Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 18:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
45cba6672e91cd76cf1d38c53161e3c4a676ad115fd99f9e093a3bae1ffbe4baN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
45cba6672e91cd76cf1d38c53161e3c4a676ad115fd99f9e093a3bae1ffbe4baN.exe
-
Size
454KB
-
MD5
8de096c759f4a80189902bf7be87c630
-
SHA1
dc2e3e422649ca7365594bd1e47f59afe9092050
-
SHA256
45cba6672e91cd76cf1d38c53161e3c4a676ad115fd99f9e093a3bae1ffbe4ba
-
SHA512
82195ed80ccff663794a4a00f7861bf4bc47ea0eb89c8601376ef22f330034f5e35982e66c00e68684b4b4992693baf131851b5cf6d09bb95db45579681601ed
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4676-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/864-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3876-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-841-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-1009-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-1076-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-1152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 748 040082.exe 1592 jpppd.exe 3236 2620088.exe 3736 nhbthb.exe 1920 1jdpd.exe 3036 rrrrrlx.exe 1100 pjdpj.exe 3652 806086.exe 2804 m6808.exe 4856 nhbnht.exe 4464 btthth.exe 1388 840420.exe 4324 hnnhtb.exe 3884 pdddv.exe 3540 htnbnt.exe 1276 hhnbnb.exe 4484 ttbnbn.exe 2280 7thtnh.exe 4796 i466886.exe 2332 pjdvj.exe 2752 u482268.exe 4400 i664208.exe 976 20064.exe 864 a8420.exe 1684 q48204.exe 776 hthbnb.exe 2836 btbttt.exe 1712 204260.exe 3828 268822.exe 4988 20200.exe 4516 bnthhb.exe 4232 vjpvd.exe 2728 frfrfxl.exe 3936 xlxlxfr.exe 3672 vvdvp.exe 904 266420.exe 3940 vpvjd.exe 3092 a6864.exe 3088 8842604.exe 736 dpvjp.exe 4404 440264.exe 4364 m8020.exe 4352 8628446.exe 4864 tbntbh.exe 5108 028664.exe 1408 vvdvj.exe 2924 bhhtnn.exe 4236 6280440.exe 3852 m0848.exe 4540 2088626.exe 1920 s8860.exe 3080 q22048.exe 3036 jpvjv.exe 2036 02488.exe 60 1jvpd.exe 2344 k62644.exe 4832 hnnbnb.exe 1756 8686042.exe 1476 thhbnn.exe 1460 a4088.exe 220 3btnhb.exe 3040 0640804.exe 3288 5dvvp.exe 680 082644.exe -
resource yara_rule behavioral2/memory/4676-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-143-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/776-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1164-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-785-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-965-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o242604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m2864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 28220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2460482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrllfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 662260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u660860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6060886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 280482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjvv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4676 wrote to memory of 748 4676 45cba6672e91cd76cf1d38c53161e3c4a676ad115fd99f9e093a3bae1ffbe4baN.exe 83 PID 4676 wrote to memory of 748 4676 45cba6672e91cd76cf1d38c53161e3c4a676ad115fd99f9e093a3bae1ffbe4baN.exe 83 PID 4676 wrote to memory of 748 4676 45cba6672e91cd76cf1d38c53161e3c4a676ad115fd99f9e093a3bae1ffbe4baN.exe 83 PID 748 wrote to memory of 1592 748 040082.exe 84 PID 748 wrote to memory of 1592 748 040082.exe 84 PID 748 wrote to memory of 1592 748 040082.exe 84 PID 1592 wrote to memory of 3236 1592 jpppd.exe 85 PID 1592 wrote to memory of 3236 1592 jpppd.exe 85 PID 1592 wrote to memory of 3236 1592 jpppd.exe 85 PID 3236 wrote to memory of 3736 3236 2620088.exe 86 PID 3236 wrote to memory of 3736 3236 2620088.exe 86 PID 3236 wrote to memory of 3736 3236 2620088.exe 86 PID 3736 wrote to memory of 1920 3736 nhbthb.exe 87 PID 3736 wrote to memory of 1920 3736 nhbthb.exe 87 PID 3736 wrote to memory of 1920 3736 nhbthb.exe 87 PID 1920 wrote to memory of 3036 1920 1jdpd.exe 88 PID 1920 wrote to memory of 3036 1920 1jdpd.exe 88 PID 1920 wrote to memory of 3036 1920 1jdpd.exe 88 PID 3036 wrote to memory of 1100 3036 rrrrrlx.exe 89 PID 3036 wrote to memory of 1100 3036 rrrrrlx.exe 89 PID 3036 wrote to memory of 1100 3036 rrrrrlx.exe 89 PID 1100 wrote to memory of 3652 1100 pjdpj.exe 90 PID 1100 wrote to memory of 3652 1100 pjdpj.exe 90 PID 1100 wrote to memory of 3652 1100 pjdpj.exe 90 PID 3652 wrote to memory of 2804 3652 806086.exe 91 PID 3652 wrote to memory of 2804 3652 806086.exe 91 PID 3652 wrote to memory of 2804 3652 806086.exe 91 PID 2804 wrote to memory of 4856 2804 m6808.exe 92 PID 2804 wrote to memory of 4856 2804 m6808.exe 92 PID 2804 wrote to memory of 4856 2804 m6808.exe 92 PID 4856 wrote to memory of 4464 4856 nhbnht.exe 93 PID 4856 wrote to memory of 4464 4856 nhbnht.exe 93 PID 4856 wrote to memory of 4464 4856 nhbnht.exe 93 PID 4464 wrote to memory of 1388 4464 btthth.exe 94 PID 4464 wrote to memory of 
1388 4464 btthth.exe 94 PID 4464 wrote to memory of 1388 4464 btthth.exe 94 PID 1388 wrote to memory of 4324 1388 840420.exe 95 PID 1388 wrote to memory of 4324 1388 840420.exe 95 PID 1388 wrote to memory of 4324 1388 840420.exe 95 PID 4324 wrote to memory of 3884 4324 hnnhtb.exe 96 PID 4324 wrote to memory of 3884 4324 hnnhtb.exe 96 PID 4324 wrote to memory of 3884 4324 hnnhtb.exe 96 PID 3884 wrote to memory of 3540 3884 pdddv.exe 97 PID 3884 wrote to memory of 3540 3884 pdddv.exe 97 PID 3884 wrote to memory of 3540 3884 pdddv.exe 97 PID 3540 wrote to memory of 1276 3540 htnbnt.exe 98 PID 3540 wrote to memory of 1276 3540 htnbnt.exe 98 PID 3540 wrote to memory of 1276 3540 htnbnt.exe 98 PID 1276 wrote to memory of 4484 1276 hhnbnb.exe 99 PID 1276 wrote to memory of 4484 1276 hhnbnb.exe 99 PID 1276 wrote to memory of 4484 1276 hhnbnb.exe 99 PID 4484 wrote to memory of 2280 4484 ttbnbn.exe 100 PID 4484 wrote to memory of 2280 4484 ttbnbn.exe 100 PID 4484 wrote to memory of 2280 4484 ttbnbn.exe 100 PID 2280 wrote to memory of 4796 2280 7thtnh.exe 101 PID 2280 wrote to memory of 4796 2280 7thtnh.exe 101 PID 2280 wrote to memory of 4796 2280 7thtnh.exe 101 PID 4796 wrote to memory of 2332 4796 i466886.exe 102 PID 4796 wrote to memory of 2332 4796 i466886.exe 102 PID 4796 wrote to memory of 2332 4796 i466886.exe 102 PID 2332 wrote to memory of 2752 2332 pjdvj.exe 103 PID 2332 wrote to memory of 2752 2332 pjdvj.exe 103 PID 2332 wrote to memory of 2752 2332 pjdvj.exe 103 PID 2752 wrote to memory of 4400 2752 u482268.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\45cba6672e91cd76cf1d38c53161e3c4a676ad115fd99f9e093a3bae1ffbe4baN.exe"C:\Users\Admin\AppData\Local\Temp\45cba6672e91cd76cf1d38c53161e3c4a676ad115fd99f9e093a3bae1ffbe4baN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\040082.exec:\040082.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\jpppd.exec:\jpppd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\2620088.exec:\2620088.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\nhbthb.exec:\nhbthb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\1jdpd.exec:\1jdpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\rrrrrlx.exec:\rrrrrlx.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\pjdpj.exec:\pjdpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\806086.exec:\806086.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\m6808.exec:\m6808.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\nhbnht.exec:\nhbnht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\btthth.exec:\btthth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\840420.exec:\840420.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\hnnhtb.exec:\hnnhtb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\pdddv.exec:\pdddv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\htnbnt.exec:\htnbnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\hhnbnb.exec:\hhnbnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
\??\c:\ttbnbn.exec:\ttbnbn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\7thtnh.exec:\7thtnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\i466886.exec:\i466886.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\pjdvj.exec:\pjdvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\u482268.exec:\u482268.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\i664208.exec:\i664208.exe23⤵
- Executes dropped EXE
PID:4400 -
\??\c:\20064.exec:\20064.exe24⤵
- Executes dropped EXE
PID:976 -
\??\c:\a8420.exec:\a8420.exe25⤵
- Executes dropped EXE
PID:864 -
\??\c:\q48204.exec:\q48204.exe26⤵
- Executes dropped EXE
PID:1684 -
\??\c:\hthbnb.exec:\hthbnb.exe27⤵
- Executes dropped EXE
PID:776 -
\??\c:\btbttt.exec:\btbttt.exe28⤵
- Executes dropped EXE
PID:2836 -
\??\c:\204260.exec:\204260.exe29⤵
- Executes dropped EXE
PID:1712 -
\??\c:\268822.exec:\268822.exe30⤵
- Executes dropped EXE
PID:3828 -
\??\c:\20200.exec:\20200.exe31⤵
- Executes dropped EXE
PID:4988 -
\??\c:\bnthhb.exec:\bnthhb.exe32⤵
- Executes dropped EXE
PID:4516 -
\??\c:\vjpvd.exec:\vjpvd.exe33⤵
- Executes dropped EXE
PID:4232 -
\??\c:\frfrfxl.exec:\frfrfxl.exe34⤵
- Executes dropped EXE
PID:2728 -
\??\c:\xlxlxfr.exec:\xlxlxfr.exe35⤵
- Executes dropped EXE
PID:3936 -
\??\c:\vvdvp.exec:\vvdvp.exe36⤵
- Executes dropped EXE
PID:3672 -
\??\c:\266420.exec:\266420.exe37⤵
- Executes dropped EXE
PID:904 -
\??\c:\vpvjd.exec:\vpvjd.exe38⤵
- Executes dropped EXE
PID:3940 -
\??\c:\a6864.exec:\a6864.exe39⤵
- Executes dropped EXE
PID:3092 -
\??\c:\8842604.exec:\8842604.exe40⤵
- Executes dropped EXE
PID:3088 -
\??\c:\dpvjp.exec:\dpvjp.exe41⤵
- Executes dropped EXE
PID:736 -
\??\c:\440264.exec:\440264.exe42⤵
- Executes dropped EXE
PID:4404 -
\??\c:\m8020.exec:\m8020.exe43⤵
- Executes dropped EXE
PID:4364 -
\??\c:\8628446.exec:\8628446.exe44⤵
- Executes dropped EXE
PID:4352 -
\??\c:\tbntbh.exec:\tbntbh.exe45⤵
- Executes dropped EXE
PID:4864 -
\??\c:\028664.exec:\028664.exe46⤵
- Executes dropped EXE
PID:5108 -
\??\c:\vvdvj.exec:\vvdvj.exe47⤵
- Executes dropped EXE
PID:1408 -
\??\c:\bhhtnn.exec:\bhhtnn.exe48⤵
- Executes dropped EXE
PID:2924 -
\??\c:\6280440.exec:\6280440.exe49⤵
- Executes dropped EXE
PID:4236 -
\??\c:\m0848.exec:\m0848.exe50⤵
- Executes dropped EXE
PID:3852 -
\??\c:\2088626.exec:\2088626.exe51⤵
- Executes dropped EXE
PID:4540 -
\??\c:\s8860.exec:\s8860.exe52⤵
- Executes dropped EXE
PID:1920 -
\??\c:\q22048.exec:\q22048.exe53⤵
- Executes dropped EXE
PID:3080 -
\??\c:\jpvjv.exec:\jpvjv.exe54⤵
- Executes dropped EXE
PID:3036 -
\??\c:\02488.exec:\02488.exe55⤵
- Executes dropped EXE
PID:2036 -
\??\c:\1jvpd.exec:\1jvpd.exe56⤵
- Executes dropped EXE
PID:60 -
\??\c:\k62644.exec:\k62644.exe57⤵
- Executes dropped EXE
PID:2344 -
\??\c:\hnnbnb.exec:\hnnbnb.exe58⤵
- Executes dropped EXE
PID:4832 -
\??\c:\8686042.exec:\8686042.exe59⤵
- Executes dropped EXE
PID:1756 -
\??\c:\thhbnn.exec:\thhbnn.exe60⤵
- Executes dropped EXE
PID:1476 -
\??\c:\a4088.exec:\a4088.exe61⤵
- Executes dropped EXE
PID:1460 -
\??\c:\3btnhb.exec:\3btnhb.exe62⤵
- Executes dropped EXE
PID:220 -
\??\c:\0640804.exec:\0640804.exe63⤵
- Executes dropped EXE
PID:3040 -
\??\c:\5dvvp.exec:\5dvvp.exe64⤵
- Executes dropped EXE
PID:3288 -
\??\c:\082644.exec:\082644.exe65⤵
- Executes dropped EXE
PID:680 -
\??\c:\hbhbnn.exec:\hbhbnn.exe66⤵PID:2484
-
\??\c:\vdpvj.exec:\vdpvj.exe67⤵PID:1660
-
\??\c:\vjjvj.exec:\vjjvj.exe68⤵PID:4892
-
\??\c:\o242604.exec:\o242604.exe69⤵
- System Location Discovery: System Language Discovery
PID:2648 -
\??\c:\pjvpp.exec:\pjvpp.exe70⤵PID:1172
-
\??\c:\62208.exec:\62208.exe71⤵PID:3876
-
\??\c:\422600.exec:\422600.exe72⤵PID:984
-
\??\c:\u660860.exec:\u660860.exe73⤵
- System Location Discovery: System Language Discovery
PID:4672 -
\??\c:\5vvvp.exec:\5vvvp.exe74⤵PID:2288
-
\??\c:\5fxlxrf.exec:\5fxlxrf.exe75⤵PID:3404
-
\??\c:\62860.exec:\62860.exe76⤵PID:4400
-
\??\c:\hbtnbt.exec:\hbtnbt.exe77⤵PID:3944
-
\??\c:\nbhbbb.exec:\nbhbbb.exe78⤵PID:3476
-
\??\c:\8464826.exec:\8464826.exe79⤵PID:4104
-
\??\c:\fllfxxf.exec:\fllfxxf.exe80⤵PID:3536
-
\??\c:\flflflf.exec:\flflflf.exe81⤵PID:4300
-
\??\c:\frlxlfx.exec:\frlxlfx.exe82⤵PID:2784
-
\??\c:\lffxxxr.exec:\lffxxxr.exe83⤵PID:1376
-
\??\c:\006426.exec:\006426.exe84⤵PID:1448
-
\??\c:\q88660.exec:\q88660.exe85⤵PID:3916
-
\??\c:\8284404.exec:\8284404.exe86⤵PID:4112
-
\??\c:\6004882.exec:\6004882.exe87⤵PID:4988
-
\??\c:\7jjvj.exec:\7jjvj.exe88⤵PID:1164
-
\??\c:\m0042.exec:\m0042.exe89⤵PID:4020
-
\??\c:\hbtttb.exec:\hbtttb.exe90⤵PID:4232
-
\??\c:\00226.exec:\00226.exe91⤵PID:4632
-
\??\c:\djjvj.exec:\djjvj.exe92⤵PID:3936
-
\??\c:\4248826.exec:\4248826.exe93⤵PID:5016
-
\??\c:\0408280.exec:\0408280.exe94⤵PID:904
-
\??\c:\7rfxxrl.exec:\7rfxxrl.exe95⤵PID:672
-
\??\c:\2204824.exec:\2204824.exe96⤵PID:4840
-
\??\c:\22864.exec:\22864.exe97⤵PID:2120
-
\??\c:\rfrfxxr.exec:\rfrfxxr.exe98⤵PID:4520
-
\??\c:\rffrfxr.exec:\rffrfxr.exe99⤵PID:4372
-
\??\c:\0688882.exec:\0688882.exe100⤵PID:1680
-
\??\c:\04082.exec:\04082.exe101⤵PID:4644
-
\??\c:\k22082.exec:\k22082.exe102⤵PID:4328
-
\??\c:\2408486.exec:\2408486.exe103⤵PID:2720
-
\??\c:\40648.exec:\40648.exe104⤵PID:3616
-
\??\c:\28448.exec:\28448.exe105⤵PID:3024
-
\??\c:\jdvjv.exec:\jdvjv.exe106⤵PID:2832
-
\??\c:\tnhbnh.exec:\tnhbnh.exe107⤵PID:960
-
\??\c:\bhthtn.exec:\bhthtn.exe108⤵PID:1148
-
\??\c:\68482.exec:\68482.exe109⤵PID:1436
-
\??\c:\vjvpj.exec:\vjvpj.exe110⤵PID:4680
-
\??\c:\5xxlfxf.exec:\5xxlfxf.exe111⤵PID:2876
-
\??\c:\040822.exec:\040822.exe112⤵PID:1816
-
\??\c:\frrrlxr.exec:\frrrlxr.exe113⤵PID:2348
-
\??\c:\g4664.exec:\g4664.exe114⤵PID:2036
-
\??\c:\20604.exec:\20604.exe115⤵PID:1892
-
\??\c:\btbnhb.exec:\btbnhb.exe116⤵PID:4760
-
\??\c:\7rlxrlf.exec:\7rlxrlf.exe117⤵PID:2492
-
\??\c:\406088.exec:\406088.exe118⤵PID:3452
-
\??\c:\vpddd.exec:\vpddd.exe119⤵PID:1044
-
\??\c:\0682048.exec:\0682048.exe120⤵PID:1460
-
\??\c:\5ttnnb.exec:\5ttnnb.exe121⤵PID:1780
-
\??\c:\rxlfrlf.exec:\rxlfrlf.exe122⤵PID:3052