Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
20/01/2025, 09:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe
-
Size
455KB
-
MD5
1cf07a7bc29c0b69fa0714ea16ac1cd6
-
SHA1
5cec6275f73ff29a9fe31319de813b6eccd9929f
-
SHA256
adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535
-
SHA512
61c7b3d5ccc942c546ed4ce1989987577e011c8bed7ea81d487787715ae1b7a44b016ed170927d9f5b4e72a6c537c874b83894015ab98eed8868dc397b7e2c16
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeoc:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2948-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-47-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2196-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2088-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-193-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1084-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/684-207-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/684-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/932-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-230-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1008-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1752-247-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2392-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-293-0x0000000077960000-0x0000000077A7F000-memory.dmp family_blackmoon behavioral1/memory/2336-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-321-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/1780-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1156-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-445-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2400-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1356-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-505-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2004-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-699-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2100-814-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2100-815-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1000-829-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-1011-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-1059-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2912-1124-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2844-1187-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3008 tbntth.exe 2892 tnhtnt.exe 3048 flrlxll.exe 2196 9jddp.exe 2800 9tthth.exe 2668 dvjpd.exe 2696 bttbnb.exe 2700 djjdp.exe 2536 7fxfxfr.exe 2988 nttbtb.exe 2508 hhnthh.exe 2364 1hntnn.exe 2088 5llrlxr.exe 1692 hnnbbh.exe 1064 ntnhth.exe 1908 dpvjj.exe 2876 7rflrxf.exe 2976 tnnbtb.exe 2180 llfrfrf.exe 3000 nbbttb.exe 1084 5fxrfxl.exe 684 nhbttb.exe 932 fllxlll.exe 1992 rrxrlrl.exe 1008 3xlxrfr.exe 1752 hbhhnh.exe 820 xffrxfl.exe 380 nttnnb.exe 2392 jpjvp.exe 2480 nnhbht.exe 2332 djjpj.exe 2336 xrfrrxl.exe 2156 1vpjd.exe 3008 3ffrlxx.exe 1780 vdjvp.exe 2624 3xrflxr.exe 3048 7tthnt.exe 2644 3vpjp.exe 2688 lllflll.exe 2860 lrfflrf.exe 1276 nbtthb.exe 2696 pjvdd.exe 2648 7rffllr.exe 2584 flfxflx.exe 1296 7tnbhh.exe 2384 pjvvd.exe 1244 xxffrrf.exe 1240 rllffff.exe 764 htnbtt.exe 1736 dddvv.exe 1284 xrffrrl.exe 2016 7llrrxf.exe 1156 1htthn.exe 1556 pjppj.exe 2876 pdpvd.exe 1884 rlxfflx.exe 2416 nnhnbn.exe 1328 ddvdp.exe 2400 1xrxflr.exe 2736 fffrxlf.exe 1356 bhbhtb.exe 684 pdvvp.exe 2004 xrxxxrx.exe 2104 ntnbhn.exe -
resource yara_rule behavioral1/memory/2948-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-84-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2700-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-192-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1084-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/684-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/932-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-293-0x0000000077960000-0x0000000077A7F000-memory.dmp upx behavioral1/memory/2336-295-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1780-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-445-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2736-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1356-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-503-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2004-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/612-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-815-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1000-822-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1000-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-1011-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1656-1279-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2948 wrote to memory of 3008 2948 adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe 31 PID 2948 wrote to memory of 3008 2948 adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe 31 PID 2948 wrote to memory of 3008 2948 adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe 31 PID 2948 wrote to memory of 3008 2948 adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe 31 PID 3008 wrote to memory of 2892 3008 tbntth.exe 32 PID 3008 wrote to memory of 2892 3008 tbntth.exe 32 PID 3008 wrote to memory of 2892 3008 tbntth.exe 32 PID 3008 wrote to memory of 2892 3008 tbntth.exe 32 PID 2892 wrote to memory of 3048 2892 tnhtnt.exe 33 PID 2892 wrote to memory of 3048 2892 tnhtnt.exe 33 PID 2892 wrote to memory of 3048 2892 tnhtnt.exe 33 PID 2892 wrote to memory of 3048 2892 tnhtnt.exe 33 PID 3048 wrote to memory of 2196 3048 flrlxll.exe 34 PID 3048 wrote to memory of 2196 3048 flrlxll.exe 34 PID 3048 wrote to memory of 2196 3048 flrlxll.exe 34 PID 3048 wrote to memory of 2196 3048 flrlxll.exe 34 PID 2196 wrote to memory of 2800 2196 9jddp.exe 35 PID 2196 wrote to memory of 2800 2196 9jddp.exe 35 PID 2196 wrote to memory of 2800 2196 9jddp.exe 35 PID 2196 wrote to memory of 2800 2196 9jddp.exe 35 PID 2800 wrote to memory of 2668 2800 9tthth.exe 36 PID 2800 wrote to memory of 2668 2800 9tthth.exe 36 PID 2800 wrote to memory of 2668 2800 9tthth.exe 36 PID 2800 wrote to memory of 2668 2800 9tthth.exe 36 PID 2668 wrote to memory of 2696 2668 dvjpd.exe 37 PID 2668 wrote to memory of 2696 2668 dvjpd.exe 37 PID 2668 wrote to memory of 2696 2668 dvjpd.exe 37 PID 2668 wrote to memory of 2696 2668 dvjpd.exe 37 PID 2696 wrote to memory of 2700 2696 bttbnb.exe 38 PID 2696 wrote to memory of 2700 2696 bttbnb.exe 38 PID 2696 wrote to memory of 2700 2696 bttbnb.exe 38 PID 2696 wrote to memory of 2700 2696 bttbnb.exe 38 PID 2700 wrote to memory of 2536 2700 djjdp.exe 39 PID 2700 wrote to 
memory of 2536 2700 djjdp.exe 39 PID 2700 wrote to memory of 2536 2700 djjdp.exe 39 PID 2700 wrote to memory of 2536 2700 djjdp.exe 39 PID 2536 wrote to memory of 2988 2536 7fxfxfr.exe 40 PID 2536 wrote to memory of 2988 2536 7fxfxfr.exe 40 PID 2536 wrote to memory of 2988 2536 7fxfxfr.exe 40 PID 2536 wrote to memory of 2988 2536 7fxfxfr.exe 40 PID 2988 wrote to memory of 2508 2988 nttbtb.exe 41 PID 2988 wrote to memory of 2508 2988 nttbtb.exe 41 PID 2988 wrote to memory of 2508 2988 nttbtb.exe 41 PID 2988 wrote to memory of 2508 2988 nttbtb.exe 41 PID 2508 wrote to memory of 2364 2508 hhnthh.exe 42 PID 2508 wrote to memory of 2364 2508 hhnthh.exe 42 PID 2508 wrote to memory of 2364 2508 hhnthh.exe 42 PID 2508 wrote to memory of 2364 2508 hhnthh.exe 42 PID 2364 wrote to memory of 2088 2364 1hntnn.exe 43 PID 2364 wrote to memory of 2088 2364 1hntnn.exe 43 PID 2364 wrote to memory of 2088 2364 1hntnn.exe 43 PID 2364 wrote to memory of 2088 2364 1hntnn.exe 43 PID 2088 wrote to memory of 1692 2088 5llrlxr.exe 44 PID 2088 wrote to memory of 1692 2088 5llrlxr.exe 44 PID 2088 wrote to memory of 1692 2088 5llrlxr.exe 44 PID 2088 wrote to memory of 1692 2088 5llrlxr.exe 44 PID 1692 wrote to memory of 1064 1692 hnnbbh.exe 45 PID 1692 wrote to memory of 1064 1692 hnnbbh.exe 45 PID 1692 wrote to memory of 1064 1692 hnnbbh.exe 45 PID 1692 wrote to memory of 1064 1692 hnnbbh.exe 45 PID 1064 wrote to memory of 1908 1064 ntnhth.exe 46 PID 1064 wrote to memory of 1908 1064 ntnhth.exe 46 PID 1064 wrote to memory of 1908 1064 ntnhth.exe 46 PID 1064 wrote to memory of 1908 1064 ntnhth.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe"C:\Users\Admin\AppData\Local\Temp\adb38e054c14787d3ec20185531ceb0d6f64a5ebe772a1619ee7b57e68e94535.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\tbntth.exec:\tbntth.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\tnhtnt.exec:\tnhtnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\flrlxll.exec:\flrlxll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\9jddp.exec:\9jddp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\9tthth.exec:\9tthth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\dvjpd.exec:\dvjpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\bttbnb.exec:\bttbnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\djjdp.exec:\djjdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\7fxfxfr.exec:\7fxfxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\nttbtb.exec:\nttbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\hhnthh.exec:\hhnthh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\1hntnn.exec:\1hntnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\5llrlxr.exec:\5llrlxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\hnnbbh.exec:\hnnbbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\ntnhth.exec:\ntnhth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\dpvjj.exec:\dpvjj.exe17⤵
- Executes dropped EXE
PID:1908 -
\??\c:\7rflrxf.exec:\7rflrxf.exe18⤵
- Executes dropped EXE
PID:2876 -
\??\c:\tnnbtb.exec:\tnnbtb.exe19⤵
- Executes dropped EXE
PID:2976 -
\??\c:\llfrfrf.exec:\llfrfrf.exe20⤵
- Executes dropped EXE
PID:2180 -
\??\c:\nbbttb.exec:\nbbttb.exe21⤵
- Executes dropped EXE
PID:3000 -
\??\c:\5fxrfxl.exec:\5fxrfxl.exe22⤵
- Executes dropped EXE
PID:1084 -
\??\c:\nhbttb.exec:\nhbttb.exe23⤵
- Executes dropped EXE
PID:684 -
\??\c:\fllxlll.exec:\fllxlll.exe24⤵
- Executes dropped EXE
PID:932 -
\??\c:\rrxrlrl.exec:\rrxrlrl.exe25⤵
- Executes dropped EXE
PID:1992 -
\??\c:\3xlxrfr.exec:\3xlxrfr.exe26⤵
- Executes dropped EXE
PID:1008 -
\??\c:\hbhhnh.exec:\hbhhnh.exe27⤵
- Executes dropped EXE
PID:1752 -
\??\c:\xffrxfl.exec:\xffrxfl.exe28⤵
- Executes dropped EXE
PID:820 -
\??\c:\nttnnb.exec:\nttnnb.exe29⤵
- Executes dropped EXE
PID:380 -
\??\c:\jpjvp.exec:\jpjvp.exe30⤵
- Executes dropped EXE
PID:2392 -
\??\c:\nnhbht.exec:\nnhbht.exe31⤵
- Executes dropped EXE
PID:2480 -
\??\c:\djjpj.exec:\djjpj.exe32⤵
- Executes dropped EXE
PID:2332 -
\??\c:\xrfrrxl.exec:\xrfrrxl.exe33⤵
- Executes dropped EXE
PID:2336 -
\??\c:\vvpvd.exec:\vvpvd.exe34⤵PID:1576
-
\??\c:\1vpjd.exec:\1vpjd.exe35⤵
- Executes dropped EXE
PID:2156 -
\??\c:\3ffrlxx.exec:\3ffrlxx.exe36⤵
- Executes dropped EXE
PID:3008 -
\??\c:\vdjvp.exec:\vdjvp.exe37⤵
- Executes dropped EXE
PID:1780 -
\??\c:\3xrflxr.exec:\3xrflxr.exe38⤵
- Executes dropped EXE
PID:2624 -
\??\c:\7tthnt.exec:\7tthnt.exe39⤵
- Executes dropped EXE
PID:3048 -
\??\c:\3vpjp.exec:\3vpjp.exe40⤵
- Executes dropped EXE
PID:2644 -
\??\c:\lllflll.exec:\lllflll.exe41⤵
- Executes dropped EXE
PID:2688 -
\??\c:\lrfflrf.exec:\lrfflrf.exe42⤵
- Executes dropped EXE
PID:2860 -
\??\c:\nbtthb.exec:\nbtthb.exe43⤵
- Executes dropped EXE
PID:1276 -
\??\c:\pjvdd.exec:\pjvdd.exe44⤵
- Executes dropped EXE
PID:2696 -
\??\c:\7rffllr.exec:\7rffllr.exe45⤵
- Executes dropped EXE
PID:2648 -
\??\c:\flfxflx.exec:\flfxflx.exe46⤵
- Executes dropped EXE
PID:2584 -
\??\c:\7tnbhh.exec:\7tnbhh.exe47⤵
- Executes dropped EXE
PID:1296 -
\??\c:\pjvvd.exec:\pjvvd.exe48⤵
- Executes dropped EXE
PID:2384 -
\??\c:\xxffrrf.exec:\xxffrrf.exe49⤵
- Executes dropped EXE
PID:1244 -
\??\c:\rllffff.exec:\rllffff.exe50⤵
- Executes dropped EXE
PID:1240 -
\??\c:\htnbtt.exec:\htnbtt.exe51⤵
- Executes dropped EXE
PID:764 -
\??\c:\dddvv.exec:\dddvv.exe52⤵
- Executes dropped EXE
PID:1736 -
\??\c:\xrffrrl.exec:\xrffrrl.exe53⤵
- Executes dropped EXE
PID:1284 -
\??\c:\7llrrxf.exec:\7llrrxf.exe54⤵
- Executes dropped EXE
PID:2016 -
\??\c:\1htthn.exec:\1htthn.exe55⤵
- Executes dropped EXE
PID:1156 -
\??\c:\pjppj.exec:\pjppj.exe56⤵
- Executes dropped EXE
PID:1556 -
\??\c:\pdpvd.exec:\pdpvd.exe57⤵
- Executes dropped EXE
PID:2876 -
\??\c:\rlxfflx.exec:\rlxfflx.exe58⤵
- Executes dropped EXE
PID:1884 -
\??\c:\nnhnbn.exec:\nnhnbn.exe59⤵
- Executes dropped EXE
PID:2416 -
\??\c:\ddvdp.exec:\ddvdp.exe60⤵
- Executes dropped EXE
PID:1328 -
\??\c:\1xrxflr.exec:\1xrxflr.exe61⤵
- Executes dropped EXE
PID:2400 -
\??\c:\fffrxlf.exec:\fffrxlf.exe62⤵
- Executes dropped EXE
PID:2736 -
\??\c:\bhbhtb.exec:\bhbhtb.exe63⤵
- Executes dropped EXE
PID:1356 -
\??\c:\pdvvp.exec:\pdvvp.exe64⤵
- Executes dropped EXE
PID:684 -
\??\c:\xrxxxrx.exec:\xrxxxrx.exe65⤵
- Executes dropped EXE
PID:2004 -
\??\c:\ntnbhn.exec:\ntnbhn.exe66⤵
- Executes dropped EXE
PID:2104 -
\??\c:\hhhnbh.exec:\hhhnbh.exe67⤵PID:612
-
\??\c:\5pvdj.exec:\5pvdj.exe68⤵PID:2184
-
\??\c:\fxrlllf.exec:\fxrlllf.exe69⤵PID:1056
-
\??\c:\nhhnht.exec:\nhhnht.exe70⤵PID:2228
-
\??\c:\ppdpd.exec:\ppdpd.exe71⤵PID:572
-
\??\c:\3jjvj.exec:\3jjvj.exe72⤵PID:1000
-
\??\c:\xrxlfff.exec:\xrxlfff.exe73⤵PID:1492
-
\??\c:\btbbtb.exec:\btbbtb.exe74⤵PID:1044
-
\??\c:\pvjdv.exec:\pvjdv.exe75⤵PID:556
-
\??\c:\pdddp.exec:\pdddp.exe76⤵PID:2336
-
\??\c:\ffrxrxl.exec:\ffrxrxl.exe77⤵PID:1432
-
\??\c:\hhntht.exec:\hhntht.exe78⤵PID:1696
-
\??\c:\pjvpd.exec:\pjvpd.exe79⤵PID:2968
-
\??\c:\jppdv.exec:\jppdv.exe80⤵PID:3060
-
\??\c:\llxfxfl.exec:\llxfxfl.exe81⤵PID:2664
-
\??\c:\7hbnth.exec:\7hbnth.exe82⤵PID:2792
-
\??\c:\vpjjd.exec:\vpjjd.exe83⤵PID:2816
-
\??\c:\llfxxff.exec:\llfxxff.exe84⤵PID:2804
-
\??\c:\ttthhn.exec:\ttthhn.exe85⤵PID:2652
-
\??\c:\tttbnn.exec:\tttbnn.exe86⤵PID:2556
-
\??\c:\9jvpv.exec:\9jvpv.exe87⤵PID:1268
-
\??\c:\9xlrfrl.exec:\9xlrfrl.exe88⤵PID:2596
-
\??\c:\nhbbhh.exec:\nhbbhh.exe89⤵PID:3036
-
\??\c:\nnnbtb.exec:\nnnbtb.exe90⤵PID:2656
-
\??\c:\pvvjd.exec:\pvvjd.exe91⤵PID:1832
-
\??\c:\3xlllxf.exec:\3xlllxf.exe92⤵PID:2384
-
\??\c:\lllxlrl.exec:\lllxlrl.exe93⤵PID:1680
-
\??\c:\7httnt.exec:\7httnt.exe94⤵PID:1704
-
\??\c:\jdvjv.exec:\jdvjv.exe95⤵PID:2592
-
\??\c:\xxrflxf.exec:\xxrflxf.exe96⤵PID:2724
-
\??\c:\tnbhnn.exec:\tnbhnn.exe97⤵PID:1996
-
\??\c:\vpjpp.exec:\vpjpp.exe98⤵PID:2756
-
\??\c:\dvjpj.exec:\dvjpj.exe99⤵PID:2620
-
\??\c:\7rlflrr.exec:\7rlflrr.exe100⤵PID:1908
-
\??\c:\9thhnt.exec:\9thhnt.exe101⤵PID:2740
-
\??\c:\3vdvp.exec:\3vdvp.exe102⤵PID:2300
-
\??\c:\vpdjv.exec:\vpdjv.exe103⤵PID:2120
-
\??\c:\xrrfxlf.exec:\xrrfxlf.exe104⤵PID:1328
-
\??\c:\thhnbn.exec:\thhnbn.exe105⤵PID:3000
-
\??\c:\jjpjd.exec:\jjpjd.exe106⤵PID:832
-
\??\c:\dddvj.exec:\dddvj.exe107⤵PID:372
-
\??\c:\llfrfrx.exec:\llfrfrx.exe108⤵PID:2420
-
\??\c:\bhtbnn.exec:\bhtbnn.exe109⤵PID:2000
-
\??\c:\xrlrxrl.exec:\xrlrxrl.exe110⤵PID:1992
-
\??\c:\btbbbb.exec:\btbbbb.exe111⤵PID:1336
-
\??\c:\tbnnnh.exec:\tbnnnh.exe112⤵PID:1008
-
\??\c:\dddpj.exec:\dddpj.exe113⤵PID:1620
-
\??\c:\fffrxfl.exec:\fffrxfl.exe114⤵PID:1732
-
\??\c:\bbbtnt.exec:\bbbtnt.exe115⤵PID:2100
-
\??\c:\nhhntn.exec:\nhhntn.exe116⤵PID:2264
-
\??\c:\5dvdp.exec:\5dvdp.exe117⤵PID:1000
-
\??\c:\xrffxfl.exec:\xrffxfl.exe118⤵PID:1492
-
\??\c:\thbhbh.exec:\thbhbh.exe119⤵PID:2952
-
\??\c:\ntntbh.exec:\ntntbh.exe120⤵PID:1444
-
\??\c:\vvdvp.exec:\vvdvp.exe121⤵PID:1924
-
\??\c:\rxlxxfx.exec:\rxlxxfx.exe122⤵PID:2408
-