Analysis
-
max time kernel
43s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2024 06:16
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe
Resource
win7-20240221-en
5 signatures
150 seconds
General
-
Target
ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe
-
Size
189KB
-
MD5
299c386c9bdb7d042e553be7cfac2a1b
-
SHA1
f36ad1f24089d6ce3d924d689b00445545a9e8f5
-
SHA256
ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d
-
SHA512
9285742b255571e2b2bf4c3926193f197e433305cfb6f2fbe4a9e2fa01ac062432118b9ef753e7f0b21e437e0a62b828f8362f0d640be3f228d70dfb8381f448
-
SSDEEP
3072:YhOmTsF93UYfwC6GIoutLmxHxae5yLpcgDE4JBuItR8pTsgnKbQFe3+w:Ycm4FmowdHoSLEaTBftapTsyFeOw
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/1172-4-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/2480-19-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3284-32-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1764-54-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3640-67-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1708-79-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3380-91-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/5080-135-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4540-188-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4332-221-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1192-225-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/2952-286-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4668-367-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4636-390-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3640-405-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3800-443-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3812-471-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/404-485-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4232-519-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1404-526-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1632-605-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon 
behavioral2/memory/2592-601-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4528-588-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4920-530-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3908-492-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1692-482-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/736-423-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4804-412-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4140-395-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/2992-382-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/2476-372-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3432-356-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4184-346-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3468-342-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3364-335-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/2700-331-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4084-315-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1580-308-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1360-300-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3620-287-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/5108-281-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/5108-277-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon 
behavioral2/memory/4552-270-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3088-266-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/2424-248-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1344-240-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4016-232-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/876-213-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1820-209-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4572-202-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1556-195-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3272-194-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3336-175-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4460-169-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/2520-161-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1676-129-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1540-127-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/3192-122-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/516-116-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4024-100-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/1440-98-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/4876-81-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon behavioral2/memory/2060-49-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon 
behavioral2/memory/4016-42-0x0000000000400000-0x0000000000430000-memory.dmp family_blackmoon -
UPX dump on OEP (original entry point) 64 IoCs
Processes:
resource yara_rule behavioral2/memory/1172-0-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/1172-4-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/1788-6-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/112-20-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/2480-19-0x0000000000400000-0x0000000000430000-memory.dmp UPX \??\c:\btnhhh.exe UPX behavioral2/memory/3284-32-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\rlrrfff.exe UPX \??\c:\dvjjv.exe UPX behavioral2/memory/1764-54-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3640-61-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3640-67-0x0000000000400000-0x0000000000430000-memory.dmp UPX \??\c:\hhnnnn.exe UPX behavioral2/memory/1708-79-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3380-91-0x0000000000400000-0x0000000000430000-memory.dmp UPX \??\c:\jdppp.exe UPX behavioral2/memory/5080-135-0x0000000000400000-0x0000000000430000-memory.dmp UPX C:\nhtthh.exe UPX \??\c:\ppjjd.exe UPX behavioral2/memory/4540-188-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/4332-221-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/1192-225-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/2952-286-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/1580-304-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/4668-367-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/4636-390-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3640-405-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/736-419-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3800-443-0x0000000000400000-0x0000000000430000-memory.dmp UPX 
behavioral2/memory/3812-471-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/404-485-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/4232-519-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/1404-526-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/1632-605-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/5036-734-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3432-779-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3056-807-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/4532-763-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/4456-753-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/740-640-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3936-618-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/2592-601-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/4528-588-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/4600-572-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/1928-544-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/880-531-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/4920-530-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3432-500-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/1776-493-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3908-492-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/1692-482-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3800-439-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/736-423-0x0000000000400000-0x0000000000430000-memory.dmp UPX 
behavioral2/memory/4804-412-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/4140-395-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/2992-382-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/2476-372-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/4668-363-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3432-356-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/4184-346-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3468-342-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/3364-335-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/2700-331-0x0000000000400000-0x0000000000430000-memory.dmp UPX behavioral2/memory/4084-315-0x0000000000400000-0x0000000000430000-memory.dmp UPX -
Executes dropped EXE 64 IoCs
Processes:
ddpdv.exexxrrlxf.exebtnhhh.exepdjdd.exedpdvv.exe7fxxrrl.exerlrrfff.exedjvpj.exedvjjv.exexrfllrf.exehhnnnn.exerfxrffl.exetttttt.exehbnhtt.exejvjdd.exexfrrrxr.exelxlfxxr.exehtbtnh.exehntttb.exejdppp.exe7xrllll.exellrlfff.exebhbbtb.exenhtthh.exeppjjd.exefflxxxx.exeffxflfr.exe7vjpp.exerflfxxx.exexxllxxx.exehnnhbb.exe7ttntt.exepjpjp.exeffrxxfl.exefrrrlll.exe1thbtt.exe3hbtnn.exevjvpj.exefxrlflr.exerrxxlll.exetnnnhh.exevpvvv.exe1flfxxr.exeffxlfll.exetntttt.exe5vpvv.exeppvjd.exellrlffx.exelflfxxr.exehthbbb.exe9bbttt.exepvppd.exeppppp.exefrfffrr.exenthhbb.exetttnhh.exevdvvp.exexxffxxr.exeffffxff.exe7hhbth.exebhtbth.exepdddd.exe5rxrrfl.exerrrlrrx.exepid process 1788 ddpdv.exe 2480 xxrrlxf.exe 112 btnhhh.exe 3248 pdjdd.exe 3284 dpdvv.exe 4016 7fxxrrl.exe 2060 rlrrfff.exe 1764 djvpj.exe 1452 dvjjv.exe 3640 xrfllrf.exe 3848 hhnnnn.exe 1708 rfxrffl.exe 4876 tttttt.exe 3380 hbnhtt.exe 1440 jvjdd.exe 4024 xfrrrxr.exe 2836 lxlfxxr.exe 516 htbtnh.exe 1540 hntttb.exe 3192 jdppp.exe 1676 7xrllll.exe 5080 llrlfff.exe 1840 bhbbtb.exe 4284 nhtthh.exe 4568 ppjjd.exe 2520 fflxxxx.exe 428 ffxflfr.exe 4460 7vjpp.exe 3336 rflfxxx.exe 3468 xxllxxx.exe 4540 hnnhbb.exe 3272 7ttntt.exe 1556 pjpjp.exe 4508 ffrxxfl.exe 4572 frrrlll.exe 1820 1thbtt.exe 4368 3hbtnn.exe 876 vjvpj.exe 4332 fxrlflr.exe 3888 rrxxlll.exe 1192 tnnnhh.exe 2992 vpvvv.exe 4016 1flfxxr.exe 1344 ffxlfll.exe 2120 tntttt.exe 692 5vpvv.exe 2424 ppvjd.exe 844 llrlffx.exe 1972 lflfxxr.exe 4640 hthbbb.exe 3088 9bbttt.exe 4552 pvppd.exe 3912 ppppp.exe 5096 frfffrr.exe 5108 nthhbb.exe 2952 tttnhh.exe 3620 vdvvp.exe 4152 xxffxxr.exe 4644 ffffxff.exe 2284 7hhbth.exe 1360 bhtbth.exe 1580 pdddd.exe 624 5rxrrfl.exe 4084 rrrlrrx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exeddpdv.exexxrrlxf.exebtnhhh.exepdjdd.exedpdvv.exe7fxxrrl.exerlrrfff.exedjvpj.exedvjjv.exexrfllrf.exehhnnnn.exerfxrffl.exetttttt.exehbnhtt.exejvjdd.exexfrrrxr.exelxlfxxr.exehtbtnh.exehntttb.exejdppp.exe7xrllll.exedescription pid process target process PID 1172 wrote to memory of 1788 1172 ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe ddpdv.exe PID 1172 wrote to memory of 1788 1172 ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe ddpdv.exe PID 1172 wrote to memory of 1788 1172 ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe ddpdv.exe PID 1788 wrote to memory of 2480 1788 ddpdv.exe xxrrlxf.exe PID 1788 wrote to memory of 2480 1788 ddpdv.exe xxrrlxf.exe PID 1788 wrote to memory of 2480 1788 ddpdv.exe xxrrlxf.exe PID 2480 wrote to memory of 112 2480 xxrrlxf.exe lxllfrr.exe PID 2480 wrote to memory of 112 2480 xxrrlxf.exe lxllfrr.exe PID 2480 wrote to memory of 112 2480 xxrrlxf.exe lxllfrr.exe PID 112 wrote to memory of 3248 112 btnhhh.exe nnhhnt.exe PID 112 wrote to memory of 3248 112 btnhhh.exe nnhhnt.exe PID 112 wrote to memory of 3248 112 btnhhh.exe nnhhnt.exe PID 3248 wrote to memory of 3284 3248 pdjdd.exe dpdvv.exe PID 3248 wrote to memory of 3284 3248 pdjdd.exe dpdvv.exe PID 3248 wrote to memory of 3284 3248 pdjdd.exe dpdvv.exe PID 3284 wrote to memory of 4016 3284 dpdvv.exe 7fxxrrl.exe PID 3284 wrote to memory of 4016 3284 dpdvv.exe 7fxxrrl.exe PID 3284 wrote to memory of 4016 3284 dpdvv.exe 7fxxrrl.exe PID 4016 wrote to memory of 2060 4016 7fxxrrl.exe rlrrfff.exe PID 4016 wrote to memory of 2060 4016 7fxxrrl.exe rlrrfff.exe PID 4016 wrote to memory of 2060 4016 7fxxrrl.exe rlrrfff.exe PID 2060 wrote to memory of 1764 2060 rlrrfff.exe jvdjd.exe PID 2060 wrote to memory of 1764 2060 rlrrfff.exe jvdjd.exe PID 2060 wrote to memory of 1764 2060 rlrrfff.exe jvdjd.exe PID 1764 wrote to memory of 1452 1764 djvpj.exe dvjjv.exe PID 1764 wrote 
to memory of 1452 1764 djvpj.exe dvjjv.exe PID 1764 wrote to memory of 1452 1764 djvpj.exe dvjjv.exe PID 1452 wrote to memory of 3640 1452 dvjjv.exe xrfllrf.exe PID 1452 wrote to memory of 3640 1452 dvjjv.exe xrfllrf.exe PID 1452 wrote to memory of 3640 1452 dvjjv.exe xrfllrf.exe PID 3640 wrote to memory of 3848 3640 xrfllrf.exe hhnnnn.exe PID 3640 wrote to memory of 3848 3640 xrfllrf.exe hhnnnn.exe PID 3640 wrote to memory of 3848 3640 xrfllrf.exe hhnnnn.exe PID 3848 wrote to memory of 1708 3848 hhnnnn.exe rfxrffl.exe PID 3848 wrote to memory of 1708 3848 hhnnnn.exe rfxrffl.exe PID 3848 wrote to memory of 1708 3848 hhnnnn.exe rfxrffl.exe PID 1708 wrote to memory of 4876 1708 rfxrffl.exe tttttt.exe PID 1708 wrote to memory of 4876 1708 rfxrffl.exe tttttt.exe PID 1708 wrote to memory of 4876 1708 rfxrffl.exe tttttt.exe PID 4876 wrote to memory of 3380 4876 tttttt.exe hbnhtt.exe PID 4876 wrote to memory of 3380 4876 tttttt.exe hbnhtt.exe PID 4876 wrote to memory of 3380 4876 tttttt.exe hbnhtt.exe PID 3380 wrote to memory of 1440 3380 hbnhtt.exe jvjdd.exe PID 3380 wrote to memory of 1440 3380 hbnhtt.exe jvjdd.exe PID 3380 wrote to memory of 1440 3380 hbnhtt.exe jvjdd.exe PID 1440 wrote to memory of 4024 1440 jvjdd.exe xfrrrxr.exe PID 1440 wrote to memory of 4024 1440 jvjdd.exe xfrrrxr.exe PID 1440 wrote to memory of 4024 1440 jvjdd.exe xfrrrxr.exe PID 4024 wrote to memory of 2836 4024 xfrrrxr.exe lxlfxxr.exe PID 4024 wrote to memory of 2836 4024 xfrrrxr.exe lxlfxxr.exe PID 4024 wrote to memory of 2836 4024 xfrrrxr.exe lxlfxxr.exe PID 2836 wrote to memory of 516 2836 lxlfxxr.exe htbtnh.exe PID 2836 wrote to memory of 516 2836 lxlfxxr.exe htbtnh.exe PID 2836 wrote to memory of 516 2836 lxlfxxr.exe htbtnh.exe PID 516 wrote to memory of 1540 516 htbtnh.exe hntttb.exe PID 516 wrote to memory of 1540 516 htbtnh.exe hntttb.exe PID 516 wrote to memory of 1540 516 htbtnh.exe hntttb.exe PID 1540 wrote to memory of 3192 1540 hntttb.exe jdppp.exe PID 1540 wrote to memory of 3192 
1540 hntttb.exe jdppp.exe PID 1540 wrote to memory of 3192 1540 hntttb.exe jdppp.exe PID 3192 wrote to memory of 1676 3192 jdppp.exe 7xrllll.exe PID 3192 wrote to memory of 1676 3192 jdppp.exe 7xrllll.exe PID 3192 wrote to memory of 1676 3192 jdppp.exe 7xrllll.exe PID 1676 wrote to memory of 5080 1676 7xrllll.exe llrlfff.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\875741171\zmstage.exe  C:\Users\Admin\AppData\Local\Temp\875741171\zmstage.exe  1 ⤵ PID:3480
-
C:\Windows\system32\MusNotification.exe  C:\Windows\system32\MusNotification.exe  1 ⤵ PID:4844
-
C:\Users\Admin\AppData\Local\Temp\ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe  "C:\Users\Admin\AppData\Local\Temp\ca7a3a2e07a6f18fbca558b47237f8df732a4e6f041cde9461679d2bfec1bc3d.exe"  1 ⤵
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\ddpdv.exec:\ddpdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\xxrrlxf.exec:\xxrrlxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\btnhhh.exec:\btnhhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\pdjdd.exec:\pdjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\dpdvv.exec:\dpdvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284 -
\??\c:\7fxxrrl.exec:\7fxxrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\rlrrfff.exec:\rlrrfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\djvpj.exec:\djvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\dvjjv.exec:\dvjjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\xrfllrf.exec:\xrfllrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\hhnnnn.exec:\hhnnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
\??\c:\rfxrffl.exec:\rfxrffl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\tttttt.exec:\tttttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\hbnhtt.exec:\hbnhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\jvjdd.exec:\jvjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\xfrrrxr.exec:\xfrrrxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\htbtnh.exec:\htbtnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\hntttb.exec:\hntttb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\jdppp.exec:\jdppp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\7xrllll.exec:\7xrllll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\llrlfff.exec:\llrlfff.exe23⤵
- Executes dropped EXE
PID:5080 -
\??\c:\bhbbtb.exec:\bhbbtb.exe24⤵
- Executes dropped EXE
PID:1840 -
\??\c:\nhtthh.exec:\nhtthh.exe25⤵
- Executes dropped EXE
PID:4284 -
\??\c:\ppjjd.exec:\ppjjd.exe26⤵
- Executes dropped EXE
PID:4568 -
\??\c:\fflxxxx.exec:\fflxxxx.exe27⤵
- Executes dropped EXE
PID:2520 -
\??\c:\ffxflfr.exec:\ffxflfr.exe28⤵
- Executes dropped EXE
PID:428 -
\??\c:\7vjpp.exec:\7vjpp.exe29⤵
- Executes dropped EXE
PID:4460 -
\??\c:\rflfxxx.exec:\rflfxxx.exe30⤵
- Executes dropped EXE
PID:3336 -
\??\c:\xxllxxx.exec:\xxllxxx.exe31⤵
- Executes dropped EXE
PID:3468 -
\??\c:\hnnhbb.exec:\hnnhbb.exe32⤵
- Executes dropped EXE
PID:4540 -
\??\c:\7ttntt.exec:\7ttntt.exe33⤵
- Executes dropped EXE
PID:3272 -
\??\c:\pjpjp.exec:\pjpjp.exe34⤵
- Executes dropped EXE
PID:1556 -
\??\c:\ffrxxfl.exec:\ffrxxfl.exe35⤵
- Executes dropped EXE
PID:4508 -
\??\c:\frrrlll.exec:\frrrlll.exe36⤵
- Executes dropped EXE
PID:4572 -
\??\c:\1thbtt.exec:\1thbtt.exe37⤵
- Executes dropped EXE
PID:1820 -
\??\c:\3hbtnn.exec:\3hbtnn.exe38⤵
- Executes dropped EXE
PID:4368 -
\??\c:\vjvpj.exec:\vjvpj.exe39⤵
- Executes dropped EXE
PID:876 -
\??\c:\fxrlflr.exec:\fxrlflr.exe40⤵
- Executes dropped EXE
PID:4332 -
\??\c:\rrxxlll.exec:\rrxxlll.exe41⤵
- Executes dropped EXE
PID:3888 -
\??\c:\tnnnhh.exec:\tnnnhh.exe42⤵
- Executes dropped EXE
PID:1192 -
\??\c:\vpvvv.exec:\vpvvv.exe43⤵
- Executes dropped EXE
PID:2992 -
\??\c:\1flfxxr.exec:\1flfxxr.exe44⤵
- Executes dropped EXE
PID:4016 -
\??\c:\ffxlfll.exec:\ffxlfll.exe45⤵
- Executes dropped EXE
PID:1344 -
\??\c:\tntttt.exec:\tntttt.exe46⤵
- Executes dropped EXE
PID:2120 -
\??\c:\5vpvv.exec:\5vpvv.exe47⤵
- Executes dropped EXE
PID:692 -
\??\c:\ppvjd.exec:\ppvjd.exe48⤵
- Executes dropped EXE
PID:2424 -
\??\c:\llrlffx.exec:\llrlffx.exe49⤵
- Executes dropped EXE
PID:844 -
\??\c:\lflfxxr.exec:\lflfxxr.exe50⤵
- Executes dropped EXE
PID:1972 -
\??\c:\hthbbb.exec:\hthbbb.exe51⤵
- Executes dropped EXE
PID:4640 -
\??\c:\9bbttt.exec:\9bbttt.exe52⤵
- Executes dropped EXE
PID:3088 -
\??\c:\pvppd.exec:\pvppd.exe53⤵
- Executes dropped EXE
PID:4552 -
\??\c:\ppppp.exec:\ppppp.exe54⤵
- Executes dropped EXE
PID:3912 -
\??\c:\frfffrr.exec:\frfffrr.exe55⤵
- Executes dropped EXE
PID:5096 -
\??\c:\nthhbb.exec:\nthhbb.exe56⤵
- Executes dropped EXE
PID:5108 -
\??\c:\tttnhh.exec:\tttnhh.exe57⤵
- Executes dropped EXE
PID:2952 -
\??\c:\vdvvp.exec:\vdvvp.exe58⤵
- Executes dropped EXE
PID:3620 -
\??\c:\xxffxxr.exec:\xxffxxr.exe59⤵
- Executes dropped EXE
PID:4152 -
\??\c:\ffffxff.exec:\ffffxff.exe60⤵
- Executes dropped EXE
PID:4644 -
\??\c:\7hhbth.exec:\7hhbth.exe61⤵
- Executes dropped EXE
PID:2284 -
\??\c:\bhtbth.exec:\bhtbth.exe62⤵
- Executes dropped EXE
PID:1360 -
\??\c:\pdddd.exec:\pdddd.exe63⤵
- Executes dropped EXE
PID:1580 -
\??\c:\5rxrrfl.exec:\5rxrrfl.exe64⤵
- Executes dropped EXE
PID:624 -
\??\c:\rrrlrrx.exec:\rrrlrrx.exe65⤵
- Executes dropped EXE
PID:4084 -
\??\c:\bhbbbn.exec:\bhbbbn.exe66⤵PID:4248
-
\??\c:\hbnnnn.exec:\hbnnnn.exe67⤵PID:452
-
\??\c:\jdddd.exec:\jdddd.exe68⤵PID:816
-
\??\c:\dvvdv.exec:\dvvdv.exe69⤵PID:2756
-
\??\c:\xlxrrlr.exec:\xlxrrlr.exe70⤵PID:5036
-
\??\c:\bbtnnn.exec:\bbtnnn.exe71⤵PID:2700
-
\??\c:\hhhbth.exec:\hhhbth.exe72⤵PID:3364
-
\??\c:\tnnnhh.exec:\tnnnhh.exe73⤵PID:3468
-
\??\c:\1jpjj.exec:\1jpjj.exe74⤵PID:4540
-
\??\c:\jdpjj.exec:\jdpjj.exe75⤵PID:4184
-
\??\c:\fxlrrrr.exec:\fxlrrrr.exe76⤵PID:4148
-
\??\c:\xflrrxx.exec:\xflrrxx.exe77⤵PID:4456
-
\??\c:\hbhhhh.exec:\hbhhhh.exe78⤵PID:3432
-
\??\c:\tnnhbb.exec:\tnnhbb.exe79⤵PID:1056
-
\??\c:\pjjjd.exec:\pjjjd.exe80⤵PID:4668
-
\??\c:\jvdvp.exec:\jvdvp.exe81⤵PID:2904
-
\??\c:\fxrlfrr.exec:\fxrlfrr.exe82⤵PID:2476
-
\??\c:\ffffffx.exec:\ffffffx.exe83⤵PID:3888
-
\??\c:\tthhbh.exec:\tthhbh.exe84⤵PID:1332
-
\??\c:\9ffxfff.exec:\9ffxfff.exe85⤵PID:2992
-
\??\c:\htntth.exec:\htntth.exe86⤵PID:880
-
\??\c:\btbttb.exec:\btbttb.exe87⤵PID:4636
-
\??\c:\5jvpj.exec:\5jvpj.exe88⤵PID:2664
-
\??\c:\ddjdd.exec:\ddjdd.exe89⤵PID:4140
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe90⤵PID:4844
-
\??\c:\fflfxxx.exec:\fflfxxx.exe91⤵PID:3864
-
\??\c:\9hhbtb.exec:\9hhbtb.exe92⤵PID:3640
-
\??\c:\nhtnhn.exec:\nhtnhn.exe93⤵PID:4804
-
\??\c:\vjvpp.exec:\vjvpp.exe94⤵PID:4008
-
\??\c:\5vdvj.exec:\5vdvj.exe95⤵PID:4280
-
\??\c:\xxrxxxl.exec:\xxrxxxl.exe96⤵PID:736
-
\??\c:\xrlfflr.exec:\xrlfflr.exe97⤵PID:5096
-
\??\c:\hbnhnh.exec:\hbnhnh.exe98⤵PID:5108
-
\??\c:\ddpjd.exec:\ddpjd.exe99⤵PID:2952
-
\??\c:\1dpjv.exec:\1dpjv.exe100⤵PID:4036
-
\??\c:\xffxxfl.exec:\xffxxfl.exe101⤵PID:5068
-
\??\c:\lxlfrrl.exec:\lxlfrrl.exe102⤵PID:3800
-
\??\c:\btthht.exec:\btthht.exe103⤵PID:1616
-
\??\c:\nthhhn.exec:\nthhhn.exe104⤵PID:2160
-
\??\c:\pjvpp.exec:\pjvpp.exe105⤵PID:1060
-
\??\c:\dvdjd.exec:\dvdjd.exe106⤵PID:2100
-
\??\c:\rfffxff.exec:\rfffxff.exe107⤵PID:4084
-
\??\c:\fxxrrrf.exec:\fxxrrrf.exe108⤵PID:4248
-
\??\c:\ntbbnt.exec:\ntbbnt.exe109⤵PID:3236
-
\??\c:\nbhbtt.exec:\nbhbtt.exe110⤵PID:1856
-
\??\c:\jpddv.exec:\jpddv.exe111⤵PID:1868
-
\??\c:\7vvvj.exec:\7vvvj.exe112⤵PID:3812
-
\??\c:\rfrrlll.exec:\rfrrlll.exe113⤵PID:3116
-
\??\c:\lfflfxx.exec:\lfflfxx.exe114⤵PID:2528
-
\??\c:\bbnnth.exec:\bbnnth.exe115⤵PID:1692
-
\??\c:\5ttnhn.exec:\5ttnhn.exe116⤵PID:404
-
\??\c:\nhhbbt.exec:\nhhbbt.exe117⤵PID:3908
-
\??\c:\3vvvv.exec:\3vvvv.exe118⤵PID:1776
-
\??\c:\3xlfxxx.exec:\3xlfxxx.exe119⤵PID:1184
-
\??\c:\rrlfxll.exec:\rrlfxll.exe120⤵PID:3432
-
\??\c:\tntnnn.exec:\tntnnn.exe121⤵PID:1760
-
\??\c:\hhnhbb.exec:\hhnhbb.exe122⤵PID:60