Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 14:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7ed362f5b3acfefa92fff984c94c27e17dd2f3b53ba438fcb2da53881ea0bb0cN.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
7ed362f5b3acfefa92fff984c94c27e17dd2f3b53ba438fcb2da53881ea0bb0cN.exe
-
Size
454KB
-
MD5
90bc83eaabf5f87a9aa6c3c0893559e0
-
SHA1
93ab5b2712277bc5317e4cd6392b0b76f380784d
-
SHA256
7ed362f5b3acfefa92fff984c94c27e17dd2f3b53ba438fcb2da53881ea0bb0c
-
SHA512
f3cbe6e1de2608b2586a246d66ffdf32282e15a9539d21a2ee491a8a959653882fc59f0beb7dc2759f0c8d7a6d3b3eddf556d26304a3814702bf4c463d77eabd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 41 IoCs
resource yara_rule behavioral1/memory/2412-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/476-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-83-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2608-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/960-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/396-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1008-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2452-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-399-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2836-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1264-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-543-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1296-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-854-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/532-893-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2544-949-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2548-952-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2544-969-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2952-1053-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2260-1175-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2156 26628.exe 2276 u664602.exe 476 864804.exe 2172 w64060.exe 2800 0426666.exe 2656 nthbbt.exe 2696 q20660.exe 2936 086222.exe 2584 42666.exe 2608 024864.exe 2152 3flfxxf.exe 1620 64244.exe 2756 5lxfrrx.exe 960 0840228.exe 780 btnhnh.exe 396 60460.exe 2940 80880.exe 2384 5hnttn.exe 2076 7htbbh.exe 1712 0022024.exe 1776 20448.exe 2508 046806.exe 1324 lfrxflx.exe 1008 6660468.exe 568 6046886.exe 624 lrflrxf.exe 1564 ttnthn.exe 316 i022402.exe 2452 xfflrrx.exe 348 i606242.exe 2460 8208800.exe 868 e88488.exe 2404 s4846.exe 1600 vpddj.exe 1604 9tnntb.exe 2324 2688046.exe 2300 48286.exe 2676 xlxxrrf.exe 2624 m2886.exe 2808 frxxffl.exe 2660 q42806.exe 2564 9ddvd.exe 1928 2644662.exe 1032 s2480.exe 2544 02062.exe 2596 64666.exe 2548 hbhhtt.exe 1528 884024.exe 1860 rlrrrrf.exe 2836 046028.exe 2516 lfxlxfx.exe 1264 6804484.exe 960 1fxfffr.exe 1848 vpjjd.exe 2976 jvjpv.exe 2888 q42888.exe 1788 e00022.exe 3068 ththtn.exe 2980 lrffflx.exe 1484 vpjpp.exe 1124 0422228.exe 2016 882800.exe 948 o804062.exe 1960 9rxflxl.exe -
resource yara_rule behavioral1/memory/2412-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/476-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/476-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/396-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-335-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2548-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/948-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-545-0x00000000002B0000-0x00000000002DA000-memory.dmp upx behavioral1/memory/1612-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-786-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-847-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-854-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-873-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2544-942-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-1000-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-1007-0x00000000002A0000-0x00000000002CA000-memory.dmp upx behavioral1/memory/1660-1033-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2512-1040-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-1212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-1319-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8644444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 2156 2412 7ed362f5b3acfefa92fff984c94c27e17dd2f3b53ba438fcb2da53881ea0bb0cN.exe 31 PID 2412 wrote to memory of 2156 2412 7ed362f5b3acfefa92fff984c94c27e17dd2f3b53ba438fcb2da53881ea0bb0cN.exe 31 PID 2412 wrote to memory of 2156 2412 7ed362f5b3acfefa92fff984c94c27e17dd2f3b53ba438fcb2da53881ea0bb0cN.exe 31 PID 2412 wrote to memory of 2156 2412 7ed362f5b3acfefa92fff984c94c27e17dd2f3b53ba438fcb2da53881ea0bb0cN.exe 31 PID 2156 wrote to memory of 2276 2156 26628.exe 32 PID 2156 wrote to memory of 2276 2156 26628.exe 32 PID 2156 wrote to memory of 2276 2156 26628.exe 32 PID 2156 wrote to memory of 2276 2156 26628.exe 32 PID 2276 wrote to memory of 476 2276 u664602.exe 33 PID 2276 wrote to memory of 476 2276 u664602.exe 33 PID 2276 wrote to memory of 476 2276 u664602.exe 33 PID 2276 wrote to memory of 476 2276 u664602.exe 33 PID 476 wrote to memory of 2172 476 864804.exe 34 PID 476 wrote to memory of 2172 476 864804.exe 34 PID 476 wrote to memory of 2172 476 864804.exe 34 PID 476 wrote to memory of 2172 476 864804.exe 34 PID 2172 wrote to memory of 2800 2172 w64060.exe 35 PID 2172 wrote to memory of 2800 2172 w64060.exe 35 PID 2172 wrote to memory of 2800 2172 w64060.exe 35 PID 2172 wrote to memory of 2800 2172 w64060.exe 35 PID 2800 wrote to memory of 2656 2800 0426666.exe 36 PID 2800 wrote to memory of 2656 2800 0426666.exe 36 PID 2800 wrote to memory of 2656 2800 0426666.exe 36 PID 2800 wrote to memory of 2656 2800 0426666.exe 36 PID 2656 wrote to memory of 2696 2656 nthbbt.exe 37 PID 2656 wrote to memory of 2696 2656 nthbbt.exe 37 PID 2656 wrote to memory of 2696 2656 nthbbt.exe 37 PID 2656 wrote to memory of 2696 2656 nthbbt.exe 37 PID 2696 wrote to memory of 2936 2696 q20660.exe 38 PID 2696 wrote to memory of 2936 2696 q20660.exe 38 PID 2696 wrote to memory of 2936 2696 q20660.exe 38 PID 2696 wrote to memory of 2936 2696 q20660.exe 38 PID 2936 wrote to memory of 2584 2936 086222.exe 39 PID 2936 wrote to 
memory of 2584 2936 086222.exe 39 PID 2936 wrote to memory of 2584 2936 086222.exe 39 PID 2936 wrote to memory of 2584 2936 086222.exe 39 PID 2584 wrote to memory of 2608 2584 42666.exe 40 PID 2584 wrote to memory of 2608 2584 42666.exe 40 PID 2584 wrote to memory of 2608 2584 42666.exe 40 PID 2584 wrote to memory of 2608 2584 42666.exe 40 PID 2608 wrote to memory of 2152 2608 024864.exe 41 PID 2608 wrote to memory of 2152 2608 024864.exe 41 PID 2608 wrote to memory of 2152 2608 024864.exe 41 PID 2608 wrote to memory of 2152 2608 024864.exe 41 PID 2152 wrote to memory of 1620 2152 3flfxxf.exe 42 PID 2152 wrote to memory of 1620 2152 3flfxxf.exe 42 PID 2152 wrote to memory of 1620 2152 3flfxxf.exe 42 PID 2152 wrote to memory of 1620 2152 3flfxxf.exe 42 PID 1620 wrote to memory of 2756 1620 64244.exe 43 PID 1620 wrote to memory of 2756 1620 64244.exe 43 PID 1620 wrote to memory of 2756 1620 64244.exe 43 PID 1620 wrote to memory of 2756 1620 64244.exe 43 PID 2756 wrote to memory of 960 2756 5lxfrrx.exe 44 PID 2756 wrote to memory of 960 2756 5lxfrrx.exe 44 PID 2756 wrote to memory of 960 2756 5lxfrrx.exe 44 PID 2756 wrote to memory of 960 2756 5lxfrrx.exe 44 PID 960 wrote to memory of 780 960 0840228.exe 45 PID 960 wrote to memory of 780 960 0840228.exe 45 PID 960 wrote to memory of 780 960 0840228.exe 45 PID 960 wrote to memory of 780 960 0840228.exe 45 PID 780 wrote to memory of 396 780 btnhnh.exe 46 PID 780 wrote to memory of 396 780 btnhnh.exe 46 PID 780 wrote to memory of 396 780 btnhnh.exe 46 PID 780 wrote to memory of 396 780 btnhnh.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ed362f5b3acfefa92fff984c94c27e17dd2f3b53ba438fcb2da53881ea0bb0cN.exe"C:\Users\Admin\AppData\Local\Temp\7ed362f5b3acfefa92fff984c94c27e17dd2f3b53ba438fcb2da53881ea0bb0cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\26628.exec:\26628.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\u664602.exec:\u664602.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\864804.exec:\864804.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:476 -
\??\c:\w64060.exec:\w64060.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\0426666.exec:\0426666.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\nthbbt.exec:\nthbbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\q20660.exec:\q20660.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\086222.exec:\086222.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\42666.exec:\42666.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\024864.exec:\024864.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\3flfxxf.exec:\3flfxxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\64244.exec:\64244.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\5lxfrrx.exec:\5lxfrrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\0840228.exec:\0840228.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
\??\c:\btnhnh.exec:\btnhnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\60460.exec:\60460.exe17⤵
- Executes dropped EXE
PID:396 -
\??\c:\80880.exec:\80880.exe18⤵
- Executes dropped EXE
PID:2940 -
\??\c:\5hnttn.exec:\5hnttn.exe19⤵
- Executes dropped EXE
PID:2384 -
\??\c:\7htbbh.exec:\7htbbh.exe20⤵
- Executes dropped EXE
PID:2076 -
\??\c:\0022024.exec:\0022024.exe21⤵
- Executes dropped EXE
PID:1712 -
\??\c:\20448.exec:\20448.exe22⤵
- Executes dropped EXE
PID:1776 -
\??\c:\046806.exec:\046806.exe23⤵
- Executes dropped EXE
PID:2508 -
\??\c:\lfrxflx.exec:\lfrxflx.exe24⤵
- Executes dropped EXE
PID:1324 -
\??\c:\6660468.exec:\6660468.exe25⤵
- Executes dropped EXE
PID:1008 -
\??\c:\6046886.exec:\6046886.exe26⤵
- Executes dropped EXE
PID:568 -
\??\c:\lrflrxf.exec:\lrflrxf.exe27⤵
- Executes dropped EXE
PID:624 -
\??\c:\ttnthn.exec:\ttnthn.exe28⤵
- Executes dropped EXE
PID:1564 -
\??\c:\i022402.exec:\i022402.exe29⤵
- Executes dropped EXE
PID:316 -
\??\c:\xfflrrx.exec:\xfflrrx.exe30⤵
- Executes dropped EXE
PID:2452 -
\??\c:\i606242.exec:\i606242.exe31⤵
- Executes dropped EXE
PID:348 -
\??\c:\8208800.exec:\8208800.exe32⤵
- Executes dropped EXE
PID:2460 -
\??\c:\e88488.exec:\e88488.exe33⤵
- Executes dropped EXE
PID:868 -
\??\c:\s4846.exec:\s4846.exe34⤵
- Executes dropped EXE
PID:2404 -
\??\c:\vpddj.exec:\vpddj.exe35⤵
- Executes dropped EXE
PID:1600 -
\??\c:\9tnntb.exec:\9tnntb.exe36⤵
- Executes dropped EXE
PID:1604 -
\??\c:\2688046.exec:\2688046.exe37⤵
- Executes dropped EXE
PID:2324 -
\??\c:\48286.exec:\48286.exe38⤵
- Executes dropped EXE
PID:2300 -
\??\c:\xlxxrrf.exec:\xlxxrrf.exe39⤵
- Executes dropped EXE
PID:2676 -
\??\c:\m2886.exec:\m2886.exe40⤵
- Executes dropped EXE
PID:2624 -
\??\c:\frxxffl.exec:\frxxffl.exe41⤵
- Executes dropped EXE
PID:2808 -
\??\c:\q42806.exec:\q42806.exe42⤵
- Executes dropped EXE
PID:2660 -
\??\c:\9ddvd.exec:\9ddvd.exe43⤵
- Executes dropped EXE
PID:2564 -
\??\c:\2644662.exec:\2644662.exe44⤵
- Executes dropped EXE
PID:1928 -
\??\c:\s2480.exec:\s2480.exe45⤵
- Executes dropped EXE
PID:1032 -
\??\c:\02062.exec:\02062.exe46⤵
- Executes dropped EXE
PID:2544 -
\??\c:\64666.exec:\64666.exe47⤵
- Executes dropped EXE
PID:2596 -
\??\c:\hbhhtt.exec:\hbhhtt.exe48⤵
- Executes dropped EXE
PID:2548 -
\??\c:\884024.exec:\884024.exe49⤵
- Executes dropped EXE
PID:1528 -
\??\c:\rlrrrrf.exec:\rlrrrrf.exe50⤵
- Executes dropped EXE
PID:1860 -
\??\c:\046028.exec:\046028.exe51⤵
- Executes dropped EXE
PID:2836 -
\??\c:\lfxlxfx.exec:\lfxlxfx.exe52⤵
- Executes dropped EXE
PID:2516 -
\??\c:\6804484.exec:\6804484.exe53⤵
- Executes dropped EXE
PID:1264 -
\??\c:\1fxfffr.exec:\1fxfffr.exe54⤵
- Executes dropped EXE
PID:960 -
\??\c:\vpjjd.exec:\vpjjd.exe55⤵
- Executes dropped EXE
PID:1848 -
\??\c:\jvjpv.exec:\jvjpv.exe56⤵
- Executes dropped EXE
PID:2976 -
\??\c:\q42888.exec:\q42888.exe57⤵
- Executes dropped EXE
PID:2888 -
\??\c:\e00022.exec:\e00022.exe58⤵
- Executes dropped EXE
PID:1788 -
\??\c:\ththtn.exec:\ththtn.exe59⤵
- Executes dropped EXE
PID:3068 -
\??\c:\lrffflx.exec:\lrffflx.exe60⤵
- Executes dropped EXE
PID:2980 -
\??\c:\vpjpp.exec:\vpjpp.exe61⤵
- Executes dropped EXE
PID:1484 -
\??\c:\0422228.exec:\0422228.exe62⤵
- Executes dropped EXE
PID:1124 -
\??\c:\882800.exec:\882800.exe63⤵
- Executes dropped EXE
PID:2016 -
\??\c:\o804062.exec:\o804062.exe64⤵
- Executes dropped EXE
PID:948 -
\??\c:\9rxflxl.exec:\9rxflxl.exe65⤵
- Executes dropped EXE
PID:1960 -
\??\c:\486244.exec:\486244.exe66⤵PID:2164
-
\??\c:\42802.exec:\42802.exe67⤵
- System Location Discovery: System Language Discovery
PID:2376 -
\??\c:\1bhhnn.exec:\1bhhnn.exe68⤵PID:568
-
\??\c:\xrlrxxf.exec:\xrlrxxf.exe69⤵PID:1780
-
\??\c:\dpvjj.exec:\dpvjj.exe70⤵PID:2220
-
\??\c:\1lrlxrx.exec:\1lrlxrx.exe71⤵PID:1296
-
\??\c:\xrfxfxf.exec:\xrfxfxf.exe72⤵
- System Location Discovery: System Language Discovery
PID:316 -
\??\c:\lrxfxxl.exec:\lrxfxxl.exe73⤵PID:3060
-
\??\c:\4200246.exec:\4200246.exe74⤵PID:2128
-
\??\c:\6844484.exec:\6844484.exe75⤵PID:1756
-
\??\c:\48842.exec:\48842.exe76⤵PID:1804
-
\??\c:\028228.exec:\028228.exe77⤵PID:1912
-
\??\c:\206048.exec:\206048.exe78⤵PID:1612
-
\??\c:\bbtbhb.exec:\bbtbhb.exe79⤵PID:1600
-
\??\c:\822466.exec:\822466.exe80⤵PID:1920
-
\??\c:\jdddd.exec:\jdddd.exe81⤵PID:2324
-
\??\c:\868406.exec:\868406.exe82⤵PID:2276
-
\??\c:\02262.exec:\02262.exe83⤵PID:2676
-
\??\c:\w62004.exec:\w62004.exe84⤵PID:1992
-
\??\c:\0806846.exec:\0806846.exe85⤵PID:2536
-
\??\c:\rrlfxfr.exec:\rrlfxfr.exe86⤵PID:2664
-
\??\c:\htbhhh.exec:\htbhhh.exe87⤵PID:2564
-
\??\c:\u824668.exec:\u824668.exe88⤵PID:1928
-
\??\c:\6866004.exec:\6866004.exe89⤵PID:2528
-
\??\c:\jvjjp.exec:\jvjjp.exe90⤵PID:2544
-
\??\c:\rlfrxxf.exec:\rlfrxxf.exe91⤵PID:2596
-
\??\c:\hbhhnn.exec:\hbhhnn.exe92⤵PID:2572
-
\??\c:\jdjvd.exec:\jdjvd.exe93⤵PID:2592
-
\??\c:\dpddj.exec:\dpddj.exe94⤵PID:2716
-
\??\c:\466604.exec:\466604.exe95⤵PID:1084
-
\??\c:\tnbhnh.exec:\tnbhnh.exe96⤵PID:2516
-
\??\c:\6806468.exec:\6806468.exe97⤵PID:2764
-
\??\c:\g8628.exec:\g8628.exe98⤵PID:2872
-
\??\c:\208006.exec:\208006.exe99⤵PID:780
-
\??\c:\q84448.exec:\q84448.exe100⤵PID:2912
-
\??\c:\2640628.exec:\2640628.exe101⤵PID:2628
-
\??\c:\2022262.exec:\2022262.exe102⤵PID:2080
-
\??\c:\9lxxflx.exec:\9lxxflx.exe103⤵PID:2492
-
\??\c:\2688888.exec:\2688888.exe104⤵PID:1440
-
\??\c:\48802.exec:\48802.exe105⤵PID:1836
-
\??\c:\u862228.exec:\u862228.exe106⤵PID:2336
-
\??\c:\pjvvd.exec:\pjvvd.exe107⤵PID:3016
-
\??\c:\64846.exec:\64846.exe108⤵PID:1864
-
\??\c:\g8020.exec:\g8020.exe109⤵PID:1732
-
\??\c:\e82288.exec:\e82288.exe110⤵PID:1728
-
\??\c:\htbtbb.exec:\htbtbb.exe111⤵PID:1716
-
\??\c:\e84440.exec:\e84440.exe112⤵PID:2056
-
\??\c:\nbhbbn.exec:\nbhbbn.exe113⤵PID:1284
-
\??\c:\w82244.exec:\w82244.exe114⤵PID:752
-
\??\c:\202882.exec:\202882.exe115⤵PID:2992
-
\??\c:\2640288.exec:\2640288.exe116⤵PID:1144
-
\??\c:\3rxfxfl.exec:\3rxfxfl.exe117⤵PID:292
-
\??\c:\jpdpd.exec:\jpdpd.exe118⤵PID:1740
-
\??\c:\hthhhh.exec:\hthhhh.exe119⤵PID:1028
-
\??\c:\nhhhhh.exec:\nhhhhh.exe120⤵PID:2368
-
\??\c:\68006.exec:\68006.exe121⤵PID:1972
-
\??\c:\g8646.exec:\g8646.exe122⤵PID:1912