Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 27/12/2024, 20:10

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 1c8b6854e45b6c0f2f49b9abf7afaa74405d5517f6075afaa295160f629749c1.exe
  Resource: win7-20241010-en
  7 signatures, 150 seconds
General
Target: 1c8b6854e45b6c0f2f49b9abf7afaa74405d5517f6075afaa295160f629749c1.exe
Size: 454KB
MD5: 0e6e8f092e9d8790438ca22735e9af2c
SHA1: 366d2c922aac0e3c3d4af2bcb764b312bd6e6011
SHA256: 1c8b6854e45b6c0f2f49b9abf7afaa74405d5517f6075afaa295160f629749c1
SHA512: bf06c6b8ebcda7bc77297830107c6111593d0a4b16073b5d4a4d2e1b3caeff58081a30b4d1abcfd79f13e77ff0ff73d321529d106ff6e09bce4aa4fff4ad336d
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbej:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
Blackmoon family

Detect Blackmoon payload (43 IoCs)
resource  yara_rule
behavioral1/memory/2524-7-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2900-19-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2776-31-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2776-29-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3032-49-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2888-45-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2528-16-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2708-63-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2704-68-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2704-73-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1648-83-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2844-110-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2868-129-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2416-140-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1532-174-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1588-183-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2432-205-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2432-210-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/948-220-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1684-237-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2568-248-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2020-264-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2604-282-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1716-299-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2212-306-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2756-331-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1332-336-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2648-350-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2816-357-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2728-364-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1752-385-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2344-456-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2368-482-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/884-523-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1808-696-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2740-716-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2388-748-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2348-763-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1288-764-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2412-792-0x00000000003D0000-0x00000000003FA000-memory.dmp  family_blackmoon
behavioral1/memory/2340-803-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2024-813-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2584-830-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
Executes dropped EXE (64 IoCs)
pid  Process
2528  e26240.exe
2900  frlxflr.exe
2776  0024624.exe
2888  bhtbhh.exe
3032  w26228.exe
2708  4442400.exe
2704  a6840.exe
1648  3hbhnh.exe
2984  2000824.exe
1956  hthhhh.exe
2844  1fxrrxx.exe
1336  bnbtbt.exe
2868  o084488.exe
2740  htbbnh.exe
2416  42000.exe
3024  frffllx.exe
1100  xlxllrx.exe
1532  8688488.exe
1588  4240086.exe
2368  08422.exe
1288  60280.exe
2432  jvdpj.exe
948  9jvdd.exe
2012  462226.exe
1684  fxlflfl.exe
1720  1jvdd.exe
2568  9lllflf.exe
2020  tthnhn.exe
1760  lxlfllr.exe
2604  1pppp.exe
996  pjvpv.exe
1716  pjddp.exe
2212  8066488.exe
2940  1hbtbh.exe
2292  ffrxfxf.exe
2756  jvpvj.exe
1332  lfllrrr.exe
3032  0424640.exe
2648  086622.exe
2816  hbbbnn.exe
2728  tntntt.exe
2704  02208.exe
1804  s6822.exe
1524  8606228.exe
1752  jvdvd.exe
1272  26406.exe
2748  q24062.exe
1808  xrfflrx.exe
2968  42062.exe
2828  o084062.exe
2740  5jdvv.exe
2072  042866.exe
2836  g6220.exe
2116  rlxflrf.exe
324  djjjj.exe
2344  202282.exe
2156  fxfrrrx.exe
2348  vvjpv.exe
2368  tnbbnt.exe
2220  c028446.exe
1820  u200662.exe
1740  862840.exe
496  pddvp.exe
1340  nhhnbn.exe
upx yara rule hits (54 IoCs)
resource  yara_rule
behavioral1/memory/2524-7-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2900-19-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2776-29-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2888-37-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3032-49-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2888-45-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2528-16-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2708-63-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2704-73-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1648-83-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2844-110-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2416-140-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2416-144-0x00000000001B0000-0x00000000001DA000-memory.dmp  upx
behavioral1/memory/1532-174-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1588-183-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2432-205-0x0000000000220000-0x000000000024A000-memory.dmp  upx
behavioral1/memory/948-212-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2432-210-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/948-220-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1684-237-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2568-248-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2020-264-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2604-274-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2604-282-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1716-299-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2212-306-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2940-307-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2756-322-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2756-331-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2648-350-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2816-357-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2728-364-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2704-365-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1752-385-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2344-456-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2368-482-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1740-495-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1340-508-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/884-523-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2732-536-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2608-588-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2848-604-0x0000000000230000-0x000000000025A000-memory.dmp  upx
behavioral1/memory/2504-642-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1752-670-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1808-696-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2968-697-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2740-716-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/324-735-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2388-748-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2348-763-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1288-764-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/948-783-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2412-792-0x00000000003D0000-0x00000000003FA000-memory.dmp  upx
behavioral1/memory/1828-843-0x0000000000400000-0x000000000042A000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc (identical for all 64 entries): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process, in report order ("Process not Found" marks reads the sandbox could not attribute to a named process; consecutive identical entries are collapsed with a count):
Process not Found (x2), 6022406.exe, 2028446.exe, Process not Found (x2), 042866.exe, 20884.exe, Process not Found (x5), 086240.exe, 020666.exe, Process not Found (x12), xrflrxr.exe, Process not Found (x5), 6040606.exe, hbthtb.exe, pppvd.exe, Process not Found (x4), nhhhnn.exe, 64066.exe, Process not Found (x2), 5jdvv.exe, q46248.exe, Process not Found (x8), 486800.exe, Process not Found (x8), u424646.exe
Several of these image names (6022406.exe, 2028446.exe, q46248.exe, 486800.exe among them) do not appear in the 122-stage process tree below, so the drop chain continued past the stages the report lists.
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target (each of the 16 rows below is logged four times in the report)
PID 2524 wrote to memory of 2528  2524  1c8b6854e45b6c0f2f49b9abf7afaa74405d5517f6075afaa295160f629749c1.exe  30
PID 2528 wrote to memory of 2900  2528  e26240.exe  31
PID 2900 wrote to memory of 2776  2900  frlxflr.exe  32
PID 2776 wrote to memory of 2888  2776  0024624.exe  33
PID 2888 wrote to memory of 3032  2888  bhtbhh.exe  34
PID 3032 wrote to memory of 2708  3032  w26228.exe  35
PID 2708 wrote to memory of 2704  2708  4442400.exe  36
PID 2704 wrote to memory of 1648  2704  a6840.exe  37
PID 1648 wrote to memory of 2984  1648  3hbhnh.exe  38
PID 2984 wrote to memory of 1956  2984  2000824.exe  39
PID 1956 wrote to memory of 2844  1956  hthhhh.exe  40
PID 2844 wrote to memory of 1336  2844  1fxrrxx.exe  41
PID 1336 wrote to memory of 2868  1336  bnbtbt.exe  42
PID 2868 wrote to memory of 2740  2868  o084488.exe  43
PID 2740 wrote to memory of 2416  2740  htbbnh.exe  44
PID 2416 wrote to memory of 3024  2416  42000.exe  45
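The two signature sections above (the NLS\Language key reads and the WriteProcessMemory chain) arrive as flat text, which is awkward to triage by eye once a sample spawns a hundred stages. The following is an added example, not part of the sandbox report and not code from the Blackmoon sample: it parses that text, reconstructs the parent-to-child drop chain in order, and counts which stages probed the language key. The inputs are constructed from the first entries of the report; "sample.exe" is a placeholder for the SHA-256-named sample, and the regular expressions assume the column order shown in the report (description, pid, Process, procid_target).

```python
"""Reconstruct the drop chain and language probes from flattened sandbox IoC text.

Added example; the inputs below are constructed from the first entries of the
report and are not the report's own data files. 'sample.exe' is a placeholder
for the SHA-256-named sample.
"""
import re
from collections import Counter

# Constructed: the first four distinct WriteProcessMemory edges. The sandbox
# logs each child spawn as several WriteProcessMemory events, so rows repeat.
WPM_IOCS = (
    "PID 2524 wrote to memory of 2528 2524 sample.exe 30 "
    "PID 2524 wrote to memory of 2528 2524 sample.exe 30 "
    "PID 2524 wrote to memory of 2528 2524 sample.exe 30 "
    "PID 2524 wrote to memory of 2528 2524 sample.exe 30 "
    "PID 2528 wrote to memory of 2900 2528 e26240.exe 31 "
    "PID 2528 wrote to memory of 2900 2528 e26240.exe 31 "
    "PID 2900 wrote to memory of 2776 2900 frlxflr.exe 32 "
    "PID 2776 wrote to memory of 2888 2776 0024624.exe 33 "
)
# Constructed: the first four entries of the 'Executes dropped EXE' list.
DROPPED_IOCS = "pid Process 2528 e26240.exe 2900 frlxflr.exe 2776 0024624.exe 2888 bhtbhh.exe"
# Constructed: five entries in the shape of the 'System Language Discovery' list.
LANG_IOCS = (
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6022406.exe "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2028446.exe "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found "
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6022406.exe "
)

# Column order assumed from the report: description, pid, Process, procid_target.
EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
DROP_RE = re.compile(r"(\d+) (\S+\.exe)")
LANG_RE = re.compile(r"Key opened (\S+\\NLS\\Language) (Process not Found|\S+)")


def parse_edges(text):
    """Return distinct (parent_pid, child_pid, parent_name) edges in report order."""
    edges = {}
    for parent, child, _, name, _ in EDGE_RE.findall(text):
        edges.setdefault((int(parent), int(child)), name)   # drop the repeats
    return [(p, c, n) for (p, c), n in edges.items()]


def parse_dropped(text):
    """Map PID -> image name from the 'Executes dropped EXE' list."""
    return {int(pid): name for pid, name in DROP_RE.findall(text)}


def drop_chain(edge_text, dropped_text):
    """Walk the edges from the root and return [(pid, image), ...] in spawn order.

    The walk follows the edge list in report order instead of a pid->children
    map, so it stays correct when the sandbox reuses PIDs later in a long chain
    (3032, 2704 and 2740 each appear more than once in the report above).
    """
    edges = parse_edges(edge_text)
    names = parse_dropped(dropped_text)
    for parent, _, name in edges:
        names.setdefault(parent, name)          # the root is only named here
    chain = []
    expected = edges[0][0] if edges else None   # the first writer is the root
    for parent, child, _ in edges:
        if parent != expected:
            raise ValueError(f"edge {parent}->{child} breaks the linear chain")
        chain.append((parent, names[parent]))
        expected = child
    if expected is not None:
        chain.append((expected, names.get(expected, "?")))
    return chain


def language_probes(text):
    """Count NLS\\Language key opens per process; None stands for 'Process not Found'."""
    counts = Counter()
    for _key, proc in LANG_RE.findall(text):
        counts[None if proc == "Process not Found" else proc] += 1
    return counts


if __name__ == "__main__":
    for depth, (pid, name) in enumerate(drop_chain(WPM_IOCS, DROPPED_IOCS), 1):
        print(f"{depth:3d}  {pid:5d}  {name}")
    print(language_probes(LANG_IOCS))
```

Run against the full report text, the chain walk is the quickest way to confirm that the tree is one linear sequence (every stage drops exactly one successor) and the probe counter separates the stages that actually read the language key from the many events the sandbox could no longer attribute to a named process.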
Processes
depth  image  (command line)  PID  [signatures]; each process is the child of the one listed above it
1  C:\Users\Admin\AppData\Local\Temp\1c8b6854e45b6c0f2f49b9abf7afaa74405d5517f6075afaa295160f629749c1.exe  ("C:\Users\Admin\AppData\Local\Temp\1c8b6854e45b6c0f2f49b9abf7afaa74405d5517f6075afaa295160f629749c1.exe")  PID 2524  [Suspicious use of WriteProcessMemory]
2  \??\c:\e26240.exe  (c:\e26240.exe)  PID 2528  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
3  \??\c:\frlxflr.exe  (c:\frlxflr.exe)  PID 2900  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
4  \??\c:\0024624.exe  (c:\0024624.exe)  PID 2776  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
5  \??\c:\bhtbhh.exe  (c:\bhtbhh.exe)  PID 2888  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
6  \??\c:\w26228.exe  (c:\w26228.exe)  PID 3032  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
7  \??\c:\4442400.exe  (c:\4442400.exe)  PID 2708  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
8  \??\c:\a6840.exe  (c:\a6840.exe)  PID 2704  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
9  \??\c:\3hbhnh.exe  (c:\3hbhnh.exe)  PID 1648  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
10  \??\c:\2000824.exe  (c:\2000824.exe)  PID 2984  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
11  \??\c:\hthhhh.exe  (c:\hthhhh.exe)  PID 1956  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
12  \??\c:\1fxrrxx.exe  (c:\1fxrrxx.exe)  PID 2844  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
13  \??\c:\bnbtbt.exe  (c:\bnbtbt.exe)  PID 1336  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
14  \??\c:\o084488.exe  (c:\o084488.exe)  PID 2868  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
15  \??\c:\htbbnh.exe  (c:\htbbnh.exe)  PID 2740  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
16  \??\c:\42000.exe  (c:\42000.exe)  PID 2416  [Executes dropped EXE; Suspicious use of WriteProcessMemory]
17  \??\c:\frffllx.exe  (c:\frffllx.exe)  PID 3024  [Executes dropped EXE]
18  \??\c:\xlxllrx.exe  (c:\xlxllrx.exe)  PID 1100  [Executes dropped EXE]
19  \??\c:\8688488.exe  (c:\8688488.exe)  PID 1532  [Executes dropped EXE]
20  \??\c:\4240086.exe  (c:\4240086.exe)  PID 1588  [Executes dropped EXE]
21  \??\c:\08422.exe  (c:\08422.exe)  PID 2368  [Executes dropped EXE]
22  \??\c:\60280.exe  (c:\60280.exe)  PID 1288  [Executes dropped EXE]
23  \??\c:\jvdpj.exe  (c:\jvdpj.exe)  PID 2432  [Executes dropped EXE]
24  \??\c:\9jvdd.exe  (c:\9jvdd.exe)  PID 948  [Executes dropped EXE]
25  \??\c:\462226.exe  (c:\462226.exe)  PID 2012  [Executes dropped EXE]
26  \??\c:\fxlflfl.exe  (c:\fxlflfl.exe)  PID 1684  [Executes dropped EXE]
27  \??\c:\1jvdd.exe  (c:\1jvdd.exe)  PID 1720  [Executes dropped EXE]
28  \??\c:\9lllflf.exe  (c:\9lllflf.exe)  PID 2568  [Executes dropped EXE]
29  \??\c:\tthnhn.exe  (c:\tthnhn.exe)  PID 2020  [Executes dropped EXE]
30  \??\c:\lxlfllr.exe  (c:\lxlfllr.exe)  PID 1760  [Executes dropped EXE]
31  \??\c:\1pppp.exe  (c:\1pppp.exe)  PID 2604  [Executes dropped EXE]
32  \??\c:\pjvpv.exe  (c:\pjvpv.exe)  PID 996  [Executes dropped EXE]
33  \??\c:\pjddp.exe  (c:\pjddp.exe)  PID 1716  [Executes dropped EXE]
34  \??\c:\8066488.exe  (c:\8066488.exe)  PID 2212  [Executes dropped EXE]
35  \??\c:\1hbtbh.exe  (c:\1hbtbh.exe)  PID 2940  [Executes dropped EXE]
36  \??\c:\ffrxfxf.exe  (c:\ffrxfxf.exe)  PID 2292  [Executes dropped EXE]
37  \??\c:\jvpvj.exe  (c:\jvpvj.exe)  PID 2756  [Executes dropped EXE]
38  \??\c:\lfllrrr.exe  (c:\lfllrrr.exe)  PID 1332  [Executes dropped EXE]
39  \??\c:\0424640.exe  (c:\0424640.exe)  PID 3032  [Executes dropped EXE]
40  \??\c:\086622.exe  (c:\086622.exe)  PID 2648  [Executes dropped EXE]
41  \??\c:\hbbbnn.exe  (c:\hbbbnn.exe)  PID 2816  [Executes dropped EXE]
42  \??\c:\tntntt.exe  (c:\tntntt.exe)  PID 2728  [Executes dropped EXE]
43  \??\c:\02208.exe  (c:\02208.exe)  PID 2704  [Executes dropped EXE]
44  \??\c:\s6822.exe  (c:\s6822.exe)  PID 1804  [Executes dropped EXE]
45  \??\c:\8606228.exe  (c:\8606228.exe)  PID 1524  [Executes dropped EXE]
46  \??\c:\jvdvd.exe  (c:\jvdvd.exe)  PID 1752  [Executes dropped EXE]
47  \??\c:\26406.exe  (c:\26406.exe)  PID 1272  [Executes dropped EXE]
48  \??\c:\q24062.exe  (c:\q24062.exe)  PID 2748  [Executes dropped EXE]
49  \??\c:\xrfflrx.exe  (c:\xrfflrx.exe)  PID 1808  [Executes dropped EXE]
50  \??\c:\42062.exe  (c:\42062.exe)  PID 2968  [Executes dropped EXE]
51  \??\c:\o084062.exe  (c:\o084062.exe)  PID 2828  [Executes dropped EXE]
52  \??\c:\5jdvv.exe  (c:\5jdvv.exe)  PID 2740  [Executes dropped EXE; System Location Discovery: System Language Discovery]
53  \??\c:\042866.exe  (c:\042866.exe)  PID 2072  [Executes dropped EXE; System Location Discovery: System Language Discovery]
54  \??\c:\g6220.exe  (c:\g6220.exe)  PID 2836  [Executes dropped EXE]
55  \??\c:\rlxflrf.exe  (c:\rlxflrf.exe)  PID 2116  [Executes dropped EXE]
56  \??\c:\djjjj.exe  (c:\djjjj.exe)  PID 324  [Executes dropped EXE]
57  \??\c:\202282.exe  (c:\202282.exe)  PID 2344  [Executes dropped EXE]
58  \??\c:\fxfrrrx.exe  (c:\fxfrrrx.exe)  PID 2156  [Executes dropped EXE]
59  \??\c:\vvjpv.exe  (c:\vvjpv.exe)  PID 2348  [Executes dropped EXE]
60  \??\c:\tnbbnt.exe  (c:\tnbbnt.exe)  PID 2368  [Executes dropped EXE]
61  \??\c:\c028446.exe  (c:\c028446.exe)  PID 2220  [Executes dropped EXE]
62  \??\c:\u200662.exe  (c:\u200662.exe)  PID 1820  [Executes dropped EXE]
63  \??\c:\862840.exe  (c:\862840.exe)  PID 1740  [Executes dropped EXE]
64  \??\c:\pddvp.exe  (c:\pddvp.exe)  PID 496  [Executes dropped EXE]
65  \??\c:\nhhnbn.exe  (c:\nhhnbn.exe)  PID 1340  [Executes dropped EXE]
66  \??\c:\ffrlrrx.exe  (c:\ffrlrrx.exe)  PID 1972
67  \??\c:\g0402.exe  (c:\g0402.exe)  PID 884
68  \??\c:\42200.exe  (c:\42200.exe)  PID 2372
69  \??\c:\8282266.exe  (c:\8282266.exe)  PID 2732
70  \??\c:\8028444.exe  (c:\8028444.exe)  PID 2020
71  \??\c:\864084.exe  (c:\864084.exe)  PID 1936
72  \??\c:\xlrxxrr.exe  (c:\xlrxxrr.exe)  PID 1916
73  \??\c:\dppvd.exe  (c:\dppvd.exe)  PID 1924
74  \??\c:\0244602.exe  (c:\0244602.exe)  PID 1756
75  \??\c:\hbntbh.exe  (c:\hbntbh.exe)  PID 2404
76  \??\c:\9jpjj.exe  (c:\9jpjj.exe)  PID 2912
77  \??\c:\u062884.exe  (c:\u062884.exe)  PID 2608
78  \??\c:\xflllll.exe  (c:\xflllll.exe)  PID 2160
79  \??\c:\thtntn.exe  (c:\thtntn.exe)  PID 2848
80  \??\c:\g8062.exe  (c:\g8062.exe)  PID 2784
81  \??\c:\640400.exe  (c:\640400.exe)  PID 2812
82  \??\c:\6026228.exe  (c:\6026228.exe)  PID 2664
83  \??\c:\1ntbnt.exe  (c:\1ntbnt.exe)  PID 2028
84  \??\c:\jdpvd.exe  (c:\jdpvd.exe)  PID 2700
85  \??\c:\w62604.exe  (c:\w62604.exe)  PID 2504
86  \??\c:\3tbbhh.exe  (c:\3tbbhh.exe)  PID 2704
87  \??\c:\bntnnn.exe  (c:\bntnnn.exe)  PID 1648
88  \??\c:\k64088.exe  (c:\k64088.exe)  PID 2268
89  \??\c:\nhhntt.exe  (c:\nhhntt.exe)  PID 1752
90  \??\c:\5tbtbb.exe  (c:\5tbtbb.exe)  PID 1272
91  \??\c:\4206228.exe  (c:\4206228.exe)  PID 2096
92  \??\c:\646626.exe  (c:\646626.exe)  PID 1808
93  \??\c:\m6062.exe  (c:\m6062.exe)  PID 2968
94  \??\c:\04600.exe  (c:\04600.exe)  PID 448
95  \??\c:\dvpvd.exe  (c:\dvpvd.exe)  PID 2740
96  \??\c:\frxrxrr.exe  (c:\frxrxrr.exe)  PID 320
97  \??\c:\080666.exe  (c:\080666.exe)  PID 2960
98  \??\c:\jdvdj.exe  (c:\jdvdj.exe)  PID 2224
99  \??\c:\5xrrxxl.exe  (c:\5xrrxxl.exe)  PID 324
100  \??\c:\xrffllr.exe  (c:\xrffllr.exe)  PID 2388
101  \??\c:\64246.exe  (c:\64246.exe)  PID 2464
102  \??\c:\42844.exe  (c:\42844.exe)  PID 2348
103  \??\c:\04240.exe  (c:\04240.exe)  PID 1288
104  \??\c:\jdvvp.exe  (c:\jdvvp.exe)  PID 2092
105  \??\c:\6040606.exe  (c:\6040606.exe)  PID 2340  [System Location Discovery: System Language Discovery]
106  \??\c:\ddjjp.exe  (c:\ddjjp.exe)  PID 948
107  \??\c:\7dvvd.exe  (c:\7dvvd.exe)  PID 2412
108  \??\c:\btnthn.exe  (c:\btnthn.exe)  PID 1728
109  \??\c:\0806846.exe  (c:\0806846.exe)  PID 2584
110  \??\c:\fllrlxx.exe  (c:\fllrlxx.exe)  PID 2024
111  \??\c:\hbnnbt.exe  (c:\hbnnbt.exe)  PID 2372
112  \??\c:\u424646.exe  (c:\u424646.exe)  PID 2356  [System Location Discovery: System Language Discovery]
113  \??\c:\048406.exe  (c:\048406.exe)  PID 2276
114  \??\c:\60280.exe  (c:\60280.exe)  PID 2692
115  \??\c:\04628.exe  (c:\04628.exe)  PID 1828
116  \??\c:\8206824.exe  (c:\8206824.exe)  PID 2524
117  \??\c:\lxrfrxl.exe  (c:\lxrfrxl.exe)  PID 2760
118  \??\c:\824028.exe  (c:\824028.exe)  PID 2212
119  \??\c:\nbbhtt.exe  (c:\nbbhtt.exe)  PID 2900
120  \??\c:\i688406.exe  (c:\i688406.exe)  PID 2908
121  \??\c:\648466.exe  (c:\648466.exe)  PID 2776
122  \??\c:\6402844.exe  (c:\6402844.exe)  PID 3004