Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:13
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe
-
Size
457KB
-
MD5
06a37ece0983d5e900630eeb162c84a6
-
SHA1
e465f6783bdd06cda089e710a9750bf6494e3822
-
SHA256
bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b
-
SHA512
63a80fccfe70a95259ba9911ec88169fc7b31646280b7184c2a4bcec68b1fee4ea9201eebff6d7b0eda636267acac4f9fac65b60d3267fb2fa9a2bbf31c98978
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRPK:q7Tc2NYHUrAwfMp3CDRy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/1268-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-115-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3052-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-135-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/1996-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-166-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1432-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-171-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2096-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-198-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1068-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-241-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/768-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/304-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-291-0x00000000777E0000-0x00000000778FF000-memory.dmp family_blackmoon behavioral1/memory/2000-289-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1652-306-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1652-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-540-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/304-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/304-549-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-547-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/2316-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2000-564-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/580-593-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2116-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1268-840-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1204-853-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1740-953-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1448-981-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2356-1091-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1916-1098-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/1268-1139-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2156-1249-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2080 6428040.exe 320 bbnbhn.exe 1028 ffflxxr.exe 2152 2806262.exe 2852 a2062.exe 2848 bbhnth.exe 2812 jdvdj.exe 2720 lfxlxfl.exe 2748 3jvdj.exe 2756 u028402.exe 2508 rrrxlll.exe 1316 ddpvj.exe 3052 xxlrxlr.exe 1996 26464.exe 1440 k00028.exe 3044 llxfrxx.exe 2428 48062.exe 1432 i202062.exe 2096 g6880.exe 1700 3bttnn.exe 2312 4840628.exe 1712 268062.exe 1068 206022.exe 928 648466.exe 1556 82468.exe 1548 64280.exe 768 7pppj.exe 2168 dvjpd.exe 304 q48846.exe 1012 hbbtht.exe 1520 264028.exe 2000 04628.exe 1652 7htbhh.exe 2600 e04066.exe 2520 w64066.exe 1028 btntbb.exe 2524 rlxlxxl.exe 2916 08448.exe 2820 i044824.exe 2856 9dvdj.exe 2964 20284.exe 2832 nbhnbh.exe 2948 xfxfrrf.exe 2724 642860.exe 2864 4200284.exe 2336 nbhhhh.exe 2764 i860262.exe 1804 jpjdd.exe 2432 22262.exe 1992 ddppd.exe 2992 08602.exe 3036 08668.exe 3020 o266220.exe 536 s2084.exe 1764 g8804.exe 2280 3xlfrrx.exe 2204 8688440.exe 1244 pdppd.exe 2420 40240.exe 2272 4802840.exe 2028 xfffrfl.exe 1508 60884.exe 2068 6406884.exe 2732 602644.exe -
resource yara_rule behavioral1/memory/1268-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-166-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1432-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1068-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-241-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/768-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/304-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2000-291-0x00000000777E0000-0x00000000778FF000-memory.dmp upx 
behavioral1/memory/1652-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/304-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/696-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-866-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/604-891-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-922-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1332-929-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-981-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2452-1077-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-1249-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2288-1280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-1318-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2040668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k82422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8244284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 242842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1268 wrote to memory of 2080 1268 bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe 31 PID 1268 wrote to memory of 2080 1268 bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe 31 PID 1268 wrote to memory of 2080 1268 bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe 31 PID 1268 wrote to memory of 2080 1268 bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe 31 PID 2080 wrote to memory of 320 2080 6428040.exe 32 PID 2080 wrote to memory of 320 2080 6428040.exe 32 PID 2080 wrote to memory of 320 2080 6428040.exe 32 PID 2080 wrote to memory of 320 2080 6428040.exe 32 PID 320 wrote to memory of 1028 320 bbnbhn.exe 33 PID 320 wrote to memory of 1028 320 bbnbhn.exe 33 PID 320 wrote to memory of 1028 320 bbnbhn.exe 33 PID 320 wrote to memory of 1028 320 bbnbhn.exe 33 PID 1028 wrote to memory of 2152 1028 ffflxxr.exe 34 PID 1028 wrote to memory of 2152 1028 ffflxxr.exe 34 PID 1028 wrote to memory of 2152 1028 ffflxxr.exe 34 PID 1028 wrote to memory of 2152 1028 ffflxxr.exe 34 PID 2152 wrote to memory of 2852 2152 2806262.exe 35 PID 2152 wrote to memory of 2852 2152 2806262.exe 35 PID 2152 wrote to memory of 2852 2152 2806262.exe 35 PID 2152 wrote to memory of 2852 2152 2806262.exe 35 PID 2852 wrote to memory of 2848 2852 a2062.exe 36 PID 2852 wrote to memory of 2848 2852 a2062.exe 36 PID 2852 wrote to memory of 2848 2852 a2062.exe 36 PID 2852 wrote to memory of 2848 2852 a2062.exe 36 PID 2848 wrote to memory of 2812 2848 bbhnth.exe 37 PID 2848 wrote to memory of 2812 2848 bbhnth.exe 37 PID 2848 wrote to memory of 2812 2848 bbhnth.exe 37 PID 2848 wrote to memory of 2812 2848 bbhnth.exe 37 PID 2812 wrote to memory of 2720 2812 jdvdj.exe 38 PID 2812 wrote to memory of 2720 2812 jdvdj.exe 38 PID 2812 wrote to memory of 2720 2812 jdvdj.exe 38 PID 2812 wrote to memory of 2720 2812 jdvdj.exe 38 PID 2720 wrote to memory of 2748 2720 lfxlxfl.exe 39 PID 2720 wrote to 
memory of 2748 2720 lfxlxfl.exe 39 PID 2720 wrote to memory of 2748 2720 lfxlxfl.exe 39 PID 2720 wrote to memory of 2748 2720 lfxlxfl.exe 39 PID 2748 wrote to memory of 2756 2748 3jvdj.exe 40 PID 2748 wrote to memory of 2756 2748 3jvdj.exe 40 PID 2748 wrote to memory of 2756 2748 3jvdj.exe 40 PID 2748 wrote to memory of 2756 2748 3jvdj.exe 40 PID 2756 wrote to memory of 2508 2756 u028402.exe 41 PID 2756 wrote to memory of 2508 2756 u028402.exe 41 PID 2756 wrote to memory of 2508 2756 u028402.exe 41 PID 2756 wrote to memory of 2508 2756 u028402.exe 41 PID 2508 wrote to memory of 1316 2508 rrrxlll.exe 42 PID 2508 wrote to memory of 1316 2508 rrrxlll.exe 42 PID 2508 wrote to memory of 1316 2508 rrrxlll.exe 42 PID 2508 wrote to memory of 1316 2508 rrrxlll.exe 42 PID 1316 wrote to memory of 3052 1316 ddpvj.exe 43 PID 1316 wrote to memory of 3052 1316 ddpvj.exe 43 PID 1316 wrote to memory of 3052 1316 ddpvj.exe 43 PID 1316 wrote to memory of 3052 1316 ddpvj.exe 43 PID 3052 wrote to memory of 1996 3052 xxlrxlr.exe 44 PID 3052 wrote to memory of 1996 3052 xxlrxlr.exe 44 PID 3052 wrote to memory of 1996 3052 xxlrxlr.exe 44 PID 3052 wrote to memory of 1996 3052 xxlrxlr.exe 44 PID 1996 wrote to memory of 1440 1996 26464.exe 45 PID 1996 wrote to memory of 1440 1996 26464.exe 45 PID 1996 wrote to memory of 1440 1996 26464.exe 45 PID 1996 wrote to memory of 1440 1996 26464.exe 45 PID 1440 wrote to memory of 3044 1440 k00028.exe 46 PID 1440 wrote to memory of 3044 1440 k00028.exe 46 PID 1440 wrote to memory of 3044 1440 k00028.exe 46 PID 1440 wrote to memory of 3044 1440 k00028.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe"C:\Users\Admin\AppData\Local\Temp\bb6c7862ee1a89cb715779b330bf7083b2dafa43f7f61e93a12326253bd8936b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\6428040.exec:\6428040.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\bbnbhn.exec:\bbnbhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\ffflxxr.exec:\ffflxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\2806262.exec:\2806262.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\a2062.exec:\a2062.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\bbhnth.exec:\bbhnth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\jdvdj.exec:\jdvdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\lfxlxfl.exec:\lfxlxfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\3jvdj.exec:\3jvdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\u028402.exec:\u028402.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\rrrxlll.exec:\rrrxlll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\ddpvj.exec:\ddpvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\xxlrxlr.exec:\xxlrxlr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\26464.exec:\26464.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\k00028.exec:\k00028.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\llxfrxx.exec:\llxfrxx.exe17⤵
- Executes dropped EXE
PID:3044 -
\??\c:\48062.exec:\48062.exe18⤵
- Executes dropped EXE
PID:2428 -
\??\c:\i202062.exec:\i202062.exe19⤵
- Executes dropped EXE
PID:1432 -
\??\c:\g6880.exec:\g6880.exe20⤵
- Executes dropped EXE
PID:2096 -
\??\c:\3bttnn.exec:\3bttnn.exe21⤵
- Executes dropped EXE
PID:1700 -
\??\c:\4840628.exec:\4840628.exe22⤵
- Executes dropped EXE
PID:2312 -
\??\c:\268062.exec:\268062.exe23⤵
- Executes dropped EXE
PID:1712 -
\??\c:\206022.exec:\206022.exe24⤵
- Executes dropped EXE
PID:1068 -
\??\c:\648466.exec:\648466.exe25⤵
- Executes dropped EXE
PID:928 -
\??\c:\82468.exec:\82468.exe26⤵
- Executes dropped EXE
PID:1556 -
\??\c:\64280.exec:\64280.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1548 -
\??\c:\7pppj.exec:\7pppj.exe28⤵
- Executes dropped EXE
PID:768 -
\??\c:\dvjpd.exec:\dvjpd.exe29⤵
- Executes dropped EXE
PID:2168 -
\??\c:\q48846.exec:\q48846.exe30⤵
- Executes dropped EXE
PID:304 -
\??\c:\hbbtht.exec:\hbbtht.exe31⤵
- Executes dropped EXE
PID:1012 -
\??\c:\264028.exec:\264028.exe32⤵
- Executes dropped EXE
PID:1520 -
\??\c:\04628.exec:\04628.exe33⤵
- Executes dropped EXE
PID:2000 -
\??\c:\e44644.exec:\e44644.exe34⤵PID:1608
-
\??\c:\7htbhh.exec:\7htbhh.exe35⤵
- Executes dropped EXE
PID:1652 -
\??\c:\e04066.exec:\e04066.exe36⤵
- Executes dropped EXE
PID:2600 -
\??\c:\w64066.exec:\w64066.exe37⤵
- Executes dropped EXE
PID:2520 -
\??\c:\btntbb.exec:\btntbb.exe38⤵
- Executes dropped EXE
PID:1028 -
\??\c:\rlxlxxl.exec:\rlxlxxl.exe39⤵
- Executes dropped EXE
PID:2524 -
\??\c:\08448.exec:\08448.exe40⤵
- Executes dropped EXE
PID:2916 -
\??\c:\i044824.exec:\i044824.exe41⤵
- Executes dropped EXE
PID:2820 -
\??\c:\9dvdj.exec:\9dvdj.exe42⤵
- Executes dropped EXE
PID:2856 -
\??\c:\20284.exec:\20284.exe43⤵
- Executes dropped EXE
PID:2964 -
\??\c:\nbhnbh.exec:\nbhnbh.exe44⤵
- Executes dropped EXE
PID:2832 -
\??\c:\xfxfrrf.exec:\xfxfrrf.exe45⤵
- Executes dropped EXE
PID:2948 -
\??\c:\642860.exec:\642860.exe46⤵
- Executes dropped EXE
PID:2724 -
\??\c:\4200284.exec:\4200284.exe47⤵
- Executes dropped EXE
PID:2864 -
\??\c:\nbhhhh.exec:\nbhhhh.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
\??\c:\i860262.exec:\i860262.exe49⤵
- Executes dropped EXE
PID:2764 -
\??\c:\jpjdd.exec:\jpjdd.exe50⤵
- Executes dropped EXE
PID:1804 -
\??\c:\22262.exec:\22262.exe51⤵
- Executes dropped EXE
PID:2432 -
\??\c:\ddppd.exec:\ddppd.exe52⤵
- Executes dropped EXE
PID:1992 -
\??\c:\08602.exec:\08602.exe53⤵
- Executes dropped EXE
PID:2992 -
\??\c:\08668.exec:\08668.exe54⤵
- Executes dropped EXE
PID:3036 -
\??\c:\o266220.exec:\o266220.exe55⤵
- Executes dropped EXE
PID:3020 -
\??\c:\s2084.exec:\s2084.exe56⤵
- Executes dropped EXE
PID:536 -
\??\c:\g8804.exec:\g8804.exe57⤵
- Executes dropped EXE
PID:1764 -
\??\c:\3xlfrrx.exec:\3xlfrrx.exe58⤵
- Executes dropped EXE
PID:2280 -
\??\c:\8688440.exec:\8688440.exe59⤵
- Executes dropped EXE
PID:2204 -
\??\c:\pdppd.exec:\pdppd.exe60⤵
- Executes dropped EXE
PID:1244 -
\??\c:\40240.exec:\40240.exe61⤵
- Executes dropped EXE
PID:2420 -
\??\c:\4802840.exec:\4802840.exe62⤵
- Executes dropped EXE
PID:2272 -
\??\c:\xfffrfl.exec:\xfffrfl.exe63⤵
- Executes dropped EXE
PID:2028 -
\??\c:\60884.exec:\60884.exe64⤵
- Executes dropped EXE
PID:1508 -
\??\c:\6406884.exec:\6406884.exe65⤵
- Executes dropped EXE
PID:2068 -
\??\c:\602644.exec:\602644.exe66⤵
- Executes dropped EXE
PID:2732 -
\??\c:\fxllffr.exec:\fxllffr.exe67⤵PID:1796
-
\??\c:\20406.exec:\20406.exe68⤵PID:2780
-
\??\c:\7tbtnt.exec:\7tbtnt.exe69⤵PID:2412
-
\??\c:\rxfxrfr.exec:\rxfxrfr.exe70⤵PID:2208
-
\??\c:\08662.exec:\08662.exe71⤵PID:2356
-
\??\c:\3ntnbb.exec:\3ntnbb.exe72⤵PID:304
-
\??\c:\jvddd.exec:\jvddd.exe73⤵PID:2316
-
\??\c:\tthnnh.exec:\tthnnh.exe74⤵PID:2536
-
\??\c:\c666484.exec:\c666484.exe75⤵PID:2000
-
\??\c:\frfrxfr.exec:\frfrxfr.exe76⤵PID:580
-
\??\c:\5vjpp.exec:\5vjpp.exe77⤵PID:2596
-
\??\c:\00420.exec:\00420.exe78⤵PID:1580
-
\??\c:\5rflxfr.exec:\5rflxfr.exe79⤵PID:2664
-
\??\c:\pjjpj.exec:\pjjpj.exe80⤵PID:320
-
\??\c:\fxxrlfl.exec:\fxxrlfl.exe81⤵PID:2440
-
\??\c:\rrflrlx.exec:\rrflrlx.exe82⤵PID:2524
-
\??\c:\m8628.exec:\m8628.exe83⤵PID:2916
-
\??\c:\482200.exec:\482200.exe84⤵PID:2848
-
\??\c:\a4084.exec:\a4084.exe85⤵PID:2324
-
\??\c:\8022228.exec:\8022228.exe86⤵PID:2912
-
\??\c:\60224.exec:\60224.exe87⤵PID:1936
-
\??\c:\0046026.exec:\0046026.exe88⤵PID:2720
-
\??\c:\djdjp.exec:\djdjp.exe89⤵PID:2704
-
\??\c:\hthbnt.exec:\hthbnt.exe90⤵PID:2864
-
\??\c:\e42206.exec:\e42206.exe91⤵PID:1856
-
\??\c:\bnbbhh.exec:\bnbbhh.exe92⤵PID:2764
-
\??\c:\68846.exec:\68846.exe93⤵PID:3000
-
\??\c:\a4442.exec:\a4442.exe94⤵PID:2432
-
\??\c:\4204606.exec:\4204606.exe95⤵PID:1696
-
\??\c:\lflxlrf.exec:\lflxlrf.exe96⤵PID:1440
-
\??\c:\8644262.exec:\8644262.exe97⤵PID:2116
-
\??\c:\pjjpj.exec:\pjjpj.exe98⤵PID:1448
-
\??\c:\208866.exec:\208866.exe99⤵PID:1960
-
\??\c:\42408.exec:\42408.exe100⤵PID:2184
-
\??\c:\68628.exec:\68628.exe101⤵PID:596
-
\??\c:\lfrrrrf.exec:\lfrrrrf.exe102⤵PID:2112
-
\??\c:\tthnhh.exec:\tthnhh.exe103⤵PID:2656
-
\??\c:\c600402.exec:\c600402.exe104⤵PID:1164
-
\??\c:\8644228.exec:\8644228.exe105⤵PID:640
-
\??\c:\jdvdp.exec:\jdvdp.exe106⤵PID:380
-
\??\c:\8644280.exec:\8644280.exe107⤵PID:2792
-
\??\c:\nbbhtb.exec:\nbbhtb.exe108⤵PID:620
-
\??\c:\xrfxlfl.exec:\xrfxlfl.exe109⤵PID:624
-
\??\c:\nbnnbb.exec:\nbnnbb.exe110⤵PID:836
-
\??\c:\nbbnnb.exec:\nbbnnb.exe111⤵PID:1360
-
\??\c:\xrflrxf.exec:\xrflrxf.exe112⤵PID:2304
-
\??\c:\pvdpv.exec:\pvdpv.exe113⤵PID:696
-
\??\c:\nthhnn.exec:\nthhnn.exe114⤵PID:2124
-
\??\c:\tnbhnh.exec:\tnbhnh.exe115⤵PID:1808
-
\??\c:\tthhnn.exec:\tthhnn.exe116⤵PID:1100
-
\??\c:\5nhhnb.exec:\5nhhnb.exe117⤵PID:1852
-
\??\c:\jdvdj.exec:\jdvdj.exe118⤵PID:1204
-
\??\c:\m8620.exec:\m8620.exe119⤵PID:1268
-
\??\c:\ppdjv.exec:\ppdjv.exe120⤵PID:1724
-
\??\c:\q86284.exec:\q86284.exe121⤵PID:2044
-
\??\c:\5nbhnn.exec:\5nbhnn.exe122⤵PID:2636