Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
08/01/2025, 05:00 (day/month order is ambiguous in this export — 8 Jan or 1 Aug 2025; the win7-20240708-en image only bounds the run to no earlier than July 2024)
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe
-
Size
454KB
-
MD5
4277192a52f6d58b02381afd9abde73f
-
SHA1
e04c984f44c4aaa4fa7098bdbdc533797f8daa3e
-
SHA256
0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f
-
SHA512
8a1570af7579a3cc004f63b89bf13bfafe02cce987398782965544d85585957b22f232734e3039f5dff1749164fc9d7f312761bdfabe450e1f0f89ffa44464bd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1Q6:q7Tc2NYHUrAwfMp3CD1r
Malware Config — none extracted for this sample (the section is empty in this report)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 48 IoCs. Every matching dump covers the same 0x2A000-byte range (mostly 0x400000-0x42A000, i.e. the image at its default base), which is consistent with each dropped stage being a copy of the same payload rather than a distinct binary; the hits at other bases (e.g. 0x220000-0x24A000) are the same size and are presumably a second mapping of that image — confirm by diffing the dumps before relying on it.
resource yara_rule behavioral1/memory/2376-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-51-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2804-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-105-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1400-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1156-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-191-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1624-222-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/640-235-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/640-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/488-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/540-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-337-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2172-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-379-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2636-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1016-480-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2856-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/956-507-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/956-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/956-526-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2236-539-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2960-553-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2216-562-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1716-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2652-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-659-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1040-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-901-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the listing is capped at 64 entries; the process tree below continues to depth 122). Note that PIDs are reused within the run (2684 appears as both rrfrlrl.exe and bttntt.exe, 1764 as both a0884.exe and xrxxfrx.exe), so correlate memory dumps and IoCs by PID plus image name, never by PID alone.
pid Process 2024 64626.exe 2512 vppvd.exe 2096 6220686.exe 2744 hbbtth.exe 2128 226262.exe 2804 9bnbhn.exe 2684 rrfrlrl.exe 2676 0800224.exe 2748 046640.exe 2604 rrffrrf.exe 2624 206688.exe 2232 646224.exe 1400 08248.exe 1696 4202840.exe 1100 8842688.exe 1156 m6062.exe 1764 a0884.exe 1908 7nbbhn.exe 3016 nnnnnn.exe 2432 bhthhb.exe 1892 nhhtbh.exe 1460 1bnnnb.exe 852 rfffxfl.exe 1624 0802846.exe 640 dddjv.exe 1532 o606240.exe 1852 jvppd.exe 488 868460.exe 2124 4884668.exe 2216 0862444.exe 1648 rrlrxlr.exe 540 0806884.exe 2500 m0800.exe 2324 242808.exe 1076 lxrlfff.exe 1952 9jdvv.exe 2068 dvdjp.exe 2532 thtntt.exe 2172 ffrxflx.exe 2796 lfrxfxf.exe 2816 nbnnth.exe 2764 3hnbbn.exe 2684 bttntt.exe 2256 xxxlffx.exe 2908 tntbnt.exe 1404 bthhnt.exe 2580 868422.exe 2636 86444.exe 840 xlxfrrf.exe 2044 86844.exe 1268 tnbbbb.exe 1808 frffllx.exe 1456 206686.exe 1936 m2662.exe 1948 lflffff.exe 1764 xrxxfrx.exe 2144 xlffrfr.exe 2600 rlfrllx.exe 2916 jdjjj.exe 1016 68008.exe 2856 1vdjp.exe 1056 jdjpp.exe 956 rfxxrlx.exe 2880 260066.exe -
resource yara_rule behavioral1/memory/2376-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1400-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1624-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/640-235-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/640-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/488-265-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1648-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/540-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1456-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1936-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-613-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2652-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-703-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/500-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1160-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-830-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-850-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-857-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-908-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-921-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-947-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-984-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) — 1 TTP, 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location. Caveat: every IoC below is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, which ordinary locale lookups also touch; on its own this is a weak signal and is only notable here because each dropped stage repeats it. Entries attributed to "Process not Found" presumably belong to stages that had already exited before the sandbox resolved the PID — treat them as unattributed rather than as a separate process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o688884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e68400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q26288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e60688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o480880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4282866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (capped; see the process tree for the full chain). Each parent writes into the child it has just spawned, and the pairs follow the process tree below exactly (2376→2024→2512→2096→…). The four identical entries per pair reflect the sandbox logging each call, not four distinct children. Writes into a freshly created child are consistent with a stage-to-stage hand-off (e.g. injection before the child runs), but this report does not show what was written — verify against the memory dumps before calling it process hollowing.
description pid Process procid_target PID 2376 wrote to memory of 2024 2376 0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe 30 PID 2376 wrote to memory of 2024 2376 0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe 30 PID 2376 wrote to memory of 2024 2376 0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe 30 PID 2376 wrote to memory of 2024 2376 0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe 30 PID 2024 wrote to memory of 2512 2024 64626.exe 31 PID 2024 wrote to memory of 2512 2024 64626.exe 31 PID 2024 wrote to memory of 2512 2024 64626.exe 31 PID 2024 wrote to memory of 2512 2024 64626.exe 31 PID 2512 wrote to memory of 2096 2512 vppvd.exe 32 PID 2512 wrote to memory of 2096 2512 vppvd.exe 32 PID 2512 wrote to memory of 2096 2512 vppvd.exe 32 PID 2512 wrote to memory of 2096 2512 vppvd.exe 32 PID 2096 wrote to memory of 2744 2096 6220686.exe 33 PID 2096 wrote to memory of 2744 2096 6220686.exe 33 PID 2096 wrote to memory of 2744 2096 6220686.exe 33 PID 2096 wrote to memory of 2744 2096 6220686.exe 33 PID 2744 wrote to memory of 2128 2744 hbbtth.exe 34 PID 2744 wrote to memory of 2128 2744 hbbtth.exe 34 PID 2744 wrote to memory of 2128 2744 hbbtth.exe 34 PID 2744 wrote to memory of 2128 2744 hbbtth.exe 34 PID 2128 wrote to memory of 2804 2128 226262.exe 35 PID 2128 wrote to memory of 2804 2128 226262.exe 35 PID 2128 wrote to memory of 2804 2128 226262.exe 35 PID 2128 wrote to memory of 2804 2128 226262.exe 35 PID 2804 wrote to memory of 2684 2804 9bnbhn.exe 36 PID 2804 wrote to memory of 2684 2804 9bnbhn.exe 36 PID 2804 wrote to memory of 2684 2804 9bnbhn.exe 36 PID 2804 wrote to memory of 2684 2804 9bnbhn.exe 36 PID 2684 wrote to memory of 2676 2684 rrfrlrl.exe 37 PID 2684 wrote to memory of 2676 2684 rrfrlrl.exe 37 PID 2684 wrote to memory of 2676 2684 rrfrlrl.exe 37 PID 2684 wrote to memory of 2676 2684 rrfrlrl.exe 37 PID 2676 wrote to memory of 2748 2676 0800224.exe 38 PID 2676 
wrote to memory of 2748 2676 0800224.exe 38 PID 2676 wrote to memory of 2748 2676 0800224.exe 38 PID 2676 wrote to memory of 2748 2676 0800224.exe 38 PID 2748 wrote to memory of 2604 2748 046640.exe 39 PID 2748 wrote to memory of 2604 2748 046640.exe 39 PID 2748 wrote to memory of 2604 2748 046640.exe 39 PID 2748 wrote to memory of 2604 2748 046640.exe 39 PID 2604 wrote to memory of 2624 2604 rrffrrf.exe 40 PID 2604 wrote to memory of 2624 2604 rrffrrf.exe 40 PID 2604 wrote to memory of 2624 2604 rrffrrf.exe 40 PID 2604 wrote to memory of 2624 2604 rrffrrf.exe 40 PID 2624 wrote to memory of 2232 2624 206688.exe 41 PID 2624 wrote to memory of 2232 2624 206688.exe 41 PID 2624 wrote to memory of 2232 2624 206688.exe 41 PID 2624 wrote to memory of 2232 2624 206688.exe 41 PID 2232 wrote to memory of 1400 2232 646224.exe 42 PID 2232 wrote to memory of 1400 2232 646224.exe 42 PID 2232 wrote to memory of 1400 2232 646224.exe 42 PID 2232 wrote to memory of 1400 2232 646224.exe 42 PID 1400 wrote to memory of 1696 1400 08248.exe 43 PID 1400 wrote to memory of 1696 1400 08248.exe 43 PID 1400 wrote to memory of 1696 1400 08248.exe 43 PID 1400 wrote to memory of 1696 1400 08248.exe 43 PID 1696 wrote to memory of 1100 1696 4202840.exe 44 PID 1696 wrote to memory of 1100 1696 4202840.exe 44 PID 1696 wrote to memory of 1100 1696 4202840.exe 44 PID 1696 wrote to memory of 1100 1696 4202840.exe 44 PID 1100 wrote to memory of 1156 1100 8842688.exe 45 PID 1100 wrote to memory of 1156 1100 8842688.exe 45 PID 1100 wrote to memory of 1156 1100 8842688.exe 45 PID 1100 wrote to memory of 1156 1100 8842688.exe 45
Processes (each entry below is the image path, followed by its command line and its depth in the process tree; every dropped stage runs from the root of C:\, e.g. \??\c:\64626.exe, which is itself a useful detection point — executables created and launched from the drive root)
-
C:\Users\Admin\AppData\Local\Temp\0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe"C:\Users\Admin\AppData\Local\Temp\0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\64626.exec:\64626.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\vppvd.exec:\vppvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\6220686.exec:\6220686.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\hbbtth.exec:\hbbtth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\226262.exec:\226262.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\9bnbhn.exec:\9bnbhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\rrfrlrl.exec:\rrfrlrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\0800224.exec:\0800224.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\046640.exec:\046640.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\rrffrrf.exec:\rrffrrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\206688.exec:\206688.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\646224.exec:\646224.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\08248.exec:\08248.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\4202840.exec:\4202840.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\8842688.exec:\8842688.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\m6062.exec:\m6062.exe17⤵
- Executes dropped EXE
PID:1156 -
\??\c:\a0884.exec:\a0884.exe18⤵
- Executes dropped EXE
PID:1764 -
\??\c:\7nbbhn.exec:\7nbbhn.exe19⤵
- Executes dropped EXE
PID:1908 -
\??\c:\nnnnnn.exec:\nnnnnn.exe20⤵
- Executes dropped EXE
PID:3016 -
\??\c:\bhthhb.exec:\bhthhb.exe21⤵
- Executes dropped EXE
PID:2432 -
\??\c:\nhhtbh.exec:\nhhtbh.exe22⤵
- Executes dropped EXE
PID:1892 -
\??\c:\1bnnnb.exec:\1bnnnb.exe23⤵
- Executes dropped EXE
PID:1460 -
\??\c:\rfffxfl.exec:\rfffxfl.exe24⤵
- Executes dropped EXE
PID:852 -
\??\c:\0802846.exec:\0802846.exe25⤵
- Executes dropped EXE
PID:1624 -
\??\c:\dddjv.exec:\dddjv.exe26⤵
- Executes dropped EXE
PID:640 -
\??\c:\o606240.exec:\o606240.exe27⤵
- Executes dropped EXE
PID:1532 -
\??\c:\jvppd.exec:\jvppd.exe28⤵
- Executes dropped EXE
PID:1852 -
\??\c:\868460.exec:\868460.exe29⤵
- Executes dropped EXE
PID:488 -
\??\c:\4884668.exec:\4884668.exe30⤵
- Executes dropped EXE
PID:2124 -
\??\c:\0862444.exec:\0862444.exe31⤵
- Executes dropped EXE
PID:2216 -
\??\c:\rrlrxlr.exec:\rrlrxlr.exe32⤵
- Executes dropped EXE
PID:1648 -
\??\c:\0806884.exec:\0806884.exe33⤵
- Executes dropped EXE
PID:540 -
\??\c:\m0800.exec:\m0800.exe34⤵
- Executes dropped EXE
PID:2500 -
\??\c:\242808.exec:\242808.exe35⤵
- Executes dropped EXE
PID:2324 -
\??\c:\lxrlfff.exec:\lxrlfff.exe36⤵
- Executes dropped EXE
PID:1076 -
\??\c:\9jdvv.exec:\9jdvv.exe37⤵
- Executes dropped EXE
PID:1952 -
\??\c:\dvdjp.exec:\dvdjp.exe38⤵
- Executes dropped EXE
PID:2068 -
\??\c:\thtntt.exec:\thtntt.exe39⤵
- Executes dropped EXE
PID:2532 -
\??\c:\ffrxflx.exec:\ffrxflx.exe40⤵
- Executes dropped EXE
PID:2172 -
\??\c:\lfrxfxf.exec:\lfrxfxf.exe41⤵
- Executes dropped EXE
PID:2796 -
\??\c:\nbnnth.exec:\nbnnth.exe42⤵
- Executes dropped EXE
PID:2816 -
\??\c:\3hnbbn.exec:\3hnbbn.exe43⤵
- Executes dropped EXE
PID:2764 -
\??\c:\bttntt.exec:\bttntt.exe44⤵
- Executes dropped EXE
PID:2684 -
\??\c:\xxxlffx.exec:\xxxlffx.exe45⤵
- Executes dropped EXE
PID:2256 -
\??\c:\tntbnt.exec:\tntbnt.exe46⤵
- Executes dropped EXE
PID:2908 -
\??\c:\bthhnt.exec:\bthhnt.exe47⤵
- Executes dropped EXE
PID:1404 -
\??\c:\868422.exec:\868422.exe48⤵
- Executes dropped EXE
PID:2580 -
\??\c:\86444.exec:\86444.exe49⤵
- Executes dropped EXE
PID:2636 -
\??\c:\xlxfrrf.exec:\xlxfrrf.exe50⤵
- Executes dropped EXE
PID:840 -
\??\c:\86844.exec:\86844.exe51⤵
- Executes dropped EXE
PID:2044 -
\??\c:\tnbbbb.exec:\tnbbbb.exe52⤵
- Executes dropped EXE
PID:1268 -
\??\c:\frffllx.exec:\frffllx.exe53⤵
- Executes dropped EXE
PID:1808 -
\??\c:\206686.exec:\206686.exe54⤵
- Executes dropped EXE
PID:1456 -
\??\c:\m2662.exec:\m2662.exe55⤵
- Executes dropped EXE
PID:1936 -
\??\c:\lflffff.exec:\lflffff.exe56⤵
- Executes dropped EXE
PID:1948 -
\??\c:\xrxxfrx.exec:\xrxxfrx.exe57⤵
- Executes dropped EXE
PID:1764 -
\??\c:\xlffrfr.exec:\xlffrfr.exe58⤵
- Executes dropped EXE
PID:2144 -
\??\c:\rlfrllx.exec:\rlfrllx.exe59⤵
- Executes dropped EXE
PID:2600 -
\??\c:\jdjjj.exec:\jdjjj.exe60⤵
- Executes dropped EXE
PID:2916 -
\??\c:\68008.exec:\68008.exe61⤵
- Executes dropped EXE
PID:1016 -
\??\c:\1vdjp.exec:\1vdjp.exe62⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jdjpp.exec:\jdjpp.exe63⤵
- Executes dropped EXE
PID:1056 -
\??\c:\rfxxrlx.exec:\rfxxrlx.exe64⤵
- Executes dropped EXE
PID:956 -
\??\c:\260066.exec:\260066.exe65⤵
- Executes dropped EXE
PID:2880 -
\??\c:\7vpvp.exec:\7vpvp.exe66⤵PID:1640
-
\??\c:\xrllrxf.exec:\xrllrxf.exe67⤵PID:2168
-
\??\c:\486022.exec:\486022.exe68⤵PID:1368
-
\??\c:\2006862.exec:\2006862.exe69⤵PID:2236
-
\??\c:\pdjjj.exec:\pdjjj.exe70⤵PID:1820
-
\??\c:\26428.exec:\26428.exe71⤵PID:2960
-
\??\c:\fxllrlr.exec:\fxllrlr.exe72⤵PID:2280
-
\??\c:\604224.exec:\604224.exe73⤵PID:2216
-
\??\c:\2022240.exec:\2022240.exe74⤵PID:1512
-
\??\c:\g6008.exec:\g6008.exe75⤵PID:1716
-
\??\c:\8028068.exec:\8028068.exe76⤵PID:2296
-
\??\c:\5vjjj.exec:\5vjjj.exe77⤵PID:592
-
\??\c:\000448.exec:\000448.exe78⤵PID:2324
-
\??\c:\hhthtn.exec:\hhthtn.exe79⤵PID:1076
-
\??\c:\hbnbhn.exec:\hbnbhn.exe80⤵PID:1952
-
\??\c:\w20068.exec:\w20068.exe81⤵PID:2068
-
\??\c:\2804000.exec:\2804000.exe82⤵PID:2652
-
\??\c:\5tbnnn.exec:\5tbnnn.exe83⤵PID:2716
-
\??\c:\fxllxlf.exec:\fxllxlf.exe84⤵PID:2568
-
\??\c:\ttnhnh.exec:\ttnhnh.exe85⤵PID:2940
-
\??\c:\646622.exec:\646622.exe86⤵PID:2724
-
\??\c:\9fxrrrr.exec:\9fxrrrr.exe87⤵PID:2684
-
\??\c:\08624.exec:\08624.exe88⤵PID:2824
-
\??\c:\fxrrxrr.exec:\fxrrxrr.exe89⤵PID:2672
-
\??\c:\tbbhbb.exec:\tbbhbb.exe90⤵PID:1404
-
\??\c:\8226600.exec:\8226600.exe91⤵PID:2492
-
\??\c:\o244000.exec:\o244000.exe92⤵PID:2636
-
\??\c:\nbnnnh.exec:\nbnnnh.exe93⤵PID:1484
-
\??\c:\264402.exec:\264402.exe94⤵PID:1040
-
\??\c:\rlxxxxx.exec:\rlxxxxx.exe95⤵PID:500
-
\??\c:\flxllff.exec:\flxllff.exe96⤵PID:1984
-
\??\c:\8684668.exec:\8684668.exe97⤵PID:1160
-
\??\c:\bththh.exec:\bththh.exe98⤵PID:2620
-
\??\c:\btnntt.exec:\btnntt.exe99⤵PID:2660
-
\??\c:\pdddj.exec:\pdddj.exe100⤵PID:2396
-
\??\c:\826684.exec:\826684.exe101⤵PID:2176
-
\??\c:\9nbbbh.exec:\9nbbbh.exe102⤵PID:2896
-
\??\c:\m2620.exec:\m2620.exe103⤵PID:2152
-
\??\c:\nbnhhh.exec:\nbnhhh.exe104⤵PID:1660
-
\??\c:\e24404.exec:\e24404.exe105⤵PID:1460
-
\??\c:\0866228.exec:\0866228.exe106⤵PID:1616
-
\??\c:\bthnnn.exec:\bthnnn.exe107⤵PID:1860
-
\??\c:\82884.exec:\82884.exe108⤵PID:1624
-
\??\c:\46822.exec:\46822.exe109⤵PID:620
-
\??\c:\64228.exec:\64228.exe110⤵PID:1640
-
\??\c:\nnhnbh.exec:\nnhnbh.exe111⤵PID:2968
-
\??\c:\646200.exec:\646200.exe112⤵PID:1368
-
\??\c:\8626262.exec:\8626262.exe113⤵PID:2236
-
\??\c:\btnhhh.exec:\btnhhh.exe114⤵PID:760
-
\??\c:\0248262.exec:\0248262.exe115⤵PID:320
-
\??\c:\82062.exec:\82062.exe116⤵PID:2280
-
\??\c:\m6406.exec:\m6406.exe117⤵PID:2988
-
\??\c:\jpddd.exec:\jpddd.exe118⤵PID:1512
-
\??\c:\vjvvd.exec:\vjvvd.exe119⤵PID:2100
-
\??\c:\i228440.exec:\i228440.exe120⤵PID:1956
-
\??\c:\tthhhh.exec:\tthhhh.exe121⤵PID:592
-
\??\c:\u482820.exec:\u482820.exe122⤵PID:2324