Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 13:53
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe
-
Size
454KB
-
MD5
3e4a6ff5aa3bc6d80d6b0bcd852c22cf
-
SHA1
cd9ab18cf7e2680e15c1632b0be7e9a11e916476
-
SHA256
a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8
-
SHA512
cef8a338d35b18b72c8121a80d6f58edc01939ccb89e8e5ee80541a9cbc660c64a43aebe9600007d9a3851c523a69d8391a08e66355f8e56824b26a3d48f169d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 52 IoCs. Each hit is the `family_blackmoon` YARA rule matching a process memory dump. Every matched region is 0x2A000 bytes long, either at the default image base 0x400000 or at a second mapping (0x220000, 0x230000, 0x280000, 0x2B0000 or 0x3C0000), which is consistent with the same payload being re-dropped and re-executed at every stage of the chain rather than a distinct second stage being unpacked.
resource yara_rule behavioral1/memory/2176-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-21-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2596-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/652-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-83-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2964-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-120-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1644-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1452-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2224-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-195-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1672-209-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1280-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/972-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1440-312-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2588-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-367-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2952-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1604-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/844-601-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2896-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-615-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2896-634-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2732-658-0x0000000000280000-0x00000000002AA000-memory.dmp family_blackmoon behavioral1/memory/2560-748-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1628-786-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2064-836-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2696-898-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3048-905-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2808-932-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2488-1072-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1168-1225-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2364-1343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the list is capped at 64; the process tree below shows 121 dropped executables, so it is truncated). Every dropped file is written to the root of the system drive (`\??\c:\<name>.exe`) with a name that is either a short consonant string (hbhhhn.exe, 1xrlrrx.exe) or a digit string (640244.exe) — new executables directly under the drive root are a usable hunting pattern for this chain. PIDs are reused within the 120 s run (e.g. 2588 is listed for both dpdjp.exe and pjdjp.exe, 2560 for jvjdj.exe and ffrlrxf.exe), so a PID alone does not identify a stage; key on PID plus image name.
pid Process 2520 hbhhhn.exe 2596 1xrlrrx.exe 2588 dpdjp.exe 1488 640244.exe 652 jpjjv.exe 2924 fxrrrxf.exe 2792 xxfxlrf.exe 2964 8640224.exe 2712 5fllrrf.exe 2688 2668646.exe 2808 0862402.exe 2196 jjdpd.exe 1944 0422406.exe 1644 3lxfxfr.exe 2676 1xfxffl.exe 1784 60280.exe 2004 tnthnn.exe 1452 6406408.exe 2788 26806.exe 2224 ddvvj.exe 2236 w04462.exe 1672 m2446.exe 1280 0828408.exe 2032 866222.exe 972 ffxfrxf.exe 1068 dppvp.exe 2216 68482.exe 564 vdppp.exe 1344 rlfrlfr.exe 892 2406828.exe 2144 4202064.exe 2160 646004.exe 2388 8640628.exe 1440 3llrxff.exe 3028 lflllrx.exe 2588 pjdjp.exe 2380 5thnnn.exe 2540 bhntbt.exe 3048 3jdjv.exe 1912 8262840.exe 2696 rrrxlrf.exe 2820 486244.exe 2860 5pvdj.exe 2952 8206068.exe 1920 s8684.exe 2336 1nbbtt.exe 1992 fxrxlfl.exe 1588 frllffr.exe 1076 g2400.exe 644 o600262.exe 2748 42688.exe 1216 2606888.exe 1336 2088068.exe 1040 o822440.exe 1248 pdpvd.exe 2560 jvjdj.exe 2728 e20628.exe 2252 86446.exe 2124 e42200.exe 1036 c628040.exe 1636 26802.exe 1620 g4288.exe 2656 208844.exe 1200 264400.exe -
UPX packer signature (YARA rule `upx`, matched in the same image regions as the Blackmoon payload above, i.e. each dropped stage is itself UPX-packed)
resource yara_rule behavioral1/memory/2176-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/652-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1452-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-222-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/972-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1440-312-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2588-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1216-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-658-0x0000000000280000-0x00000000002AA000-memory.dmp upx behavioral1/memory/1216-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-786-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2608-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-836-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2056-861-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-905-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1336-970-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-996-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-1040-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2504-1086-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-1096-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-1141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-1200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1168-1225-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2636-1288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-1343-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs (list capped at 64)
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). The evidence is each stage opening `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`. Entries labelled "Process not Found" appear to be reads attributed to a stage that had already exited before the sandbox could resolve its image name. On its own this key read is a weak indicator — legitimate software queries it too — but combined with the payload detections above it is a common pattern for a locale-based kill switch; whether this sample actually changes behaviour on particular locales is not shown by this report.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0462888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2606880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
nhhtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26062.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrlrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 646288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 086684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k86200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (list capped at 64; only the first 16 parent→child pairs of the chain are shown). Every listed entry is a parent writing into the process it has just spawned (the next stage), recorded four times per pair, which matches ordinary process creation and stage hand-off rather than injection into an unrelated process; no write into a pre-existing system process appears in the listed entries.
description pid Process procid_target PID 2176 wrote to memory of 2520 2176 a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe 30 PID 2176 wrote to memory of 2520 2176 a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe 30 PID 2176 wrote to memory of 2520 2176 a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe 30 PID 2176 wrote to memory of 2520 2176 a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe 30 PID 2520 wrote to memory of 2596 2520 hbhhhn.exe 31 PID 2520 wrote to memory of 2596 2520 hbhhhn.exe 31 PID 2520 wrote to memory of 2596 2520 hbhhhn.exe 31 PID 2520 wrote to memory of 2596 2520 hbhhhn.exe 31 PID 2596 wrote to memory of 2588 2596 1xrlrrx.exe 32 PID 2596 wrote to memory of 2588 2596 1xrlrrx.exe 32 PID 2596 wrote to memory of 2588 2596 1xrlrrx.exe 32 PID 2596 wrote to memory of 2588 2596 1xrlrrx.exe 32 PID 2588 wrote to memory of 1488 2588 dpdjp.exe 33 PID 2588 wrote to memory of 1488 2588 dpdjp.exe 33 PID 2588 wrote to memory of 1488 2588 dpdjp.exe 33 PID 2588 wrote to memory of 1488 2588 dpdjp.exe 33 PID 1488 wrote to memory of 652 1488 640244.exe 34 PID 1488 wrote to memory of 652 1488 640244.exe 34 PID 1488 wrote to memory of 652 1488 640244.exe 34 PID 1488 wrote to memory of 652 1488 640244.exe 34 PID 652 wrote to memory of 2924 652 jpjjv.exe 35 PID 652 wrote to memory of 2924 652 jpjjv.exe 35 PID 652 wrote to memory of 2924 652 jpjjv.exe 35 PID 652 wrote to memory of 2924 652 jpjjv.exe 35 PID 2924 wrote to memory of 2792 2924 fxrrrxf.exe 36 PID 2924 wrote to memory of 2792 2924 fxrrrxf.exe 36 PID 2924 wrote to memory of 2792 2924 fxrrrxf.exe 36 PID 2924 wrote to memory of 2792 2924 fxrrrxf.exe 36 PID 2792 wrote to memory of 2964 2792 xxfxlrf.exe 37 PID 2792 wrote to memory of 2964 2792 xxfxlrf.exe 37 PID 2792 wrote to memory of 2964 2792 xxfxlrf.exe 37 PID 2792 wrote to memory of 2964 2792 xxfxlrf.exe 37 PID 2964 wrote to memory of 2712 2964 8640224.exe 38 PID 2964 wrote to 
memory of 2712 2964 8640224.exe 38 PID 2964 wrote to memory of 2712 2964 8640224.exe 38 PID 2964 wrote to memory of 2712 2964 8640224.exe 38 PID 2712 wrote to memory of 2688 2712 5fllrrf.exe 39 PID 2712 wrote to memory of 2688 2712 5fllrrf.exe 39 PID 2712 wrote to memory of 2688 2712 5fllrrf.exe 39 PID 2712 wrote to memory of 2688 2712 5fllrrf.exe 39 PID 2688 wrote to memory of 2808 2688 2668646.exe 40 PID 2688 wrote to memory of 2808 2688 2668646.exe 40 PID 2688 wrote to memory of 2808 2688 2668646.exe 40 PID 2688 wrote to memory of 2808 2688 2668646.exe 40 PID 2808 wrote to memory of 2196 2808 0862402.exe 41 PID 2808 wrote to memory of 2196 2808 0862402.exe 41 PID 2808 wrote to memory of 2196 2808 0862402.exe 41 PID 2808 wrote to memory of 2196 2808 0862402.exe 41 PID 2196 wrote to memory of 1944 2196 jjdpd.exe 42 PID 2196 wrote to memory of 1944 2196 jjdpd.exe 42 PID 2196 wrote to memory of 1944 2196 jjdpd.exe 42 PID 2196 wrote to memory of 1944 2196 jjdpd.exe 42 PID 1944 wrote to memory of 1644 1944 0422406.exe 43 PID 1944 wrote to memory of 1644 1944 0422406.exe 43 PID 1944 wrote to memory of 1644 1944 0422406.exe 43 PID 1944 wrote to memory of 1644 1944 0422406.exe 43 PID 1644 wrote to memory of 2676 1644 3lxfxfr.exe 44 PID 1644 wrote to memory of 2676 1644 3lxfxfr.exe 44 PID 1644 wrote to memory of 2676 1644 3lxfxfr.exe 44 PID 1644 wrote to memory of 2676 1644 3lxfxfr.exe 44 PID 2676 wrote to memory of 1784 2676 1xfxffl.exe 45 PID 2676 wrote to memory of 1784 2676 1xfxffl.exe 45 PID 2676 wrote to memory of 1784 2676 1xfxffl.exe 45 PID 2676 wrote to memory of 1784 2676 1xfxffl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe"C:\Users\Admin\AppData\Local\Temp\a601f4f0e79d977b465702819ba5fefcc85472326b0a2e1b180a25d1ab07b1c8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\hbhhhn.exec:\hbhhhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\1xrlrrx.exec:\1xrlrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\dpdjp.exec:\dpdjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\640244.exec:\640244.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\jpjjv.exec:\jpjjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\fxrrrxf.exec:\fxrrrxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\xxfxlrf.exec:\xxfxlrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\8640224.exec:\8640224.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\5fllrrf.exec:\5fllrrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\2668646.exec:\2668646.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\0862402.exec:\0862402.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\jjdpd.exec:\jjdpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\0422406.exec:\0422406.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\3lxfxfr.exec:\3lxfxfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\1xfxffl.exec:\1xfxffl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\60280.exec:\60280.exe17⤵
- Executes dropped EXE
PID:1784 -
\??\c:\tnthnn.exec:\tnthnn.exe18⤵
- Executes dropped EXE
PID:2004 -
\??\c:\6406408.exec:\6406408.exe19⤵
- Executes dropped EXE
PID:1452 -
\??\c:\26806.exec:\26806.exe20⤵
- Executes dropped EXE
PID:2788 -
\??\c:\ddvvj.exec:\ddvvj.exe21⤵
- Executes dropped EXE
PID:2224 -
\??\c:\w04462.exec:\w04462.exe22⤵
- Executes dropped EXE
PID:2236 -
\??\c:\m2446.exec:\m2446.exe23⤵
- Executes dropped EXE
PID:1672 -
\??\c:\0828408.exec:\0828408.exe24⤵
- Executes dropped EXE
PID:1280 -
\??\c:\866222.exec:\866222.exe25⤵
- Executes dropped EXE
PID:2032 -
\??\c:\ffxfrxf.exec:\ffxfrxf.exe26⤵
- Executes dropped EXE
PID:972 -
\??\c:\dppvp.exec:\dppvp.exe27⤵
- Executes dropped EXE
PID:1068 -
\??\c:\68482.exec:\68482.exe28⤵
- Executes dropped EXE
PID:2216 -
\??\c:\vdppp.exec:\vdppp.exe29⤵
- Executes dropped EXE
PID:564 -
\??\c:\rlfrlfr.exec:\rlfrlfr.exe30⤵
- Executes dropped EXE
PID:1344 -
\??\c:\2406828.exec:\2406828.exe31⤵
- Executes dropped EXE
PID:892 -
\??\c:\4202064.exec:\4202064.exe32⤵
- Executes dropped EXE
PID:2144 -
\??\c:\646004.exec:\646004.exe33⤵
- Executes dropped EXE
PID:2160 -
\??\c:\8640628.exec:\8640628.exe34⤵
- Executes dropped EXE
PID:2388 -
\??\c:\3llrxff.exec:\3llrxff.exe35⤵
- Executes dropped EXE
PID:1440 -
\??\c:\lflllrx.exec:\lflllrx.exe36⤵
- Executes dropped EXE
PID:3028 -
\??\c:\pjdjp.exec:\pjdjp.exe37⤵
- Executes dropped EXE
PID:2588 -
\??\c:\5thnnn.exec:\5thnnn.exe38⤵
- Executes dropped EXE
PID:2380 -
\??\c:\bhntbt.exec:\bhntbt.exe39⤵
- Executes dropped EXE
PID:2540 -
\??\c:\3jdjv.exec:\3jdjv.exe40⤵
- Executes dropped EXE
PID:3048 -
\??\c:\8262840.exec:\8262840.exe41⤵
- Executes dropped EXE
PID:1912 -
\??\c:\rrrxlrf.exec:\rrrxlrf.exe42⤵
- Executes dropped EXE
PID:2696 -
\??\c:\486244.exec:\486244.exe43⤵
- Executes dropped EXE
PID:2820 -
\??\c:\5pvdj.exec:\5pvdj.exe44⤵
- Executes dropped EXE
PID:2860 -
\??\c:\8206068.exec:\8206068.exe45⤵
- Executes dropped EXE
PID:2952 -
\??\c:\s8684.exec:\s8684.exe46⤵
- Executes dropped EXE
PID:1920 -
\??\c:\1nbbtt.exec:\1nbbtt.exe47⤵
- Executes dropped EXE
PID:2336 -
\??\c:\fxrxlfl.exec:\fxrxlfl.exe48⤵
- Executes dropped EXE
PID:1992 -
\??\c:\frllffr.exec:\frllffr.exe49⤵
- Executes dropped EXE
PID:1588 -
\??\c:\g2400.exec:\g2400.exe50⤵
- Executes dropped EXE
PID:1076 -
\??\c:\o600262.exec:\o600262.exe51⤵
- Executes dropped EXE
PID:644 -
\??\c:\42688.exec:\42688.exe52⤵
- Executes dropped EXE
PID:2748 -
\??\c:\2606888.exec:\2606888.exe53⤵
- Executes dropped EXE
PID:1216 -
\??\c:\2088068.exec:\2088068.exe54⤵
- Executes dropped EXE
PID:1336 -
\??\c:\o822440.exec:\o822440.exe55⤵
- Executes dropped EXE
PID:1040 -
\??\c:\pdpvd.exec:\pdpvd.exe56⤵
- Executes dropped EXE
PID:1248 -
\??\c:\jvjdj.exec:\jvjdj.exe57⤵
- Executes dropped EXE
PID:2560 -
\??\c:\e20628.exec:\e20628.exe58⤵
- Executes dropped EXE
PID:2728 -
\??\c:\86446.exec:\86446.exe59⤵
- Executes dropped EXE
PID:2252 -
\??\c:\e42200.exec:\e42200.exe60⤵
- Executes dropped EXE
PID:2124 -
\??\c:\c628040.exec:\c628040.exe61⤵
- Executes dropped EXE
PID:1036 -
\??\c:\26802.exec:\26802.exe62⤵
- Executes dropped EXE
PID:1636 -
\??\c:\g4288.exec:\g4288.exe63⤵
- Executes dropped EXE
PID:1620 -
\??\c:\208844.exec:\208844.exe64⤵
- Executes dropped EXE
PID:2656 -
\??\c:\264400.exec:\264400.exe65⤵
- Executes dropped EXE
PID:1200 -
\??\c:\u428002.exec:\u428002.exe66⤵PID:1696
-
\??\c:\nbnntn.exec:\nbnntn.exe67⤵PID:548
-
\??\c:\fxrrxlr.exec:\fxrrxlr.exe68⤵PID:964
-
\??\c:\tntbnt.exec:\tntbnt.exe69⤵PID:1756
-
\??\c:\9ttbtt.exec:\9ttbtt.exe70⤵PID:924
-
\??\c:\xlrllfl.exec:\xlrllfl.exe71⤵PID:1008
-
\??\c:\6444602.exec:\6444602.exe72⤵PID:1344
-
\??\c:\bnhhbt.exec:\bnhhbt.exe73⤵PID:2912
-
\??\c:\xfflrxl.exec:\xfflrxl.exe74⤵PID:1072
-
\??\c:\k60648.exec:\k60648.exe75⤵PID:1604
-
\??\c:\6022480.exec:\6022480.exe76⤵PID:1044
-
\??\c:\k86200.exec:\k86200.exe77⤵
- System Location Discovery: System Language Discovery
PID:844 -
\??\c:\bhnttb.exec:\bhnttb.exe78⤵PID:2600
-
\??\c:\1thhtb.exec:\1thhtb.exe79⤵PID:2592
-
\??\c:\fxlxfxx.exec:\fxlxfxx.exe80⤵PID:2884
-
\??\c:\llfrxlx.exec:\llfrxlx.exe81⤵PID:2816
-
\??\c:\rfrrrll.exec:\rfrrrll.exe82⤵PID:2896
-
\??\c:\40488.exec:\40488.exe83⤵PID:2888
-
\??\c:\2606880.exec:\2606880.exe84⤵
- System Location Discovery: System Language Discovery
PID:2940 -
\??\c:\c200280.exec:\c200280.exe85⤵PID:2848
-
\??\c:\hhbhnn.exec:\hhbhnn.exe86⤵PID:1780
-
\??\c:\9jvjp.exec:\9jvjp.exe87⤵PID:1752
-
\??\c:\1frxxfl.exec:\1frxxfl.exe88⤵PID:2720
-
\??\c:\o446886.exec:\o446886.exe89⤵PID:2732
-
\??\c:\bththb.exec:\bththb.exe90⤵PID:2760
-
\??\c:\vjppp.exec:\vjppp.exe91⤵PID:1648
-
\??\c:\1jddj.exec:\1jddj.exe92⤵PID:2496
-
\??\c:\ffxfrxr.exec:\ffxfrxr.exe93⤵PID:2344
-
\??\c:\486684.exec:\486684.exe94⤵PID:2024
-
\??\c:\bthhnn.exec:\bthhnn.exe95⤵PID:1652
-
\??\c:\dvvdp.exec:\dvvdp.exe96⤵PID:1216
-
\??\c:\q46060.exec:\q46060.exe97⤵PID:1368
-
\??\c:\jvppp.exec:\jvppp.exe98⤵PID:2184
-
\??\c:\86062.exec:\86062.exe99⤵PID:2276
-
\??\c:\ffrlrxf.exec:\ffrlrxf.exe100⤵PID:2560
-
\??\c:\fxllxrx.exec:\fxllxrx.exe101⤵PID:2272
-
\??\c:\bththh.exec:\bththh.exe102⤵PID:2244
-
\??\c:\q08026.exec:\q08026.exe103⤵PID:2204
-
\??\c:\428222.exec:\428222.exe104⤵PID:1672
-
\??\c:\822006.exec:\822006.exe105⤵PID:2316
-
\??\c:\820248.exec:\820248.exe106⤵PID:2036
-
\??\c:\hbnbbt.exec:\hbnbbt.exe107⤵PID:688
-
\??\c:\tnbhnh.exec:\tnbhnh.exe108⤵PID:112
-
\??\c:\1rlflfx.exec:\1rlflfx.exe109⤵PID:1628
-
\??\c:\pdjpp.exec:\pdjpp.exe110⤵PID:380
-
\??\c:\tnbntt.exec:\tnbntt.exe111⤵PID:1908
-
\??\c:\82624.exec:\82624.exe112⤵PID:1656
-
\??\c:\5htthh.exec:\5htthh.exe113⤵PID:2608
-
\??\c:\thbbnh.exec:\thbbnh.exe114⤵PID:2180
-
\??\c:\424006.exec:\424006.exe115⤵PID:2364
-
\??\c:\9bnntt.exec:\9bnntt.exe116⤵PID:1760
-
\??\c:\2646280.exec:\2646280.exe117⤵PID:2064
-
\??\c:\a6228.exec:\a6228.exe118⤵PID:2532
-
\??\c:\2088002.exec:\2088002.exe119⤵PID:2084
-
\??\c:\4862226.exec:\4862226.exe120⤵PID:1440
-
\??\c:\5btnnn.exec:\5btnnn.exe121⤵PID:2536
-
\??\c:\7vddj.exec:\7vddj.exe122⤵PID:2056