Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 19:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
046649d2320518a7aca7902d010f132757a0703d6a74c3a82d796a133aab7adf.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
046649d2320518a7aca7902d010f132757a0703d6a74c3a82d796a133aab7adf.exe
-
Size
454KB
-
MD5
ccec0e30ce8dbdee3432fbe21847a17e
-
SHA1
cd3fb766fee5a51f6556bd74d79604a5bfa7e479
-
SHA256
046649d2320518a7aca7902d010f132757a0703d6a74c3a82d796a133aab7adf
-
SHA512
90ba1a9e8c8fbdcd7e43a83feaccd742cd61f62934027edd8120ff2df2485b9e323e28373ca6f0461ff562984717107b9b32d3d3a8590c0c92f17659c59fdf12
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2000-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/720-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-108-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1892-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/708-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2692-337-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2800-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1112-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1624-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1260-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-559-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1644-582-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/1588-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-659-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1400-686-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2640-921-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2348-943-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2108-1142-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2816-1161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2656-1194-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-1276-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 720 5httbb.exe 1960 m4220.exe 2916 2084022.exe 2124 5thntn.exe 2796 024406.exe 2756 8240268.exe 2888 fxllrrx.exe 2936 rrrxlrx.exe 2764 nhbbht.exe 2612 484006.exe 2240 lrlfrxl.exe 688 4862408.exe 1092 hhbnhn.exe 2776 hhbhnt.exe 2828 4868020.exe 1868 2602024.exe 1892 hbtntt.exe 2972 tbttnb.exe 2476 82400.exe 2144 486622.exe 1676 642822.exe 1704 42406.exe 708 rlrlrxl.exe 3068 tbtthn.exe 1260 3vpdd.exe 1008 fxxlrfr.exe 964 w86840.exe 1780 42068.exe 2388 hhhbnt.exe 1492 xrllrxl.exe 2416 i040224.exe 1684 60406.exe 1896 fxlrrfx.exe 1596 2640228.exe 3020 vjppd.exe 2384 266284.exe 2360 9pjpj.exe 380 htbttt.exe 2692 20828.exe 2320 ppdvd.exe 2800 4240662.exe 2756 20806.exe 2636 bnbhbb.exe 2192 20408.exe 1668 24000.exe 2764 jdppv.exe 1996 8684228.exe 2096 48660.exe 1624 xrfffff.exe 1112 9pvvp.exe 1860 46886.exe 2844 080666.exe 2828 pddjp.exe 712 o266268.exe 2952 tnbtbb.exe 1408 pdddd.exe 1208 fllfxxf.exe 2064 864026.exe 2316 dpjjp.exe 2176 thbbth.exe 3012 42008.exe 1904 dpjjv.exe 1680 jddjd.exe 1792 28046.exe -
resource yara_rule behavioral1/memory/2000-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/720-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-326-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2320-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1112-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-754-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1224-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-868-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-881-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-921-0x00000000002C0000-0x00000000002EA000-memory.dmp upx behavioral1/memory/2240-944-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-1060-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1020-1073-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-1128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-1135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-1161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-1226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-1276-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2472-1283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/108-1290-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4866284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxflxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488088.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6028406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2000 wrote to memory of 720 2000 046649d2320518a7aca7902d010f132757a0703d6a74c3a82d796a133aab7adf.exe 30 PID 2000 wrote to memory of 720 2000 046649d2320518a7aca7902d010f132757a0703d6a74c3a82d796a133aab7adf.exe 30 PID 2000 wrote to memory of 720 2000 046649d2320518a7aca7902d010f132757a0703d6a74c3a82d796a133aab7adf.exe 30 PID 2000 wrote to memory of 720 2000 046649d2320518a7aca7902d010f132757a0703d6a74c3a82d796a133aab7adf.exe 30 PID 720 wrote to memory of 1960 720 5httbb.exe 31 PID 720 wrote to memory of 1960 720 5httbb.exe 31 PID 720 wrote to memory of 1960 720 5httbb.exe 31 PID 720 wrote to memory of 1960 720 5httbb.exe 31 PID 1960 wrote to memory of 2916 1960 m4220.exe 32 PID 1960 wrote to memory of 2916 1960 m4220.exe 32 PID 1960 wrote to memory of 2916 1960 m4220.exe 32 PID 1960 wrote to memory of 2916 1960 m4220.exe 32 PID 2916 wrote to memory of 2124 2916 2084022.exe 33 PID 2916 wrote to memory of 2124 2916 2084022.exe 33 PID 2916 wrote to memory of 2124 2916 2084022.exe 33 PID 2916 wrote to memory of 2124 2916 2084022.exe 33 PID 2124 wrote to memory of 2796 2124 5thntn.exe 34 PID 2124 wrote to memory of 2796 2124 5thntn.exe 34 PID 2124 wrote to memory of 2796 2124 5thntn.exe 34 PID 2124 wrote to memory of 2796 2124 5thntn.exe 34 PID 2796 wrote to memory of 2756 2796 024406.exe 35 PID 2796 wrote to memory of 2756 2796 024406.exe 35 PID 2796 wrote to memory of 2756 2796 024406.exe 35 PID 2796 wrote to memory of 2756 2796 024406.exe 35 PID 2756 wrote to memory of 2888 2756 8240268.exe 36 PID 2756 wrote to memory of 2888 2756 8240268.exe 36 PID 2756 wrote to memory of 2888 2756 8240268.exe 36 PID 2756 wrote to memory of 2888 2756 8240268.exe 36 PID 2888 wrote to memory of 2936 2888 fxllrrx.exe 37 PID 2888 wrote to memory of 2936 2888 fxllrrx.exe 37 PID 2888 wrote to memory of 2936 2888 fxllrrx.exe 37 PID 2888 wrote to memory of 2936 2888 fxllrrx.exe 37 PID 2936 wrote to memory of 2764 2936 rrrxlrx.exe 38 PID 2936 wrote 
to memory of 2764 2936 rrrxlrx.exe 38 PID 2936 wrote to memory of 2764 2936 rrrxlrx.exe 38 PID 2936 wrote to memory of 2764 2936 rrrxlrx.exe 38 PID 2764 wrote to memory of 2612 2764 nhbbht.exe 39 PID 2764 wrote to memory of 2612 2764 nhbbht.exe 39 PID 2764 wrote to memory of 2612 2764 nhbbht.exe 39 PID 2764 wrote to memory of 2612 2764 nhbbht.exe 39 PID 2612 wrote to memory of 2240 2612 484006.exe 40 PID 2612 wrote to memory of 2240 2612 484006.exe 40 PID 2612 wrote to memory of 2240 2612 484006.exe 40 PID 2612 wrote to memory of 2240 2612 484006.exe 40 PID 2240 wrote to memory of 688 2240 lrlfrxl.exe 41 PID 2240 wrote to memory of 688 2240 lrlfrxl.exe 41 PID 2240 wrote to memory of 688 2240 lrlfrxl.exe 41 PID 2240 wrote to memory of 688 2240 lrlfrxl.exe 41 PID 688 wrote to memory of 1092 688 4862408.exe 42 PID 688 wrote to memory of 1092 688 4862408.exe 42 PID 688 wrote to memory of 1092 688 4862408.exe 42 PID 688 wrote to memory of 1092 688 4862408.exe 42 PID 1092 wrote to memory of 2776 1092 hhbnhn.exe 43 PID 1092 wrote to memory of 2776 1092 hhbnhn.exe 43 PID 1092 wrote to memory of 2776 1092 hhbnhn.exe 43 PID 1092 wrote to memory of 2776 1092 hhbnhn.exe 43 PID 2776 wrote to memory of 2828 2776 hhbhnt.exe 44 PID 2776 wrote to memory of 2828 2776 hhbhnt.exe 44 PID 2776 wrote to memory of 2828 2776 hhbhnt.exe 44 PID 2776 wrote to memory of 2828 2776 hhbhnt.exe 44 PID 2828 wrote to memory of 1868 2828 4868020.exe 45 PID 2828 wrote to memory of 1868 2828 4868020.exe 45 PID 2828 wrote to memory of 1868 2828 4868020.exe 45 PID 2828 wrote to memory of 1868 2828 4868020.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\046649d2320518a7aca7902d010f132757a0703d6a74c3a82d796a133aab7adf.exe"C:\Users\Admin\AppData\Local\Temp\046649d2320518a7aca7902d010f132757a0703d6a74c3a82d796a133aab7adf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\5httbb.exec:\5httbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\m4220.exec:\m4220.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\2084022.exec:\2084022.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\5thntn.exec:\5thntn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\024406.exec:\024406.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\8240268.exec:\8240268.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\fxllrrx.exec:\fxllrrx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\rrrxlrx.exec:\rrrxlrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\nhbbht.exec:\nhbbht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\484006.exec:\484006.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\lrlfrxl.exec:\lrlfrxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\4862408.exec:\4862408.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688 -
\??\c:\hhbnhn.exec:\hhbnhn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\hhbhnt.exec:\hhbhnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\4868020.exec:\4868020.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\2602024.exec:\2602024.exe17⤵
- Executes dropped EXE
PID:1868 -
\??\c:\hbtntt.exec:\hbtntt.exe18⤵
- Executes dropped EXE
PID:1892 -
\??\c:\tbttnb.exec:\tbttnb.exe19⤵
- Executes dropped EXE
PID:2972 -
\??\c:\82400.exec:\82400.exe20⤵
- Executes dropped EXE
PID:2476 -
\??\c:\486622.exec:\486622.exe21⤵
- Executes dropped EXE
PID:2144 -
\??\c:\642822.exec:\642822.exe22⤵
- Executes dropped EXE
PID:1676 -
\??\c:\42406.exec:\42406.exe23⤵
- Executes dropped EXE
PID:1704 -
\??\c:\rlrlrxl.exec:\rlrlrxl.exe24⤵
- Executes dropped EXE
PID:708 -
\??\c:\tbtthn.exec:\tbtthn.exe25⤵
- Executes dropped EXE
PID:3068 -
\??\c:\3vpdd.exec:\3vpdd.exe26⤵
- Executes dropped EXE
PID:1260 -
\??\c:\fxxlrfr.exec:\fxxlrfr.exe27⤵
- Executes dropped EXE
PID:1008 -
\??\c:\w86840.exec:\w86840.exe28⤵
- Executes dropped EXE
PID:964 -
\??\c:\42068.exec:\42068.exe29⤵
- Executes dropped EXE
PID:1780 -
\??\c:\hhhbnt.exec:\hhhbnt.exe30⤵
- Executes dropped EXE
PID:2388 -
\??\c:\xrllrxl.exec:\xrllrxl.exe31⤵
- Executes dropped EXE
PID:1492 -
\??\c:\i040224.exec:\i040224.exe32⤵
- Executes dropped EXE
PID:2416 -
\??\c:\60406.exec:\60406.exe33⤵
- Executes dropped EXE
PID:1684 -
\??\c:\fxlrrfx.exec:\fxlrrfx.exe34⤵
- Executes dropped EXE
PID:1896 -
\??\c:\2640228.exec:\2640228.exe35⤵
- Executes dropped EXE
PID:1596 -
\??\c:\vjppd.exec:\vjppd.exe36⤵
- Executes dropped EXE
PID:3020 -
\??\c:\266284.exec:\266284.exe37⤵
- Executes dropped EXE
PID:2384 -
\??\c:\9pjpj.exec:\9pjpj.exe38⤵
- Executes dropped EXE
PID:2360 -
\??\c:\htbttt.exec:\htbttt.exe39⤵
- Executes dropped EXE
PID:380 -
\??\c:\20828.exec:\20828.exe40⤵
- Executes dropped EXE
PID:2692 -
\??\c:\ppdvd.exec:\ppdvd.exe41⤵
- Executes dropped EXE
PID:2320 -
\??\c:\4240662.exec:\4240662.exe42⤵
- Executes dropped EXE
PID:2800 -
\??\c:\20806.exec:\20806.exe43⤵
- Executes dropped EXE
PID:2756 -
\??\c:\bnbhbb.exec:\bnbhbb.exe44⤵
- Executes dropped EXE
PID:2636 -
\??\c:\20408.exec:\20408.exe45⤵
- Executes dropped EXE
PID:2192 -
\??\c:\24000.exec:\24000.exe46⤵
- Executes dropped EXE
PID:1668 -
\??\c:\jdppv.exec:\jdppv.exe47⤵
- Executes dropped EXE
PID:2764 -
\??\c:\8684228.exec:\8684228.exe48⤵
- Executes dropped EXE
PID:1996 -
\??\c:\48660.exec:\48660.exe49⤵
- Executes dropped EXE
PID:2096 -
\??\c:\xrfffff.exec:\xrfffff.exe50⤵
- Executes dropped EXE
PID:1624 -
\??\c:\9pvvp.exec:\9pvvp.exe51⤵
- Executes dropped EXE
PID:1112 -
\??\c:\46886.exec:\46886.exe52⤵
- Executes dropped EXE
PID:1860 -
\??\c:\080666.exec:\080666.exe53⤵
- Executes dropped EXE
PID:2844 -
\??\c:\pddjp.exec:\pddjp.exe54⤵
- Executes dropped EXE
PID:2828 -
\??\c:\o266268.exec:\o266268.exe55⤵
- Executes dropped EXE
PID:712 -
\??\c:\tnbtbb.exec:\tnbtbb.exe56⤵
- Executes dropped EXE
PID:2952 -
\??\c:\pdddd.exec:\pdddd.exe57⤵
- Executes dropped EXE
PID:1408 -
\??\c:\fllfxxf.exec:\fllfxxf.exe58⤵
- Executes dropped EXE
PID:1208 -
\??\c:\864026.exec:\864026.exe59⤵
- Executes dropped EXE
PID:2064 -
\??\c:\dpjjp.exec:\dpjjp.exe60⤵
- Executes dropped EXE
PID:2316 -
\??\c:\thbbth.exec:\thbbth.exe61⤵
- Executes dropped EXE
PID:2176 -
\??\c:\42008.exec:\42008.exe62⤵
- Executes dropped EXE
PID:3012 -
\??\c:\dpjjv.exec:\dpjjv.exe63⤵
- Executes dropped EXE
PID:1904 -
\??\c:\jddjd.exec:\jddjd.exe64⤵
- Executes dropped EXE
PID:1680 -
\??\c:\28046.exec:\28046.exe65⤵
- Executes dropped EXE
PID:1792 -
\??\c:\btnttb.exec:\btnttb.exe66⤵PID:1540
-
\??\c:\a2628.exec:\a2628.exe67⤵PID:484
-
\??\c:\tnnbbb.exec:\tnnbbb.exe68⤵PID:1260
-
\??\c:\q68400.exec:\q68400.exe69⤵PID:2120
-
\??\c:\lrfxxxx.exec:\lrfxxxx.exe70⤵PID:3024
-
\??\c:\a4666.exec:\a4666.exe71⤵PID:2020
-
\??\c:\820622.exec:\820622.exe72⤵PID:644
-
\??\c:\7pvjd.exec:\7pvjd.exe73⤵PID:1644
-
\??\c:\1hhntt.exec:\1hhntt.exe74⤵PID:1628
-
\??\c:\828282.exec:\828282.exe75⤵PID:2416
-
\??\c:\2462440.exec:\2462440.exe76⤵PID:1324
-
\??\c:\ddjdp.exec:\ddjdp.exe77⤵PID:1716
-
\??\c:\8004482.exec:\8004482.exe78⤵PID:1588
-
\??\c:\rrlfrxl.exec:\rrlfrxl.exe79⤵PID:720
-
\??\c:\9nnbnt.exec:\9nnbnt.exe80⤵PID:2520
-
\??\c:\rlxrxxl.exec:\rlxrxxl.exe81⤵PID:3016
-
\??\c:\3rflrrf.exec:\3rflrrf.exe82⤵PID:2188
-
\??\c:\q22406.exec:\q22406.exe83⤵PID:1032
-
\??\c:\1dpjp.exec:\1dpjp.exe84⤵PID:2876
-
\??\c:\a0406.exec:\a0406.exe85⤵PID:3032
-
\??\c:\dvppj.exec:\dvppj.exe86⤵PID:2716
-
\??\c:\60802.exec:\60802.exe87⤵PID:2892
-
\??\c:\2066006.exec:\2066006.exe88⤵PID:2832
-
\??\c:\22028.exec:\22028.exe89⤵PID:2960
-
\??\c:\1xrlrrf.exec:\1xrlrrf.exe90⤵PID:1400
-
\??\c:\1djpv.exec:\1djpv.exe91⤵PID:2332
-
\??\c:\5pvpp.exec:\5pvpp.exe92⤵PID:1996
-
\??\c:\q42248.exec:\q42248.exe93⤵PID:1732
-
\??\c:\rlfxfxl.exec:\rlfxfxl.exe94⤵PID:2836
-
\??\c:\7jvvd.exec:\7jvvd.exe95⤵PID:2668
-
\??\c:\486622.exec:\486622.exe96⤵PID:2860
-
\??\c:\204082.exec:\204082.exe97⤵PID:2844
-
\??\c:\tnbthn.exec:\tnbthn.exe98⤵PID:2828
-
\??\c:\i640624.exec:\i640624.exe99⤵PID:3004
-
\??\c:\rfrrlll.exec:\rfrrlll.exe100⤵PID:2136
-
\??\c:\fxxxrlr.exec:\fxxxrlr.exe101⤵PID:1752
-
\??\c:\646688.exec:\646688.exe102⤵PID:2196
-
\??\c:\a2006.exec:\a2006.exe103⤵PID:1856
-
\??\c:\i862480.exec:\i862480.exe104⤵PID:2316
-
\??\c:\xrfllff.exec:\xrfllff.exe105⤵PID:2176
-
\??\c:\bnttbt.exec:\bnttbt.exe106⤵PID:2004
-
\??\c:\rlfxxff.exec:\rlfxxff.exe107⤵PID:1224
-
\??\c:\20680.exec:\20680.exe108⤵PID:1800
-
\??\c:\dvdvj.exec:\dvdvj.exe109⤵PID:2696
-
\??\c:\0804006.exec:\0804006.exe110⤵PID:672
-
\??\c:\llxlrll.exec:\llxlrll.exe111⤵PID:916
-
\??\c:\4246268.exec:\4246268.exe112⤵PID:1020
-
\??\c:\lxxrrrx.exec:\lxxrrrx.exe113⤵PID:1724
-
\??\c:\btbbbt.exec:\btbbbt.exe114⤵PID:2368
-
\??\c:\9dddd.exec:\9dddd.exe115⤵PID:2092
-
\??\c:\thhbbt.exec:\thhbbt.exe116⤵PID:2388
-
\??\c:\5tttth.exec:\5tttth.exe117⤵PID:2280
-
\??\c:\xlxxffl.exec:\xlxxffl.exe118⤵PID:1056
-
\??\c:\jvjpd.exec:\jvjpd.exe119⤵PID:1244
-
\??\c:\pdvvd.exec:\pdvvd.exe120⤵PID:1756
-
\??\c:\a8406.exec:\a8406.exe121⤵PID:2372
-
\??\c:\frlfffr.exec:\frlfffr.exe122⤵PID:3036