Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
27/12/2024, 20:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
31178b1357aaecc4423ec0d55cd2c52759253abdff587abe02cf2515a09c2784.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
31178b1357aaecc4423ec0d55cd2c52759253abdff587abe02cf2515a09c2784.exe
-
Size
454KB
-
MD5
e8da45fb7e5b3907eb0707f4cfa42bd1
-
SHA1
c322c394212830feb70693cde65fa260a12f6aaf
-
SHA256
31178b1357aaecc4423ec0d55cd2c52759253abdff587abe02cf2515a09c2784
-
SHA512
80904a31e0605bbbdcfe61cee92385851a4724cb117fbfbc033d930a9c4d15eeaebcf07d413402727caf4c390da237a9516a8313900d83e56d44f5cbc7e65038
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2132-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/648-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-106-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2788-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-132-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2392-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/708-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2336-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1364-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1820-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-340-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2928-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2456-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-471-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1980-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-483-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2584-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-617-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-656-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2228-843-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2316 rlrfxfr.exe 3064 0862806.exe 2852 084846.exe 1500 48066.exe 2168 64660.exe 2920 hbtbhn.exe 2792 64620.exe 648 26464.exe 2840 jvjpj.exe 2472 1xlxxfx.exe 2788 64288.exe 892 608040.exe 2392 q20624.exe 2184 lfrxlxl.exe 2376 486244.exe 708 jpdpv.exe 2336 tnbbnn.exe 1576 bthtbn.exe 1980 3xrflrf.exe 2112 tnbtbb.exe 1364 frflxrx.exe 1384 rrxlrrf.exe 1820 jdvdj.exe 760 fxlfllr.exe 1288 9btnbh.exe 1720 rrlxlrl.exe 2736 6428484.exe 2560 020244.exe 908 0468284.exe 2296 rrlfxfr.exe 2436 pjdjj.exe 2156 202022.exe 2500 42668.exe 2360 ddvjp.exe 2252 1jdjv.exe 1708 jddjj.exe 2952 5rffllx.exe 3052 3rxfrxl.exe 2928 04406.exe 2900 jdvjv.exe 2820 04622.exe 2700 fllxlll.exe 2844 fxlfllx.exe 2468 7lflxxl.exe 2680 0446446.exe 1804 48280.exe 2712 vddjv.exe 2256 tnbhtb.exe 2276 xxrxxlr.exe 2392 0800628.exe 2340 o084282.exe 2192 2202002.exe 1256 7hthhn.exe 1464 q82022.exe 2456 rxxxffx.exe 1548 202840.exe 1920 260688.exe 1980 6028446.exe 2112 ttntth.exe 952 26680.exe 1732 s4022.exe 1124 1rflrxf.exe 2088 04880.exe 872 vjvvd.exe -
resource yara_rule behavioral1/memory/2132-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/648-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2336-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-237-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1720-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2456-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-568-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2776-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-656-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2256-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-709-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2628-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-780-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1888-825-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-863-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g2406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2422484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4266846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbtt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2132 wrote to memory of 2316 2132 31178b1357aaecc4423ec0d55cd2c52759253abdff587abe02cf2515a09c2784.exe 30 PID 2132 wrote to memory of 2316 2132 31178b1357aaecc4423ec0d55cd2c52759253abdff587abe02cf2515a09c2784.exe 30 PID 2132 wrote to memory of 2316 2132 31178b1357aaecc4423ec0d55cd2c52759253abdff587abe02cf2515a09c2784.exe 30 PID 2132 wrote to memory of 2316 2132 31178b1357aaecc4423ec0d55cd2c52759253abdff587abe02cf2515a09c2784.exe 30 PID 2316 wrote to memory of 3064 2316 rlrfxfr.exe 31 PID 2316 wrote to memory of 3064 2316 rlrfxfr.exe 31 PID 2316 wrote to memory of 3064 2316 rlrfxfr.exe 31 PID 2316 wrote to memory of 3064 2316 rlrfxfr.exe 31 PID 3064 wrote to memory of 2852 3064 0862806.exe 32 PID 3064 wrote to memory of 2852 3064 0862806.exe 32 PID 3064 wrote to memory of 2852 3064 0862806.exe 32 PID 3064 wrote to memory of 2852 3064 0862806.exe 32 PID 2852 wrote to memory of 1500 2852 084846.exe 33 PID 2852 wrote to memory of 1500 2852 084846.exe 33 PID 2852 wrote to memory of 1500 2852 084846.exe 33 PID 2852 wrote to memory of 1500 2852 084846.exe 33 PID 1500 wrote to memory of 2168 1500 48066.exe 34 PID 1500 wrote to memory of 2168 1500 48066.exe 34 PID 1500 wrote to memory of 2168 1500 48066.exe 34 PID 1500 wrote to memory of 2168 1500 48066.exe 34 PID 2168 wrote to memory of 2920 2168 64660.exe 35 PID 2168 wrote to memory of 2920 2168 64660.exe 35 PID 2168 wrote to memory of 2920 2168 64660.exe 35 PID 2168 wrote to memory of 2920 2168 64660.exe 35 PID 2920 wrote to memory of 2792 2920 hbtbhn.exe 36 PID 2920 wrote to memory of 2792 2920 hbtbhn.exe 36 PID 2920 wrote to memory of 2792 2920 hbtbhn.exe 36 PID 2920 wrote to memory of 2792 2920 hbtbhn.exe 36 PID 2792 wrote to memory of 648 2792 64620.exe 37 PID 2792 wrote to memory of 648 2792 64620.exe 37 PID 2792 wrote to memory of 648 2792 64620.exe 37 PID 2792 wrote to memory of 648 2792 64620.exe 37 PID 648 wrote to memory of 2840 648 26464.exe 38 PID 648 wrote to memory 
of 2840 648 26464.exe 38 PID 648 wrote to memory of 2840 648 26464.exe 38 PID 648 wrote to memory of 2840 648 26464.exe 38 PID 2840 wrote to memory of 2472 2840 jvjpj.exe 39 PID 2840 wrote to memory of 2472 2840 jvjpj.exe 39 PID 2840 wrote to memory of 2472 2840 jvjpj.exe 39 PID 2840 wrote to memory of 2472 2840 jvjpj.exe 39 PID 2472 wrote to memory of 2788 2472 1xlxxfx.exe 40 PID 2472 wrote to memory of 2788 2472 1xlxxfx.exe 40 PID 2472 wrote to memory of 2788 2472 1xlxxfx.exe 40 PID 2472 wrote to memory of 2788 2472 1xlxxfx.exe 40 PID 2788 wrote to memory of 892 2788 64288.exe 41 PID 2788 wrote to memory of 892 2788 64288.exe 41 PID 2788 wrote to memory of 892 2788 64288.exe 41 PID 2788 wrote to memory of 892 2788 64288.exe 41 PID 892 wrote to memory of 2392 892 608040.exe 42 PID 892 wrote to memory of 2392 892 608040.exe 42 PID 892 wrote to memory of 2392 892 608040.exe 42 PID 892 wrote to memory of 2392 892 608040.exe 42 PID 2392 wrote to memory of 2184 2392 q20624.exe 43 PID 2392 wrote to memory of 2184 2392 q20624.exe 43 PID 2392 wrote to memory of 2184 2392 q20624.exe 43 PID 2392 wrote to memory of 2184 2392 q20624.exe 43 PID 2184 wrote to memory of 2376 2184 lfrxlxl.exe 44 PID 2184 wrote to memory of 2376 2184 lfrxlxl.exe 44 PID 2184 wrote to memory of 2376 2184 lfrxlxl.exe 44 PID 2184 wrote to memory of 2376 2184 lfrxlxl.exe 44 PID 2376 wrote to memory of 708 2376 486244.exe 45 PID 2376 wrote to memory of 708 2376 486244.exe 45 PID 2376 wrote to memory of 708 2376 486244.exe 45 PID 2376 wrote to memory of 708 2376 486244.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\31178b1357aaecc4423ec0d55cd2c52759253abdff587abe02cf2515a09c2784.exe"C:\Users\Admin\AppData\Local\Temp\31178b1357aaecc4423ec0d55cd2c52759253abdff587abe02cf2515a09c2784.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\rlrfxfr.exec:\rlrfxfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\0862806.exec:\0862806.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\084846.exec:\084846.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\48066.exec:\48066.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\64660.exec:\64660.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\hbtbhn.exec:\hbtbhn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\64620.exec:\64620.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\26464.exec:\26464.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\jvjpj.exec:\jvjpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\1xlxxfx.exec:\1xlxxfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\64288.exec:\64288.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\608040.exec:\608040.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
\??\c:\q20624.exec:\q20624.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\lfrxlxl.exec:\lfrxlxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\486244.exec:\486244.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\jpdpv.exec:\jpdpv.exe17⤵
- Executes dropped EXE
PID:708 -
\??\c:\tnbbnn.exec:\tnbbnn.exe18⤵
- Executes dropped EXE
PID:2336 -
\??\c:\bthtbn.exec:\bthtbn.exe19⤵
- Executes dropped EXE
PID:1576 -
\??\c:\3xrflrf.exec:\3xrflrf.exe20⤵
- Executes dropped EXE
PID:1980 -
\??\c:\tnbtbb.exec:\tnbtbb.exe21⤵
- Executes dropped EXE
PID:2112 -
\??\c:\frflxrx.exec:\frflxrx.exe22⤵
- Executes dropped EXE
PID:1364 -
\??\c:\rrxlrrf.exec:\rrxlrrf.exe23⤵
- Executes dropped EXE
PID:1384 -
\??\c:\jdvdj.exec:\jdvdj.exe24⤵
- Executes dropped EXE
PID:1820 -
\??\c:\fxlfllr.exec:\fxlfllr.exe25⤵
- Executes dropped EXE
PID:760 -
\??\c:\9btnbh.exec:\9btnbh.exe26⤵
- Executes dropped EXE
PID:1288 -
\??\c:\rrlxlrl.exec:\rrlxlrl.exe27⤵
- Executes dropped EXE
PID:1720 -
\??\c:\6428484.exec:\6428484.exe28⤵
- Executes dropped EXE
PID:2736 -
\??\c:\020244.exec:\020244.exe29⤵
- Executes dropped EXE
PID:2560 -
\??\c:\0468284.exec:\0468284.exe30⤵
- Executes dropped EXE
PID:908 -
\??\c:\rrlfxfr.exec:\rrlfxfr.exe31⤵
- Executes dropped EXE
PID:2296 -
\??\c:\pjdjj.exec:\pjdjj.exe32⤵
- Executes dropped EXE
PID:2436 -
\??\c:\202022.exec:\202022.exe33⤵
- Executes dropped EXE
PID:2156 -
\??\c:\42668.exec:\42668.exe34⤵
- Executes dropped EXE
PID:2500 -
\??\c:\ddvjp.exec:\ddvjp.exe35⤵
- Executes dropped EXE
PID:2360 -
\??\c:\1jdjv.exec:\1jdjv.exe36⤵
- Executes dropped EXE
PID:2252 -
\??\c:\jddjj.exec:\jddjj.exe37⤵
- Executes dropped EXE
PID:1708 -
\??\c:\5rffllx.exec:\5rffllx.exe38⤵
- Executes dropped EXE
PID:2952 -
\??\c:\3rxfrxl.exec:\3rxfrxl.exe39⤵
- Executes dropped EXE
PID:3052 -
\??\c:\04406.exec:\04406.exe40⤵
- Executes dropped EXE
PID:2928 -
\??\c:\jdvjv.exec:\jdvjv.exe41⤵
- Executes dropped EXE
PID:2900 -
\??\c:\04622.exec:\04622.exe42⤵
- Executes dropped EXE
PID:2820 -
\??\c:\fllxlll.exec:\fllxlll.exe43⤵
- Executes dropped EXE
PID:2700 -
\??\c:\fxlfllx.exec:\fxlfllx.exe44⤵
- Executes dropped EXE
PID:2844 -
\??\c:\7lflxxl.exec:\7lflxxl.exe45⤵
- Executes dropped EXE
PID:2468 -
\??\c:\0446446.exec:\0446446.exe46⤵
- Executes dropped EXE
PID:2680 -
\??\c:\48280.exec:\48280.exe47⤵
- Executes dropped EXE
PID:1804 -
\??\c:\vddjv.exec:\vddjv.exe48⤵
- Executes dropped EXE
PID:2712 -
\??\c:\tnbhtb.exec:\tnbhtb.exe49⤵
- Executes dropped EXE
PID:2256 -
\??\c:\xxrxxlr.exec:\xxrxxlr.exe50⤵
- Executes dropped EXE
PID:2276 -
\??\c:\0800628.exec:\0800628.exe51⤵
- Executes dropped EXE
PID:2392 -
\??\c:\o084282.exec:\o084282.exe52⤵
- Executes dropped EXE
PID:2340 -
\??\c:\2202002.exec:\2202002.exe53⤵
- Executes dropped EXE
PID:2192 -
\??\c:\7hthhn.exec:\7hthhn.exe54⤵
- Executes dropped EXE
PID:1256 -
\??\c:\q82022.exec:\q82022.exe55⤵
- Executes dropped EXE
PID:1464 -
\??\c:\rxxxffx.exec:\rxxxffx.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2456 -
\??\c:\202840.exec:\202840.exe57⤵
- Executes dropped EXE
PID:1548 -
\??\c:\260688.exec:\260688.exe58⤵
- Executes dropped EXE
PID:1920 -
\??\c:\6028446.exec:\6028446.exe59⤵
- Executes dropped EXE
PID:1980 -
\??\c:\ttntth.exec:\ttntth.exe60⤵
- Executes dropped EXE
PID:2112 -
\??\c:\26680.exec:\26680.exe61⤵
- Executes dropped EXE
PID:952 -
\??\c:\s4022.exec:\s4022.exe62⤵
- Executes dropped EXE
PID:1732 -
\??\c:\1rflrxf.exec:\1rflrxf.exe63⤵
- Executes dropped EXE
PID:1124 -
\??\c:\04880.exec:\04880.exe64⤵
- Executes dropped EXE
PID:2088 -
\??\c:\vjvvd.exec:\vjvvd.exe65⤵
- Executes dropped EXE
PID:872 -
\??\c:\7rrrffr.exec:\7rrrffr.exe66⤵PID:880
-
\??\c:\ffrrxfr.exec:\ffrrxfr.exe67⤵PID:1004
-
\??\c:\048022.exec:\048022.exe68⤵PID:292
-
\??\c:\tnbbhh.exec:\tnbbhh.exe69⤵PID:2096
-
\??\c:\lfrxflx.exec:\lfrxflx.exe70⤵PID:2536
-
\??\c:\xfrflrx.exec:\xfrflrx.exe71⤵PID:2228
-
\??\c:\dppvd.exec:\dppvd.exe72⤵PID:2584
-
\??\c:\7ttbtt.exec:\7ttbtt.exe73⤵PID:2296
-
\??\c:\04844.exec:\04844.exe74⤵PID:2968
-
\??\c:\tnbbhh.exec:\tnbbhh.exe75⤵PID:1592
-
\??\c:\xxllrxx.exec:\xxllrxx.exe76⤵PID:2488
-
\??\c:\m4004.exec:\m4004.exe77⤵PID:2500
-
\??\c:\42880.exec:\42880.exe78⤵PID:3064
-
\??\c:\64620.exec:\64620.exe79⤵PID:1404
-
\??\c:\flxlxfr.exec:\flxlxfr.exe80⤵PID:2852
-
\??\c:\42402.exec:\42402.exe81⤵PID:3060
-
\??\c:\86402.exec:\86402.exe82⤵PID:2776
-
\??\c:\lxffrxl.exec:\lxffrxl.exe83⤵PID:2520
-
\??\c:\nhbntb.exec:\nhbntb.exe84⤵PID:3056
-
\??\c:\dvppd.exec:\dvppd.exe85⤵PID:2868
-
\??\c:\hhbbtb.exec:\hhbbtb.exe86⤵PID:2688
-
\??\c:\9vjvv.exec:\9vjvv.exe87⤵PID:2832
-
\??\c:\dpddj.exec:\dpddj.exe88⤵PID:2696
-
\??\c:\2088440.exec:\2088440.exe89⤵PID:2840
-
\??\c:\nbntbb.exec:\nbntbb.exe90⤵PID:2740
-
\??\c:\bbtbhn.exec:\bbtbhn.exe91⤵PID:2072
-
\??\c:\82668.exec:\82668.exe92⤵PID:2180
-
\??\c:\pjppp.exec:\pjppp.exe93⤵PID:2256
-
\??\c:\xrlrxxx.exec:\xrlrxxx.exe94⤵PID:2204
-
\??\c:\264428.exec:\264428.exe95⤵PID:2448
-
\??\c:\xxrflxf.exec:\xxrflxf.exe96⤵PID:2304
-
\??\c:\5pjpv.exec:\5pjpv.exe97⤵PID:1152
-
\??\c:\2646444.exec:\2646444.exe98⤵PID:1256
-
\??\c:\xrllxxl.exec:\xrllxxl.exe99⤵PID:1684
-
\??\c:\tthnhn.exec:\tthnhn.exe100⤵PID:2628
-
\??\c:\5hntth.exec:\5hntth.exe101⤵PID:1780
-
\??\c:\vvppv.exec:\vvppv.exe102⤵PID:2408
-
\??\c:\480266.exec:\480266.exe103⤵PID:2008
-
\??\c:\7jddp.exec:\7jddp.exe104⤵PID:1564
-
\??\c:\4200282.exec:\4200282.exe105⤵PID:2632
-
\??\c:\pjjjp.exec:\pjjjp.exe106⤵PID:1732
-
\??\c:\4884046.exec:\4884046.exe107⤵PID:1124
-
\??\c:\lfffrxl.exec:\lfffrxl.exe108⤵PID:2088
-
\??\c:\pddpd.exec:\pddpd.exe109⤵PID:1448
-
\??\c:\26006.exec:\26006.exe110⤵PID:2588
-
\??\c:\rrllrrf.exec:\rrllrrf.exe111⤵PID:2028
-
\??\c:\c422044.exec:\c422044.exe112⤵PID:2636
-
\??\c:\9vpvd.exec:\9vpvd.exe113⤵PID:1888
-
\??\c:\g4240.exec:\g4240.exe114⤵PID:2536
-
\??\c:\0428028.exec:\0428028.exe115⤵PID:2228
-
\??\c:\jpjjv.exec:\jpjjv.exe116⤵PID:2584
-
\??\c:\bbtbhh.exec:\bbtbhh.exe117⤵PID:2132
-
\??\c:\nbnntt.exec:\nbnntt.exe118⤵PID:1064
-
\??\c:\7xrxlfl.exec:\7xrxlfl.exe119⤵PID:2508
-
\??\c:\g2402.exec:\g2402.exe120⤵PID:1416
-
\??\c:\7bbhnt.exec:\7bbhnt.exe121⤵PID:1540
-
\??\c:\2066620.exec:\2066620.exe122⤵PID:928
-