Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
26-12-2024 05:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe
-
Size
456KB
-
MD5
cdb1e57bdfa00fa8b9fc12c3c5331be1
-
SHA1
e31f2af6c65a1ae7640715749da46332f412374c
-
SHA256
a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b
-
SHA512
715fbb0bbcd12cca42fe8ab941c25d341d2d2cee7578e5545bedfc121411987838afce16d4e7d75beb4961df4f596ba6e2a937b271427415649c83a11ca604c9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRk:q7Tc2NYHUrAwfMp3CDRk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/1304-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1032-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1048-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-105-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2108-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1312-124-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2956-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/632-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1236-227-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1508-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2588-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-280-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/884-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1028-296-0x0000000077620000-0x000000007773F000-memory.dmp family_blackmoon behavioral1/memory/1028-297-0x0000000077520000-0x000000007761A000-memory.dmp family_blackmoon behavioral1/memory/2248-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-372-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2964-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-391-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2700-389-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2988-394-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2988-399-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2764-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1264-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-597-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2632-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-791-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/952-814-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/664-953-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-1106-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2340-1126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1616 c422406.exe 1032 rffffxx.exe 2444 nhbbbb.exe 1736 6866806.exe 2820 4006222.exe 3008 lxlllrr.exe 2236 rxfxfxx.exe 2904 088804.exe 2964 c862828.exe 1048 20622.exe 2796 646060.exe 2108 nhbhnb.exe 1312 0804404.exe 3060 a2624.exe 2956 600680.exe 2916 42606.exe 108 7lxflfr.exe 2212 xlxxxrx.exe 1620 frfllrf.exe 1852 jvjdj.exe 1912 4200600.exe 632 hthhhb.exe 2656 246664.exe 668 ffllfrl.exe 1236 w42804.exe 3032 3vdvd.exe 1508 64400.exe 2412 xlrflff.exe 2640 1vvvv.exe 2588 s0840.exe 1928 4042444.exe 884 vppdd.exe 1028 9djvd.exe 2248 42406.exe 112 20840.exe 2436 bnbnnt.exe 316 20882.exe 2092 vjpdp.exe 2784 260288.exe 2828 86442.exe 2304 jvppv.exe 2976 428848.exe 2700 fxfxxxf.exe 2844 7djjd.exe 2964 s8206.exe 2536 lfrlrrx.exe 2988 rllxfrl.exe 2256 htbhbt.exe 2764 1bnbhb.exe 3056 u022202.exe 2776 btnhbh.exe 2908 0800604.exe 2912 dpddj.exe 3028 xfrrllr.exe 1264 nhbhhn.exe 1712 hbnbnb.exe 1648 64880.exe 2364 o626040.exe 2172 vpjjv.exe 448 86482.exe 572 024400.exe 772 thnhhh.exe 956 426688.exe 320 824688.exe -
resource yara_rule behavioral1/memory/1304-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1032-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/632-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-227-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1508-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-280-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/884-294-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2248-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/956-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-701-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2176-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-815-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-861-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/684-876-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-890-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-915-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-928-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/664-953-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-1074-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/924-1081-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-1113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-1126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-1169-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 648482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 444028.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8206280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjpd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1304 wrote to memory of 1616 1304 a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe 30 PID 1304 wrote to memory of 1616 1304 a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe 30 PID 1304 wrote to memory of 1616 1304 a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe 30 PID 1304 wrote to memory of 1616 1304 a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe 30 PID 1616 wrote to memory of 1032 1616 c422406.exe 31 PID 1616 wrote to memory of 1032 1616 c422406.exe 31 PID 1616 wrote to memory of 1032 1616 c422406.exe 31 PID 1616 wrote to memory of 1032 1616 c422406.exe 31 PID 1032 wrote to memory of 2444 1032 rffffxx.exe 32 PID 1032 wrote to memory of 2444 1032 rffffxx.exe 32 PID 1032 wrote to memory of 2444 1032 rffffxx.exe 32 PID 1032 wrote to memory of 2444 1032 rffffxx.exe 32 PID 2444 wrote to memory of 1736 2444 nhbbbb.exe 33 PID 2444 wrote to memory of 1736 2444 nhbbbb.exe 33 PID 2444 wrote to memory of 1736 2444 nhbbbb.exe 33 PID 2444 wrote to memory of 1736 2444 nhbbbb.exe 33 PID 1736 wrote to memory of 2820 1736 6866806.exe 34 PID 1736 wrote to memory of 2820 1736 6866806.exe 34 PID 1736 wrote to memory of 2820 1736 6866806.exe 34 PID 1736 wrote to memory of 2820 1736 6866806.exe 34 PID 2820 wrote to memory of 3008 2820 4006222.exe 35 PID 2820 wrote to memory of 3008 2820 4006222.exe 35 PID 2820 wrote to memory of 3008 2820 4006222.exe 35 PID 2820 wrote to memory of 3008 2820 4006222.exe 35 PID 3008 wrote to memory of 2236 3008 lxlllrr.exe 36 PID 3008 wrote to memory of 2236 3008 lxlllrr.exe 36 PID 3008 wrote to memory of 2236 3008 lxlllrr.exe 36 PID 3008 wrote to memory of 2236 3008 lxlllrr.exe 36 PID 2236 wrote to memory of 2904 2236 rxfxfxx.exe 37 PID 2236 wrote to memory of 2904 2236 rxfxfxx.exe 37 PID 2236 wrote to memory of 2904 2236 rxfxfxx.exe 37 PID 2236 wrote to memory of 2904 2236 rxfxfxx.exe 37 PID 2904 wrote to memory of 2964 2904 
088804.exe 38 PID 2904 wrote to memory of 2964 2904 088804.exe 38 PID 2904 wrote to memory of 2964 2904 088804.exe 38 PID 2904 wrote to memory of 2964 2904 088804.exe 38 PID 2964 wrote to memory of 1048 2964 c862828.exe 39 PID 2964 wrote to memory of 1048 2964 c862828.exe 39 PID 2964 wrote to memory of 1048 2964 c862828.exe 39 PID 2964 wrote to memory of 1048 2964 c862828.exe 39 PID 1048 wrote to memory of 2796 1048 20622.exe 40 PID 1048 wrote to memory of 2796 1048 20622.exe 40 PID 1048 wrote to memory of 2796 1048 20622.exe 40 PID 1048 wrote to memory of 2796 1048 20622.exe 40 PID 2796 wrote to memory of 2108 2796 646060.exe 41 PID 2796 wrote to memory of 2108 2796 646060.exe 41 PID 2796 wrote to memory of 2108 2796 646060.exe 41 PID 2796 wrote to memory of 2108 2796 646060.exe 41 PID 2108 wrote to memory of 1312 2108 nhbhnb.exe 42 PID 2108 wrote to memory of 1312 2108 nhbhnb.exe 42 PID 2108 wrote to memory of 1312 2108 nhbhnb.exe 42 PID 2108 wrote to memory of 1312 2108 nhbhnb.exe 42 PID 1312 wrote to memory of 3060 1312 0804404.exe 43 PID 1312 wrote to memory of 3060 1312 0804404.exe 43 PID 1312 wrote to memory of 3060 1312 0804404.exe 43 PID 1312 wrote to memory of 3060 1312 0804404.exe 43 PID 3060 wrote to memory of 2956 3060 a2624.exe 44 PID 3060 wrote to memory of 2956 3060 a2624.exe 44 PID 3060 wrote to memory of 2956 3060 a2624.exe 44 PID 3060 wrote to memory of 2956 3060 a2624.exe 44 PID 2956 wrote to memory of 2916 2956 600680.exe 45 PID 2956 wrote to memory of 2916 2956 600680.exe 45 PID 2956 wrote to memory of 2916 2956 600680.exe 45 PID 2956 wrote to memory of 2916 2956 600680.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe"C:\Users\Admin\AppData\Local\Temp\a1e3115b51159f4d0d67bfa92d8365d7730daeb7ca58476800f77df021770e4b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\c422406.exec:\c422406.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\rffffxx.exec:\rffffxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\nhbbbb.exec:\nhbbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\6866806.exec:\6866806.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\4006222.exec:\4006222.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\lxlllrr.exec:\lxlllrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\rxfxfxx.exec:\rxfxfxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\088804.exec:\088804.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\c862828.exec:\c862828.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\20622.exec:\20622.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\646060.exec:\646060.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\nhbhnb.exec:\nhbhnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\0804404.exec:\0804404.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\a2624.exec:\a2624.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\600680.exec:\600680.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\42606.exec:\42606.exe17⤵
- Executes dropped EXE
PID:2916 -
\??\c:\7lxflfr.exec:\7lxflfr.exe18⤵
- Executes dropped EXE
PID:108 -
\??\c:\xlxxxrx.exec:\xlxxxrx.exe19⤵
- Executes dropped EXE
PID:2212 -
\??\c:\frfllrf.exec:\frfllrf.exe20⤵
- Executes dropped EXE
PID:1620 -
\??\c:\jvjdj.exec:\jvjdj.exe21⤵
- Executes dropped EXE
PID:1852 -
\??\c:\4200600.exec:\4200600.exe22⤵
- Executes dropped EXE
PID:1912 -
\??\c:\hthhhb.exec:\hthhhb.exe23⤵
- Executes dropped EXE
PID:632 -
\??\c:\246664.exec:\246664.exe24⤵
- Executes dropped EXE
PID:2656 -
\??\c:\ffllfrl.exec:\ffllfrl.exe25⤵
- Executes dropped EXE
PID:668 -
\??\c:\w42804.exec:\w42804.exe26⤵
- Executes dropped EXE
PID:1236 -
\??\c:\3vdvd.exec:\3vdvd.exe27⤵
- Executes dropped EXE
PID:3032 -
\??\c:\64400.exec:\64400.exe28⤵
- Executes dropped EXE
PID:1508 -
\??\c:\xlrflff.exec:\xlrflff.exe29⤵
- Executes dropped EXE
PID:2412 -
\??\c:\1vvvv.exec:\1vvvv.exe30⤵
- Executes dropped EXE
PID:2640 -
\??\c:\s0840.exec:\s0840.exe31⤵
- Executes dropped EXE
PID:2588 -
\??\c:\4042444.exec:\4042444.exe32⤵
- Executes dropped EXE
PID:1928 -
\??\c:\vppdd.exec:\vppdd.exe33⤵
- Executes dropped EXE
PID:884 -
\??\c:\9djvd.exec:\9djvd.exe34⤵
- Executes dropped EXE
PID:1028 -
\??\c:\rfrflff.exec:\rfrflff.exe35⤵PID:1584
-
\??\c:\42406.exec:\42406.exe36⤵
- Executes dropped EXE
PID:2248 -
\??\c:\20840.exec:\20840.exe37⤵
- Executes dropped EXE
PID:112 -
\??\c:\bnbnnt.exec:\bnbnnt.exe38⤵
- Executes dropped EXE
PID:2436 -
\??\c:\20882.exec:\20882.exe39⤵
- Executes dropped EXE
PID:316 -
\??\c:\vjpdp.exec:\vjpdp.exe40⤵
- Executes dropped EXE
PID:2092 -
\??\c:\260288.exec:\260288.exe41⤵
- Executes dropped EXE
PID:2784 -
\??\c:\86442.exec:\86442.exe42⤵
- Executes dropped EXE
PID:2828 -
\??\c:\jvppv.exec:\jvppv.exe43⤵
- Executes dropped EXE
PID:2304 -
\??\c:\428848.exec:\428848.exe44⤵
- Executes dropped EXE
PID:2976 -
\??\c:\fxfxxxf.exec:\fxfxxxf.exe45⤵
- Executes dropped EXE
PID:2700 -
\??\c:\7djjd.exec:\7djjd.exe46⤵
- Executes dropped EXE
PID:2844 -
\??\c:\s8206.exec:\s8206.exe47⤵
- Executes dropped EXE
PID:2964 -
\??\c:\lfrlrrx.exec:\lfrlrrx.exe48⤵
- Executes dropped EXE
PID:2536 -
\??\c:\rllxfrl.exec:\rllxfrl.exe49⤵
- Executes dropped EXE
PID:2988 -
\??\c:\htbhbt.exec:\htbhbt.exe50⤵
- Executes dropped EXE
PID:2256 -
\??\c:\1bnbhb.exec:\1bnbhb.exe51⤵
- Executes dropped EXE
PID:2764 -
\??\c:\u022202.exec:\u022202.exe52⤵
- Executes dropped EXE
PID:3056 -
\??\c:\btnhbh.exec:\btnhbh.exe53⤵
- Executes dropped EXE
PID:2776 -
\??\c:\0800604.exec:\0800604.exe54⤵
- Executes dropped EXE
PID:2908 -
\??\c:\dpddj.exec:\dpddj.exe55⤵
- Executes dropped EXE
PID:2912 -
\??\c:\xfrrllr.exec:\xfrrllr.exe56⤵
- Executes dropped EXE
PID:3028 -
\??\c:\nhbhhn.exec:\nhbhhn.exe57⤵
- Executes dropped EXE
PID:1264 -
\??\c:\hbnbnb.exec:\hbnbnb.exe58⤵
- Executes dropped EXE
PID:1712 -
\??\c:\64880.exec:\64880.exe59⤵
- Executes dropped EXE
PID:1648 -
\??\c:\o626040.exec:\o626040.exe60⤵
- Executes dropped EXE
PID:2364 -
\??\c:\vpjjv.exec:\vpjjv.exe61⤵
- Executes dropped EXE
PID:2172 -
\??\c:\86482.exec:\86482.exe62⤵
- Executes dropped EXE
PID:448 -
\??\c:\024400.exec:\024400.exe63⤵
- Executes dropped EXE
PID:572 -
\??\c:\thnhhh.exec:\thnhhh.exe64⤵
- Executes dropped EXE
PID:772 -
\??\c:\426688.exec:\426688.exe65⤵
- Executes dropped EXE
PID:956 -
\??\c:\824688.exec:\824688.exe66⤵
- Executes dropped EXE
PID:320 -
\??\c:\jvddj.exec:\jvddj.exe67⤵PID:2480
-
\??\c:\hbtbbh.exec:\hbtbbh.exe68⤵PID:1596
-
\??\c:\646000.exec:\646000.exe69⤵
- System Location Discovery: System Language Discovery
PID:952 -
\??\c:\hthhnn.exec:\hthhnn.exe70⤵PID:1508
-
\??\c:\642806.exec:\642806.exe71⤵PID:1316
-
\??\c:\nbhhhn.exec:\nbhhhn.exe72⤵PID:2060
-
\??\c:\426660.exec:\426660.exe73⤵PID:2588
-
\??\c:\4244662.exec:\4244662.exe74⤵PID:600
-
\??\c:\4862402.exec:\4862402.exe75⤵PID:1928
-
\??\c:\820240.exec:\820240.exe76⤵PID:1748
-
\??\c:\824622.exec:\824622.exe77⤵PID:1700
-
\??\c:\tnbbnn.exec:\tnbbnn.exe78⤵PID:2756
-
\??\c:\2000666.exec:\2000666.exe79⤵PID:2248
-
\??\c:\lfxflrx.exec:\lfxflrx.exe80⤵PID:2264
-
\??\c:\608464.exec:\608464.exe81⤵PID:2436
-
\??\c:\2084084.exec:\2084084.exe82⤵PID:2832
-
\??\c:\c046284.exec:\c046284.exe83⤵PID:2632
-
\??\c:\868440.exec:\868440.exe84⤵PID:2784
-
\??\c:\vjjdv.exec:\vjjdv.exe85⤵PID:2836
-
\??\c:\frfflfr.exec:\frfflfr.exe86⤵PID:2792
-
\??\c:\hbttbh.exec:\hbttbh.exe87⤵PID:2976
-
\??\c:\3nhttn.exec:\3nhttn.exe88⤵PID:2924
-
\??\c:\420626.exec:\420626.exe89⤵PID:2732
-
\??\c:\9htnnh.exec:\9htnnh.exe90⤵PID:2688
-
\??\c:\q42804.exec:\q42804.exe91⤵PID:664
-
\??\c:\24666.exec:\24666.exe92⤵PID:2988
-
\??\c:\dvjpd.exec:\dvjpd.exe93⤵PID:1632
-
\??\c:\20266.exec:\20266.exe94⤵PID:3040
-
\??\c:\jdpdp.exec:\jdpdp.exe95⤵PID:3060
-
\??\c:\jdjjp.exec:\jdjjp.exe96⤵PID:708
-
\??\c:\5bbbhb.exec:\5bbbhb.exe97⤵PID:2080
-
\??\c:\5rxrrrx.exec:\5rxrrrx.exe98⤵PID:1080
-
\??\c:\rflffxf.exec:\rflffxf.exe99⤵PID:1260
-
\??\c:\dvvvj.exec:\dvvvj.exe100⤵PID:2232
-
\??\c:\42406.exec:\42406.exe101⤵PID:2176
-
\??\c:\frlxfxx.exec:\frlxfxx.exe102⤵PID:2140
-
\??\c:\nnbhbt.exec:\nnbhbt.exe103⤵PID:1852
-
\??\c:\hhtbhn.exec:\hhtbhn.exe104⤵PID:2084
-
\??\c:\e20004.exec:\e20004.exe105⤵PID:2516
-
\??\c:\24246.exec:\24246.exe106⤵PID:1784
-
\??\c:\q64804.exec:\q64804.exe107⤵PID:1588
-
\??\c:\rrlxllx.exec:\rrlxllx.exe108⤵PID:1112
-
\??\c:\nbnthh.exec:\nbnthh.exe109⤵PID:1824
-
\??\c:\7bnhhb.exec:\7bnhhb.exe110⤵PID:320
-
\??\c:\e46282.exec:\e46282.exe111⤵PID:2480
-
\??\c:\826684.exec:\826684.exe112⤵PID:1596
-
\??\c:\3pvvv.exec:\3pvvv.exe113⤵PID:952
-
\??\c:\pjdjv.exec:\pjdjv.exe114⤵PID:2504
-
\??\c:\tbhthh.exec:\tbhthh.exe115⤵PID:1780
-
\??\c:\i428888.exec:\i428888.exe116⤵PID:328
-
\??\c:\fxflrxf.exec:\fxflrxf.exe117⤵PID:976
-
\??\c:\rlfflrf.exec:\rlfflrf.exe118⤵PID:2612
-
\??\c:\82002.exec:\82002.exe119⤵PID:1928
-
\??\c:\8606200.exec:\8606200.exe120⤵PID:1748
-
\??\c:\60226.exec:\60226.exe121⤵PID:768
-
\??\c:\3rflrrx.exec:\3rflrrx.exe122⤵PID:1548