Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
08/01/2025, 07:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe
-
Size
454KB
-
MD5
c792b5ba0f3418a01c910352f5783ff0
-
SHA1
4da115c9bee81ec3e11367a57fa5f03f747de1f3
-
SHA256
0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5e
-
SHA512
aa13906156c9e8915ba2523ec6db149def34d67b0a07ccc07a2a3a0ec05fe1d0b5de71e224cea1d1ccaa376026809d482780aed2a78a48cdc6a09abf665b1188
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAber7:q7Tc2NYHUrAwfMp3CDH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/1740-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/648-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-136-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/1704-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1036-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-164-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2252-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-183-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2448-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1224-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1148-468-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2476-499-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/288-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-650-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2016-675-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2608-841-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2092-856-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1280-945-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2820 468882.exe 2928 nbhntn.exe 3044 08068.exe 3008 0026822.exe 2840 1vjjp.exe 2684 pvdvj.exe 2312 8868864.exe 2848 7ttbhh.exe 648 48628.exe 2136 rrxfllx.exe 768 1hbthn.exe 2284 5xfrlff.exe 2040 btnttb.exe 2988 64622.exe 1704 1xllrrf.exe 1036 g6840.exe 2252 bthhtt.exe 2096 64624.exe 2208 480888.exe 2560 8022824.exe 636 xxlfllx.exe 2448 202226.exe 1632 rfrxffl.exe 3068 q46288.exe 1628 442620.exe 1664 u484846.exe 1784 00420.exe 1224 86206.exe 1592 3hnbtt.exe 2624 642404.exe 1032 lxrxrlx.exe 872 2066624.exe 1936 04046.exe 2924 1rxllrr.exe 2828 7ddvv.exe 1548 9htbbb.exe 2920 08606.exe 2808 486200.exe 3008 btntbb.exe 2972 242806.exe 2720 48668.exe 2204 dvdvp.exe 2064 20224.exe 1280 a8224.exe 1104 7hbnbn.exe 2264 dvpvv.exe 2328 82028.exe 768 422888.exe 2284 9bnnth.exe 2032 048028.exe 2412 llfrxfr.exe 2996 rrflxxx.exe 1420 rrrxlxr.exe 1148 hbntbh.exe 1124 q02844.exe 3064 4428686.exe 2096 488022.exe 2160 lxrrflx.exe 2280 62644.exe 448 6084024.exe 880 bttnhb.exe 2476 pvpvp.exe 1976 6642280.exe 1768 444040.exe -
resource yara_rule behavioral1/memory/1740-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/648-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-334-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3008-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-387-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2328-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-848-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1936-863-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-912-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-945-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 082860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6422280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s2800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 048022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8644008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u280620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604422.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1740 wrote to memory of 2820 1740 0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe 30 PID 1740 wrote to memory of 2820 1740 0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe 30 PID 1740 wrote to memory of 2820 1740 0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe 30 PID 1740 wrote to memory of 2820 1740 0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe 30 PID 2820 wrote to memory of 2928 2820 468882.exe 31 PID 2820 wrote to memory of 2928 2820 468882.exe 31 PID 2820 wrote to memory of 2928 2820 468882.exe 31 PID 2820 wrote to memory of 2928 2820 468882.exe 31 PID 2928 wrote to memory of 3044 2928 nbhntn.exe 32 PID 2928 wrote to memory of 3044 2928 nbhntn.exe 32 PID 2928 wrote to memory of 3044 2928 nbhntn.exe 32 PID 2928 wrote to memory of 3044 2928 nbhntn.exe 32 PID 3044 wrote to memory of 3008 3044 08068.exe 33 PID 3044 wrote to memory of 3008 3044 08068.exe 33 PID 3044 wrote to memory of 3008 3044 08068.exe 33 PID 3044 wrote to memory of 3008 3044 08068.exe 33 PID 3008 wrote to memory of 2840 3008 0026822.exe 34 PID 3008 wrote to memory of 2840 3008 0026822.exe 34 PID 3008 wrote to memory of 2840 3008 0026822.exe 34 PID 3008 wrote to memory of 2840 3008 0026822.exe 34 PID 2840 wrote to memory of 2684 2840 1vjjp.exe 35 PID 2840 wrote to memory of 2684 2840 1vjjp.exe 35 PID 2840 wrote to memory of 2684 2840 1vjjp.exe 35 PID 2840 wrote to memory of 2684 2840 1vjjp.exe 35 PID 2684 wrote to memory of 2312 2684 pvdvj.exe 36 PID 2684 wrote to memory of 2312 2684 pvdvj.exe 36 PID 2684 wrote to memory of 2312 2684 pvdvj.exe 36 PID 2684 wrote to memory of 2312 2684 pvdvj.exe 36 PID 2312 wrote to memory of 2848 2312 8868864.exe 37 PID 2312 wrote to memory of 2848 2312 8868864.exe 37 PID 2312 wrote to memory of 2848 2312 8868864.exe 37 PID 2312 wrote to memory of 2848 2312 8868864.exe 37 PID 2848 wrote to memory of 648 2848 7ttbhh.exe 38 PID 2848 wrote 
to memory of 648 2848 7ttbhh.exe 38 PID 2848 wrote to memory of 648 2848 7ttbhh.exe 38 PID 2848 wrote to memory of 648 2848 7ttbhh.exe 38 PID 648 wrote to memory of 2136 648 48628.exe 39 PID 648 wrote to memory of 2136 648 48628.exe 39 PID 648 wrote to memory of 2136 648 48628.exe 39 PID 648 wrote to memory of 2136 648 48628.exe 39 PID 2136 wrote to memory of 768 2136 rrxfllx.exe 40 PID 2136 wrote to memory of 768 2136 rrxfllx.exe 40 PID 2136 wrote to memory of 768 2136 rrxfllx.exe 40 PID 2136 wrote to memory of 768 2136 rrxfllx.exe 40 PID 768 wrote to memory of 2284 768 1hbthn.exe 41 PID 768 wrote to memory of 2284 768 1hbthn.exe 41 PID 768 wrote to memory of 2284 768 1hbthn.exe 41 PID 768 wrote to memory of 2284 768 1hbthn.exe 41 PID 2284 wrote to memory of 2040 2284 5xfrlff.exe 42 PID 2284 wrote to memory of 2040 2284 5xfrlff.exe 42 PID 2284 wrote to memory of 2040 2284 5xfrlff.exe 42 PID 2284 wrote to memory of 2040 2284 5xfrlff.exe 42 PID 2040 wrote to memory of 2988 2040 btnttb.exe 43 PID 2040 wrote to memory of 2988 2040 btnttb.exe 43 PID 2040 wrote to memory of 2988 2040 btnttb.exe 43 PID 2040 wrote to memory of 2988 2040 btnttb.exe 43 PID 2988 wrote to memory of 1704 2988 64622.exe 44 PID 2988 wrote to memory of 1704 2988 64622.exe 44 PID 2988 wrote to memory of 1704 2988 64622.exe 44 PID 2988 wrote to memory of 1704 2988 64622.exe 44 PID 1704 wrote to memory of 1036 1704 1xllrrf.exe 45 PID 1704 wrote to memory of 1036 1704 1xllrrf.exe 45 PID 1704 wrote to memory of 1036 1704 1xllrrf.exe 45 PID 1704 wrote to memory of 1036 1704 1xllrrf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe"C:\Users\Admin\AppData\Local\Temp\0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\468882.exec:\468882.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\nbhntn.exec:\nbhntn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\08068.exec:\08068.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\0026822.exec:\0026822.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\1vjjp.exec:\1vjjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\pvdvj.exec:\pvdvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\8868864.exec:\8868864.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\7ttbhh.exec:\7ttbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\48628.exec:\48628.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\rrxfllx.exec:\rrxfllx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\1hbthn.exec:\1hbthn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\5xfrlff.exec:\5xfrlff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\btnttb.exec:\btnttb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\64622.exec:\64622.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\1xllrrf.exec:\1xllrrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\g6840.exec:\g6840.exe17⤵
- Executes dropped EXE
PID:1036 -
\??\c:\bthhtt.exec:\bthhtt.exe18⤵
- Executes dropped EXE
PID:2252 -
\??\c:\64624.exec:\64624.exe19⤵
- Executes dropped EXE
PID:2096 -
\??\c:\480888.exec:\480888.exe20⤵
- Executes dropped EXE
PID:2208 -
\??\c:\8022824.exec:\8022824.exe21⤵
- Executes dropped EXE
PID:2560 -
\??\c:\xxlfllx.exec:\xxlfllx.exe22⤵
- Executes dropped EXE
PID:636 -
\??\c:\202226.exec:\202226.exe23⤵
- Executes dropped EXE
PID:2448 -
\??\c:\rfrxffl.exec:\rfrxffl.exe24⤵
- Executes dropped EXE
PID:1632 -
\??\c:\q46288.exec:\q46288.exe25⤵
- Executes dropped EXE
PID:3068 -
\??\c:\442620.exec:\442620.exe26⤵
- Executes dropped EXE
PID:1628 -
\??\c:\u484846.exec:\u484846.exe27⤵
- Executes dropped EXE
PID:1664 -
\??\c:\00420.exec:\00420.exe28⤵
- Executes dropped EXE
PID:1784 -
\??\c:\86206.exec:\86206.exe29⤵
- Executes dropped EXE
PID:1224 -
\??\c:\3hnbtt.exec:\3hnbtt.exe30⤵
- Executes dropped EXE
PID:1592 -
\??\c:\642404.exec:\642404.exe31⤵
- Executes dropped EXE
PID:2624 -
\??\c:\lxrxrlx.exec:\lxrxrlx.exe32⤵
- Executes dropped EXE
PID:1032 -
\??\c:\2066624.exec:\2066624.exe33⤵
- Executes dropped EXE
PID:872 -
\??\c:\04046.exec:\04046.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1936 -
\??\c:\1rxllrr.exec:\1rxllrr.exe35⤵
- Executes dropped EXE
PID:2924 -
\??\c:\7ddvv.exec:\7ddvv.exe36⤵
- Executes dropped EXE
PID:2828 -
\??\c:\9htbbb.exec:\9htbbb.exe37⤵
- Executes dropped EXE
PID:1548 -
\??\c:\08606.exec:\08606.exe38⤵
- Executes dropped EXE
PID:2920 -
\??\c:\486200.exec:\486200.exe39⤵
- Executes dropped EXE
PID:2808 -
\??\c:\btntbb.exec:\btntbb.exe40⤵
- Executes dropped EXE
PID:3008 -
\??\c:\242806.exec:\242806.exe41⤵
- Executes dropped EXE
PID:2972 -
\??\c:\48668.exec:\48668.exe42⤵
- Executes dropped EXE
PID:2720 -
\??\c:\dvdvp.exec:\dvdvp.exe43⤵
- Executes dropped EXE
PID:2204 -
\??\c:\20224.exec:\20224.exe44⤵
- Executes dropped EXE
PID:2064 -
\??\c:\a8224.exec:\a8224.exe45⤵
- Executes dropped EXE
PID:1280 -
\??\c:\7hbnbn.exec:\7hbnbn.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1104 -
\??\c:\dvpvv.exec:\dvpvv.exe47⤵
- Executes dropped EXE
PID:2264 -
\??\c:\82028.exec:\82028.exe48⤵
- Executes dropped EXE
PID:2328 -
\??\c:\422888.exec:\422888.exe49⤵
- Executes dropped EXE
PID:768 -
\??\c:\9bnnth.exec:\9bnnth.exe50⤵
- Executes dropped EXE
PID:2284 -
\??\c:\048028.exec:\048028.exe51⤵
- Executes dropped EXE
PID:2032 -
\??\c:\llfrxfr.exec:\llfrxfr.exe52⤵
- Executes dropped EXE
PID:2412 -
\??\c:\rrflxxx.exec:\rrflxxx.exe53⤵
- Executes dropped EXE
PID:2996 -
\??\c:\rrrxlxr.exec:\rrrxlxr.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1420 -
\??\c:\hbntbh.exec:\hbntbh.exe55⤵
- Executes dropped EXE
PID:1148 -
\??\c:\q02844.exec:\q02844.exe56⤵
- Executes dropped EXE
PID:1124 -
\??\c:\4428686.exec:\4428686.exe57⤵
- Executes dropped EXE
PID:3064 -
\??\c:\488022.exec:\488022.exe58⤵
- Executes dropped EXE
PID:2096 -
\??\c:\lxrrflx.exec:\lxrrflx.exe59⤵
- Executes dropped EXE
PID:2160 -
\??\c:\62644.exec:\62644.exe60⤵
- Executes dropped EXE
PID:2280 -
\??\c:\6084024.exec:\6084024.exe61⤵
- Executes dropped EXE
PID:448 -
\??\c:\bttnhb.exec:\bttnhb.exe62⤵
- Executes dropped EXE
PID:880 -
\??\c:\pvpvp.exec:\pvpvp.exe63⤵
- Executes dropped EXE
PID:2476 -
\??\c:\6642280.exec:\6642280.exe64⤵
- Executes dropped EXE
PID:1976 -
\??\c:\444040.exec:\444040.exe65⤵
- Executes dropped EXE
PID:1768 -
\??\c:\hnhnbh.exec:\hnhnbh.exe66⤵PID:660
-
\??\c:\6022000.exec:\6022000.exe67⤵PID:288
-
\??\c:\btntnn.exec:\btntnn.exe68⤵PID:1664
-
\??\c:\fllrxfr.exec:\fllrxfr.exe69⤵PID:2592
-
\??\c:\1vpvp.exec:\1vpvp.exe70⤵PID:1224
-
\??\c:\3vjvj.exec:\3vjvj.exe71⤵PID:2608
-
\??\c:\ddvvj.exec:\ddvvj.exe72⤵PID:976
-
\??\c:\jpjpd.exec:\jpjpd.exe73⤵PID:2588
-
\??\c:\xxrfxff.exec:\xxrfxff.exe74⤵PID:1032
-
\??\c:\rlfxxrx.exec:\rlfxxrx.exe75⤵PID:872
-
\??\c:\6404060.exec:\6404060.exe76⤵PID:2876
-
\??\c:\ffrxflf.exec:\ffrxflf.exe77⤵PID:1720
-
\??\c:\044664.exec:\044664.exe78⤵
- System Location Discovery: System Language Discovery
PID:1680 -
\??\c:\208462.exec:\208462.exe79⤵PID:1572
-
\??\c:\u264626.exec:\u264626.exe80⤵PID:2916
-
\??\c:\3dvdp.exec:\3dvdp.exe81⤵PID:3000
-
\??\c:\ffxlllr.exec:\ffxlllr.exe82⤵PID:2740
-
\??\c:\882808.exec:\882808.exe83⤵PID:2972
-
\??\c:\pjjpv.exec:\pjjpv.exe84⤵PID:2732
-
\??\c:\9jjdp.exec:\9jjdp.exe85⤵PID:2204
-
\??\c:\u266402.exec:\u266402.exe86⤵PID:1496
-
\??\c:\nbhnnn.exec:\nbhnnn.exe87⤵PID:828
-
\??\c:\i860248.exec:\i860248.exe88⤵PID:2148
-
\??\c:\lflfffl.exec:\lflfffl.exe89⤵PID:2016
-
\??\c:\60680.exec:\60680.exe90⤵PID:1292
-
\??\c:\864428.exec:\864428.exe91⤵PID:2024
-
\??\c:\3hnbtb.exec:\3hnbtb.exe92⤵PID:2964
-
\??\c:\08044.exec:\08044.exe93⤵PID:2164
-
\??\c:\pvpvp.exec:\pvpvp.exe94⤵PID:2852
-
\??\c:\jpjjp.exec:\jpjjp.exe95⤵PID:1744
-
\??\c:\2606848.exec:\2606848.exe96⤵PID:1704
-
\??\c:\8820246.exec:\8820246.exe97⤵PID:1420
-
\??\c:\48684.exec:\48684.exe98⤵PID:1760
-
\??\c:\1jpdp.exec:\1jpdp.exe99⤵PID:1124
-
\??\c:\c262446.exec:\c262446.exe100⤵PID:3064
-
\??\c:\6424280.exec:\6424280.exe101⤵PID:2232
-
\??\c:\ffxfrxx.exec:\ffxfrxx.exe102⤵PID:2452
-
\??\c:\dppvd.exec:\dppvd.exe103⤵PID:2248
-
\??\c:\86008.exec:\86008.exe104⤵PID:1716
-
\??\c:\i202442.exec:\i202442.exe105⤵PID:2556
-
\??\c:\tnbnbn.exec:\tnbnbn.exe106⤵PID:944
-
\??\c:\42268.exec:\42268.exe107⤵PID:468
-
\??\c:\5dpdd.exec:\5dpdd.exe108⤵PID:1044
-
\??\c:\pvjvp.exec:\pvjvp.exe109⤵PID:2756
-
\??\c:\6600242.exec:\6600242.exe110⤵PID:352
-
\??\c:\xlfrxrr.exec:\xlfrxrr.exe111⤵PID:688
-
\??\c:\8240228.exec:\8240228.exe112⤵PID:1784
-
\??\c:\bbbntb.exec:\bbbntb.exe113⤵PID:2340
-
\??\c:\82620.exec:\82620.exe114⤵PID:1736
-
\??\c:\26842.exec:\26842.exe115⤵PID:2608
-
\??\c:\a8020.exec:\a8020.exe116⤵PID:1008
-
\??\c:\bhbhnt.exec:\bhbhnt.exe117⤵PID:2092
-
\??\c:\420066.exec:\420066.exe118⤵PID:1032
-
\??\c:\bhbhtb.exec:\bhbhtb.exe119⤵PID:1936
-
\??\c:\ddpdj.exec:\ddpdj.exe120⤵PID:3060
-
\??\c:\q24428.exec:\q24428.exe121⤵PID:2940
-
\??\c:\26442.exec:\26442.exe122⤵PID:2708