Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
afb83cd9abf45a699b8649748720b3fdd559585d63cfb9b32d272ce3d54daeb4.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
afb83cd9abf45a699b8649748720b3fdd559585d63cfb9b32d272ce3d54daeb4.exe
-
Size
454KB
-
MD5
174f203ed04767e7c1640117dfa34ed0
-
SHA1
bd23ecec949c92696bfec0a34b12276fd2346624
-
SHA256
afb83cd9abf45a699b8649748720b3fdd559585d63cfb9b32d272ce3d54daeb4
-
SHA512
6c33305afde6ba71abfb331ba948c6c94c1442c947bbea45ccb9f5c0579f198d1e0bddb12d0283aaef091ae322efe268faf8b3faf03ada7546c44bd895876087
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2704-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4812-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/544-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/340-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-946-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-1593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-1736-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3992 7nbhnt.exe 4376 s0884.exe 3720 0060826.exe 2696 7hbnhb.exe 4008 88200.exe 2416 flrfxrl.exe 1632 w22048.exe 4712 xfllrff.exe 1788 6682048.exe 2400 2660088.exe 4252 68260.exe 976 066648.exe 244 thnbbb.exe 2412 0848484.exe 5076 s4482.exe 2904 62882.exe 1580 djppd.exe 3412 84260.exe 3616 nnnhhb.exe 3392 6622004.exe 3800 pjjjd.exe 3632 0648266.exe 4648 htbttt.exe 4812 tthhbb.exe 3972 dvvpd.exe 1624 lllfffx.exe 3536 26484.exe 3496 e84488.exe 636 fllfffx.exe 688 rlfrfff.exe 1836 200266.exe 3288 jpvpj.exe 4804 rflxxrr.exe 4856 tbnnnt.exe 4692 444800.exe 3368 frrfrlr.exe 5080 bbtnhb.exe 3796 2808826.exe 2160 062600.exe 2656 jvdvv.exe 2112 htnbtn.exe 4280 w80828.exe 3944 1vvpd.exe 2868 02008.exe 3572 5rxlxrl.exe 4384 0804424.exe 4188 dpjvp.exe 2940 7hnhnh.exe 3992 vddpd.exe 880 tnbnbt.exe 3040 28820.exe 3840 1jdvj.exe 372 bnhbnh.exe 2696 lxrlxrl.exe 4008 2606040.exe 4920 222486.exe 3788 6660826.exe 3160 jdvpd.exe 4712 xrxffff.exe 1668 084886.exe 5112 5bnhnh.exe 3440 xffrlfr.exe 4148 rlxlfxl.exe 4004 1bbnbt.exe -
resource yara_rule behavioral2/memory/2704-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-138-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4812-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-353-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4720-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/340-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-906-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e40040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6082824.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i682684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a8860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 242222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6488268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08828.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c682048.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2704 wrote to memory of 3992 2704 afb83cd9abf45a699b8649748720b3fdd559585d63cfb9b32d272ce3d54daeb4.exe 87 PID 2704 wrote to memory of 3992 2704 afb83cd9abf45a699b8649748720b3fdd559585d63cfb9b32d272ce3d54daeb4.exe 87 PID 2704 wrote to memory of 3992 2704 afb83cd9abf45a699b8649748720b3fdd559585d63cfb9b32d272ce3d54daeb4.exe 87 PID 3992 wrote to memory of 4376 3992 7nbhnt.exe 88 PID 3992 wrote to memory of 4376 3992 7nbhnt.exe 88 PID 3992 wrote to memory of 4376 3992 7nbhnt.exe 88 PID 4376 wrote to memory of 3720 4376 s0884.exe 89 PID 4376 wrote to memory of 3720 4376 s0884.exe 89 PID 4376 wrote to memory of 3720 4376 s0884.exe 89 PID 3720 wrote to memory of 2696 3720 0060826.exe 90 PID 3720 wrote to memory of 2696 3720 0060826.exe 90 PID 3720 wrote to memory of 2696 3720 0060826.exe 90 PID 2696 wrote to memory of 4008 2696 7hbnhb.exe 91 PID 2696 wrote to memory of 4008 2696 7hbnhb.exe 91 PID 2696 wrote to memory of 4008 2696 7hbnhb.exe 91 PID 4008 wrote to memory of 2416 4008 88200.exe 92 PID 4008 wrote to memory of 2416 4008 88200.exe 92 PID 4008 wrote to memory of 2416 4008 88200.exe 92 PID 2416 wrote to memory of 1632 2416 flrfxrl.exe 93 PID 2416 wrote to memory of 1632 2416 flrfxrl.exe 93 PID 2416 wrote to memory of 1632 2416 flrfxrl.exe 93 PID 1632 wrote to memory of 4712 1632 w22048.exe 94 PID 1632 wrote to memory of 4712 1632 w22048.exe 94 PID 1632 wrote to memory of 4712 1632 w22048.exe 94 PID 4712 wrote to memory of 1788 4712 xfllrff.exe 95 PID 4712 wrote to memory of 1788 4712 xfllrff.exe 95 PID 4712 wrote to memory of 1788 4712 xfllrff.exe 95 PID 1788 wrote to memory of 2400 1788 6682048.exe 96 PID 1788 wrote to memory of 2400 1788 6682048.exe 96 PID 1788 wrote to memory of 2400 1788 6682048.exe 96 PID 2400 wrote to memory of 4252 2400 2660088.exe 97 PID 2400 wrote to memory of 4252 2400 2660088.exe 97 PID 2400 wrote to memory of 4252 2400 2660088.exe 97 PID 4252 wrote to memory of 976 4252 68260.exe 98 PID 4252 
wrote to memory of 976 4252 68260.exe 98 PID 4252 wrote to memory of 976 4252 68260.exe 98 PID 976 wrote to memory of 244 976 066648.exe 99 PID 976 wrote to memory of 244 976 066648.exe 99 PID 976 wrote to memory of 244 976 066648.exe 99 PID 244 wrote to memory of 2412 244 thnbbb.exe 100 PID 244 wrote to memory of 2412 244 thnbbb.exe 100 PID 244 wrote to memory of 2412 244 thnbbb.exe 100 PID 2412 wrote to memory of 5076 2412 0848484.exe 101 PID 2412 wrote to memory of 5076 2412 0848484.exe 101 PID 2412 wrote to memory of 5076 2412 0848484.exe 101 PID 5076 wrote to memory of 2904 5076 s4482.exe 102 PID 5076 wrote to memory of 2904 5076 s4482.exe 102 PID 5076 wrote to memory of 2904 5076 s4482.exe 102 PID 2904 wrote to memory of 1580 2904 62882.exe 103 PID 2904 wrote to memory of 1580 2904 62882.exe 103 PID 2904 wrote to memory of 1580 2904 62882.exe 103 PID 1580 wrote to memory of 3412 1580 djppd.exe 104 PID 1580 wrote to memory of 3412 1580 djppd.exe 104 PID 1580 wrote to memory of 3412 1580 djppd.exe 104 PID 3412 wrote to memory of 3616 3412 84260.exe 105 PID 3412 wrote to memory of 3616 3412 84260.exe 105 PID 3412 wrote to memory of 3616 3412 84260.exe 105 PID 3616 wrote to memory of 3392 3616 nnnhhb.exe 106 PID 3616 wrote to memory of 3392 3616 nnnhhb.exe 106 PID 3616 wrote to memory of 3392 3616 nnnhhb.exe 106 PID 3392 wrote to memory of 3800 3392 6622004.exe 107 PID 3392 wrote to memory of 3800 3392 6622004.exe 107 PID 3392 wrote to memory of 3800 3392 6622004.exe 107 PID 3800 wrote to memory of 3632 3800 pjjjd.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\afb83cd9abf45a699b8649748720b3fdd559585d63cfb9b32d272ce3d54daeb4.exe"C:\Users\Admin\AppData\Local\Temp\afb83cd9abf45a699b8649748720b3fdd559585d63cfb9b32d272ce3d54daeb4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\7nbhnt.exec:\7nbhnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\s0884.exec:\s0884.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\0060826.exec:\0060826.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\7hbnhb.exec:\7hbnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\88200.exec:\88200.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\flrfxrl.exec:\flrfxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\w22048.exec:\w22048.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\xfllrff.exec:\xfllrff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\6682048.exec:\6682048.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\2660088.exec:\2660088.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\68260.exec:\68260.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\066648.exec:\066648.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\thnbbb.exec:\thnbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\0848484.exec:\0848484.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\s4482.exec:\s4482.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\62882.exec:\62882.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\djppd.exec:\djppd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\84260.exec:\84260.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\nnnhhb.exec:\nnnhhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\6622004.exec:\6622004.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\pjjjd.exec:\pjjjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
\??\c:\0648266.exec:\0648266.exe23⤵
- Executes dropped EXE
PID:3632 -
\??\c:\htbttt.exec:\htbttt.exe24⤵
- Executes dropped EXE
PID:4648 -
\??\c:\tthhbb.exec:\tthhbb.exe25⤵
- Executes dropped EXE
PID:4812 -
\??\c:\dvvpd.exec:\dvvpd.exe26⤵
- Executes dropped EXE
PID:3972 -
\??\c:\lllfffx.exec:\lllfffx.exe27⤵
- Executes dropped EXE
PID:1624 -
\??\c:\26484.exec:\26484.exe28⤵
- Executes dropped EXE
PID:3536 -
\??\c:\e84488.exec:\e84488.exe29⤵
- Executes dropped EXE
PID:3496 -
\??\c:\fllfffx.exec:\fllfffx.exe30⤵
- Executes dropped EXE
PID:636 -
\??\c:\rlfrfff.exec:\rlfrfff.exe31⤵
- Executes dropped EXE
PID:688 -
\??\c:\200266.exec:\200266.exe32⤵
- Executes dropped EXE
PID:1836 -
\??\c:\jpvpj.exec:\jpvpj.exe33⤵
- Executes dropped EXE
PID:3288 -
\??\c:\rflxxrr.exec:\rflxxrr.exe34⤵
- Executes dropped EXE
PID:4804 -
\??\c:\tbnnnt.exec:\tbnnnt.exe35⤵
- Executes dropped EXE
PID:4856 -
\??\c:\444800.exec:\444800.exe36⤵
- Executes dropped EXE
PID:4692 -
\??\c:\frrfrlr.exec:\frrfrlr.exe37⤵
- Executes dropped EXE
PID:3368 -
\??\c:\bbtnhb.exec:\bbtnhb.exe38⤵
- Executes dropped EXE
PID:5080 -
\??\c:\2808826.exec:\2808826.exe39⤵
- Executes dropped EXE
PID:3796 -
\??\c:\062600.exec:\062600.exe40⤵
- Executes dropped EXE
PID:2160 -
\??\c:\jvdvv.exec:\jvdvv.exe41⤵
- Executes dropped EXE
PID:2656 -
\??\c:\htnbtn.exec:\htnbtn.exe42⤵
- Executes dropped EXE
PID:2112 -
\??\c:\w80828.exec:\w80828.exe43⤵
- Executes dropped EXE
PID:4280 -
\??\c:\1vvpd.exec:\1vvpd.exe44⤵
- Executes dropped EXE
PID:3944 -
\??\c:\02008.exec:\02008.exe45⤵
- Executes dropped EXE
PID:2868 -
\??\c:\5rxlxrl.exec:\5rxlxrl.exe46⤵
- Executes dropped EXE
PID:3572 -
\??\c:\0804424.exec:\0804424.exe47⤵
- Executes dropped EXE
PID:4384 -
\??\c:\dpjvp.exec:\dpjvp.exe48⤵
- Executes dropped EXE
PID:4188 -
\??\c:\7hnhnh.exec:\7hnhnh.exe49⤵
- Executes dropped EXE
PID:2940 -
\??\c:\vddpd.exec:\vddpd.exe50⤵
- Executes dropped EXE
PID:3992 -
\??\c:\tnbnbt.exec:\tnbnbt.exe51⤵
- Executes dropped EXE
PID:880 -
\??\c:\28820.exec:\28820.exe52⤵
- Executes dropped EXE
PID:3040 -
\??\c:\1jdvj.exec:\1jdvj.exe53⤵
- Executes dropped EXE
PID:3840 -
\??\c:\bnhbnh.exec:\bnhbnh.exe54⤵
- Executes dropped EXE
PID:372 -
\??\c:\lxrlxrl.exec:\lxrlxrl.exe55⤵
- Executes dropped EXE
PID:2696 -
\??\c:\2606040.exec:\2606040.exe56⤵
- Executes dropped EXE
PID:4008 -
\??\c:\222486.exec:\222486.exe57⤵
- Executes dropped EXE
PID:4920 -
\??\c:\6660826.exec:\6660826.exe58⤵
- Executes dropped EXE
PID:3788 -
\??\c:\jdvpd.exec:\jdvpd.exe59⤵
- Executes dropped EXE
PID:3160 -
\??\c:\xrxffff.exec:\xrxffff.exe60⤵
- Executes dropped EXE
PID:4712 -
\??\c:\084886.exec:\084886.exe61⤵
- Executes dropped EXE
PID:1668 -
\??\c:\5bnhnh.exec:\5bnhnh.exe62⤵
- Executes dropped EXE
PID:5112 -
\??\c:\xffrlfr.exec:\xffrlfr.exe63⤵
- Executes dropped EXE
PID:3440 -
\??\c:\rlxlfxl.exec:\rlxlfxl.exe64⤵
- Executes dropped EXE
PID:4148 -
\??\c:\1bbnbt.exec:\1bbnbt.exe65⤵
- Executes dropped EXE
PID:4004 -
\??\c:\8660048.exec:\8660048.exe66⤵PID:2680
-
\??\c:\840826.exec:\840826.exe67⤵PID:216
-
\??\c:\fxrflfx.exec:\fxrflfx.exe68⤵PID:2972
-
\??\c:\288866.exec:\288866.exe69⤵PID:2412
-
\??\c:\288264.exec:\288264.exe70⤵PID:3400
-
\??\c:\ntbnhb.exec:\ntbnhb.exe71⤵PID:4604
-
\??\c:\jdvpj.exec:\jdvpj.exe72⤵PID:1436
-
\??\c:\1vvjv.exec:\1vvjv.exe73⤵PID:4576
-
\??\c:\86604.exec:\86604.exe74⤵PID:1988
-
\??\c:\0804422.exec:\0804422.exe75⤵PID:1528
-
\??\c:\lllffrr.exec:\lllffrr.exe76⤵PID:4372
-
\??\c:\hnhbnb.exec:\hnhbnb.exe77⤵PID:544
-
\??\c:\84224.exec:\84224.exe78⤵PID:3996
-
\??\c:\w60042.exec:\w60042.exe79⤵PID:3800
-
\??\c:\bbtbbt.exec:\bbtbbt.exe80⤵PID:632
-
\??\c:\424820.exec:\424820.exe81⤵PID:1008
-
\??\c:\8882042.exec:\8882042.exe82⤵PID:2332
-
\??\c:\004062.exec:\004062.exe83⤵PID:4648
-
\??\c:\1rfrlfx.exec:\1rfrlfx.exe84⤵PID:4528
-
\??\c:\1fxrlfx.exec:\1fxrlfx.exe85⤵PID:1560
-
\??\c:\i482648.exec:\i482648.exe86⤵PID:2536
-
\??\c:\k82082.exec:\k82082.exe87⤵PID:4720
-
\??\c:\vjdvp.exec:\vjdvp.exe88⤵PID:2372
-
\??\c:\s8460.exec:\s8460.exe89⤵PID:4872
-
\??\c:\024862.exec:\024862.exe90⤵PID:636
-
\??\c:\g4020.exec:\g4020.exe91⤵PID:4800
-
\??\c:\7xfxrrf.exec:\7xfxrrf.exe92⤵PID:688
-
\??\c:\88840.exec:\88840.exe93⤵PID:4568
-
\??\c:\dpjvj.exec:\dpjvj.exe94⤵PID:4460
-
\??\c:\002008.exec:\002008.exe95⤵PID:4448
-
\??\c:\84426.exec:\84426.exe96⤵PID:4724
-
\??\c:\xrlfxxl.exec:\xrlfxxl.exe97⤵PID:340
-
\??\c:\vjjvp.exec:\vjjvp.exe98⤵PID:3908
-
\??\c:\266048.exec:\266048.exe99⤵PID:1556
-
\??\c:\bhhbnb.exec:\bhhbnb.exe100⤵PID:5080
-
\??\c:\2622226.exec:\2622226.exe101⤵PID:3796
-
\??\c:\482048.exec:\482048.exe102⤵PID:4792
-
\??\c:\xrrfxrl.exec:\xrrfxrl.exe103⤵PID:3548
-
\??\c:\u286440.exec:\u286440.exe104⤵PID:4756
-
\??\c:\u660820.exec:\u660820.exe105⤵PID:2028
-
\??\c:\3fxrllr.exec:\3fxrllr.exe106⤵PID:3248
-
\??\c:\fxrfrll.exec:\fxrfrll.exe107⤵PID:4944
-
\??\c:\028860.exec:\028860.exe108⤵PID:4600
-
\??\c:\7jjdd.exec:\7jjdd.exe109⤵PID:4316
-
\??\c:\8886664.exec:\8886664.exe110⤵PID:2088
-
\??\c:\nhhbtn.exec:\nhhbtn.exe111⤵PID:964
-
\??\c:\40648.exec:\40648.exe112⤵PID:2540
-
\??\c:\dvjpv.exec:\dvjpv.exe113⤵PID:4980
-
\??\c:\bhhbtn.exec:\bhhbtn.exe114⤵PID:3912
-
\??\c:\dddvj.exec:\dddvj.exe115⤵PID:3560
-
\??\c:\888442.exec:\888442.exe116⤵PID:1684
-
\??\c:\w02682.exec:\w02682.exe117⤵PID:3092
-
\??\c:\84284.exec:\84284.exe118⤵PID:3448
-
\??\c:\00426.exec:\00426.exe119⤵PID:2468
-
\??\c:\btbnbt.exec:\btbnbt.exe120⤵PID:4852
-
\??\c:\nttnbt.exec:\nttnbt.exe121⤵PID:452
-
\??\c:\5bbnnn.exec:\5bbnnn.exe122⤵PID:3788