Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 21:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
316b27db13ec1d8408e5de53968d482bf3edd1d07d1190af93fcebe39a428cae.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
316b27db13ec1d8408e5de53968d482bf3edd1d07d1190af93fcebe39a428cae.exe
-
Size
453KB
-
MD5
8b5aa080c60765f6220a679d1e6e55e2
-
SHA1
2b062247e10c2e36884b74cd6d6328aa41161633
-
SHA256
316b27db13ec1d8408e5de53968d482bf3edd1d07d1190af93fcebe39a428cae
-
SHA512
59480ea92066b845d0b890881765443e0430feece551557f6e4a11b912c9458094f8b7b6a38c2a4f1a4d59d431dde234b8820d55282d767630d8516ad90dc9a0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/2124-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1104-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1804-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1376-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1376-490-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1040-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-728-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1296-744-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2160-745-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2948-918-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/528-974-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2380 e40448.exe 2840 86846.exe 2156 e42244.exe 2796 a6068.exe 2656 jdpvd.exe 2928 thbhnn.exe 2696 02464.exe 2116 vpdpd.exe 1732 lflrxrx.exe 2428 8202468.exe 2232 q02804.exe 3008 c088888.exe 2900 6844480.exe 2864 208848.exe 2284 bnnhbn.exe 1152 ffrxlrf.exe 1716 22062.exe 2576 26026.exe 2120 1rxfflx.exe 2512 204462.exe 2320 5vvpd.exe 1680 fxrxxlx.exe 1104 ddvjv.exe 576 q04200.exe 1540 bbthtt.exe 2324 htnbth.exe 612 48286.exe 2508 222284.exe 1584 8240228.exe 1804 bbnbhh.exe 1992 2084484.exe 324 7httbb.exe 2780 046806.exe 2828 5pddd.exe 2840 082806.exe 1596 60288.exe 2740 004684.exe 2844 lxrfflx.exe 2636 a0008.exe 2752 66468.exe 1956 ppjpv.exe 2068 1dvdj.exe 2272 g0080.exe 2428 ddvdj.exe 1348 04242.exe 2896 rllrxfl.exe 2972 86002.exe 1248 1dppv.exe 2228 e26862.exe 1928 g6002.exe 2980 42844.exe 1444 2280224.exe 1924 2684620.exe 1716 a6220.exe 1984 9tntbn.exe 2244 rfllrrf.exe 2072 k88424.exe 2512 1bttth.exe 1916 268022.exe 1376 820688.exe 904 8240624.exe 2412 62004.exe 2236 c040284.exe 1532 26028.exe -
resource yara_rule behavioral1/memory/2124-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-145-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2284-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1104-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-260-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1804-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1376-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-720-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-832-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2344-870-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-883-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-929-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 046806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhtb.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8606820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6428668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8202468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2380 2124 316b27db13ec1d8408e5de53968d482bf3edd1d07d1190af93fcebe39a428cae.exe 31 PID 2124 wrote to memory of 2380 2124 316b27db13ec1d8408e5de53968d482bf3edd1d07d1190af93fcebe39a428cae.exe 31 PID 2124 wrote to memory of 2380 2124 316b27db13ec1d8408e5de53968d482bf3edd1d07d1190af93fcebe39a428cae.exe 31 PID 2124 wrote to memory of 2380 2124 316b27db13ec1d8408e5de53968d482bf3edd1d07d1190af93fcebe39a428cae.exe 31 PID 2380 wrote to memory of 2840 2380 e40448.exe 32 PID 2380 wrote to memory of 2840 2380 e40448.exe 32 PID 2380 wrote to memory of 2840 2380 e40448.exe 32 PID 2380 wrote to memory of 2840 2380 e40448.exe 32 PID 2840 wrote to memory of 2156 2840 86846.exe 33 PID 2840 wrote to memory of 2156 2840 86846.exe 33 PID 2840 wrote to memory of 2156 2840 86846.exe 33 PID 2840 wrote to memory of 2156 2840 86846.exe 33 PID 2156 wrote to memory of 2796 2156 e42244.exe 34 PID 2156 wrote to memory of 2796 2156 e42244.exe 34 PID 2156 wrote to memory of 2796 2156 e42244.exe 34 PID 2156 wrote to memory of 2796 2156 e42244.exe 34 PID 2796 wrote to memory of 2656 2796 a6068.exe 35 PID 2796 wrote to memory of 2656 2796 a6068.exe 35 PID 2796 wrote to memory of 2656 2796 a6068.exe 35 PID 2796 wrote to memory of 2656 2796 a6068.exe 35 PID 2656 wrote to memory of 2928 2656 jdpvd.exe 36 PID 2656 wrote to memory of 2928 2656 jdpvd.exe 36 PID 2656 wrote to memory of 2928 2656 jdpvd.exe 36 PID 2656 wrote to memory of 2928 2656 jdpvd.exe 36 PID 2928 wrote to memory of 2696 2928 thbhnn.exe 37 PID 2928 wrote to memory of 2696 2928 thbhnn.exe 37 PID 2928 wrote to memory of 2696 2928 thbhnn.exe 37 PID 2928 wrote to memory of 2696 2928 thbhnn.exe 37 PID 2696 wrote to memory of 2116 2696 02464.exe 38 PID 2696 wrote to memory of 2116 2696 02464.exe 38 PID 2696 wrote to memory of 2116 2696 02464.exe 38 PID 2696 wrote to memory of 2116 2696 02464.exe 38 PID 2116 wrote to memory of 1732 2116 vpdpd.exe 39 PID 2116 wrote to memory of 
1732 2116 vpdpd.exe 39 PID 2116 wrote to memory of 1732 2116 vpdpd.exe 39 PID 2116 wrote to memory of 1732 2116 vpdpd.exe 39 PID 1732 wrote to memory of 2428 1732 lflrxrx.exe 40 PID 1732 wrote to memory of 2428 1732 lflrxrx.exe 40 PID 1732 wrote to memory of 2428 1732 lflrxrx.exe 40 PID 1732 wrote to memory of 2428 1732 lflrxrx.exe 40 PID 2428 wrote to memory of 2232 2428 8202468.exe 41 PID 2428 wrote to memory of 2232 2428 8202468.exe 41 PID 2428 wrote to memory of 2232 2428 8202468.exe 41 PID 2428 wrote to memory of 2232 2428 8202468.exe 41 PID 2232 wrote to memory of 3008 2232 q02804.exe 42 PID 2232 wrote to memory of 3008 2232 q02804.exe 42 PID 2232 wrote to memory of 3008 2232 q02804.exe 42 PID 2232 wrote to memory of 3008 2232 q02804.exe 42 PID 3008 wrote to memory of 2900 3008 c088888.exe 43 PID 3008 wrote to memory of 2900 3008 c088888.exe 43 PID 3008 wrote to memory of 2900 3008 c088888.exe 43 PID 3008 wrote to memory of 2900 3008 c088888.exe 43 PID 2900 wrote to memory of 2864 2900 6844480.exe 44 PID 2900 wrote to memory of 2864 2900 6844480.exe 44 PID 2900 wrote to memory of 2864 2900 6844480.exe 44 PID 2900 wrote to memory of 2864 2900 6844480.exe 44 PID 2864 wrote to memory of 2284 2864 208848.exe 45 PID 2864 wrote to memory of 2284 2864 208848.exe 45 PID 2864 wrote to memory of 2284 2864 208848.exe 45 PID 2864 wrote to memory of 2284 2864 208848.exe 45 PID 2284 wrote to memory of 1152 2284 bnnhbn.exe 46 PID 2284 wrote to memory of 1152 2284 bnnhbn.exe 46 PID 2284 wrote to memory of 1152 2284 bnnhbn.exe 46 PID 2284 wrote to memory of 1152 2284 bnnhbn.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\316b27db13ec1d8408e5de53968d482bf3edd1d07d1190af93fcebe39a428cae.exe"C:\Users\Admin\AppData\Local\Temp\316b27db13ec1d8408e5de53968d482bf3edd1d07d1190af93fcebe39a428cae.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\e40448.exec:\e40448.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\86846.exec:\86846.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\e42244.exec:\e42244.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\a6068.exec:\a6068.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\jdpvd.exec:\jdpvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\thbhnn.exec:\thbhnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\02464.exec:\02464.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\vpdpd.exec:\vpdpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\lflrxrx.exec:\lflrxrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\8202468.exec:\8202468.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\q02804.exec:\q02804.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\c088888.exec:\c088888.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\6844480.exec:\6844480.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\208848.exec:\208848.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\bnnhbn.exec:\bnnhbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\ffrxlrf.exec:\ffrxlrf.exe17⤵
- Executes dropped EXE
PID:1152 -
\??\c:\22062.exec:\22062.exe18⤵
- Executes dropped EXE
PID:1716 -
\??\c:\26026.exec:\26026.exe19⤵
- Executes dropped EXE
PID:2576 -
\??\c:\1rxfflx.exec:\1rxfflx.exe20⤵
- Executes dropped EXE
PID:2120 -
\??\c:\204462.exec:\204462.exe21⤵
- Executes dropped EXE
PID:2512 -
\??\c:\5vvpd.exec:\5vvpd.exe22⤵
- Executes dropped EXE
PID:2320 -
\??\c:\fxrxxlx.exec:\fxrxxlx.exe23⤵
- Executes dropped EXE
PID:1680 -
\??\c:\ddvjv.exec:\ddvjv.exe24⤵
- Executes dropped EXE
PID:1104 -
\??\c:\q04200.exec:\q04200.exe25⤵
- Executes dropped EXE
PID:576 -
\??\c:\bbthtt.exec:\bbthtt.exe26⤵
- Executes dropped EXE
PID:1540 -
\??\c:\htnbth.exec:\htnbth.exe27⤵
- Executes dropped EXE
PID:2324 -
\??\c:\48286.exec:\48286.exe28⤵
- Executes dropped EXE
PID:612 -
\??\c:\222284.exec:\222284.exe29⤵
- Executes dropped EXE
PID:2508 -
\??\c:\8240228.exec:\8240228.exe30⤵
- Executes dropped EXE
PID:1584 -
\??\c:\bbnbhh.exec:\bbnbhh.exe31⤵
- Executes dropped EXE
PID:1804 -
\??\c:\2084484.exec:\2084484.exe32⤵
- Executes dropped EXE
PID:1992 -
\??\c:\7httbb.exec:\7httbb.exe33⤵
- Executes dropped EXE
PID:324 -
\??\c:\046806.exec:\046806.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2780 -
\??\c:\5pddd.exec:\5pddd.exe35⤵
- Executes dropped EXE
PID:2828 -
\??\c:\082806.exec:\082806.exe36⤵
- Executes dropped EXE
PID:2840 -
\??\c:\60288.exec:\60288.exe37⤵
- Executes dropped EXE
PID:1596 -
\??\c:\004684.exec:\004684.exe38⤵
- Executes dropped EXE
PID:2740 -
\??\c:\lxrfflx.exec:\lxrfflx.exe39⤵
- Executes dropped EXE
PID:2844 -
\??\c:\a0008.exec:\a0008.exe40⤵
- Executes dropped EXE
PID:2636 -
\??\c:\66468.exec:\66468.exe41⤵
- Executes dropped EXE
PID:2752 -
\??\c:\ppjpv.exec:\ppjpv.exe42⤵
- Executes dropped EXE
PID:1956 -
\??\c:\1dvdj.exec:\1dvdj.exe43⤵
- Executes dropped EXE
PID:2068 -
\??\c:\g0080.exec:\g0080.exe44⤵
- Executes dropped EXE
PID:2272 -
\??\c:\ddvdj.exec:\ddvdj.exe45⤵
- Executes dropped EXE
PID:2428 -
\??\c:\04242.exec:\04242.exe46⤵
- Executes dropped EXE
PID:1348 -
\??\c:\rllrxfl.exec:\rllrxfl.exe47⤵
- Executes dropped EXE
PID:2896 -
\??\c:\86002.exec:\86002.exe48⤵
- Executes dropped EXE
PID:2972 -
\??\c:\1dppv.exec:\1dppv.exe49⤵
- Executes dropped EXE
PID:1248 -
\??\c:\e26862.exec:\e26862.exe50⤵
- Executes dropped EXE
PID:2228 -
\??\c:\g6002.exec:\g6002.exe51⤵
- Executes dropped EXE
PID:1928 -
\??\c:\42844.exec:\42844.exe52⤵
- Executes dropped EXE
PID:2980 -
\??\c:\2280224.exec:\2280224.exe53⤵
- Executes dropped EXE
PID:1444 -
\??\c:\2684620.exec:\2684620.exe54⤵
- Executes dropped EXE
PID:1924 -
\??\c:\a6220.exec:\a6220.exe55⤵
- Executes dropped EXE
PID:1716 -
\??\c:\9tntbn.exec:\9tntbn.exe56⤵
- Executes dropped EXE
PID:1984 -
\??\c:\rfllrrf.exec:\rfllrrf.exe57⤵
- Executes dropped EXE
PID:2244 -
\??\c:\k88424.exec:\k88424.exe58⤵
- Executes dropped EXE
PID:2072 -
\??\c:\1bttth.exec:\1bttth.exe59⤵
- Executes dropped EXE
PID:2512 -
\??\c:\268022.exec:\268022.exe60⤵
- Executes dropped EXE
PID:1916 -
\??\c:\820688.exec:\820688.exe61⤵
- Executes dropped EXE
PID:1376 -
\??\c:\8240624.exec:\8240624.exe62⤵
- Executes dropped EXE
PID:904 -
\??\c:\62004.exec:\62004.exe63⤵
- Executes dropped EXE
PID:2412 -
\??\c:\c040284.exec:\c040284.exe64⤵
- Executes dropped EXE
PID:2236 -
\??\c:\26028.exec:\26028.exe65⤵
- Executes dropped EXE
PID:1532 -
\??\c:\hbnbnt.exec:\hbnbnt.exe66⤵PID:1612
-
\??\c:\fxrxllf.exec:\fxrxllf.exe67⤵PID:692
-
\??\c:\3lflfxr.exec:\3lflfxr.exe68⤵PID:1040
-
\??\c:\m4408.exec:\m4408.exe69⤵PID:1240
-
\??\c:\628202.exec:\628202.exe70⤵PID:2052
-
\??\c:\g4224.exec:\g4224.exe71⤵PID:2524
-
\??\c:\2028468.exec:\2028468.exe72⤵PID:1960
-
\??\c:\jdvjp.exec:\jdvjp.exe73⤵PID:1652
-
\??\c:\608648.exec:\608648.exe74⤵PID:2724
-
\??\c:\222424.exec:\222424.exe75⤵PID:2424
-
\??\c:\2028046.exec:\2028046.exe76⤵PID:1564
-
\??\c:\2602402.exec:\2602402.exe77⤵PID:2828
-
\??\c:\a0064.exec:\a0064.exe78⤵PID:2820
-
\??\c:\fxllrrl.exec:\fxllrrl.exe79⤵PID:2932
-
\??\c:\64062.exec:\64062.exe80⤵PID:2668
-
\??\c:\9xffxxl.exec:\9xffxxl.exe81⤵PID:2784
-
\??\c:\2606002.exec:\2606002.exe82⤵PID:2812
-
\??\c:\dvpvp.exec:\dvpvp.exe83⤵PID:2708
-
\??\c:\086862.exec:\086862.exe84⤵PID:2484
-
\??\c:\6088440.exec:\6088440.exe85⤵PID:2868
-
\??\c:\hbtbhn.exec:\hbtbhn.exe86⤵PID:2460
-
\??\c:\k60640.exec:\k60640.exe87⤵PID:2272
-
\??\c:\vvjpv.exec:\vvjpv.exe88⤵PID:2176
-
\??\c:\btnbtn.exec:\btnbtn.exe89⤵PID:1088
-
\??\c:\488866.exec:\488866.exe90⤵PID:3016
-
\??\c:\pjvpj.exec:\pjvpj.exe91⤵
- System Location Discovery: System Language Discovery
PID:2736 -
\??\c:\22242.exec:\22242.exe92⤵PID:2984
-
\??\c:\hbnbhn.exec:\hbnbhn.exe93⤵PID:1744
-
\??\c:\40280.exec:\40280.exe94⤵PID:2020
-
\??\c:\048068.exec:\048068.exe95⤵PID:2284
-
\??\c:\lxrfxfl.exec:\lxrfxfl.exe96⤵PID:1624
-
\??\c:\o822046.exec:\o822046.exe97⤵PID:2160
-
\??\c:\244008.exec:\244008.exe98⤵PID:2100
-
\??\c:\nhbbtb.exec:\nhbbtb.exe99⤵PID:2216
-
\??\c:\7thhhh.exec:\7thhhh.exe100⤵PID:1296
-
\??\c:\4864220.exec:\4864220.exe101⤵PID:960
-
\??\c:\00804.exec:\00804.exe102⤵PID:2512
-
\??\c:\a2402.exec:\a2402.exe103⤵PID:1360
-
\??\c:\6002064.exec:\6002064.exe104⤵PID:916
-
\??\c:\bthnbh.exec:\bthnbh.exe105⤵PID:548
-
\??\c:\ffrxxxf.exec:\ffrxxxf.exe106⤵PID:2588
-
\??\c:\2622406.exec:\2622406.exe107⤵PID:340
-
\??\c:\660682.exec:\660682.exe108⤵PID:664
-
\??\c:\rlflxxr.exec:\rlflxxr.exe109⤵PID:2324
-
\??\c:\btnbtb.exec:\btnbtb.exe110⤵PID:1756
-
\??\c:\q86066.exec:\q86066.exe111⤵PID:1988
-
\??\c:\c044224.exec:\c044224.exe112⤵PID:1640
-
\??\c:\208066.exec:\208066.exe113⤵PID:1676
-
\??\c:\s2246.exec:\s2246.exe114⤵PID:1380
-
\??\c:\5hhhnt.exec:\5hhhnt.exe115⤵PID:2556
-
\??\c:\vdpjj.exec:\vdpjj.exe116⤵PID:1788
-
\??\c:\jpdjp.exec:\jpdjp.exe117⤵PID:324
-
\??\c:\lllrflx.exec:\lllrflx.exe118⤵
- System Location Discovery: System Language Discovery
PID:2144 -
\??\c:\820206.exec:\820206.exe119⤵PID:1580
-
\??\c:\6088624.exec:\6088624.exe120⤵PID:2848
-
\??\c:\lxxflfl.exec:\lxxflfl.exe121⤵PID:2344
-
\??\c:\jpjvd.exec:\jpjvd.exe122⤵PID:2800
-