Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe
-
Size
455KB
-
MD5
c1e09b76c22bdd96548348aa8b020850
-
SHA1
a16534508dd7f6de1cdb0f41a3a0715329bcd139
-
SHA256
611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6
-
SHA512
cdafe84945d2f85a4da5ec272f27f81e205019c35aa46754b1ab25fee418c52731486cbb020183f22198726e760253f0088dd809119f7d3bdf9683c3ca83250a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTm:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2700-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-55-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2568-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-57-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2560-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-106-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1316-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-136-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1988-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1888-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/984-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-371-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1584-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-512-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1996-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/336-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1156-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-755-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1736-849-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2940-888-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2928-901-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-913-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2928-922-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2768 xlrlrrr.exe 2688 862204.exe 2128 pjvdj.exe 2148 9lrlfxf.exe 2568 044280.exe 2680 2648480.exe 2560 4828002.exe 1992 tbbtth.exe 1928 ppjdj.exe 1144 8060484.exe 1316 bntnnh.exe 2204 lfrrrrr.exe 2892 k64462.exe 972 nnhthh.exe 2020 8680884.exe 1988 64860.exe 1176 6406202.exe 2212 864622.exe 2244 djjpj.exe 1908 vddvj.exe 1648 nhtnhb.exe 1804 xrfrxrr.exe 540 4808628.exe 2116 ntnbnt.exe 1736 868062.exe 580 3jddd.exe 1888 lfrxffr.exe 2060 862288.exe 1876 nnbhnn.exe 2896 9nnbbh.exe 1652 66204.exe 984 08680.exe 1608 1rfrffl.exe 2708 0464000.exe 2928 080088.exe 2764 8600224.exe 2248 o264646.exe 2748 3thnbn.exe 2696 3hthhn.exe 1864 vvpjp.exe 2556 bbttnt.exe 3032 826428.exe 3048 1lflxxl.exe 3044 42828.exe 1584 1xlfffl.exe 2540 5htbhn.exe 2164 086242.exe 2240 xlflxfl.exe 2860 k68888.exe 2032 60840.exe 2204 jdpvj.exe 2884 20440.exe 2744 020820.exe 972 tbbhhb.exe 1552 9tntbh.exe 1548 btnntt.exe 1868 82868.exe 2400 pjvdp.exe 2340 bbtthh.exe 1936 nhbhnn.exe 2516 0402846.exe 1880 5djvd.exe 2392 xxlrrxf.exe 1636 606248.exe -
resource yara_rule behavioral1/memory/2700-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/984-300-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2708-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/336-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-754-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2516-780-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-849-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2144-869-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6080242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6604426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2062480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffrrx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6046880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04668.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2700 wrote to memory of 2768 2700 611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe 30 PID 2700 wrote to memory of 2768 2700 611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe 30 PID 2700 wrote to memory of 2768 2700 611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe 30 PID 2700 wrote to memory of 2768 2700 611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe 30 PID 2768 wrote to memory of 2688 2768 xlrlrrr.exe 31 PID 2768 wrote to memory of 2688 2768 xlrlrrr.exe 31 PID 2768 wrote to memory of 2688 2768 xlrlrrr.exe 31 PID 2768 wrote to memory of 2688 2768 xlrlrrr.exe 31 PID 2688 wrote to memory of 2128 2688 862204.exe 32 PID 2688 wrote to memory of 2128 2688 862204.exe 32 PID 2688 wrote to memory of 2128 2688 862204.exe 32 PID 2688 wrote to memory of 2128 2688 862204.exe 32 PID 2128 wrote to memory of 2148 2128 pjvdj.exe 33 PID 2128 wrote to memory of 2148 2128 pjvdj.exe 33 PID 2128 wrote to memory of 2148 2128 pjvdj.exe 33 PID 2128 wrote to memory of 2148 2128 pjvdj.exe 33 PID 2148 wrote to memory of 2568 2148 9lrlfxf.exe 34 PID 2148 wrote to memory of 2568 2148 9lrlfxf.exe 34 PID 2148 wrote to memory of 2568 2148 9lrlfxf.exe 34 PID 2148 wrote to memory of 2568 2148 9lrlfxf.exe 34 PID 2568 wrote to memory of 2680 2568 044280.exe 35 PID 2568 wrote to memory of 2680 2568 044280.exe 35 PID 2568 wrote to memory of 2680 2568 044280.exe 35 PID 2568 wrote to memory of 2680 2568 044280.exe 35 PID 2680 wrote to memory of 2560 2680 2648480.exe 36 PID 2680 wrote to memory of 2560 2680 2648480.exe 36 PID 2680 wrote to memory of 2560 2680 2648480.exe 36 PID 2680 wrote to memory of 2560 2680 2648480.exe 36 PID 2560 wrote to memory of 1992 2560 4828002.exe 37 PID 2560 wrote to memory of 1992 2560 4828002.exe 37 PID 2560 wrote to memory of 1992 2560 4828002.exe 37 PID 2560 wrote to memory of 1992 2560 4828002.exe 37 PID 1992 wrote to memory of 1928 1992 tbbtth.exe 
38 PID 1992 wrote to memory of 1928 1992 tbbtth.exe 38 PID 1992 wrote to memory of 1928 1992 tbbtth.exe 38 PID 1992 wrote to memory of 1928 1992 tbbtth.exe 38 PID 1928 wrote to memory of 1144 1928 ppjdj.exe 39 PID 1928 wrote to memory of 1144 1928 ppjdj.exe 39 PID 1928 wrote to memory of 1144 1928 ppjdj.exe 39 PID 1928 wrote to memory of 1144 1928 ppjdj.exe 39 PID 1144 wrote to memory of 1316 1144 8060484.exe 40 PID 1144 wrote to memory of 1316 1144 8060484.exe 40 PID 1144 wrote to memory of 1316 1144 8060484.exe 40 PID 1144 wrote to memory of 1316 1144 8060484.exe 40 PID 1316 wrote to memory of 2204 1316 bntnnh.exe 41 PID 1316 wrote to memory of 2204 1316 bntnnh.exe 41 PID 1316 wrote to memory of 2204 1316 bntnnh.exe 41 PID 1316 wrote to memory of 2204 1316 bntnnh.exe 41 PID 2204 wrote to memory of 2892 2204 lfrrrrr.exe 42 PID 2204 wrote to memory of 2892 2204 lfrrrrr.exe 42 PID 2204 wrote to memory of 2892 2204 lfrrrrr.exe 42 PID 2204 wrote to memory of 2892 2204 lfrrrrr.exe 42 PID 2892 wrote to memory of 972 2892 k64462.exe 43 PID 2892 wrote to memory of 972 2892 k64462.exe 43 PID 2892 wrote to memory of 972 2892 k64462.exe 43 PID 2892 wrote to memory of 972 2892 k64462.exe 43 PID 972 wrote to memory of 2020 972 nnhthh.exe 44 PID 972 wrote to memory of 2020 972 nnhthh.exe 44 PID 972 wrote to memory of 2020 972 nnhthh.exe 44 PID 972 wrote to memory of 2020 972 nnhthh.exe 44 PID 2020 wrote to memory of 1988 2020 8680884.exe 45 PID 2020 wrote to memory of 1988 2020 8680884.exe 45 PID 2020 wrote to memory of 1988 2020 8680884.exe 45 PID 2020 wrote to memory of 1988 2020 8680884.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe"C:\Users\Admin\AppData\Local\Temp\611f52ba32193bdaea0a5d684038c3a50fea24f63d8a9e8a8d8e1c86a518ddf6N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\xlrlrrr.exec:\xlrlrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\862204.exec:\862204.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\pjvdj.exec:\pjvdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\9lrlfxf.exec:\9lrlfxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\044280.exec:\044280.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\2648480.exec:\2648480.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\4828002.exec:\4828002.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\tbbtth.exec:\tbbtth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\ppjdj.exec:\ppjdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\8060484.exec:\8060484.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\bntnnh.exec:\bntnnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\lfrrrrr.exec:\lfrrrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\k64462.exec:\k64462.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\nnhthh.exec:\nnhthh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\8680884.exec:\8680884.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\64860.exec:\64860.exe17⤵
- Executes dropped EXE
PID:1988 -
\??\c:\6406202.exec:\6406202.exe18⤵
- Executes dropped EXE
PID:1176 -
\??\c:\864622.exec:\864622.exe19⤵
- Executes dropped EXE
PID:2212 -
\??\c:\djjpj.exec:\djjpj.exe20⤵
- Executes dropped EXE
PID:2244 -
\??\c:\vddvj.exec:\vddvj.exe21⤵
- Executes dropped EXE
PID:1908 -
\??\c:\nhtnhb.exec:\nhtnhb.exe22⤵
- Executes dropped EXE
PID:1648 -
\??\c:\xrfrxrr.exec:\xrfrxrr.exe23⤵
- Executes dropped EXE
PID:1804 -
\??\c:\4808628.exec:\4808628.exe24⤵
- Executes dropped EXE
PID:540 -
\??\c:\ntnbnt.exec:\ntnbnt.exe25⤵
- Executes dropped EXE
PID:2116 -
\??\c:\868062.exec:\868062.exe26⤵
- Executes dropped EXE
PID:1736 -
\??\c:\3jddd.exec:\3jddd.exe27⤵
- Executes dropped EXE
PID:580 -
\??\c:\lfrxffr.exec:\lfrxffr.exe28⤵
- Executes dropped EXE
PID:1888 -
\??\c:\862288.exec:\862288.exe29⤵
- Executes dropped EXE
PID:2060 -
\??\c:\nnbhnn.exec:\nnbhnn.exe30⤵
- Executes dropped EXE
PID:1876 -
\??\c:\9nnbbh.exec:\9nnbbh.exe31⤵
- Executes dropped EXE
PID:2896 -
\??\c:\66204.exec:\66204.exe32⤵
- Executes dropped EXE
PID:1652 -
\??\c:\08680.exec:\08680.exe33⤵
- Executes dropped EXE
PID:984 -
\??\c:\1rfrffl.exec:\1rfrffl.exe34⤵
- Executes dropped EXE
PID:1608 -
\??\c:\0464000.exec:\0464000.exe35⤵
- Executes dropped EXE
PID:2708 -
\??\c:\080088.exec:\080088.exe36⤵
- Executes dropped EXE
PID:2928 -
\??\c:\8600224.exec:\8600224.exe37⤵
- Executes dropped EXE
PID:2764 -
\??\c:\o264646.exec:\o264646.exe38⤵
- Executes dropped EXE
PID:2248 -
\??\c:\3thnbn.exec:\3thnbn.exe39⤵
- Executes dropped EXE
PID:2748 -
\??\c:\3hthhn.exec:\3hthhn.exe40⤵
- Executes dropped EXE
PID:2696 -
\??\c:\vvpjp.exec:\vvpjp.exe41⤵
- Executes dropped EXE
PID:1864 -
\??\c:\bbttnt.exec:\bbttnt.exe42⤵
- Executes dropped EXE
PID:2556 -
\??\c:\826428.exec:\826428.exe43⤵
- Executes dropped EXE
PID:3032 -
\??\c:\1lflxxl.exec:\1lflxxl.exe44⤵
- Executes dropped EXE
PID:3048 -
\??\c:\42828.exec:\42828.exe45⤵
- Executes dropped EXE
PID:3044 -
\??\c:\1xlfffl.exec:\1xlfffl.exe46⤵
- Executes dropped EXE
PID:1584 -
\??\c:\5htbhn.exec:\5htbhn.exe47⤵
- Executes dropped EXE
PID:2540 -
\??\c:\086242.exec:\086242.exe48⤵
- Executes dropped EXE
PID:2164 -
\??\c:\xlflxfl.exec:\xlflxfl.exe49⤵
- Executes dropped EXE
PID:2240 -
\??\c:\k68888.exec:\k68888.exe50⤵
- Executes dropped EXE
PID:2860 -
\??\c:\60840.exec:\60840.exe51⤵
- Executes dropped EXE
PID:2032 -
\??\c:\jdpvj.exec:\jdpvj.exe52⤵
- Executes dropped EXE
PID:2204 -
\??\c:\20440.exec:\20440.exe53⤵
- Executes dropped EXE
PID:2884 -
\??\c:\020820.exec:\020820.exe54⤵
- Executes dropped EXE
PID:2744 -
\??\c:\tbbhhb.exec:\tbbhhb.exe55⤵
- Executes dropped EXE
PID:972 -
\??\c:\9tntbh.exec:\9tntbh.exe56⤵
- Executes dropped EXE
PID:1552 -
\??\c:\btnntt.exec:\btnntt.exe57⤵
- Executes dropped EXE
PID:1548 -
\??\c:\82868.exec:\82868.exe58⤵
- Executes dropped EXE
PID:1868 -
\??\c:\pjvdp.exec:\pjvdp.exe59⤵
- Executes dropped EXE
PID:2400 -
\??\c:\bbtthh.exec:\bbtthh.exe60⤵
- Executes dropped EXE
PID:2340 -
\??\c:\nhbhnn.exec:\nhbhnn.exe61⤵
- Executes dropped EXE
PID:1936 -
\??\c:\0402846.exec:\0402846.exe62⤵
- Executes dropped EXE
PID:2516 -
\??\c:\5djvd.exec:\5djvd.exe63⤵
- Executes dropped EXE
PID:1880 -
\??\c:\xxlrrxf.exec:\xxlrrxf.exe64⤵
- Executes dropped EXE
PID:2392 -
\??\c:\606248.exec:\606248.exe65⤵
- Executes dropped EXE
PID:1636 -
\??\c:\fxxlxfx.exec:\fxxlxfx.exe66⤵PID:1792
-
\??\c:\hhtbhh.exec:\hhtbhh.exe67⤵PID:1996
-
\??\c:\48286.exec:\48286.exe68⤵PID:1404
-
\??\c:\frrflrl.exec:\frrflrl.exe69⤵PID:2292
-
\??\c:\6024806.exec:\6024806.exe70⤵PID:1980
-
\??\c:\8824628.exec:\8824628.exe71⤵PID:1632
-
\??\c:\04246.exec:\04246.exe72⤵PID:2524
-
\??\c:\4086228.exec:\4086228.exe73⤵PID:708
-
\??\c:\rlllrrx.exec:\rlllrrx.exe74⤵PID:336
-
\??\c:\4808440.exec:\4808440.exe75⤵PID:976
-
\??\c:\9pjjv.exec:\9pjjv.exe76⤵PID:2288
-
\??\c:\ddppj.exec:\ddppj.exe77⤵PID:1660
-
\??\c:\s8228.exec:\s8228.exe78⤵PID:2700
-
\??\c:\0880280.exec:\0880280.exe79⤵PID:1572
-
\??\c:\486204.exec:\486204.exe80⤵PID:1668
-
\??\c:\bbhhnn.exec:\bbhhnn.exe81⤵PID:2564
-
\??\c:\ntnnnn.exec:\ntnnnn.exe82⤵PID:2848
-
\??\c:\k48028.exec:\k48028.exe83⤵PID:2676
-
\??\c:\62244.exec:\62244.exe84⤵PID:2612
-
\??\c:\4268662.exec:\4268662.exe85⤵PID:2772
-
\??\c:\826244.exec:\826244.exe86⤵PID:2632
-
\??\c:\2026288.exec:\2026288.exe87⤵PID:2680
-
\??\c:\ntnthh.exec:\ntnthh.exe88⤵PID:3036
-
\??\c:\pjvdj.exec:\pjvdj.exe89⤵PID:2560
-
\??\c:\04624.exec:\04624.exe90⤵PID:1992
-
\??\c:\886806.exec:\886806.exe91⤵PID:2952
-
\??\c:\8802002.exec:\8802002.exe92⤵PID:2008
-
\??\c:\o466262.exec:\o466262.exe93⤵PID:2256
-
\??\c:\60848.exec:\60848.exe94⤵PID:1944
-
\??\c:\dvddv.exec:\dvddv.exe95⤵PID:1316
-
\??\c:\bttthn.exec:\bttthn.exe96⤵PID:2544
-
\??\c:\m4628.exec:\m4628.exe97⤵PID:3012
-
\??\c:\g6884.exec:\g6884.exe98⤵PID:1376
-
\??\c:\vvvvj.exec:\vvvvj.exe99⤵PID:2904
-
\??\c:\pjdjd.exec:\pjdjd.exe100⤵PID:1960
-
\??\c:\tnhnbh.exec:\tnhnbh.exe101⤵PID:1612
-
\??\c:\860062.exec:\860062.exe102⤵PID:1156
-
\??\c:\1bnntt.exec:\1bnntt.exe103⤵PID:1868
-
\??\c:\vvpdv.exec:\vvpdv.exe104⤵PID:2296
-
\??\c:\086284.exec:\086284.exe105⤵PID:2340
-
\??\c:\hbnntt.exec:\hbnntt.exe106⤵PID:1964
-
\??\c:\ffxlxrf.exec:\ffxlxrf.exe107⤵PID:2516
-
\??\c:\e22444.exec:\e22444.exe108⤵PID:1880
-
\??\c:\7hbhtt.exec:\7hbhtt.exe109⤵PID:2392
-
\??\c:\vpjjv.exec:\vpjjv.exe110⤵PID:1636
-
\??\c:\2022284.exec:\2022284.exe111⤵PID:1040
-
\??\c:\tntbhh.exec:\tntbhh.exe112⤵PID:1996
-
\??\c:\3xflxxf.exec:\3xflxxf.exe113⤵PID:1736
-
\??\c:\tnbnbb.exec:\tnbnbb.exe114⤵PID:1692
-
\??\c:\vpjpv.exec:\vpjpv.exe115⤵PID:2976
-
\??\c:\260088.exec:\260088.exe116⤵PID:1464
-
\??\c:\s0408.exec:\s0408.exe117⤵PID:2068
-
\??\c:\7pdjd.exec:\7pdjd.exe118⤵PID:2076
-
\??\c:\4868468.exec:\4868468.exe119⤵PID:340
-
\??\c:\4262446.exec:\4262446.exe120⤵PID:2224
-
\??\c:\nhbhtb.exec:\nhbhtb.exe121⤵PID:2144
-
\??\c:\9jdpd.exec:\9jdpd.exe122⤵PID:2228