Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 14:52
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe
-
Size
454KB
-
MD5
06241bd1d858ecd7dfbb1021e97c3a15
-
SHA1
96168875e1b52223de7e2beae79cb419f5ae4c7e
-
SHA256
333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47
-
SHA512
43aa10a2aac5a7fe1a3033a0902b4eb05df01db5d6e058a8ba38acb9e81f911ce65b7d5dd05f775ddce950a8776a042930d485d41661e88f6a58782db65acafc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/308-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2220-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1164-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/288-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1264-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1844-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-492-0x0000000000260000-0x000000000028A000-memory.dmp family_blackmoon behavioral1/memory/2064-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-898-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2492-905-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2492-922-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/656-927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-1044-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1188-1057-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1040-1107-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2916-1126-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2712-1157-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2492-1185-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: several PIDs recur in this list — e.g. 2264, 2548, 2860, 2996 and 3036 each appear under two different image names — because Windows reuses PIDs once a process exits; correlate by image name and spawn order, not by PID alone)
pid Process 2220 1jvvv.exe 2740 xfrffll.exe 2264 ddpvp.exe 2924 626862.exe 2996 htbhhb.exe 2860 22680.exe 2652 nhtbhn.exe 2340 i080886.exe 2548 hbtbbh.exe 3036 jjvdj.exe 2240 nthhtb.exe 1264 rlflxfr.exe 1848 6220426.exe 1860 402820.exe 2984 ntnbht.exe 2040 042802.exe 1088 s4808.exe 2960 646202.exe 1712 2688062.exe 1164 664684.exe 580 64880.exe 2436 2684002.exe 2616 846844.exe 380 42246.exe 288 3jdjj.exe 1792 6046842.exe 1736 lrfrrrl.exe 568 pjvpv.exe 2296 s0020.exe 548 9btthn.exe 2480 80666.exe 2332 jddvv.exe 1972 840404.exe 2416 886840.exe 2848 vjjpj.exe 1568 84426.exe 2264 a4806.exe 2796 48602.exe 2864 g2002.exe 2996 6002008.exe 2860 vppdp.exe 2756 1jddj.exe 2216 64846.exe 2548 5lrxrfx.exe 2636 dvpvj.exe 3036 xrrxlrf.exe 2008 ppdjd.exe 1324 lrlxllx.exe 2732 0262022.exe 3040 vvpvp.exe 1844 fxxlxfr.exe 2544 9xxfxlx.exe 2812 bthnth.exe 2928 rxrlxxl.exe 2988 9ffxlrr.exe 1784 9hnbbh.exe 1244 820684.exe 332 82220.exe 872 llrlffx.exe 1872 nnhbhb.exe 2176 9btbbt.exe 2164 nhhhnn.exe 612 9fllrrx.exe 2004 dvjpd.exe -
UPX packer signature (yara rule `upx`) — every hit below is the same 0x400000–0x42A000 region (0x2A000 bytes), which suggests, though this report does not confirm it, that each dropped EXE is a re-spawned copy of the same packed image.
resource yara_rule behavioral1/memory/308-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3036-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1844-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/484-720-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/996-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-870-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/656-927-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-935-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2608-934-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/684-954-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-1029-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-1044-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1188-1057-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-1158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-1177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-1186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-1302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-1357-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (by reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4420464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22248.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u082868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 480622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (note: the four `2740 wrote to memory of 2264` entries carry procid_target 66 while every neighbouring hop is numbered 30–45; PID 2264 is later reused by a4806.exe, so the sandbox likely resolved these writes to the wrong process instance — treat the target as ddpvp.exe, the child actually spawned by xfrffll.exe in the process tree)
description pid Process procid_target PID 308 wrote to memory of 2220 308 333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe 30 PID 308 wrote to memory of 2220 308 333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe 30 PID 308 wrote to memory of 2220 308 333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe 30 PID 308 wrote to memory of 2220 308 333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe 30 PID 2220 wrote to memory of 2740 2220 1jvvv.exe 31 PID 2220 wrote to memory of 2740 2220 1jvvv.exe 31 PID 2220 wrote to memory of 2740 2220 1jvvv.exe 31 PID 2220 wrote to memory of 2740 2220 1jvvv.exe 31 PID 2740 wrote to memory of 2264 2740 xfrffll.exe 66 PID 2740 wrote to memory of 2264 2740 xfrffll.exe 66 PID 2740 wrote to memory of 2264 2740 xfrffll.exe 66 PID 2740 wrote to memory of 2264 2740 xfrffll.exe 66 PID 2264 wrote to memory of 2924 2264 ddpvp.exe 33 PID 2264 wrote to memory of 2924 2264 ddpvp.exe 33 PID 2264 wrote to memory of 2924 2264 ddpvp.exe 33 PID 2264 wrote to memory of 2924 2264 ddpvp.exe 33 PID 2924 wrote to memory of 2996 2924 626862.exe 34 PID 2924 wrote to memory of 2996 2924 626862.exe 34 PID 2924 wrote to memory of 2996 2924 626862.exe 34 PID 2924 wrote to memory of 2996 2924 626862.exe 34 PID 2996 wrote to memory of 2860 2996 htbhhb.exe 35 PID 2996 wrote to memory of 2860 2996 htbhhb.exe 35 PID 2996 wrote to memory of 2860 2996 htbhhb.exe 35 PID 2996 wrote to memory of 2860 2996 htbhhb.exe 35 PID 2860 wrote to memory of 2652 2860 22680.exe 36 PID 2860 wrote to memory of 2652 2860 22680.exe 36 PID 2860 wrote to memory of 2652 2860 22680.exe 36 PID 2860 wrote to memory of 2652 2860 22680.exe 36 PID 2652 wrote to memory of 2340 2652 nhtbhn.exe 37 PID 2652 wrote to memory of 2340 2652 nhtbhn.exe 37 PID 2652 wrote to memory of 2340 2652 nhtbhn.exe 37 PID 2652 wrote to memory of 2340 2652 nhtbhn.exe 37 PID 2340 wrote to memory of 2548 2340 i080886.exe 38 PID 2340 wrote to memory of 
2548 2340 i080886.exe 38 PID 2340 wrote to memory of 2548 2340 i080886.exe 38 PID 2340 wrote to memory of 2548 2340 i080886.exe 38 PID 2548 wrote to memory of 3036 2548 hbtbbh.exe 39 PID 2548 wrote to memory of 3036 2548 hbtbbh.exe 39 PID 2548 wrote to memory of 3036 2548 hbtbbh.exe 39 PID 2548 wrote to memory of 3036 2548 hbtbbh.exe 39 PID 3036 wrote to memory of 2240 3036 jjvdj.exe 40 PID 3036 wrote to memory of 2240 3036 jjvdj.exe 40 PID 3036 wrote to memory of 2240 3036 jjvdj.exe 40 PID 3036 wrote to memory of 2240 3036 jjvdj.exe 40 PID 2240 wrote to memory of 1264 2240 nthhtb.exe 41 PID 2240 wrote to memory of 1264 2240 nthhtb.exe 41 PID 2240 wrote to memory of 1264 2240 nthhtb.exe 41 PID 2240 wrote to memory of 1264 2240 nthhtb.exe 41 PID 1264 wrote to memory of 1848 1264 rlflxfr.exe 42 PID 1264 wrote to memory of 1848 1264 rlflxfr.exe 42 PID 1264 wrote to memory of 1848 1264 rlflxfr.exe 42 PID 1264 wrote to memory of 1848 1264 rlflxfr.exe 42 PID 1848 wrote to memory of 1860 1848 6220426.exe 43 PID 1848 wrote to memory of 1860 1848 6220426.exe 43 PID 1848 wrote to memory of 1860 1848 6220426.exe 43 PID 1848 wrote to memory of 1860 1848 6220426.exe 43 PID 1860 wrote to memory of 2984 1860 402820.exe 44 PID 1860 wrote to memory of 2984 1860 402820.exe 44 PID 1860 wrote to memory of 2984 1860 402820.exe 44 PID 1860 wrote to memory of 2984 1860 402820.exe 44 PID 2984 wrote to memory of 2040 2984 ntnbht.exe 45 PID 2984 wrote to memory of 2040 2984 ntnbht.exe 45 PID 2984 wrote to memory of 2040 2984 ntnbht.exe 45 PID 2984 wrote to memory of 2040 2984 ntnbht.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe"C:\Users\Admin\AppData\Local\Temp\333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:308 -
\??\c:\1jvvv.exec:\1jvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220 -
\??\c:\xfrffll.exec:\xfrffll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\ddpvp.exec:\ddpvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\626862.exec:\626862.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\htbhhb.exec:\htbhhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\22680.exec:\22680.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\nhtbhn.exec:\nhtbhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\i080886.exec:\i080886.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\hbtbbh.exec:\hbtbbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\jjvdj.exec:\jjvdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\nthhtb.exec:\nthhtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\rlflxfr.exec:\rlflxfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\6220426.exec:\6220426.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\402820.exec:\402820.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\ntnbht.exec:\ntnbht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\042802.exec:\042802.exe17⤵
- Executes dropped EXE
PID:2040 -
\??\c:\s4808.exec:\s4808.exe18⤵
- Executes dropped EXE
PID:1088 -
\??\c:\646202.exec:\646202.exe19⤵
- Executes dropped EXE
PID:2960 -
\??\c:\2688062.exec:\2688062.exe20⤵
- Executes dropped EXE
PID:1712 -
\??\c:\664684.exec:\664684.exe21⤵
- Executes dropped EXE
PID:1164 -
\??\c:\64880.exec:\64880.exe22⤵
- Executes dropped EXE
PID:580 -
\??\c:\2684002.exec:\2684002.exe23⤵
- Executes dropped EXE
PID:2436 -
\??\c:\846844.exec:\846844.exe24⤵
- Executes dropped EXE
PID:2616 -
\??\c:\42246.exec:\42246.exe25⤵
- Executes dropped EXE
PID:380 -
\??\c:\3jdjj.exec:\3jdjj.exe26⤵
- Executes dropped EXE
PID:288 -
\??\c:\6046842.exec:\6046842.exe27⤵
- Executes dropped EXE
PID:1792 -
\??\c:\lrfrrrl.exec:\lrfrrrl.exe28⤵
- Executes dropped EXE
PID:1736 -
\??\c:\pjvpv.exec:\pjvpv.exe29⤵
- Executes dropped EXE
PID:568 -
\??\c:\s0020.exec:\s0020.exe30⤵
- Executes dropped EXE
PID:2296 -
\??\c:\9btthn.exec:\9btthn.exe31⤵
- Executes dropped EXE
PID:548 -
\??\c:\80666.exec:\80666.exe32⤵
- Executes dropped EXE
PID:2480 -
\??\c:\jddvv.exec:\jddvv.exe33⤵
- Executes dropped EXE
PID:2332 -
\??\c:\840404.exec:\840404.exe34⤵
- Executes dropped EXE
PID:1972 -
\??\c:\886840.exec:\886840.exe35⤵
- Executes dropped EXE
PID:2416 -
\??\c:\vjjpj.exec:\vjjpj.exe36⤵
- Executes dropped EXE
PID:2848 -
\??\c:\84426.exec:\84426.exe37⤵
- Executes dropped EXE
PID:1568 -
\??\c:\a4806.exec:\a4806.exe38⤵
- Executes dropped EXE
PID:2264 -
\??\c:\48602.exec:\48602.exe39⤵
- Executes dropped EXE
PID:2796 -
\??\c:\g2002.exec:\g2002.exe40⤵
- Executes dropped EXE
PID:2864 -
\??\c:\6002008.exec:\6002008.exe41⤵
- Executes dropped EXE
PID:2996 -
\??\c:\vppdp.exec:\vppdp.exe42⤵
- Executes dropped EXE
PID:2860 -
\??\c:\1jddj.exec:\1jddj.exe43⤵
- Executes dropped EXE
PID:2756 -
\??\c:\64846.exec:\64846.exe44⤵
- Executes dropped EXE
PID:2216 -
\??\c:\5lrxrfx.exec:\5lrxrfx.exe45⤵
- Executes dropped EXE
PID:2548 -
\??\c:\dvpvj.exec:\dvpvj.exe46⤵
- Executes dropped EXE
PID:2636 -
\??\c:\xrrxlrf.exec:\xrrxlrf.exe47⤵
- Executes dropped EXE
PID:3036 -
\??\c:\ppdjd.exec:\ppdjd.exe48⤵
- Executes dropped EXE
PID:2008 -
\??\c:\lrlxllx.exec:\lrlxllx.exe49⤵
- Executes dropped EXE
PID:1324 -
\??\c:\0262022.exec:\0262022.exe50⤵
- Executes dropped EXE
PID:2732 -
\??\c:\vvpvp.exec:\vvpvp.exe51⤵
- Executes dropped EXE
PID:3040 -
\??\c:\fxxlxfr.exec:\fxxlxfr.exe52⤵
- Executes dropped EXE
PID:1844 -
\??\c:\9xxfxlx.exec:\9xxfxlx.exe53⤵
- Executes dropped EXE
PID:2544 -
\??\c:\bthnth.exec:\bthnth.exe54⤵
- Executes dropped EXE
PID:2812 -
\??\c:\rxrlxxl.exec:\rxrlxxl.exe55⤵
- Executes dropped EXE
PID:2928 -
\??\c:\9ffxlrr.exec:\9ffxlrr.exe56⤵
- Executes dropped EXE
PID:2988 -
\??\c:\9hnbbh.exec:\9hnbbh.exe57⤵
- Executes dropped EXE
PID:1784 -
\??\c:\820684.exec:\820684.exe58⤵
- Executes dropped EXE
PID:1244 -
\??\c:\82220.exec:\82220.exe59⤵
- Executes dropped EXE
PID:332 -
\??\c:\llrlffx.exec:\llrlffx.exe60⤵
- Executes dropped EXE
PID:872 -
\??\c:\nnhbhb.exec:\nnhbhb.exe61⤵
- Executes dropped EXE
PID:1872 -
\??\c:\9btbbt.exec:\9btbbt.exe62⤵
- Executes dropped EXE
PID:2176 -
\??\c:\nhhhnn.exec:\nhhhnn.exe63⤵
- Executes dropped EXE
PID:2164 -
\??\c:\9fllrrx.exec:\9fllrrx.exe64⤵
- Executes dropped EXE
PID:612 -
\??\c:\dvjpd.exec:\dvjpd.exe65⤵
- Executes dropped EXE
PID:2004 -
\??\c:\m6068.exec:\m6068.exe66⤵PID:1964
-
\??\c:\nnbnbn.exec:\nnbnbn.exe67⤵PID:2132
-
\??\c:\s6020.exec:\s6020.exe68⤵PID:1188
-
\??\c:\1rlllrx.exec:\1rlllrx.exe69⤵PID:2064
-
\??\c:\nbhnnn.exec:\nbhnnn.exe70⤵PID:1252
-
\??\c:\hnhthb.exec:\hnhthb.exe71⤵PID:2152
-
\??\c:\48620.exec:\48620.exe72⤵PID:1620
-
\??\c:\fxllxfr.exec:\fxllxfr.exe73⤵PID:2336
-
\??\c:\488062.exec:\488062.exe74⤵PID:1040
-
\??\c:\btntbn.exec:\btntbn.exe75⤵PID:2832
-
\??\c:\xxrxllf.exec:\xxrxllf.exe76⤵PID:1424
-
\??\c:\60624.exec:\60624.exe77⤵PID:2304
-
\??\c:\204028.exec:\204028.exe78⤵PID:2104
-
\??\c:\pjvvj.exec:\pjvvj.exe79⤵PID:1604
-
\??\c:\448042.exec:\448042.exe80⤵PID:2228
-
\??\c:\fxrfflx.exec:\fxrfflx.exe81⤵PID:2796
-
\??\c:\1hhntt.exec:\1hhntt.exe82⤵PID:2496
-
\??\c:\fxrflrx.exec:\fxrflrx.exe83⤵PID:2996
-
\??\c:\646202.exec:\646202.exe84⤵PID:2804
-
\??\c:\o268402.exec:\o268402.exe85⤵PID:2468
-
\??\c:\2288488.exec:\2288488.exe86⤵PID:2532
-
\??\c:\7vppv.exec:\7vppv.exe87⤵PID:572
-
\??\c:\g4286.exec:\g4286.exe88⤵PID:2676
-
\??\c:\1rxflrf.exec:\1rxflrf.exe89⤵PID:1968
-
\??\c:\a4464.exec:\a4464.exe90⤵PID:1520
-
\??\c:\44486.exec:\44486.exe91⤵PID:2256
-
\??\c:\608046.exec:\608046.exe92⤵PID:2968
-
\??\c:\e22466.exec:\e22466.exe93⤵PID:2624
-
\??\c:\jppvv.exec:\jppvv.exe94⤵PID:2100
-
\??\c:\fllrllr.exec:\fllrllr.exe95⤵PID:1876
-
\??\c:\fxxfxfr.exec:\fxxfxfr.exe96⤵PID:2112
-
\??\c:\bbhhnb.exec:\bbhhnb.exe97⤵PID:3000
-
\??\c:\xxfrllf.exec:\xxfrllf.exe98⤵PID:1292
-
\??\c:\lxfrxrf.exec:\lxfrxrf.exe99⤵PID:1712
-
\??\c:\k82206.exec:\k82206.exe100⤵PID:1280
-
\??\c:\vppvp.exec:\vppvp.exe101⤵PID:484
-
\??\c:\9hhttb.exec:\9hhttb.exe102⤵PID:2016
-
\??\c:\nbthbn.exec:\nbthbn.exe103⤵PID:1856
-
\??\c:\e44628.exec:\e44628.exe104⤵PID:1508
-
\??\c:\3xxlxrf.exec:\3xxlxrf.exe105⤵PID:2176
-
\??\c:\60082.exec:\60082.exe106⤵PID:2164
-
\??\c:\xlxxrxr.exec:\xlxxrxr.exe107⤵PID:2140
-
\??\c:\0468446.exec:\0468446.exe108⤵PID:2824
-
\??\c:\26008.exec:\26008.exe109⤵PID:1696
-
\??\c:\m0026.exec:\m0026.exe110⤵PID:2308
-
\??\c:\2646408.exec:\2646408.exe111⤵PID:2088
-
\??\c:\226480.exec:\226480.exe112⤵PID:844
-
\??\c:\422660.exec:\422660.exe113⤵PID:2076
-
\??\c:\rrxfxxl.exec:\rrxfxxl.exe114⤵PID:996
-
\??\c:\xxxxlfr.exec:\xxxxlfr.exe115⤵PID:2152
-
\??\c:\xfffxfx.exec:\xfffxfx.exe116⤵PID:884
-
\??\c:\1xrflrf.exec:\1xrflrf.exe117⤵PID:2452
-
\??\c:\6084620.exec:\6084620.exe118⤵PID:2820
-
\??\c:\5dpvp.exec:\5dpvp.exe119⤵PID:2516
-
\??\c:\jjjpd.exec:\jjjpd.exe120⤵PID:2920
-
\??\c:\224680.exec:\224680.exe121⤵PID:2764
-
\??\c:\vvvjp.exec:\vvvjp.exe122⤵PID:2604