Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 03:50
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe
-
Size
454KB
-
MD5
2b4459e27da1049220207176c17f50d2
-
SHA1
7f59eb24954ad250efdaec961443b87efb91b4f1
-
SHA256
114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7
-
SHA512
5d4358f477f9b89ffd89adad2fe9ce226525f5006d4757b2bc61adc556555083dce4d5755aeea282f991f90826ccc173aae54e82659b7e4a046c6dd49a8c3553
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/2464-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-33-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2840-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-73-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2856-78-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2720-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-94-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2752-102-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/680-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-117-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2000-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1580-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1336-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1816-216-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1756-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1876-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-265-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1284-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/996-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1004-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1004-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/708-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/708-526-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2060-536-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1660-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-615-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2740-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-693-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/296-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-796-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-797-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2352-804-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1452-831-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-884-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2804-909-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1532-939-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1472-955-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1512-1145-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2824-1153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2108 68006.exe 2436 60284.exe 2208 8640666.exe 2840 68484.exe 2844 lxflrlr.exe 1932 04662.exe 2868 42000.exe 2856 nnttbt.exe 2720 446682.exe 2752 624082.exe 680 rlllrrf.exe 1832 1pvpp.exe 2912 20600.exe 2000 868404.exe 1720 0244044.exe 304 9rxxxff.exe 1824 w80066.exe 1872 thtbhb.exe 2980 bnnbtt.exe 1580 9thhhb.exe 2324 fxlrrlr.exe 1336 6422884.exe 1816 666242.exe 1756 3xflffr.exe 1876 vpdvv.exe 956 e24408.exe 2032 68044.exe 1536 1thhhb.exe 324 rrxffll.exe 2112 lfrfxlr.exe 1796 c244040.exe 1284 0800606.exe 3008 nbttbb.exe 1544 3hnhtt.exe 2488 420404.exe 2796 i802862.exe 1496 1jvvv.exe 2948 jpdvv.exe 2104 jvjvv.exe 2976 0244600.exe 2724 2028828.exe 2728 202804.exe 2688 5pdvv.exe 2740 3pddj.exe 2356 tbhbbt.exe 2512 pjpvv.exe 888 pjvvv.exe 268 jvjjj.exe 2360 tbnntn.exe 840 86200.exe 1964 6448822.exe 2016 2422826.exe 2748 lrllrrr.exe 1724 480282.exe 272 3tbttt.exe 1708 c422822.exe 3016 642222.exe 2992 24222.exe 1928 20006.exe 2188 206648.exe 2192 xrlxxrr.exe 1560 rflffxr.exe 996 nbhhnn.exe 2896 g8440.exe -
resource yara_rule behavioral1/memory/2464-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-78-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2720-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/680-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1816-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1336-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1876-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-266-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1284-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/996-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-615-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2740-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1872-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1268-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/296-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1452-831-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2488-865-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-928-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-1070-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1452-1101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-1153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-1240-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2988-1271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-1278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-1376-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The indicator here is a read of the HKLM\SYSTEM\ControlSet001\Control\NLS\Language key, which plenty of legitimate software also reads, so treat this signature as supporting context rather than a detection on its own; the "Process not Found" entries are reads whose originating process could no longer be resolved by the sandbox.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 868840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2066824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8622884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2464 wrote to memory of 2108 2464 114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe 30 PID 2464 wrote to memory of 2108 2464 114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe 30 PID 2464 wrote to memory of 2108 2464 114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe 30 PID 2464 wrote to memory of 2108 2464 114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe 30 PID 2108 wrote to memory of 2436 2108 68006.exe 31 PID 2108 wrote to memory of 2436 2108 68006.exe 31 PID 2108 wrote to memory of 2436 2108 68006.exe 31 PID 2108 wrote to memory of 2436 2108 68006.exe 31 PID 2436 wrote to memory of 2208 2436 60284.exe 32 PID 2436 wrote to memory of 2208 2436 60284.exe 32 PID 2436 wrote to memory of 2208 2436 60284.exe 32 PID 2436 wrote to memory of 2208 2436 60284.exe 32 PID 2208 wrote to memory of 2840 2208 8640666.exe 33 PID 2208 wrote to memory of 2840 2208 8640666.exe 33 PID 2208 wrote to memory of 2840 2208 8640666.exe 33 PID 2208 wrote to memory of 2840 2208 8640666.exe 33 PID 2840 wrote to memory of 2844 2840 68484.exe 34 PID 2840 wrote to memory of 2844 2840 68484.exe 34 PID 2840 wrote to memory of 2844 2840 68484.exe 34 PID 2840 wrote to memory of 2844 2840 68484.exe 34 PID 2844 wrote to memory of 1932 2844 lxflrlr.exe 35 PID 2844 wrote to memory of 1932 2844 lxflrlr.exe 35 PID 2844 wrote to memory of 1932 2844 lxflrlr.exe 35 PID 2844 wrote to memory of 1932 2844 lxflrlr.exe 35 PID 1932 wrote to memory of 2868 1932 04662.exe 36 PID 1932 wrote to memory of 2868 1932 04662.exe 36 PID 1932 wrote to memory of 2868 1932 04662.exe 36 PID 1932 wrote to memory of 2868 1932 04662.exe 36 PID 2868 wrote to memory of 2856 2868 42000.exe 37 PID 2868 wrote to memory of 2856 2868 42000.exe 37 PID 2868 wrote to memory of 2856 2868 42000.exe 37 PID 2868 wrote to memory of 2856 2868 42000.exe 37 PID 2856 wrote to memory of 2720 2856 nnttbt.exe 38 PID 2856 wrote to memory 
of 2720 2856 nnttbt.exe 38 PID 2856 wrote to memory of 2720 2856 nnttbt.exe 38 PID 2856 wrote to memory of 2720 2856 nnttbt.exe 38 PID 2720 wrote to memory of 2752 2720 446682.exe 39 PID 2720 wrote to memory of 2752 2720 446682.exe 39 PID 2720 wrote to memory of 2752 2720 446682.exe 39 PID 2720 wrote to memory of 2752 2720 446682.exe 39 PID 2752 wrote to memory of 680 2752 624082.exe 40 PID 2752 wrote to memory of 680 2752 624082.exe 40 PID 2752 wrote to memory of 680 2752 624082.exe 40 PID 2752 wrote to memory of 680 2752 624082.exe 40 PID 680 wrote to memory of 1832 680 rlllrrf.exe 41 PID 680 wrote to memory of 1832 680 rlllrrf.exe 41 PID 680 wrote to memory of 1832 680 rlllrrf.exe 41 PID 680 wrote to memory of 1832 680 rlllrrf.exe 41 PID 1832 wrote to memory of 2912 1832 1pvpp.exe 42 PID 1832 wrote to memory of 2912 1832 1pvpp.exe 42 PID 1832 wrote to memory of 2912 1832 1pvpp.exe 42 PID 1832 wrote to memory of 2912 1832 1pvpp.exe 42 PID 2912 wrote to memory of 2000 2912 20600.exe 43 PID 2912 wrote to memory of 2000 2912 20600.exe 43 PID 2912 wrote to memory of 2000 2912 20600.exe 43 PID 2912 wrote to memory of 2000 2912 20600.exe 43 PID 2000 wrote to memory of 1720 2000 868404.exe 44 PID 2000 wrote to memory of 1720 2000 868404.exe 44 PID 2000 wrote to memory of 1720 2000 868404.exe 44 PID 2000 wrote to memory of 1720 2000 868404.exe 44 PID 1720 wrote to memory of 304 1720 0244044.exe 45 PID 1720 wrote to memory of 304 1720 0244044.exe 45 PID 1720 wrote to memory of 304 1720 0244044.exe 45 PID 1720 wrote to memory of 304 1720 0244044.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe"C:\Users\Admin\AppData\Local\Temp\114edc41129da003b3f5cdacbbbb987eb3107f12244e0da9b4afbb1adbb1e7b7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\68006.exec:\68006.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\60284.exec:\60284.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\8640666.exec:\8640666.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\68484.exec:\68484.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\lxflrlr.exec:\lxflrlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\04662.exec:\04662.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\42000.exec:\42000.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\nnttbt.exec:\nnttbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\446682.exec:\446682.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\624082.exec:\624082.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\rlllrrf.exec:\rlllrrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
\??\c:\1pvpp.exec:\1pvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\20600.exec:\20600.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\868404.exec:\868404.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\0244044.exec:\0244044.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\9rxxxff.exec:\9rxxxff.exe17⤵
- Executes dropped EXE
PID:304 -
\??\c:\w80066.exec:\w80066.exe18⤵
- Executes dropped EXE
PID:1824 -
\??\c:\thtbhb.exec:\thtbhb.exe19⤵
- Executes dropped EXE
PID:1872 -
\??\c:\bnnbtt.exec:\bnnbtt.exe20⤵
- Executes dropped EXE
PID:2980 -
\??\c:\9thhhb.exec:\9thhhb.exe21⤵
- Executes dropped EXE
PID:1580 -
\??\c:\fxlrrlr.exec:\fxlrrlr.exe22⤵
- Executes dropped EXE
PID:2324 -
\??\c:\6422884.exec:\6422884.exe23⤵
- Executes dropped EXE
PID:1336 -
\??\c:\666242.exec:\666242.exe24⤵
- Executes dropped EXE
PID:1816 -
\??\c:\3xflffr.exec:\3xflffr.exe25⤵
- Executes dropped EXE
PID:1756 -
\??\c:\vpdvv.exec:\vpdvv.exe26⤵
- Executes dropped EXE
PID:1876 -
\??\c:\e24408.exec:\e24408.exe27⤵
- Executes dropped EXE
PID:956 -
\??\c:\68044.exec:\68044.exe28⤵
- Executes dropped EXE
PID:2032 -
\??\c:\1thhhb.exec:\1thhhb.exe29⤵
- Executes dropped EXE
PID:1536 -
\??\c:\rrxffll.exec:\rrxffll.exe30⤵
- Executes dropped EXE
PID:324 -
\??\c:\lfrfxlr.exec:\lfrfxlr.exe31⤵
- Executes dropped EXE
PID:2112 -
\??\c:\c244040.exec:\c244040.exe32⤵
- Executes dropped EXE
PID:1796 -
\??\c:\0800606.exec:\0800606.exe33⤵
- Executes dropped EXE
PID:1284 -
\??\c:\nbttbb.exec:\nbttbb.exe34⤵
- Executes dropped EXE
PID:3008 -
\??\c:\3hnhtt.exec:\3hnhtt.exe35⤵
- Executes dropped EXE
PID:1544 -
\??\c:\420404.exec:\420404.exe36⤵
- Executes dropped EXE
PID:2488 -
\??\c:\i802862.exec:\i802862.exe37⤵
- Executes dropped EXE
PID:2796 -
\??\c:\1jvvv.exec:\1jvvv.exe38⤵
- Executes dropped EXE
PID:1496 -
\??\c:\jpdvv.exec:\jpdvv.exe39⤵
- Executes dropped EXE
PID:2948 -
\??\c:\jvjvv.exec:\jvjvv.exe40⤵
- Executes dropped EXE
PID:2104 -
\??\c:\0244600.exec:\0244600.exe41⤵
- Executes dropped EXE
PID:2976 -
\??\c:\2028828.exec:\2028828.exe42⤵
- Executes dropped EXE
PID:2724 -
\??\c:\202804.exec:\202804.exe43⤵
- Executes dropped EXE
PID:2728 -
\??\c:\5pdvv.exec:\5pdvv.exe44⤵
- Executes dropped EXE
PID:2688 -
\??\c:\3pddj.exec:\3pddj.exe45⤵
- Executes dropped EXE
PID:2740 -
\??\c:\tbhbbt.exec:\tbhbbt.exe46⤵
- Executes dropped EXE
PID:2356 -
\??\c:\pjpvv.exec:\pjpvv.exe47⤵
- Executes dropped EXE
PID:2512 -
\??\c:\pjvvv.exec:\pjvvv.exe48⤵
- Executes dropped EXE
PID:888 -
\??\c:\jvjjj.exec:\jvjjj.exe49⤵
- Executes dropped EXE
PID:268 -
\??\c:\tbnntn.exec:\tbnntn.exe50⤵
- Executes dropped EXE
PID:2360 -
\??\c:\86200.exec:\86200.exe51⤵
- Executes dropped EXE
PID:840 -
\??\c:\6448822.exec:\6448822.exe52⤵
- Executes dropped EXE
PID:1964 -
\??\c:\2422826.exec:\2422826.exe53⤵
- Executes dropped EXE
PID:2016 -
\??\c:\lrllrrr.exec:\lrllrrr.exe54⤵
- Executes dropped EXE
PID:2748 -
\??\c:\480282.exec:\480282.exe55⤵
- Executes dropped EXE
PID:1724 -
\??\c:\3tbttt.exec:\3tbttt.exe56⤵
- Executes dropped EXE
PID:272 -
\??\c:\c422822.exec:\c422822.exe57⤵
- Executes dropped EXE
PID:1708 -
\??\c:\642222.exec:\642222.exe58⤵
- Executes dropped EXE
PID:3016 -
\??\c:\24222.exec:\24222.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2992 -
\??\c:\20006.exec:\20006.exe60⤵
- Executes dropped EXE
PID:1928 -
\??\c:\206648.exec:\206648.exe61⤵
- Executes dropped EXE
PID:2188 -
\??\c:\xrlxxrr.exec:\xrlxxrr.exe62⤵
- Executes dropped EXE
PID:2192 -
\??\c:\rflffxr.exec:\rflffxr.exe63⤵
- Executes dropped EXE
PID:1560 -
\??\c:\nbhhnn.exec:\nbhhnn.exe64⤵
- Executes dropped EXE
PID:996 -
\??\c:\g8440.exec:\g8440.exe65⤵
- Executes dropped EXE
PID:2896 -
\??\c:\6444884.exec:\6444884.exe66⤵PID:1764
-
\??\c:\c428662.exec:\c428662.exe67⤵PID:1004
-
\??\c:\pdjvv.exec:\pdjvv.exe68⤵PID:2648
-
\??\c:\vpvvp.exec:\vpvvp.exe69⤵PID:708
-
\??\c:\080664.exec:\080664.exe70⤵PID:2468
-
\??\c:\hbnnnn.exec:\hbnnnn.exe71⤵PID:2060
-
\??\c:\jdjjj.exec:\jdjjj.exe72⤵PID:112
-
\??\c:\lxllrlr.exec:\lxllrlr.exe73⤵PID:1944
-
\??\c:\602282.exec:\602282.exe74⤵PID:1592
-
\??\c:\202626.exec:\202626.exe75⤵PID:2168
-
\??\c:\lxllfxf.exec:\lxllfxf.exe76⤵PID:2616
-
\??\c:\64800.exec:\64800.exe77⤵PID:1284
-
\??\c:\5ffxlll.exec:\5ffxlll.exe78⤵PID:1660
-
\??\c:\vvjdd.exec:\vvjdd.exe79⤵PID:2476
-
\??\c:\48066.exec:\48066.exe80⤵PID:2548
-
\??\c:\8020600.exec:\8020600.exe81⤵PID:2936
-
\??\c:\2682228.exec:\2682228.exe82⤵PID:2928
-
\??\c:\hhnttb.exec:\hhnttb.exe83⤵PID:2968
-
\??\c:\fxllrrl.exec:\fxllrrl.exe84⤵PID:2960
-
\??\c:\5ntnnh.exec:\5ntnnh.exe85⤵PID:2976
-
\??\c:\8628828.exec:\8628828.exe86⤵PID:2724
-
\??\c:\206066.exec:\206066.exe87⤵PID:2728
-
\??\c:\024848.exec:\024848.exe88⤵PID:316
-
\??\c:\1htttt.exec:\1htttt.exe89⤵PID:2740
-
\??\c:\828444.exec:\828444.exe90⤵PID:2528
-
\??\c:\lxrfrlr.exec:\lxrfrlr.exe91⤵PID:1752
-
\??\c:\4288826.exec:\4288826.exe92⤵PID:1676
-
\??\c:\246004.exec:\246004.exe93⤵PID:1584
-
\??\c:\268844.exec:\268844.exe94⤵PID:1980
-
\??\c:\lxllrrf.exec:\lxllrrf.exe95⤵PID:588
-
\??\c:\08246.exec:\08246.exe96⤵PID:2176
-
\??\c:\5djdd.exec:\5djdd.exe97⤵PID:1564
-
\??\c:\jvdvp.exec:\jvdvp.exe98⤵PID:2892
-
\??\c:\9xrllfl.exec:\9xrllfl.exe99⤵PID:1908
-
\??\c:\lxfrxrx.exec:\lxfrxrx.exe100⤵PID:3048
-
\??\c:\6406226.exec:\6406226.exe101⤵PID:1872
-
\??\c:\jdddd.exec:\jdddd.exe102⤵PID:3024
-
\??\c:\xrlfllr.exec:\xrlfllr.exe103⤵PID:1580
-
\??\c:\020004.exec:\020004.exe104⤵PID:2668
-
\??\c:\e20622.exec:\e20622.exe105⤵PID:1248
-
\??\c:\c800684.exec:\c800684.exe106⤵PID:2144
-
\??\c:\08488.exec:\08488.exe107⤵PID:1268
-
\??\c:\vpvvv.exec:\vpvvv.exe108⤵PID:1816
-
\??\c:\202622.exec:\202622.exe109⤵PID:1484
-
\??\c:\nntttt.exec:\nntttt.exe110⤵PID:296
-
\??\c:\4688440.exec:\4688440.exe111⤵PID:2272
-
\??\c:\8604088.exec:\8604088.exe112⤵PID:2352
-
\??\c:\828400.exec:\828400.exe113⤵PID:1812
-
\??\c:\httbhh.exec:\httbhh.exe114⤵PID:1264
-
\??\c:\3bnntt.exec:\3bnntt.exe115⤵PID:568
-
\??\c:\fxlllfl.exec:\fxlllfl.exe116⤵PID:1452
-
\??\c:\9xrrxrr.exec:\9xrrxrr.exe117⤵PID:3060
-
\??\c:\1bhhnh.exec:\1bhhnh.exe118⤵PID:2604
-
\??\c:\lfrxffl.exec:\lfrxffl.exe119⤵PID:2172
-
\??\c:\48262.exec:\48262.exe120⤵PID:2416
-
\??\c:\vpdvd.exec:\vpdvd.exe121⤵PID:2880
-
\??\c:\64600.exec:\64600.exe122⤵PID:2556