Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 19:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe
-
Size
454KB
-
MD5
26e47a741468ae2447aef83a6c757333
-
SHA1
67b02a8d491a13031954390fd8a9582871f85c92
-
SHA256
11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a
-
SHA512
05d40185474e5a31b99516b60af9e2c528e00fce7979564ce9c1eefa7033cea75c3d3e01721bbdd0a0f8e672f0d3e2ac47cbae7be11aabc39b0f04574a596c15
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeH2:q7Tc2NYHUrAwfMp3CDH2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1700-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3732-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1172-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-960-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-1009-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-1605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 736 g2820.exe 4896 nnnnht.exe 3084 htnhbt.exe 544 082860.exe 3864 bbbtnn.exe 1264 k80804.exe 2508 87flfx.exe 2264 flrrlll.exe 2004 5bhbhh.exe 2424 htttnn.exe 2652 flxxrrr.exe 3808 frfxxxx.exe 4000 rffxfrl.exe 4884 jdjdv.exe 1412 840448.exe 3636 tttnhh.exe 2020 pjppv.exe 4468 pjvpj.exe 3504 xxffxxr.exe 2284 4826626.exe 428 68822.exe 180 tnbtbb.exe 1648 680482.exe 1628 a4282.exe 2336 a6482.exe 3732 xxfrffr.exe 4196 8282222.exe 3800 c804444.exe 860 466600.exe 3772 5vjdd.exe 720 bbnnth.exe 4952 8842226.exe 3392 o640660.exe 1712 2226004.exe 2880 rfrlrxr.exe 1376 i008800.exe 2768 222222.exe 1100 264000.exe 4348 9tbnnn.exe 660 pvdvp.exe 2784 4684666.exe 4488 fffflll.exe 3604 48860.exe 2856 86484.exe 4260 llrffxf.exe 1460 bttbbh.exe 728 480044.exe 4880 28004.exe 4412 6026228.exe 2992 vdpdp.exe 4940 4066622.exe 1104 442068.exe 3268 rfrxrlr.exe 4668 g6442.exe 4404 w68660.exe 544 5djdd.exe 3768 6426004.exe 4876 fxxrlll.exe 4528 606282.exe 2508 0246240.exe 1172 tnnhbb.exe 2884 nhnhbb.exe 2912 24444.exe 3688 ddjjd.exe -
resource yara_rule behavioral2/memory/1700-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/180-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-305-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2260-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-722-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8266600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8448226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q22048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 024880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 486026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxlll.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 288820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6282666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3frffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1700 wrote to memory of 736 1700 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 83 PID 1700 wrote to memory of 736 1700 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 83 PID 1700 wrote to memory of 736 1700 11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe 83 PID 736 wrote to memory of 4896 736 g2820.exe 84 PID 736 wrote to memory of 4896 736 g2820.exe 84 PID 736 wrote to memory of 4896 736 g2820.exe 84 PID 4896 wrote to memory of 3084 4896 nnnnht.exe 85 PID 4896 wrote to memory of 3084 4896 nnnnht.exe 85 PID 4896 wrote to memory of 3084 4896 nnnnht.exe 85 PID 3084 wrote to memory of 544 3084 htnhbt.exe 86 PID 3084 wrote to memory of 544 3084 htnhbt.exe 86 PID 3084 wrote to memory of 544 3084 htnhbt.exe 86 PID 544 wrote to memory of 3864 544 082860.exe 87 PID 544 wrote to memory of 3864 544 082860.exe 87 PID 544 wrote to memory of 3864 544 082860.exe 87 PID 3864 wrote to memory of 1264 3864 bbbtnn.exe 88 PID 3864 wrote to memory of 1264 3864 bbbtnn.exe 88 PID 3864 wrote to memory of 1264 3864 bbbtnn.exe 88 PID 1264 wrote to memory of 2508 1264 k80804.exe 89 PID 1264 wrote to memory of 2508 1264 k80804.exe 89 PID 1264 wrote to memory of 2508 1264 k80804.exe 89 PID 2508 wrote to memory of 2264 2508 87flfx.exe 90 PID 2508 wrote to memory of 2264 2508 87flfx.exe 90 PID 2508 wrote to memory of 2264 2508 87flfx.exe 90 PID 2264 wrote to memory of 2004 2264 flrrlll.exe 91 PID 2264 wrote to memory of 2004 2264 flrrlll.exe 91 PID 2264 wrote to memory of 2004 2264 flrrlll.exe 91 PID 2004 wrote to memory of 2424 2004 5bhbhh.exe 92 PID 2004 wrote to memory of 2424 2004 5bhbhh.exe 92 PID 2004 wrote to memory of 2424 2004 5bhbhh.exe 92 PID 2424 wrote to memory of 2652 2424 htttnn.exe 93 PID 2424 wrote to memory of 2652 2424 htttnn.exe 93 PID 2424 wrote to memory of 2652 2424 htttnn.exe 93 PID 2652 wrote to memory of 3808 2652 flxxrrr.exe 94 PID 2652 wrote to memory of 3808 
2652 flxxrrr.exe 94 PID 2652 wrote to memory of 3808 2652 flxxrrr.exe 94 PID 3808 wrote to memory of 4000 3808 frfxxxx.exe 95 PID 3808 wrote to memory of 4000 3808 frfxxxx.exe 95 PID 3808 wrote to memory of 4000 3808 frfxxxx.exe 95 PID 4000 wrote to memory of 4884 4000 rffxfrl.exe 96 PID 4000 wrote to memory of 4884 4000 rffxfrl.exe 96 PID 4000 wrote to memory of 4884 4000 rffxfrl.exe 96 PID 4884 wrote to memory of 1412 4884 jdjdv.exe 97 PID 4884 wrote to memory of 1412 4884 jdjdv.exe 97 PID 4884 wrote to memory of 1412 4884 jdjdv.exe 97 PID 1412 wrote to memory of 3636 1412 840448.exe 98 PID 1412 wrote to memory of 3636 1412 840448.exe 98 PID 1412 wrote to memory of 3636 1412 840448.exe 98 PID 3636 wrote to memory of 2020 3636 tttnhh.exe 99 PID 3636 wrote to memory of 2020 3636 tttnhh.exe 99 PID 3636 wrote to memory of 2020 3636 tttnhh.exe 99 PID 2020 wrote to memory of 4468 2020 pjppv.exe 100 PID 2020 wrote to memory of 4468 2020 pjppv.exe 100 PID 2020 wrote to memory of 4468 2020 pjppv.exe 100 PID 4468 wrote to memory of 3504 4468 pjvpj.exe 101 PID 4468 wrote to memory of 3504 4468 pjvpj.exe 101 PID 4468 wrote to memory of 3504 4468 pjvpj.exe 101 PID 3504 wrote to memory of 2284 3504 xxffxxr.exe 102 PID 3504 wrote to memory of 2284 3504 xxffxxr.exe 102 PID 3504 wrote to memory of 2284 3504 xxffxxr.exe 102 PID 2284 wrote to memory of 428 2284 4826626.exe 103 PID 2284 wrote to memory of 428 2284 4826626.exe 103 PID 2284 wrote to memory of 428 2284 4826626.exe 103 PID 428 wrote to memory of 180 428 68822.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe"C:\Users\Admin\AppData\Local\Temp\11ecf8d25ce7007f207c0d1f2323ce60577a183d1ec9830c53798b42f8fdd06a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\g2820.exec:\g2820.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\nnnnht.exec:\nnnnht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\htnhbt.exec:\htnhbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\082860.exec:\082860.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\bbbtnn.exec:\bbbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\k80804.exec:\k80804.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\87flfx.exec:\87flfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\flrrlll.exec:\flrrlll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\5bhbhh.exec:\5bhbhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\htttnn.exec:\htttnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\flxxrrr.exec:\flxxrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\frfxxxx.exec:\frfxxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\rffxfrl.exec:\rffxfrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\jdjdv.exec:\jdjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\840448.exec:\840448.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\tttnhh.exec:\tttnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\pjppv.exec:\pjppv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\pjvpj.exec:\pjvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\xxffxxr.exec:\xxffxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\4826626.exec:\4826626.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\68822.exec:\68822.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\tnbtbb.exec:\tnbtbb.exe23⤵
- Executes dropped EXE
PID:180 -
\??\c:\680482.exec:\680482.exe24⤵
- Executes dropped EXE
PID:1648 -
\??\c:\a4282.exec:\a4282.exe25⤵
- Executes dropped EXE
PID:1628 -
\??\c:\a6482.exec:\a6482.exe26⤵
- Executes dropped EXE
PID:2336 -
\??\c:\xxfrffr.exec:\xxfrffr.exe27⤵
- Executes dropped EXE
PID:3732 -
\??\c:\8282222.exec:\8282222.exe28⤵
- Executes dropped EXE
PID:4196 -
\??\c:\c804444.exec:\c804444.exe29⤵
- Executes dropped EXE
PID:3800 -
\??\c:\466600.exec:\466600.exe30⤵
- Executes dropped EXE
PID:860 -
\??\c:\5vjdd.exec:\5vjdd.exe31⤵
- Executes dropped EXE
PID:3772 -
\??\c:\bbnnth.exec:\bbnnth.exe32⤵
- Executes dropped EXE
PID:720 -
\??\c:\8842226.exec:\8842226.exe33⤵
- Executes dropped EXE
PID:4952 -
\??\c:\o640660.exec:\o640660.exe34⤵
- Executes dropped EXE
PID:3392 -
\??\c:\2226004.exec:\2226004.exe35⤵
- Executes dropped EXE
PID:1712 -
\??\c:\rfrlrxr.exec:\rfrlrxr.exe36⤵
- Executes dropped EXE
PID:2880 -
\??\c:\i008800.exec:\i008800.exe37⤵
- Executes dropped EXE
PID:1376 -
\??\c:\222222.exec:\222222.exe38⤵
- Executes dropped EXE
PID:2768 -
\??\c:\264000.exec:\264000.exe39⤵
- Executes dropped EXE
PID:1100 -
\??\c:\9tbnnn.exec:\9tbnnn.exe40⤵
- Executes dropped EXE
PID:4348 -
\??\c:\pvdvp.exec:\pvdvp.exe41⤵
- Executes dropped EXE
PID:660 -
\??\c:\4684666.exec:\4684666.exe42⤵
- Executes dropped EXE
PID:2784 -
\??\c:\fffflll.exec:\fffflll.exe43⤵
- Executes dropped EXE
PID:4488 -
\??\c:\48860.exec:\48860.exe44⤵
- Executes dropped EXE
PID:3604 -
\??\c:\86484.exec:\86484.exe45⤵
- Executes dropped EXE
PID:2856 -
\??\c:\llrffxf.exec:\llrffxf.exe46⤵
- Executes dropped EXE
PID:4260 -
\??\c:\bttbbh.exec:\bttbbh.exe47⤵
- Executes dropped EXE
PID:1460 -
\??\c:\480044.exec:\480044.exe48⤵
- Executes dropped EXE
PID:728 -
\??\c:\28004.exec:\28004.exe49⤵
- Executes dropped EXE
PID:4880 -
\??\c:\6026228.exec:\6026228.exe50⤵
- Executes dropped EXE
PID:4412 -
\??\c:\vdpdp.exec:\vdpdp.exe51⤵
- Executes dropped EXE
PID:2992 -
\??\c:\4066622.exec:\4066622.exe52⤵
- Executes dropped EXE
PID:4940 -
\??\c:\442068.exec:\442068.exe53⤵
- Executes dropped EXE
PID:1104 -
\??\c:\rfrxrlr.exec:\rfrxrlr.exe54⤵
- Executes dropped EXE
PID:3268 -
\??\c:\g6442.exec:\g6442.exe55⤵
- Executes dropped EXE
PID:4668 -
\??\c:\w68660.exec:\w68660.exe56⤵
- Executes dropped EXE
PID:4404 -
\??\c:\5djdd.exec:\5djdd.exe57⤵
- Executes dropped EXE
PID:544 -
\??\c:\6426004.exec:\6426004.exe58⤵
- Executes dropped EXE
PID:3768 -
\??\c:\fxxrlll.exec:\fxxrlll.exe59⤵
- Executes dropped EXE
PID:4876 -
\??\c:\606282.exec:\606282.exe60⤵
- Executes dropped EXE
PID:4528 -
\??\c:\0246240.exec:\0246240.exe61⤵
- Executes dropped EXE
PID:2508 -
\??\c:\tnnhbb.exec:\tnnhbb.exe62⤵
- Executes dropped EXE
PID:1172 -
\??\c:\nhnhbb.exec:\nhnhbb.exe63⤵
- Executes dropped EXE
PID:2884 -
\??\c:\24444.exec:\24444.exe64⤵
- Executes dropped EXE
PID:2912 -
\??\c:\ddjjd.exec:\ddjjd.exe65⤵
- Executes dropped EXE
PID:3688 -
\??\c:\226664.exec:\226664.exe66⤵PID:2344
-
\??\c:\bttnnn.exec:\bttnnn.exe67⤵PID:4296
-
\??\c:\vpppj.exec:\vpppj.exe68⤵PID:4612
-
\??\c:\06460.exec:\06460.exe69⤵PID:2552
-
\??\c:\djjvp.exec:\djjvp.exe70⤵PID:208
-
\??\c:\lrlfrlf.exec:\lrlfrlf.exe71⤵PID:3844
-
\??\c:\5frxrxr.exec:\5frxrxr.exe72⤵PID:1412
-
\??\c:\4220826.exec:\4220826.exe73⤵PID:2780
-
\??\c:\vpjdv.exec:\vpjdv.exe74⤵PID:2260
-
\??\c:\ddjdj.exec:\ddjdj.exe75⤵PID:3636
-
\??\c:\xlrlffx.exec:\xlrlffx.exe76⤵PID:3284
-
\??\c:\frrlxrl.exec:\frrlxrl.exe77⤵PID:5028
-
\??\c:\lrlfffx.exec:\lrlfffx.exe78⤵PID:2432
-
\??\c:\2404848.exec:\2404848.exe79⤵PID:4560
-
\??\c:\u626060.exec:\u626060.exe80⤵PID:312
-
\??\c:\q08266.exec:\q08266.exe81⤵PID:3632
-
\??\c:\bttnhh.exec:\bttnhh.exe82⤵PID:536
-
\??\c:\06402.exec:\06402.exe83⤵PID:2960
-
\??\c:\nnnhhh.exec:\nnnhhh.exe84⤵
- System Location Discovery: System Language Discovery
PID:1628 -
\??\c:\46224.exec:\46224.exe85⤵
- System Location Discovery: System Language Discovery
PID:4368 -
\??\c:\486026.exec:\486026.exe86⤵
- System Location Discovery: System Language Discovery
PID:4008 -
\??\c:\ppvpp.exec:\ppvpp.exe87⤵
- System Location Discovery: System Language Discovery
PID:4972 -
\??\c:\xrrlxff.exec:\xrrlxff.exe88⤵PID:3088
-
\??\c:\pppvp.exec:\pppvp.exe89⤵PID:4768
-
\??\c:\e08600.exec:\e08600.exe90⤵PID:2600
-
\??\c:\ffxrxrl.exec:\ffxrxrl.exe91⤵PID:4716
-
\??\c:\djjdp.exec:\djjdp.exe92⤵PID:3388
-
\??\c:\btnhtn.exec:\btnhtn.exe93⤵PID:872
-
\??\c:\fxfxllf.exec:\fxfxllf.exe94⤵PID:1176
-
\??\c:\1nthnh.exec:\1nthnh.exe95⤵PID:1656
-
\??\c:\bttnnh.exec:\bttnnh.exe96⤵PID:1272
-
\??\c:\604444.exec:\604444.exe97⤵PID:1888
-
\??\c:\2062400.exec:\2062400.exe98⤵PID:2932
-
\??\c:\264888.exec:\264888.exe99⤵PID:3272
-
\??\c:\006088.exec:\006088.exe100⤵PID:1680
-
\??\c:\jvdpd.exec:\jvdpd.exe101⤵PID:1728
-
\??\c:\vjjvj.exec:\vjjvj.exe102⤵PID:1100
-
\??\c:\lxfrxll.exec:\lxfrxll.exe103⤵PID:964
-
\??\c:\nhhbbn.exec:\nhhbbn.exe104⤵PID:660
-
\??\c:\bbbbtt.exec:\bbbbtt.exe105⤵PID:2404
-
\??\c:\i020004.exec:\i020004.exe106⤵PID:1472
-
\??\c:\00824.exec:\00824.exe107⤵PID:3604
-
\??\c:\84604.exec:\84604.exe108⤵PID:3064
-
\??\c:\vvjdj.exec:\vvjdj.exe109⤵PID:1404
-
\??\c:\628264.exec:\628264.exe110⤵PID:5084
-
\??\c:\jddpd.exec:\jddpd.exe111⤵PID:1760
-
\??\c:\bbtnhh.exec:\bbtnhh.exe112⤵PID:4416
-
\??\c:\pddvp.exec:\pddvp.exe113⤵PID:4424
-
\??\c:\i626008.exec:\i626008.exe114⤵PID:4660
-
\??\c:\htbtbb.exec:\htbtbb.exe115⤵PID:2396
-
\??\c:\9pvjd.exec:\9pvjd.exe116⤵PID:1228
-
\??\c:\frlxrrf.exec:\frlxrrf.exe117⤵PID:1756
-
\??\c:\i808046.exec:\i808046.exe118⤵PID:3432
-
\??\c:\nnnhtt.exec:\nnnhtt.exe119⤵PID:4668
-
\??\c:\httnbb.exec:\httnbb.exe120⤵PID:4404
-
\??\c:\488480.exec:\488480.exe121⤵PID:1480
-
\??\c:\m8864.exec:\m8864.exe122⤵PID:3864