Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 09:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7af618934a6c43ff4dd02ad7dc26bae62e1798f911af6cd4461c7b82ef196b4a.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7af618934a6c43ff4dd02ad7dc26bae62e1798f911af6cd4461c7b82ef196b4a.exe
-
Size
453KB
-
MD5
757a4f10a0a7a7ae7754584cfeafdd31
-
SHA1
9bfd662d28c3e242ad82388e0a481e7c93c917dc
-
SHA256
7af618934a6c43ff4dd02ad7dc26bae62e1798f911af6cd4461c7b82ef196b4a
-
SHA512
67134610eb6c35242bc891e795278d92698b36903200804b418e8c2b79bd32475b06e54a85c8717153fd9a87603f0803f7470574c2fcbad47d91c530ff0ddcc0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/2668-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3032-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1192-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1004-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-128-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2372-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-180-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2296-185-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1260-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-221-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/860-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/708-274-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1652-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2256-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1552-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-644-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1872-652-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2164-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-710-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1156-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2708 0868002.exe 2764 jvjdj.exe 2720 flfrrrf.exe 2872 3flrffl.exe 2612 ddvdd.exe 2600 u084002.exe 3032 604404.exe 568 nbnnbb.exe 1712 04002.exe 2540 dvjjj.exe 1192 42402.exe 1796 86468.exe 1696 xllflrr.exe 1004 rxlffll.exe 480 66024.exe 1548 hbtbbh.exe 2372 u686868.exe 2352 rlxfrfr.exe 2296 486648.exe 2100 c824664.exe 1260 nhhnnt.exe 1092 nnhbnt.exe 1592 5hbnth.exe 860 04624.exe 1516 3lxlllf.exe 1692 0080286.exe 1428 xffllrl.exe 2524 hbthbh.exe 708 dpdpj.exe 1652 260266.exe 976 44628.exe 1056 86426.exe 2768 xrrrllx.exe 2940 ffrxxlx.exe 1576 rxrxrxr.exe 2128 lfrfrxx.exe 2740 btnbnb.exe 2924 9bhnbn.exe 2604 llfrrxr.exe 2624 64284.exe 3040 8868002.exe 2588 rxrfrxr.exe 2876 9fxfrfr.exe 444 66846.exe 1076 a2684.exe 2540 nhhtnb.exe 1192 k04206.exe 1616 0428668.exe 2204 008484.exe 2256 q20462.exe 1788 26440.exe 1552 4864060.exe 1896 rfxfxxr.exe 1156 lfxfxfx.exe 2400 84646.exe 2372 9rrfffl.exe 1852 20848.exe 2340 086486.exe 2336 7htnbh.exe 2516 m0204.exe 2452 c226026.exe 604 228602.exe 1060 600802.exe 2420 40868.exe -
resource yara_rule behavioral1/memory/2668-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1260-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/860-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/860-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-283-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/976-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1552-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-521-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1716-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-738-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2262840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4824668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8208068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g4026.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rffffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i206288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 220626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxflrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o446446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2668 wrote to memory of 2708 2668 7af618934a6c43ff4dd02ad7dc26bae62e1798f911af6cd4461c7b82ef196b4a.exe 30 PID 2668 wrote to memory of 2708 2668 7af618934a6c43ff4dd02ad7dc26bae62e1798f911af6cd4461c7b82ef196b4a.exe 30 PID 2668 wrote to memory of 2708 2668 7af618934a6c43ff4dd02ad7dc26bae62e1798f911af6cd4461c7b82ef196b4a.exe 30 PID 2668 wrote to memory of 2708 2668 7af618934a6c43ff4dd02ad7dc26bae62e1798f911af6cd4461c7b82ef196b4a.exe 30 PID 2708 wrote to memory of 2764 2708 0868002.exe 31 PID 2708 wrote to memory of 2764 2708 0868002.exe 31 PID 2708 wrote to memory of 2764 2708 0868002.exe 31 PID 2708 wrote to memory of 2764 2708 0868002.exe 31 PID 2764 wrote to memory of 2720 2764 jvjdj.exe 32 PID 2764 wrote to memory of 2720 2764 jvjdj.exe 32 PID 2764 wrote to memory of 2720 2764 jvjdj.exe 32 PID 2764 wrote to memory of 2720 2764 jvjdj.exe 32 PID 2720 wrote to memory of 2872 2720 flfrrrf.exe 33 PID 2720 wrote to memory of 2872 2720 flfrrrf.exe 33 PID 2720 wrote to memory of 2872 2720 flfrrrf.exe 33 PID 2720 wrote to memory of 2872 2720 flfrrrf.exe 33 PID 2872 wrote to memory of 2612 2872 3flrffl.exe 34 PID 2872 wrote to memory of 2612 2872 3flrffl.exe 34 PID 2872 wrote to memory of 2612 2872 3flrffl.exe 34 PID 2872 wrote to memory of 2612 2872 3flrffl.exe 34 PID 2612 wrote to memory of 2600 2612 ddvdd.exe 35 PID 2612 wrote to memory of 2600 2612 ddvdd.exe 35 PID 2612 wrote to memory of 2600 2612 ddvdd.exe 35 PID 2612 wrote to memory of 2600 2612 ddvdd.exe 35 PID 2600 wrote to memory of 3032 2600 u084002.exe 36 PID 2600 wrote to memory of 3032 2600 u084002.exe 36 PID 2600 wrote to memory of 3032 2600 u084002.exe 36 PID 2600 wrote to memory of 3032 2600 u084002.exe 36 PID 3032 wrote to memory of 568 3032 604404.exe 37 PID 3032 wrote to memory of 568 3032 604404.exe 37 PID 3032 wrote to memory of 568 3032 604404.exe 37 PID 3032 wrote to memory of 568 3032 604404.exe 37 PID 568 wrote to memory of 1712 568 nbnnbb.exe 38 PID 568 
wrote to memory of 1712 568 nbnnbb.exe 38 PID 568 wrote to memory of 1712 568 nbnnbb.exe 38 PID 568 wrote to memory of 1712 568 nbnnbb.exe 38 PID 1712 wrote to memory of 2540 1712 04002.exe 39 PID 1712 wrote to memory of 2540 1712 04002.exe 39 PID 1712 wrote to memory of 2540 1712 04002.exe 39 PID 1712 wrote to memory of 2540 1712 04002.exe 39 PID 2540 wrote to memory of 1192 2540 dvjjj.exe 40 PID 2540 wrote to memory of 1192 2540 dvjjj.exe 40 PID 2540 wrote to memory of 1192 2540 dvjjj.exe 40 PID 2540 wrote to memory of 1192 2540 dvjjj.exe 40 PID 1192 wrote to memory of 1796 1192 42402.exe 41 PID 1192 wrote to memory of 1796 1192 42402.exe 41 PID 1192 wrote to memory of 1796 1192 42402.exe 41 PID 1192 wrote to memory of 1796 1192 42402.exe 41 PID 1796 wrote to memory of 1696 1796 86468.exe 42 PID 1796 wrote to memory of 1696 1796 86468.exe 42 PID 1796 wrote to memory of 1696 1796 86468.exe 42 PID 1796 wrote to memory of 1696 1796 86468.exe 42 PID 1696 wrote to memory of 1004 1696 xllflrr.exe 43 PID 1696 wrote to memory of 1004 1696 xllflrr.exe 43 PID 1696 wrote to memory of 1004 1696 xllflrr.exe 43 PID 1696 wrote to memory of 1004 1696 xllflrr.exe 43 PID 1004 wrote to memory of 480 1004 rxlffll.exe 44 PID 1004 wrote to memory of 480 1004 rxlffll.exe 44 PID 1004 wrote to memory of 480 1004 rxlffll.exe 44 PID 1004 wrote to memory of 480 1004 rxlffll.exe 44 PID 480 wrote to memory of 1548 480 66024.exe 45 PID 480 wrote to memory of 1548 480 66024.exe 45 PID 480 wrote to memory of 1548 480 66024.exe 45 PID 480 wrote to memory of 1548 480 66024.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7af618934a6c43ff4dd02ad7dc26bae62e1798f911af6cd4461c7b82ef196b4a.exe"C:\Users\Admin\AppData\Local\Temp\7af618934a6c43ff4dd02ad7dc26bae62e1798f911af6cd4461c7b82ef196b4a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\0868002.exec:\0868002.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\jvjdj.exec:\jvjdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\flfrrrf.exec:\flfrrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\3flrffl.exec:\3flrffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\ddvdd.exec:\ddvdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\u084002.exec:\u084002.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\604404.exec:\604404.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\nbnnbb.exec:\nbnnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:568 -
\??\c:\04002.exec:\04002.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\dvjjj.exec:\dvjjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\42402.exec:\42402.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\86468.exec:\86468.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\xllflrr.exec:\xllflrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\rxlffll.exec:\rxlffll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\66024.exec:\66024.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:480 -
\??\c:\hbtbbh.exec:\hbtbbh.exe17⤵
- Executes dropped EXE
PID:1548 -
\??\c:\u686868.exec:\u686868.exe18⤵
- Executes dropped EXE
PID:2372 -
\??\c:\rlxfrfr.exec:\rlxfrfr.exe19⤵
- Executes dropped EXE
PID:2352 -
\??\c:\486648.exec:\486648.exe20⤵
- Executes dropped EXE
PID:2296 -
\??\c:\c824664.exec:\c824664.exe21⤵
- Executes dropped EXE
PID:2100 -
\??\c:\nhhnnt.exec:\nhhnnt.exe22⤵
- Executes dropped EXE
PID:1260 -
\??\c:\nnhbnt.exec:\nnhbnt.exe23⤵
- Executes dropped EXE
PID:1092 -
\??\c:\5hbnth.exec:\5hbnth.exe24⤵
- Executes dropped EXE
PID:1592 -
\??\c:\04624.exec:\04624.exe25⤵
- Executes dropped EXE
PID:860 -
\??\c:\3lxlllf.exec:\3lxlllf.exe26⤵
- Executes dropped EXE
PID:1516 -
\??\c:\0080286.exec:\0080286.exe27⤵
- Executes dropped EXE
PID:1692 -
\??\c:\xffllrl.exec:\xffllrl.exe28⤵
- Executes dropped EXE
PID:1428 -
\??\c:\hbthbh.exec:\hbthbh.exe29⤵
- Executes dropped EXE
PID:2524 -
\??\c:\dpdpj.exec:\dpdpj.exe30⤵
- Executes dropped EXE
PID:708 -
\??\c:\260266.exec:\260266.exe31⤵
- Executes dropped EXE
PID:1652 -
\??\c:\44628.exec:\44628.exe32⤵
- Executes dropped EXE
PID:976 -
\??\c:\86426.exec:\86426.exe33⤵
- Executes dropped EXE
PID:1056 -
\??\c:\xrrrllx.exec:\xrrrllx.exe34⤵
- Executes dropped EXE
PID:2768 -
\??\c:\ffrxxlx.exec:\ffrxxlx.exe35⤵
- Executes dropped EXE
PID:2940 -
\??\c:\rxrxrxr.exec:\rxrxrxr.exe36⤵
- Executes dropped EXE
PID:1576 -
\??\c:\lfrfrxx.exec:\lfrfrxx.exe37⤵
- Executes dropped EXE
PID:2128 -
\??\c:\btnbnb.exec:\btnbnb.exe38⤵
- Executes dropped EXE
PID:2740 -
\??\c:\9bhnbn.exec:\9bhnbn.exe39⤵
- Executes dropped EXE
PID:2924 -
\??\c:\llfrrxr.exec:\llfrrxr.exe40⤵
- Executes dropped EXE
PID:2604 -
\??\c:\64284.exec:\64284.exe41⤵
- Executes dropped EXE
PID:2624 -
\??\c:\8868002.exec:\8868002.exe42⤵
- Executes dropped EXE
PID:3040 -
\??\c:\rxrfrxr.exec:\rxrfrxr.exe43⤵
- Executes dropped EXE
PID:2588 -
\??\c:\9fxfrfr.exec:\9fxfrfr.exe44⤵
- Executes dropped EXE
PID:2876 -
\??\c:\66846.exec:\66846.exe45⤵
- Executes dropped EXE
PID:444 -
\??\c:\a2684.exec:\a2684.exe46⤵
- Executes dropped EXE
PID:1076 -
\??\c:\nhhtnb.exec:\nhhtnb.exe47⤵
- Executes dropped EXE
PID:2540 -
\??\c:\k04206.exec:\k04206.exe48⤵
- Executes dropped EXE
PID:1192 -
\??\c:\0428668.exec:\0428668.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1616 -
\??\c:\008484.exec:\008484.exe50⤵
- Executes dropped EXE
PID:2204 -
\??\c:\q20462.exec:\q20462.exe51⤵
- Executes dropped EXE
PID:2256 -
\??\c:\26440.exec:\26440.exe52⤵
- Executes dropped EXE
PID:1788 -
\??\c:\4864060.exec:\4864060.exe53⤵
- Executes dropped EXE
PID:1552 -
\??\c:\rfxfxxr.exec:\rfxfxxr.exe54⤵
- Executes dropped EXE
PID:1896 -
\??\c:\lfxfxfx.exec:\lfxfxfx.exe55⤵
- Executes dropped EXE
PID:1156 -
\??\c:\84646.exec:\84646.exe56⤵
- Executes dropped EXE
PID:2400 -
\??\c:\9rrfffl.exec:\9rrfffl.exe57⤵
- Executes dropped EXE
PID:2372 -
\??\c:\20848.exec:\20848.exe58⤵
- Executes dropped EXE
PID:1852 -
\??\c:\086486.exec:\086486.exe59⤵
- Executes dropped EXE
PID:2340 -
\??\c:\7htnbh.exec:\7htnbh.exe60⤵
- Executes dropped EXE
PID:2336 -
\??\c:\m0204.exec:\m0204.exe61⤵
- Executes dropped EXE
PID:2516 -
\??\c:\c226026.exec:\c226026.exe62⤵
- Executes dropped EXE
PID:2452 -
\??\c:\228602.exec:\228602.exe63⤵
- Executes dropped EXE
PID:604 -
\??\c:\600802.exec:\600802.exe64⤵
- Executes dropped EXE
PID:1060 -
\??\c:\40868.exec:\40868.exe65⤵
- Executes dropped EXE
PID:2420 -
\??\c:\k04202.exec:\k04202.exe66⤵PID:580
-
\??\c:\9xrxfxx.exec:\9xrxfxx.exe67⤵PID:1716
-
\??\c:\62484.exec:\62484.exe68⤵PID:1980
-
\??\c:\tnhnhh.exec:\tnhnhh.exe69⤵PID:2328
-
\??\c:\nhnnnh.exec:\nhnnnh.exe70⤵PID:2520
-
\??\c:\jvvjj.exec:\jvvjj.exe71⤵PID:2524
-
\??\c:\48440.exec:\48440.exe72⤵PID:2532
-
\??\c:\pddvv.exec:\pddvv.exe73⤵PID:1956
-
\??\c:\3ppvd.exec:\3ppvd.exe74⤵PID:1652
-
\??\c:\jpvjj.exec:\jpvjj.exe75⤵PID:2228
-
\??\c:\ffrrfxf.exec:\ffrrfxf.exe76⤵PID:2028
-
\??\c:\frrlfrf.exec:\frrlfrf.exe77⤵PID:2492
-
\??\c:\nhbbht.exec:\nhbbht.exe78⤵PID:2768
-
\??\c:\hbttnt.exec:\hbttnt.exe79⤵PID:2712
-
\??\c:\008680.exec:\008680.exe80⤵PID:2824
-
\??\c:\s4240.exec:\s4240.exe81⤵PID:2128
-
\??\c:\0424002.exec:\0424002.exe82⤵PID:2740
-
\??\c:\26202.exec:\26202.exe83⤵PID:2924
-
\??\c:\nthbnn.exec:\nthbnn.exe84⤵PID:2584
-
\??\c:\bbthtb.exec:\bbthtb.exe85⤵PID:2600
-
\??\c:\2088406.exec:\2088406.exe86⤵PID:1872
-
\??\c:\q84024.exec:\q84024.exe87⤵PID:2560
-
\??\c:\nhhnht.exec:\nhhnht.exe88⤵PID:1992
-
\??\c:\44208.exec:\44208.exe89⤵PID:1036
-
\??\c:\m2062.exec:\m2062.exe90⤵PID:1656
-
\??\c:\04802.exec:\04802.exe91⤵PID:2164
-
\??\c:\llrfxfl.exec:\llrfxfl.exe92⤵PID:2956
-
\??\c:\w66806.exec:\w66806.exe93⤵PID:2852
-
\??\c:\0804624.exec:\0804624.exe94⤵PID:2880
-
\??\c:\8002022.exec:\8002022.exe95⤵PID:740
-
\??\c:\dvjvd.exec:\dvjvd.exe96⤵PID:1244
-
\??\c:\bhbbtn.exec:\bhbbtn.exe97⤵PID:1176
-
\??\c:\26842.exec:\26842.exe98⤵PID:1156
-
\??\c:\60806.exec:\60806.exe99⤵PID:2400
-
\??\c:\86884.exec:\86884.exe100⤵PID:2432
-
\??\c:\9vjpv.exec:\9vjpv.exe101⤵PID:560
-
\??\c:\7fxlrff.exec:\7fxlrff.exe102⤵PID:2392
-
\??\c:\42624.exec:\42624.exe103⤵PID:1804
-
\??\c:\btnthn.exec:\btnthn.exe104⤵PID:2100
-
\??\c:\lxllxxf.exec:\lxllxxf.exe105⤵PID:2452
-
\??\c:\080448.exec:\080448.exe106⤵PID:2984
-
\??\c:\1flllxx.exec:\1flllxx.exe107⤵PID:1680
-
\??\c:\9htbnh.exec:\9htbnh.exe108⤵PID:1708
-
\??\c:\0422064.exec:\0422064.exe109⤵PID:1404
-
\??\c:\m8000.exec:\m8000.exe110⤵PID:1716
-
\??\c:\a4228.exec:\a4228.exe111⤵PID:1464
-
\??\c:\hbbntb.exec:\hbbntb.exe112⤵PID:2304
-
\??\c:\64288.exec:\64288.exe113⤵PID:2992
-
\??\c:\htbhhn.exec:\htbhhn.exe114⤵PID:2524
-
\??\c:\pdpjd.exec:\pdpjd.exe115⤵PID:1532
-
\??\c:\3ntnhn.exec:\3ntnhn.exe116⤵PID:1052
-
\??\c:\68086.exec:\68086.exe117⤵PID:1652
-
\??\c:\xrlrrfl.exec:\xrlrrfl.exe118⤵PID:2480
-
\??\c:\rlfxlrl.exec:\rlfxlrl.exe119⤵PID:2028
-
\??\c:\s6020.exec:\s6020.exe120⤵PID:1580
-
\??\c:\ffllllr.exec:\ffllllr.exe121⤵PID:1568
-
\??\c:\406600.exec:\406600.exe122⤵PID:2104