Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 23:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe
-
Size
454KB
-
MD5
767e95cbb3788d229908c341e53fb148
-
SHA1
2240ee838263c5e49311adc28e9ef4f70e78cf8a
-
SHA256
11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498
-
SHA512
27416b4ab219269e677134b231603e909caa15ac4704ecac0693ba301c528c5533086e7d9010fff9c17fba89142ea45006c9a3f4246ff95a714a03a0cbee42a5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/2092-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-170-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2568-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1048-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-222-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/884-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2236-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1260-269-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2452-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/896-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/864-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/692-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1352-476-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2500-499-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2500-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1048-528-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1708-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-691-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1460-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-1125-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1556-1230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-1252-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2552 0400662.exe 2080 42440.exe 2228 882608.exe 2824 s4224.exe 2768 60666.exe 2728 9bnhnb.exe 2792 08822.exe 2832 642260.exe 2652 426200.exe 1760 ntbtnh.exe 2136 1ttntn.exe 2916 24628.exe 2040 3pjdd.exe 1448 rlxlrrx.exe 1984 64628.exe 2456 xlflxxr.exe 536 pdvpp.exe 2568 9fllfff.exe 264 9jppd.exe 2036 s0206.exe 1684 xlrrfxl.exe 2500 m8662.exe 1048 hthbtt.exe 2576 o860662.exe 580 080000.exe 2196 m4268.exe 884 68448.exe 2236 pvdvp.exe 1260 806008.exe 1936 lxllrrx.exe 2452 vddvv.exe 896 8600600.exe 1732 pvdjj.exe 1588 4806600.exe 2540 htbtnh.exe 2952 20828.exe 2132 802664.exe 864 xlrrrxf.exe 2836 642866.exe 2820 hbnntt.exe 2740 20084.exe 2880 8480840.exe 2920 86068.exe 2656 008080.exe 2620 pdpjj.exe 3048 a6828.exe 3052 6022040.exe 2660 jdppd.exe 1812 thnhnh.exe 2508 i240666.exe 1412 a4842.exe 692 vjvjp.exe 2164 0462284.exe 1928 vdjvv.exe 1952 bntthb.exe 2796 8240062.exe 2356 vjvjp.exe 652 688226.exe 2568 5tnnhn.exe 1352 648804.exe 236 084444.exe 844 djpdd.exe 2972 0804448.exe 2500 80226.exe -
resource yara_rule behavioral1/memory/2092-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/884-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-295-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2540-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/692-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-499-0x0000000000350000-0x000000000037A000-memory.dmp upx behavioral1/memory/2500-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-528-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2264-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1460-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-852-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-1056-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-1087-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-1118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-1230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-1292-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6860040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w68460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k46604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8244006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 688844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2092 wrote to memory of 2552 2092 11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe 30 PID 2092 wrote to memory of 2552 2092 11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe 30 PID 2092 wrote to memory of 2552 2092 11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe 30 PID 2092 wrote to memory of 2552 2092 11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe 30 PID 2552 wrote to memory of 2080 2552 0400662.exe 31 PID 2552 wrote to memory of 2080 2552 0400662.exe 31 PID 2552 wrote to memory of 2080 2552 0400662.exe 31 PID 2552 wrote to memory of 2080 2552 0400662.exe 31 PID 2080 wrote to memory of 2228 2080 42440.exe 32 PID 2080 wrote to memory of 2228 2080 42440.exe 32 PID 2080 wrote to memory of 2228 2080 42440.exe 32 PID 2080 wrote to memory of 2228 2080 42440.exe 32 PID 2228 wrote to memory of 2824 2228 882608.exe 33 PID 2228 wrote to memory of 2824 2228 882608.exe 33 PID 2228 wrote to memory of 2824 2228 882608.exe 33 PID 2228 wrote to memory of 2824 2228 882608.exe 33 PID 2824 wrote to memory of 2768 2824 s4224.exe 34 PID 2824 wrote to memory of 2768 2824 s4224.exe 34 PID 2824 wrote to memory of 2768 2824 s4224.exe 34 PID 2824 wrote to memory of 2768 2824 s4224.exe 34 PID 2768 wrote to memory of 2728 2768 60666.exe 35 PID 2768 wrote to memory of 2728 2768 60666.exe 35 PID 2768 wrote to memory of 2728 2768 60666.exe 35 PID 2768 wrote to memory of 2728 2768 60666.exe 35 PID 2728 wrote to memory of 2792 2728 9bnhnb.exe 36 PID 2728 wrote to memory of 2792 2728 9bnhnb.exe 36 PID 2728 wrote to memory of 2792 2728 9bnhnb.exe 36 PID 2728 wrote to memory of 2792 2728 9bnhnb.exe 36 PID 2792 wrote to memory of 2832 2792 08822.exe 37 PID 2792 wrote to memory of 2832 2792 08822.exe 37 PID 2792 wrote to memory of 2832 2792 08822.exe 37 PID 2792 wrote to memory of 2832 2792 08822.exe 37 PID 2832 wrote to memory of 2652 2832 642260.exe 38 PID 2832 wrote to memory 
of 2652 2832 642260.exe 38 PID 2832 wrote to memory of 2652 2832 642260.exe 38 PID 2832 wrote to memory of 2652 2832 642260.exe 38 PID 2652 wrote to memory of 1760 2652 426200.exe 39 PID 2652 wrote to memory of 1760 2652 426200.exe 39 PID 2652 wrote to memory of 1760 2652 426200.exe 39 PID 2652 wrote to memory of 1760 2652 426200.exe 39 PID 1760 wrote to memory of 2136 1760 ntbtnh.exe 40 PID 1760 wrote to memory of 2136 1760 ntbtnh.exe 40 PID 1760 wrote to memory of 2136 1760 ntbtnh.exe 40 PID 1760 wrote to memory of 2136 1760 ntbtnh.exe 40 PID 2136 wrote to memory of 2916 2136 1ttntn.exe 41 PID 2136 wrote to memory of 2916 2136 1ttntn.exe 41 PID 2136 wrote to memory of 2916 2136 1ttntn.exe 41 PID 2136 wrote to memory of 2916 2136 1ttntn.exe 41 PID 2916 wrote to memory of 2040 2916 24628.exe 42 PID 2916 wrote to memory of 2040 2916 24628.exe 42 PID 2916 wrote to memory of 2040 2916 24628.exe 42 PID 2916 wrote to memory of 2040 2916 24628.exe 42 PID 2040 wrote to memory of 1448 2040 3pjdd.exe 43 PID 2040 wrote to memory of 1448 2040 3pjdd.exe 43 PID 2040 wrote to memory of 1448 2040 3pjdd.exe 43 PID 2040 wrote to memory of 1448 2040 3pjdd.exe 43 PID 1448 wrote to memory of 1984 1448 rlxlrrx.exe 44 PID 1448 wrote to memory of 1984 1448 rlxlrrx.exe 44 PID 1448 wrote to memory of 1984 1448 rlxlrrx.exe 44 PID 1448 wrote to memory of 1984 1448 rlxlrrx.exe 44 PID 1984 wrote to memory of 2456 1984 64628.exe 45 PID 1984 wrote to memory of 2456 1984 64628.exe 45 PID 1984 wrote to memory of 2456 1984 64628.exe 45 PID 1984 wrote to memory of 2456 1984 64628.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe"C:\Users\Admin\AppData\Local\Temp\11af54d87f97ec94f784d424c148f1cd689369e08e067cb534ae6aa47236f498.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\0400662.exec:\0400662.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\42440.exec:\42440.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\882608.exec:\882608.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\s4224.exec:\s4224.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\60666.exec:\60666.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\9bnhnb.exec:\9bnhnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\08822.exec:\08822.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\642260.exec:\642260.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\426200.exec:\426200.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\ntbtnh.exec:\ntbtnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\1ttntn.exec:\1ttntn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\24628.exec:\24628.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\3pjdd.exec:\3pjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\rlxlrrx.exec:\rlxlrrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\64628.exec:\64628.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\xlflxxr.exec:\xlflxxr.exe17⤵
- Executes dropped EXE
PID:2456 -
\??\c:\pdvpp.exec:\pdvpp.exe18⤵
- Executes dropped EXE
PID:536 -
\??\c:\9fllfff.exec:\9fllfff.exe19⤵
- Executes dropped EXE
PID:2568 -
\??\c:\9jppd.exec:\9jppd.exe20⤵
- Executes dropped EXE
PID:264 -
\??\c:\s0206.exec:\s0206.exe21⤵
- Executes dropped EXE
PID:2036 -
\??\c:\xlrrfxl.exec:\xlrrfxl.exe22⤵
- Executes dropped EXE
PID:1684 -
\??\c:\m8662.exec:\m8662.exe23⤵
- Executes dropped EXE
PID:2500 -
\??\c:\hthbtt.exec:\hthbtt.exe24⤵
- Executes dropped EXE
PID:1048 -
\??\c:\o860662.exec:\o860662.exe25⤵
- Executes dropped EXE
PID:2576 -
\??\c:\080000.exec:\080000.exe26⤵
- Executes dropped EXE
PID:580 -
\??\c:\m4268.exec:\m4268.exe27⤵
- Executes dropped EXE
PID:2196 -
\??\c:\68448.exec:\68448.exe28⤵
- Executes dropped EXE
PID:884 -
\??\c:\pvdvp.exec:\pvdvp.exe29⤵
- Executes dropped EXE
PID:2236 -
\??\c:\806008.exec:\806008.exe30⤵
- Executes dropped EXE
PID:1260 -
\??\c:\lxllrrx.exec:\lxllrrx.exe31⤵
- Executes dropped EXE
PID:1936 -
\??\c:\vddvv.exec:\vddvv.exe32⤵
- Executes dropped EXE
PID:2452 -
\??\c:\8600600.exec:\8600600.exe33⤵
- Executes dropped EXE
PID:896 -
\??\c:\pvdjj.exec:\pvdjj.exe34⤵
- Executes dropped EXE
PID:1732 -
\??\c:\4806600.exec:\4806600.exe35⤵
- Executes dropped EXE
PID:1588 -
\??\c:\htbtnh.exec:\htbtnh.exe36⤵
- Executes dropped EXE
PID:2540 -
\??\c:\20828.exec:\20828.exe37⤵
- Executes dropped EXE
PID:2952 -
\??\c:\802664.exec:\802664.exe38⤵
- Executes dropped EXE
PID:2132 -
\??\c:\xlrrrxf.exec:\xlrrrxf.exe39⤵
- Executes dropped EXE
PID:864 -
\??\c:\642866.exec:\642866.exe40⤵
- Executes dropped EXE
PID:2836 -
\??\c:\hbnntt.exec:\hbnntt.exe41⤵
- Executes dropped EXE
PID:2820 -
\??\c:\20084.exec:\20084.exe42⤵
- Executes dropped EXE
PID:2740 -
\??\c:\8480840.exec:\8480840.exe43⤵
- Executes dropped EXE
PID:2880 -
\??\c:\86068.exec:\86068.exe44⤵
- Executes dropped EXE
PID:2920 -
\??\c:\008080.exec:\008080.exe45⤵
- Executes dropped EXE
PID:2656 -
\??\c:\pdpjj.exec:\pdpjj.exe46⤵
- Executes dropped EXE
PID:2620 -
\??\c:\a6828.exec:\a6828.exe47⤵
- Executes dropped EXE
PID:3048 -
\??\c:\6022040.exec:\6022040.exe48⤵
- Executes dropped EXE
PID:3052 -
\??\c:\jdppd.exec:\jdppd.exe49⤵
- Executes dropped EXE
PID:2660 -
\??\c:\thnhnh.exec:\thnhnh.exe50⤵
- Executes dropped EXE
PID:1812 -
\??\c:\i240666.exec:\i240666.exe51⤵
- Executes dropped EXE
PID:2508 -
\??\c:\a4842.exec:\a4842.exe52⤵
- Executes dropped EXE
PID:1412 -
\??\c:\vjvjp.exec:\vjvjp.exe53⤵
- Executes dropped EXE
PID:692 -
\??\c:\0462284.exec:\0462284.exe54⤵
- Executes dropped EXE
PID:2164 -
\??\c:\vdjvv.exec:\vdjvv.exe55⤵
- Executes dropped EXE
PID:1928 -
\??\c:\bntthb.exec:\bntthb.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1952 -
\??\c:\8240062.exec:\8240062.exe57⤵
- Executes dropped EXE
PID:2796 -
\??\c:\vjvjp.exec:\vjvjp.exe58⤵
- Executes dropped EXE
PID:2356 -
\??\c:\688226.exec:\688226.exe59⤵
- Executes dropped EXE
PID:652 -
\??\c:\5tnnhn.exec:\5tnnhn.exe60⤵
- Executes dropped EXE
PID:2568 -
\??\c:\648804.exec:\648804.exe61⤵
- Executes dropped EXE
PID:1352 -
\??\c:\084444.exec:\084444.exe62⤵
- Executes dropped EXE
PID:236 -
\??\c:\djpdd.exec:\djpdd.exe63⤵
- Executes dropped EXE
PID:844 -
\??\c:\0804448.exec:\0804448.exe64⤵
- Executes dropped EXE
PID:2972 -
\??\c:\80226.exec:\80226.exe65⤵
- Executes dropped EXE
PID:2500 -
\??\c:\fxrxflr.exec:\fxrxflr.exe66⤵PID:1048
-
\??\c:\7xlxxxx.exec:\7xlxxxx.exe67⤵PID:2576
-
\??\c:\4688284.exec:\4688284.exe68⤵PID:2588
-
\??\c:\5jjjp.exec:\5jjjp.exe69⤵PID:1568
-
\??\c:\bnhbbt.exec:\bnhbbt.exe70⤵PID:928
-
\??\c:\dpjpd.exec:\dpjpd.exe71⤵PID:904
-
\??\c:\6044480.exec:\6044480.exe72⤵PID:972
-
\??\c:\jvjjp.exec:\jvjjp.exe73⤵PID:2320
-
\??\c:\4246880.exec:\4246880.exe74⤵PID:2264
-
\??\c:\lxfxxrx.exec:\lxfxxrx.exe75⤵PID:2028
-
\??\c:\lfrrrxx.exec:\lfrrrxx.exe76⤵PID:1212
-
\??\c:\1rfxxxf.exec:\1rfxxxf.exe77⤵PID:340
-
\??\c:\4022846.exec:\4022846.exe78⤵PID:2184
-
\??\c:\3httnh.exec:\3httnh.exe79⤵PID:1600
-
\??\c:\602288.exec:\602288.exe80⤵PID:1708
-
\??\c:\lfffrrx.exec:\lfffrrx.exe81⤵PID:2552
-
\??\c:\tbhhnh.exec:\tbhhnh.exe82⤵PID:2528
-
\??\c:\1rlflxl.exec:\1rlflxl.exe83⤵PID:2704
-
\??\c:\20446.exec:\20446.exe84⤵PID:2868
-
\??\c:\g0822.exec:\g0822.exe85⤵PID:2836
-
\??\c:\64600.exec:\64600.exe86⤵PID:2824
-
\??\c:\vjppj.exec:\vjppj.exe87⤵PID:2740
-
\??\c:\64286.exec:\64286.exe88⤵PID:2728
-
\??\c:\u084482.exec:\u084482.exe89⤵PID:1464
-
\??\c:\m4266.exec:\m4266.exe90⤵PID:2636
-
\??\c:\208222.exec:\208222.exe91⤵PID:2832
-
\??\c:\vjppp.exec:\vjppp.exe92⤵PID:3040
-
\??\c:\jjjvv.exec:\jjjvv.exe93⤵PID:2180
-
\??\c:\nbhttn.exec:\nbhttn.exe94⤵PID:1620
-
\??\c:\pdddd.exec:\pdddd.exe95⤵PID:1736
-
\??\c:\m2006.exec:\m2006.exe96⤵PID:2936
-
\??\c:\o060686.exec:\o060686.exe97⤵PID:1460
-
\??\c:\e62622.exec:\e62622.exe98⤵PID:1268
-
\??\c:\0860488.exec:\0860488.exe99⤵PID:2008
-
\??\c:\684004.exec:\684004.exe100⤵PID:1984
-
\??\c:\1rfxfxx.exec:\1rfxfxx.exe101⤵PID:2708
-
\??\c:\3thhbt.exec:\3thhbt.exe102⤵PID:332
-
\??\c:\0208222.exec:\0208222.exe103⤵PID:2356
-
\??\c:\rlrlffx.exec:\rlrlffx.exe104⤵PID:2312
-
\??\c:\028282.exec:\028282.exe105⤵PID:1120
-
\??\c:\e46000.exec:\e46000.exe106⤵PID:2036
-
\??\c:\5vdvv.exec:\5vdvv.exe107⤵PID:2232
-
\??\c:\bnnhhb.exec:\bnnhhb.exe108⤵PID:2584
-
\??\c:\pjppv.exec:\pjppv.exe109⤵PID:2344
-
\??\c:\1lrlfxf.exec:\1lrlfxf.exe110⤵PID:1152
-
\??\c:\468882.exec:\468882.exe111⤵PID:1320
-
\??\c:\022288.exec:\022288.exe112⤵PID:1784
-
\??\c:\q28884.exec:\q28884.exe113⤵PID:1376
-
\??\c:\6864488.exec:\6864488.exe114⤵PID:1744
-
\??\c:\a2444.exec:\a2444.exe115⤵PID:944
-
\??\c:\80266.exec:\80266.exe116⤵PID:2436
-
\??\c:\42444.exec:\42444.exe117⤵PID:904
-
\??\c:\lfrlrrr.exec:\lfrlrrr.exe118⤵PID:2060
-
\??\c:\422222.exec:\422222.exe119⤵PID:2320
-
\??\c:\jvdpj.exec:\jvdpj.exe120⤵PID:2016
-
\??\c:\ppjjp.exec:\ppjjp.exe121⤵PID:2028
-
\??\c:\bbnnbn.exec:\bbnnbn.exe122⤵PID:1692