
PID:2504 -
\??\c:\26468.exec:\26468.exe32⤵
- Executes dropped EXE
PID:780 -
\??\c:\rlllfxf.exec:\rlllfxf.exe33⤵
- Executes dropped EXE
PID:2316 -
\??\c:\64284.exec:\64284.exe34⤵
- Executes dropped EXE
PID:1628 -
\??\c:\o244040.exec:\o244040.exe35⤵
- Executes dropped EXE
PID:1592 -
\??\c:\vjvpd.exec:\vjvpd.exe36⤵
- Executes dropped EXE
PID:2948 -
\??\c:\dpdvv.exec:\dpdvv.exe37⤵
- Executes dropped EXE
PID:1500 -
\??\c:\20884.exec:\20884.exe38⤵
- Executes dropped EXE
PID:2168 -
\??\c:\6844440.exec:\6844440.exe39⤵
- Executes dropped EXE
PID:2920 -
\??\c:\xlxxxfl.exec:\xlxxxfl.exe40⤵
- Executes dropped EXE
PID:2464 -
\??\c:\pjddj.exec:\pjddj.exe41⤵
- Executes dropped EXE
PID:3000 -
\??\c:\42402.exec:\42402.exe42⤵
- Executes dropped EXE
PID:2940 -
\??\c:\pdvjj.exec:\pdvjj.exe43⤵
- Executes dropped EXE
PID:2832 -
\??\c:\o422822.exec:\o422822.exe44⤵
- Executes dropped EXE
PID:2836 -
\??\c:\86222.exec:\86222.exe45⤵
- Executes dropped EXE
PID:2804 -
\??\c:\64684.exec:\64684.exe46⤵
- Executes dropped EXE
PID:2788 -
\??\c:\xlllxxl.exec:\xlllxxl.exe47⤵
- Executes dropped EXE
PID:2496 -
\??\c:\1bhntt.exec:\1bhntt.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
\??\c:\00840.exec:\00840.exe49⤵
- Executes dropped EXE
PID:2180 -
\??\c:\4246844.exec:\4246844.exe50⤵
- Executes dropped EXE
PID:2224 -
\??\c:\42406.exec:\42406.exe51⤵
- Executes dropped EXE
PID:1952 -
\??\c:\9thnnt.exec:\9thnnt.exe52⤵
- Executes dropped EXE
PID:2416 -
\??\c:\bbnthn.exec:\bbnthn.exe53⤵
- Executes dropped EXE
PID:2212 -
\??\c:\u486642.exec:\u486642.exe54⤵
- Executes dropped EXE
PID:2056 -
\??\c:\2088002.exec:\2088002.exe55⤵
- Executes dropped EXE
PID:1828 -
\??\c:\djjpv.exec:\djjpv.exe56⤵
- Executes dropped EXE
PID:2456 -
\??\c:\hbnnhb.exec:\hbnnhb.exe57⤵
- Executes dropped EXE
PID:1456 -
\??\c:\jdvvv.exec:\jdvvv.exe58⤵
- Executes dropped EXE
PID:1464 -
\??\c:\xrlxllx.exec:\xrlxllx.exe59⤵
- Executes dropped EXE
PID:1132 -
\??\c:\6406222.exec:\6406222.exe60⤵
- Executes dropped EXE
PID:2016 -
\??\c:\62006.exec:\62006.exe61⤵
- Executes dropped EXE
PID:2012 -
\??\c:\tnbtbt.exec:\tnbtbt.exe62⤵
- Executes dropped EXE
PID:2408 -
\??\c:\w20022.exec:\w20022.exe63⤵
- Executes dropped EXE
PID:1716 -
\??\c:\0884006.exec:\0884006.exe64⤵
- Executes dropped EXE
PID:1004 -
\??\c:\7bnnnn.exec:\7bnnnn.exe65⤵
- Executes dropped EXE
PID:2588 -
\??\c:\7htbhh.exec:\7htbhh.exe66⤵PID:1756
-
\??\c:\q46666.exec:\q46666.exe67⤵PID:1796
-
\??\c:\086248.exec:\086248.exe68⤵
- System Location Discovery: System Language Discovery
PID:2636 -
\??\c:\2606280.exec:\2606280.exe69⤵PID:712
-
\??\c:\jpdpv.exec:\jpdpv.exe70⤵PID:888
-
\??\c:\pdpdd.exec:\pdpdd.exe71⤵PID:572
-
\??\c:\pjpvv.exec:\pjpvv.exe72⤵PID:2148
-
\??\c:\0806622.exec:\0806622.exe73⤵PID:2512
-
\??\c:\0862484.exec:\0862484.exe74⤵PID:1740
-
\??\c:\42046.exec:\42046.exe75⤵PID:1840
-
\??\c:\m8622.exec:\m8622.exe76⤵PID:1592
-
\??\c:\g0846.exec:\g0846.exe77⤵PID:1404
-
\??\c:\084448.exec:\084448.exe78⤵PID:2312
-
\??\c:\426682.exec:\426682.exe79⤵PID:2760
-
\??\c:\m8624.exec:\m8624.exe80⤵
- System Location Discovery: System Language Discovery
PID:928 -
\??\c:\468226.exec:\468226.exe81⤵PID:300
-
\??\c:\lflrrrx.exec:\lflrrrx.exe82⤵PID:2888
-
\??\c:\nbnnnn.exec:\nbnnnn.exe83⤵PID:2880
-
\??\c:\hthbhb.exec:\hthbhb.exe84⤵PID:3040
-
\??\c:\nhthtn.exec:\nhthtn.exe85⤵PID:2896
-
\??\c:\flrxxxr.exec:\flrxxxr.exe86⤵PID:2668
-
\??\c:\c248446.exec:\c248446.exe87⤵PID:2804
-
\??\c:\9pdjv.exec:\9pdjv.exe88⤵PID:1744
-
\??\c:\s0884.exec:\s0884.exe89⤵PID:2432
-
\??\c:\nbnthb.exec:\nbnthb.exe90⤵PID:2596
-
\??\c:\5tnttt.exec:\5tnttt.exe91⤵PID:2592
-
\??\c:\xxxrllx.exec:\xxxrllx.exe92⤵PID:2288
-
\??\c:\i244406.exec:\i244406.exe93⤵PID:2248
-
\??\c:\6024606.exec:\6024606.exe94⤵PID:2240
-
\??\c:\tbntbb.exec:\tbntbb.exe95⤵PID:2420
-
\??\c:\9frxllf.exec:\9frxllf.exe96⤵PID:1528
-
\??\c:\hbthtt.exec:\hbthtt.exe97⤵PID:1256
-
\??\c:\w42248.exec:\w42248.exe98⤵PID:1152
-
\??\c:\646628.exec:\646628.exe99⤵PID:1800
-
\??\c:\4244606.exec:\4244606.exe100⤵PID:304
-
\??\c:\9nbntn.exec:\9nbntn.exe101⤵PID:1268
-
\??\c:\6000006.exec:\6000006.exe102⤵PID:1964
-
\??\c:\20666.exec:\20666.exe103⤵PID:2112
-
\??\c:\3vdvp.exec:\3vdvp.exe104⤵PID:1696
-
\??\c:\028848.exec:\028848.exe105⤵PID:880
-
\??\c:\8600222.exec:\8600222.exe106⤵PID:308
-
\??\c:\5llffrx.exec:\5llffrx.exe107⤵PID:2876
-
\??\c:\rxfllrr.exec:\rxfllrr.exe108⤵PID:2716
-
\??\c:\bthhbb.exec:\bthhbb.exe109⤵PID:2516
-
\??\c:\ththhh.exec:\ththhh.exe110⤵PID:2400
-
\??\c:\bttbnn.exec:\bttbnn.exe111⤵PID:588
-
\??\c:\9fflfff.exec:\9fflfff.exe112⤵PID:2548
-
\??\c:\64240.exec:\64240.exe113⤵PID:2272
-
\??\c:\llfflrx.exec:\llfflrx.exe114⤵PID:2704
-
\??\c:\1flfxxf.exec:\1flfxxf.exe115⤵PID:2148
-
\??\c:\tbhhnh.exec:\tbhhnh.exe116⤵PID:1616
-
\??\c:\8682888.exec:\8682888.exe117⤵PID:1008
-
\??\c:\202622.exec:\202622.exe118⤵PID:1628
-
\??\c:\3pjjj.exec:\3pjjj.exe119⤵PID:3036
-
\??\c:\ppdpd.exec:\ppdpd.exe120⤵PID:1496
-
\??\c:\3nhntb.exec:\3nhntb.exe121⤵PID:2312
-
\??\c:\ffxllll.exec:\ffxllll.exe122⤵PID:2920