Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 21:43
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe
-
Size
456KB
-
MD5
ef605d78c631dabd16caf4ab30a2f35b
-
SHA1
70aadb02d97141f354336789fc56b0d44adcd88a
-
SHA256
06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6
-
SHA512
fe906cccfa82877760b48a394996fa5c04aaf6f6fef0336ef93d5659b545d22f829dd0d52b7c49445e1cc641324e1ed33359f147da86b9a4b514e5f88eba1a28
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRS:q7Tc2NYHUrAwfMp3CDRS
Malware Config (no extracted configuration is shown for this run)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs — all 43 matches are YARA hits (family_blackmoon) on process memory dumps, i.e. on the unpacked image at runtime. Because the same regions also match the UPX rule below, the on-disk sample is packed and a static scan of the original file may not trigger this family rule; confirm the attribution against the unpacked payload before relying on it.
resource yara_rule behavioral1/memory/3012-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1740-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1348-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-175-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1828-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1088-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/544-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/836-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/664-449-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1056-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-467-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2320-493-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1040-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-967-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2896-986-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1428-1045-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2612-1085-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2612-1106-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1732-1150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1732-1157-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — every listed process is one link in a single linear chain: each executable is dropped into the root of the system volume (NT path \??\c:\<name>.exe, see the process tree below) and launched by the previous one. The list is capped at 64 entries; the tree itself continues to depth 122, so this section is truncated.
pid Process 2928 hbhtth.exe 2676 jdddd.exe 2956 btnnbb.exe 2936 48224.exe 2680 btbhtn.exe 2160 864406.exe 320 840662.exe 1496 rlxxlfl.exe 2064 20086.exe 2888 a0468.exe 1676 1vpvd.exe 2140 60802.exe 1244 xrxrxxf.exe 1740 60844.exe 2656 86224.exe 1852 208466.exe 1348 6462884.exe 2480 26884.exe 1828 btnnbb.exe 2524 7vjpv.exe 2232 vpjpv.exe 1088 42440.exe 2304 pdppd.exe 1064 8266802.exe 2464 lfrrxfl.exe 1376 3jjpp.exe 1760 pppdj.exe 544 820628.exe 1312 6040280.exe 2528 jjvdv.exe 2748 vvpdp.exe 1508 xrffrxf.exe 2584 nhnbhh.exe 2920 04224.exe 1572 6084668.exe 2792 2040280.exe 2948 8640628.exe 2868 864622.exe 2804 u644624.exe 2940 8208462.exe 2740 rlffrxr.exe 2516 hhbntt.exe 2160 fxrrxfr.exe 1364 jvjjp.exe 1108 w42844.exe 1844 204066.exe 836 lfrxflf.exe 2872 fxllxrx.exe 2220 fxlfffr.exe 1676 3jdjp.exe 2024 48428.exe 2028 vpdjp.exe 664 60424.exe 2876 48628.exe 756 40600.exe 1276 82028.exe 1056 5bbnnh.exe 2264 08628.exe 1836 2602802.exe 2536 rrxrfrx.exe 2256 lfrxflr.exe 2320 6080262.exe 3004 vvdjv.exe 1040 6024882.exe -
resource yara_rule behavioral1/memory/3012-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1348-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/544-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-289-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2748-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-856-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-993-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1428-1019-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/812-1058-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-1150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-1224-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2140-1262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-1283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-1300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-1337-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The indicator here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; that key is also read during ordinary locale initialisation, so on its own it is a low-fidelity signal. Entries attributed to "Process not Found" could not be tied to an image name, presumably because the short-lived process had already exited when the event was resolved.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2084280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86884.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6428680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrrxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u040840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i600824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — each record is a parent writing into the address space of the child it has just spawned (procid_target is always the next process in the chain, with four identical records per spawn). On Windows 7 this parent-to-new-child pattern is consistent with ordinary process creation rather than injection; none of the listed writes target a pre-existing, unrelated process, so treat this signature as supporting evidence for the drop-and-execute chain, not as an injection finding on its own.
description pid Process procid_target PID 3012 wrote to memory of 2928 3012 06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe 30 PID 3012 wrote to memory of 2928 3012 06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe 30 PID 3012 wrote to memory of 2928 3012 06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe 30 PID 3012 wrote to memory of 2928 3012 06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe 30 PID 2928 wrote to memory of 2676 2928 hbhtth.exe 31 PID 2928 wrote to memory of 2676 2928 hbhtth.exe 31 PID 2928 wrote to memory of 2676 2928 hbhtth.exe 31 PID 2928 wrote to memory of 2676 2928 hbhtth.exe 31 PID 2676 wrote to memory of 2956 2676 jdddd.exe 32 PID 2676 wrote to memory of 2956 2676 jdddd.exe 32 PID 2676 wrote to memory of 2956 2676 jdddd.exe 32 PID 2676 wrote to memory of 2956 2676 jdddd.exe 32 PID 2956 wrote to memory of 2936 2956 btnnbb.exe 33 PID 2956 wrote to memory of 2936 2956 btnnbb.exe 33 PID 2956 wrote to memory of 2936 2956 btnnbb.exe 33 PID 2956 wrote to memory of 2936 2956 btnnbb.exe 33 PID 2936 wrote to memory of 2680 2936 48224.exe 34 PID 2936 wrote to memory of 2680 2936 48224.exe 34 PID 2936 wrote to memory of 2680 2936 48224.exe 34 PID 2936 wrote to memory of 2680 2936 48224.exe 34 PID 2680 wrote to memory of 2160 2680 btbhtn.exe 35 PID 2680 wrote to memory of 2160 2680 btbhtn.exe 35 PID 2680 wrote to memory of 2160 2680 btbhtn.exe 35 PID 2680 wrote to memory of 2160 2680 btbhtn.exe 35 PID 2160 wrote to memory of 320 2160 864406.exe 36 PID 2160 wrote to memory of 320 2160 864406.exe 36 PID 2160 wrote to memory of 320 2160 864406.exe 36 PID 2160 wrote to memory of 320 2160 864406.exe 36 PID 320 wrote to memory of 1496 320 840662.exe 37 PID 320 wrote to memory of 1496 320 840662.exe 37 PID 320 wrote to memory of 1496 320 840662.exe 37 PID 320 wrote to memory of 1496 320 840662.exe 37 PID 1496 wrote to memory of 2064 1496 rlxxlfl.exe 38 PID 1496 wrote to memory of 2064 
1496 rlxxlfl.exe 38 PID 1496 wrote to memory of 2064 1496 rlxxlfl.exe 38 PID 1496 wrote to memory of 2064 1496 rlxxlfl.exe 38 PID 2064 wrote to memory of 2888 2064 20086.exe 39 PID 2064 wrote to memory of 2888 2064 20086.exe 39 PID 2064 wrote to memory of 2888 2064 20086.exe 39 PID 2064 wrote to memory of 2888 2064 20086.exe 39 PID 2888 wrote to memory of 1676 2888 a0468.exe 40 PID 2888 wrote to memory of 1676 2888 a0468.exe 40 PID 2888 wrote to memory of 1676 2888 a0468.exe 40 PID 2888 wrote to memory of 1676 2888 a0468.exe 40 PID 1676 wrote to memory of 2140 1676 1vpvd.exe 41 PID 1676 wrote to memory of 2140 1676 1vpvd.exe 41 PID 1676 wrote to memory of 2140 1676 1vpvd.exe 41 PID 1676 wrote to memory of 2140 1676 1vpvd.exe 41 PID 2140 wrote to memory of 1244 2140 60802.exe 42 PID 2140 wrote to memory of 1244 2140 60802.exe 42 PID 2140 wrote to memory of 1244 2140 60802.exe 42 PID 2140 wrote to memory of 1244 2140 60802.exe 42 PID 1244 wrote to memory of 1740 1244 xrxrxxf.exe 43 PID 1244 wrote to memory of 1740 1244 xrxrxxf.exe 43 PID 1244 wrote to memory of 1740 1244 xrxrxxf.exe 43 PID 1244 wrote to memory of 1740 1244 xrxrxxf.exe 43 PID 1740 wrote to memory of 2656 1740 60844.exe 44 PID 1740 wrote to memory of 2656 1740 60844.exe 44 PID 1740 wrote to memory of 2656 1740 60844.exe 44 PID 1740 wrote to memory of 2656 1740 60844.exe 44 PID 2656 wrote to memory of 1852 2656 86224.exe 45 PID 2656 wrote to memory of 1852 2656 86224.exe 45 PID 2656 wrote to memory of 1852 2656 86224.exe 45 PID 2656 wrote to memory of 1852 2656 86224.exe 45
Processes (note: PIDs are recycled within this run — e.g. 2160, 1676, 2956, 2888, 1312 and 544 each appear twice in the tree — so a PID alone does not identify a process when correlating with the memory-dump IoCs above; use the PID together with the dump sequence number)
-
C:\Users\Admin\AppData\Local\Temp\06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe"C:\Users\Admin\AppData\Local\Temp\06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\hbhtth.exec:\hbhtth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\jdddd.exec:\jdddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\btnnbb.exec:\btnnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\48224.exec:\48224.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\btbhtn.exec:\btbhtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\864406.exec:\864406.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\840662.exec:\840662.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\rlxxlfl.exec:\rlxxlfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\20086.exec:\20086.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\a0468.exec:\a0468.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\1vpvd.exec:\1vpvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\60802.exec:\60802.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\xrxrxxf.exec:\xrxrxxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\60844.exec:\60844.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\86224.exec:\86224.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\208466.exec:\208466.exe17⤵
- Executes dropped EXE
PID:1852 -
\??\c:\6462884.exec:\6462884.exe18⤵
- Executes dropped EXE
PID:1348 -
\??\c:\26884.exec:\26884.exe19⤵
- Executes dropped EXE
PID:2480 -
\??\c:\btnnbb.exec:\btnnbb.exe20⤵
- Executes dropped EXE
PID:1828 -
\??\c:\7vjpv.exec:\7vjpv.exe21⤵
- Executes dropped EXE
PID:2524 -
\??\c:\vpjpv.exec:\vpjpv.exe22⤵
- Executes dropped EXE
PID:2232 -
\??\c:\42440.exec:\42440.exe23⤵
- Executes dropped EXE
PID:1088 -
\??\c:\pdppd.exec:\pdppd.exe24⤵
- Executes dropped EXE
PID:2304 -
\??\c:\8266802.exec:\8266802.exe25⤵
- Executes dropped EXE
PID:1064 -
\??\c:\lfrrxfl.exec:\lfrrxfl.exe26⤵
- Executes dropped EXE
PID:2464 -
\??\c:\3jjpp.exec:\3jjpp.exe27⤵
- Executes dropped EXE
PID:1376 -
\??\c:\pppdj.exec:\pppdj.exe28⤵
- Executes dropped EXE
PID:1760 -
\??\c:\820628.exec:\820628.exe29⤵
- Executes dropped EXE
PID:544 -
\??\c:\6040280.exec:\6040280.exe30⤵
- Executes dropped EXE
PID:1312 -
\??\c:\jjvdv.exec:\jjvdv.exe31⤵
- Executes dropped EXE
PID:2528 -
\??\c:\vvpdp.exec:\vvpdp.exe32⤵
- Executes dropped EXE
PID:2748 -
\??\c:\xrffrxf.exec:\xrffrxf.exe33⤵
- Executes dropped EXE
PID:1508 -
\??\c:\nhnbhh.exec:\nhnbhh.exe34⤵
- Executes dropped EXE
PID:2584 -
\??\c:\04224.exec:\04224.exe35⤵
- Executes dropped EXE
PID:2920 -
\??\c:\6084668.exec:\6084668.exe36⤵
- Executes dropped EXE
PID:1572 -
\??\c:\2040280.exec:\2040280.exe37⤵
- Executes dropped EXE
PID:2792 -
\??\c:\8640628.exec:\8640628.exe38⤵
- Executes dropped EXE
PID:2948 -
\??\c:\864622.exec:\864622.exe39⤵
- Executes dropped EXE
PID:2868 -
\??\c:\u644624.exec:\u644624.exe40⤵
- Executes dropped EXE
PID:2804 -
\??\c:\8208462.exec:\8208462.exe41⤵
- Executes dropped EXE
PID:2940 -
\??\c:\rlffrxr.exec:\rlffrxr.exe42⤵
- Executes dropped EXE
PID:2740 -
\??\c:\hhbntt.exec:\hhbntt.exe43⤵
- Executes dropped EXE
PID:2516 -
\??\c:\fxrrxfr.exec:\fxrrxfr.exe44⤵
- Executes dropped EXE
PID:2160 -
\??\c:\jvjjp.exec:\jvjjp.exe45⤵
- Executes dropped EXE
PID:1364 -
\??\c:\w42844.exec:\w42844.exe46⤵
- Executes dropped EXE
PID:1108 -
\??\c:\204066.exec:\204066.exe47⤵
- Executes dropped EXE
PID:1844 -
\??\c:\lfrxflf.exec:\lfrxflf.exe48⤵
- Executes dropped EXE
PID:836 -
\??\c:\fxllxrx.exec:\fxllxrx.exe49⤵
- Executes dropped EXE
PID:2872 -
\??\c:\fxlfffr.exec:\fxlfffr.exe50⤵
- Executes dropped EXE
PID:2220 -
\??\c:\3jdjp.exec:\3jdjp.exe51⤵
- Executes dropped EXE
PID:1676 -
\??\c:\48428.exec:\48428.exe52⤵
- Executes dropped EXE
PID:2024 -
\??\c:\vpdjp.exec:\vpdjp.exe53⤵
- Executes dropped EXE
PID:2028 -
\??\c:\60424.exec:\60424.exe54⤵
- Executes dropped EXE
PID:664 -
\??\c:\48628.exec:\48628.exe55⤵
- Executes dropped EXE
PID:2876 -
\??\c:\40600.exec:\40600.exe56⤵
- Executes dropped EXE
PID:756 -
\??\c:\82028.exec:\82028.exe57⤵
- Executes dropped EXE
PID:1276 -
\??\c:\5bbnnh.exec:\5bbnnh.exe58⤵
- Executes dropped EXE
PID:1056 -
\??\c:\08628.exec:\08628.exe59⤵
- Executes dropped EXE
PID:2264 -
\??\c:\2602802.exec:\2602802.exe60⤵
- Executes dropped EXE
PID:1836 -
\??\c:\rrxrfrx.exec:\rrxrfrx.exe61⤵
- Executes dropped EXE
PID:2536 -
\??\c:\lfrxflr.exec:\lfrxflr.exe62⤵
- Executes dropped EXE
PID:2256 -
\??\c:\6080262.exec:\6080262.exe63⤵
- Executes dropped EXE
PID:2320 -
\??\c:\vvdjv.exec:\vvdjv.exe64⤵
- Executes dropped EXE
PID:3004 -
\??\c:\6024882.exec:\6024882.exe65⤵
- Executes dropped EXE
PID:1040 -
\??\c:\q62288.exec:\q62288.exe66⤵PID:1792
-
\??\c:\tnbhtt.exec:\tnbhtt.exe67⤵PID:1624
-
\??\c:\pjdvd.exec:\pjdvd.exe68⤵PID:2196
-
\??\c:\s4880.exec:\s4880.exe69⤵PID:1556
-
\??\c:\2028006.exec:\2028006.exe70⤵PID:1764
-
\??\c:\6462828.exec:\6462828.exe71⤵PID:1756
-
\??\c:\5flfrlf.exec:\5flfrlf.exe72⤵PID:1684
-
\??\c:\208406.exec:\208406.exe73⤵PID:2388
-
\??\c:\022486.exec:\022486.exe74⤵PID:1312
-
\??\c:\8202402.exec:\8202402.exe75⤵PID:2240
-
\??\c:\7vdpj.exec:\7vdpj.exe76⤵PID:2608
-
\??\c:\66026.exec:\66026.exe77⤵PID:1724
-
\??\c:\7bnttt.exec:\7bnttt.exe78⤵PID:1512
-
\??\c:\6602842.exec:\6602842.exe79⤵PID:2584
-
\??\c:\64200.exec:\64200.exe80⤵PID:2244
-
\??\c:\hbhnhh.exec:\hbhnhh.exe81⤵PID:1572
-
\??\c:\824022.exec:\824022.exe82⤵PID:3024
-
\??\c:\hhhttb.exec:\hhhttb.exe83⤵PID:2784
-
\??\c:\nthnnh.exec:\nthnnh.exe84⤵PID:2968
-
\??\c:\66068.exec:\66068.exe85⤵PID:2956
-
\??\c:\6086846.exec:\6086846.exe86⤵PID:2688
-
\??\c:\2022002.exec:\2022002.exe87⤵PID:2684
-
\??\c:\3thhtn.exec:\3thhtn.exe88⤵PID:2712
-
\??\c:\e08466.exec:\e08466.exe89⤵PID:2788
-
\??\c:\20420.exec:\20420.exe90⤵PID:536
-
\??\c:\26008.exec:\26008.exe91⤵PID:300
-
\??\c:\hbhbtt.exec:\hbhbtt.exe92⤵PID:1948
-
\??\c:\bthhnt.exec:\bthhnt.exe93⤵PID:3068
-
\??\c:\0088024.exec:\0088024.exe94⤵PID:2888
-
\??\c:\djjjd.exec:\djjjd.exe95⤵PID:2816
-
\??\c:\7httbh.exec:\7httbh.exe96⤵PID:296
-
\??\c:\lflrxfr.exec:\lflrxfr.exe97⤵PID:2060
-
\??\c:\2640224.exec:\2640224.exe98⤵PID:2012
-
\??\c:\6028200.exec:\6028200.exe99⤵PID:1516
-
\??\c:\042840.exec:\042840.exe100⤵PID:860
-
\??\c:\68602.exec:\68602.exe101⤵PID:844
-
\??\c:\868406.exec:\868406.exe102⤵PID:1272
-
\??\c:\7nnhtn.exec:\7nnhtn.exe103⤵PID:1348
-
\??\c:\c662846.exec:\c662846.exe104⤵PID:1672
-
\??\c:\jjpdj.exec:\jjpdj.exe105⤵PID:656
-
\??\c:\4802486.exec:\4802486.exe106⤵PID:2492
-
\??\c:\q26240.exec:\q26240.exe107⤵PID:2556
-
\??\c:\420600.exec:\420600.exe108⤵PID:2256
-
\??\c:\482428.exec:\482428.exe109⤵PID:2320
-
\??\c:\vpjvp.exec:\vpjvp.exe110⤵PID:2440
-
\??\c:\608428.exec:\608428.exe111⤵PID:2612
-
\??\c:\s4866.exec:\s4866.exe112⤵PID:1792
-
\??\c:\08068.exec:\08068.exe113⤵PID:372
-
\??\c:\60840.exec:\60840.exe114⤵PID:2196
-
\??\c:\6466684.exec:\6466684.exe115⤵PID:1544
-
\??\c:\086400.exec:\086400.exe116⤵PID:1708
-
\??\c:\7lflxfr.exec:\7lflxfr.exe117⤵PID:744
-
\??\c:\btnthn.exec:\btnthn.exe118⤵PID:544
-
\??\c:\2640280.exec:\2640280.exe119⤵PID:2004
-
\??\c:\pjvvd.exec:\pjvvd.exe120⤵PID:2168
-
\??\c:\q60622.exec:\q60622.exe121⤵PID:1632
-
\??\c:\fxrfrxx.exec:\fxrfrxx.exe122⤵PID:884