Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 19:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe
-
Size
456KB
-
MD5
443052e9800f0d61d60aabbb01a4ea5d
-
SHA1
d1507fdaa9daaf8610623bcc0807908f3cb6777f
-
SHA256
0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a
-
SHA512
38a918615a30154265eb75cadee19c197c9c871ffa103da4523b91d0e051bb4148c584f07f44f3b5299f3ef4129c1866975c140934bd48167e334c375fcdf990
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRc:q7Tc2NYHUrAwfMp3CDRc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 56 IoCs
resource yara_rule behavioral1/memory/2344-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2076-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-116-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2720-120-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1540-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1436-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1072-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-172-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/600-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-224-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1144-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1084-240-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/352-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-261-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1644-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-301-0x0000000077B80000-0x0000000077C9F000-memory.dmp family_blackmoon behavioral1/memory/1712-302-0x0000000077A80000-0x0000000077B7A000-memory.dmp family_blackmoon behavioral1/memory/2296-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-361-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1840-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1996-514-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1880-527-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1692-541-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1692-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1880-548-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1228-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1304-586-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2360-619-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2820-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-760-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-860-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2340-864-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1496-869-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2260-908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-911-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2848-929-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2848-928-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2632-981-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1464-986-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/908-1186-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2076 lxlxxlr.exe 2116 4200668.exe 2564 flflllr.exe 2300 lxlfllr.exe 2864 04628.exe 3020 42822.exe 3016 2040220.exe 1256 pdppp.exe 2716 64280.exe 1840 4840228.exe 2420 vpddp.exe 2720 c828446.exe 1540 1dpjp.exe 1436 26840.exe 2112 824404.exe 2052 4480460.exe 1072 648406.exe 2972 s0220.exe 2256 jvddj.exe 1700 w80840.exe 1064 tnbbbb.exe 1084 tnhntt.exe 600 thbthh.exe 1144 1frxffl.exe 352 rrlfrlr.exe 2476 bnhntn.exe 988 20284.exe 3036 pppdj.exe 1644 4862406.exe 2132 226222.exe 3052 48068.exe 1424 bnbbnn.exe 1712 2022440.exe 2080 5dvjj.exe 1652 lrrxrff.exe 2360 lflrxxl.exe 2296 64608.exe 2572 486466.exe 2868 hhthhn.exe 2764 5jddj.exe 2480 1vjvp.exe 2896 ppjvp.exe 2824 5tbtnn.exe 2880 xrlxlxl.exe 2708 6084662.exe 2716 7nbttb.exe 1840 80406.exe 2504 ddppv.exe 1508 nbnntn.exe 2728 k86240.exe 1656 djdvj.exe 1344 5jpjj.exe 1412 1frxfff.exe 620 5pjjj.exe 2004 hbbbnn.exe 1348 42068.exe 2748 820660.exe 2376 42448.exe 2084 60880.exe 2536 g8048.exe 852 w84488.exe 2640 rfrxlfr.exe 1500 3xxrrrr.exe 1564 7bbhhb.exe -
resource yara_rule behavioral1/memory/2344-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2076-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1072-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/600-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-273-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2132-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-301-0x0000000077B80000-0x0000000077C9F000-memory.dmp upx behavioral1/memory/2296-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-586-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2564-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-760-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-853-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-870-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-901-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2260-908-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-974-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-981-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-1050-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-1111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-1148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-1173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-1200-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 008804.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 604622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 260206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhnn.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e80022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2688402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2344 wrote to memory of 2076 2344 0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe 30 PID 2344 wrote to memory of 2076 2344 0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe 30 PID 2344 wrote to memory of 2076 2344 0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe 30 PID 2344 wrote to memory of 2076 2344 0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe 30 PID 2076 wrote to memory of 2116 2076 lxlxxlr.exe 31 PID 2076 wrote to memory of 2116 2076 lxlxxlr.exe 31 PID 2076 wrote to memory of 2116 2076 lxlxxlr.exe 31 PID 2076 wrote to memory of 2116 2076 lxlxxlr.exe 31 PID 2116 wrote to memory of 2564 2116 4200668.exe 32 PID 2116 wrote to memory of 2564 2116 4200668.exe 32 PID 2116 wrote to memory of 2564 2116 4200668.exe 32 PID 2116 wrote to memory of 2564 2116 4200668.exe 32 PID 2564 wrote to memory of 2300 2564 flflllr.exe 33 PID 2564 wrote to memory of 2300 2564 flflllr.exe 33 PID 2564 wrote to memory of 2300 2564 flflllr.exe 33 PID 2564 wrote to memory of 2300 2564 flflllr.exe 33 PID 2300 wrote to memory of 2864 2300 lxlfllr.exe 34 PID 2300 wrote to memory of 2864 2300 lxlfllr.exe 34 PID 2300 wrote to memory of 2864 2300 lxlfllr.exe 34 PID 2300 wrote to memory of 2864 2300 lxlfllr.exe 34 PID 2864 wrote to memory of 3020 2864 04628.exe 35 PID 2864 wrote to memory of 3020 2864 04628.exe 35 PID 2864 wrote to memory of 3020 2864 04628.exe 35 PID 2864 wrote to memory of 3020 2864 04628.exe 35 PID 3020 wrote to memory of 3016 3020 42822.exe 36 PID 3020 wrote to memory of 3016 3020 42822.exe 36 PID 3020 wrote to memory of 3016 3020 42822.exe 36 PID 3020 wrote to memory of 3016 3020 42822.exe 36 PID 3016 wrote to memory of 1256 3016 2040220.exe 37 PID 3016 wrote to memory of 1256 3016 2040220.exe 37 PID 3016 wrote to memory of 1256 3016 2040220.exe 37 PID 3016 wrote to memory of 1256 3016 2040220.exe 37 PID 1256 wrote to memory of 2716 1256 pdppp.exe 38 
PID 1256 wrote to memory of 2716 1256 pdppp.exe 38 PID 1256 wrote to memory of 2716 1256 pdppp.exe 38 PID 1256 wrote to memory of 2716 1256 pdppp.exe 38 PID 2716 wrote to memory of 1840 2716 64280.exe 39 PID 2716 wrote to memory of 1840 2716 64280.exe 39 PID 2716 wrote to memory of 1840 2716 64280.exe 39 PID 2716 wrote to memory of 1840 2716 64280.exe 39 PID 1840 wrote to memory of 2420 1840 4840228.exe 40 PID 1840 wrote to memory of 2420 1840 4840228.exe 40 PID 1840 wrote to memory of 2420 1840 4840228.exe 40 PID 1840 wrote to memory of 2420 1840 4840228.exe 40 PID 2420 wrote to memory of 2720 2420 vpddp.exe 41 PID 2420 wrote to memory of 2720 2420 vpddp.exe 41 PID 2420 wrote to memory of 2720 2420 vpddp.exe 41 PID 2420 wrote to memory of 2720 2420 vpddp.exe 41 PID 2720 wrote to memory of 1540 2720 c828446.exe 42 PID 2720 wrote to memory of 1540 2720 c828446.exe 42 PID 2720 wrote to memory of 1540 2720 c828446.exe 42 PID 2720 wrote to memory of 1540 2720 c828446.exe 42 PID 1540 wrote to memory of 1436 1540 1dpjp.exe 43 PID 1540 wrote to memory of 1436 1540 1dpjp.exe 43 PID 1540 wrote to memory of 1436 1540 1dpjp.exe 43 PID 1540 wrote to memory of 1436 1540 1dpjp.exe 43 PID 1436 wrote to memory of 2112 1436 26840.exe 44 PID 1436 wrote to memory of 2112 1436 26840.exe 44 PID 1436 wrote to memory of 2112 1436 26840.exe 44 PID 1436 wrote to memory of 2112 1436 26840.exe 44 PID 2112 wrote to memory of 2052 2112 824404.exe 45 PID 2112 wrote to memory of 2052 2112 824404.exe 45 PID 2112 wrote to memory of 2052 2112 824404.exe 45 PID 2112 wrote to memory of 2052 2112 824404.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe"C:\Users\Admin\AppData\Local\Temp\0c77247a83e8223ae3023c5c8c972cb055c792edce9c8c02b2b15c74b0057b3a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\lxlxxlr.exec:\lxlxxlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\4200668.exec:\4200668.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\flflllr.exec:\flflllr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\lxlfllr.exec:\lxlfllr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\04628.exec:\04628.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\42822.exec:\42822.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\2040220.exec:\2040220.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\pdppp.exec:\pdppp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\64280.exec:\64280.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\4840228.exec:\4840228.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\vpddp.exec:\vpddp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\c828446.exec:\c828446.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\1dpjp.exec:\1dpjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\26840.exec:\26840.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\824404.exec:\824404.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\4480460.exec:\4480460.exe17⤵
- Executes dropped EXE
PID:2052 -
\??\c:\648406.exec:\648406.exe18⤵
- Executes dropped EXE
PID:1072 -
\??\c:\s0220.exec:\s0220.exe19⤵
- Executes dropped EXE
PID:2972 -
\??\c:\jvddj.exec:\jvddj.exe20⤵
- Executes dropped EXE
PID:2256 -
\??\c:\w80840.exec:\w80840.exe21⤵
- Executes dropped EXE
PID:1700 -
\??\c:\tnbbbb.exec:\tnbbbb.exe22⤵
- Executes dropped EXE
PID:1064 -
\??\c:\tnhntt.exec:\tnhntt.exe23⤵
- Executes dropped EXE
PID:1084 -
\??\c:\thbthh.exec:\thbthh.exe24⤵
- Executes dropped EXE
PID:600 -
\??\c:\1frxffl.exec:\1frxffl.exe25⤵
- Executes dropped EXE
PID:1144 -
\??\c:\rrlfrlr.exec:\rrlfrlr.exe26⤵
- Executes dropped EXE
PID:352 -
\??\c:\bnhntn.exec:\bnhntn.exe27⤵
- Executes dropped EXE
PID:2476 -
\??\c:\20284.exec:\20284.exe28⤵
- Executes dropped EXE
PID:988 -
\??\c:\pppdj.exec:\pppdj.exe29⤵
- Executes dropped EXE
PID:3036 -
\??\c:\4862406.exec:\4862406.exe30⤵
- Executes dropped EXE
PID:1644 -
\??\c:\226222.exec:\226222.exe31⤵
- Executes dropped EXE
PID:2132 -
\??\c:\48068.exec:\48068.exe32⤵
- Executes dropped EXE
PID:3052 -
\??\c:\bnbbnn.exec:\bnbbnn.exe33⤵
- Executes dropped EXE
PID:1424 -
\??\c:\2022440.exec:\2022440.exe34⤵
- Executes dropped EXE
PID:1712 -
\??\c:\424022.exec:\424022.exe35⤵PID:1532
-
\??\c:\5dvjj.exec:\5dvjj.exe36⤵
- Executes dropped EXE
PID:2080 -
\??\c:\lrrxrff.exec:\lrrxrff.exe37⤵
- Executes dropped EXE
PID:1652 -
\??\c:\lflrxxl.exec:\lflrxxl.exe38⤵
- Executes dropped EXE
PID:2360 -
\??\c:\64608.exec:\64608.exe39⤵
- Executes dropped EXE
PID:2296 -
\??\c:\486466.exec:\486466.exe40⤵
- Executes dropped EXE
PID:2572 -
\??\c:\hhthhn.exec:\hhthhn.exe41⤵
- Executes dropped EXE
PID:2868 -
\??\c:\5jddj.exec:\5jddj.exe42⤵
- Executes dropped EXE
PID:2764 -
\??\c:\1vjvp.exec:\1vjvp.exe43⤵
- Executes dropped EXE
PID:2480 -
\??\c:\ppjvp.exec:\ppjvp.exe44⤵
- Executes dropped EXE
PID:2896 -
\??\c:\5tbtnn.exec:\5tbtnn.exe45⤵
- Executes dropped EXE
PID:2824 -
\??\c:\xrlxlxl.exec:\xrlxlxl.exe46⤵
- Executes dropped EXE
PID:2880 -
\??\c:\6084662.exec:\6084662.exe47⤵
- Executes dropped EXE
PID:2708 -
\??\c:\7nbttb.exec:\7nbttb.exe48⤵
- Executes dropped EXE
PID:2716 -
\??\c:\80406.exec:\80406.exe49⤵
- Executes dropped EXE
PID:1840 -
\??\c:\ddppv.exec:\ddppv.exe50⤵
- Executes dropped EXE
PID:2504 -
\??\c:\nbnntn.exec:\nbnntn.exe51⤵
- Executes dropped EXE
PID:1508 -
\??\c:\k86240.exec:\k86240.exe52⤵
- Executes dropped EXE
PID:2728 -
\??\c:\djdvj.exec:\djdvj.exe53⤵
- Executes dropped EXE
PID:1656 -
\??\c:\5jpjj.exec:\5jpjj.exe54⤵
- Executes dropped EXE
PID:1344 -
\??\c:\1frxfff.exec:\1frxfff.exe55⤵
- Executes dropped EXE
PID:1412 -
\??\c:\5pjjj.exec:\5pjjj.exe56⤵
- Executes dropped EXE
PID:620 -
\??\c:\hbbbnn.exec:\hbbbnn.exe57⤵
- Executes dropped EXE
PID:2004 -
\??\c:\42068.exec:\42068.exe58⤵
- Executes dropped EXE
PID:1348 -
\??\c:\820660.exec:\820660.exe59⤵
- Executes dropped EXE
PID:2748 -
\??\c:\42448.exec:\42448.exe60⤵
- Executes dropped EXE
PID:2376 -
\??\c:\60880.exec:\60880.exe61⤵
- Executes dropped EXE
PID:2084 -
\??\c:\g8048.exec:\g8048.exe62⤵
- Executes dropped EXE
PID:2536 -
\??\c:\w84488.exec:\w84488.exe63⤵
- Executes dropped EXE
PID:852 -
\??\c:\rfrxlfr.exec:\rfrxlfr.exe64⤵
- Executes dropped EXE
PID:2640 -
\??\c:\3xxrrrr.exec:\3xxrrrr.exe65⤵
- Executes dropped EXE
PID:1500 -
\??\c:\7bbhhb.exec:\7bbhhb.exe66⤵
- Executes dropped EXE
PID:1564 -
\??\c:\9rfxrrx.exec:\9rfxrrx.exe67⤵PID:1996
-
\??\c:\jvvpv.exec:\jvvpv.exe68⤵PID:1852
-
\??\c:\pjddp.exec:\pjddp.exe69⤵PID:1880
-
\??\c:\480688.exec:\480688.exe70⤵PID:1896
-
\??\c:\frxrffl.exec:\frxrffl.exe71⤵PID:1692
-
\??\c:\260206.exec:\260206.exe72⤵
- System Location Discovery: System Language Discovery
PID:1000 -
\??\c:\k08484.exec:\k08484.exe73⤵PID:3036
-
\??\c:\lfrrxfl.exec:\lfrrxfl.exe74⤵PID:2400
-
\??\c:\rrfxlfl.exec:\rrfxlfl.exe75⤵PID:2132
-
\??\c:\1jvvv.exec:\1jvvv.exe76⤵PID:1228
-
\??\c:\xrflrxf.exec:\xrflrxf.exe77⤵PID:1920
-
\??\c:\5rfxlll.exec:\5rfxlll.exe78⤵PID:1304
-
\??\c:\5tnhtt.exec:\5tnhtt.exe79⤵PID:1528
-
\??\c:\jjvdd.exec:\jjvdd.exe80⤵PID:2620
-
\??\c:\lxllrlx.exec:\lxllrlx.exe81⤵PID:796
-
\??\c:\8622846.exec:\8622846.exe82⤵PID:2116
-
\??\c:\xxrxlfr.exec:\xxrxlfr.exe83⤵PID:2360
-
\??\c:\a4262.exec:\a4262.exe84⤵PID:2524
-
\??\c:\vvppv.exec:\vvppv.exe85⤵PID:2564
-
\??\c:\4824624.exec:\4824624.exe86⤵PID:3024
-
\??\c:\g8622.exec:\g8622.exe87⤵PID:2924
-
\??\c:\ffxrflx.exec:\ffxrflx.exe88⤵PID:2820
-
\??\c:\7hhnhh.exec:\7hhnhh.exe89⤵PID:2684
-
\??\c:\8226442.exec:\8226442.exe90⤵PID:2796
-
\??\c:\jvddp.exec:\jvddp.exe91⤵PID:2828
-
\??\c:\btthnb.exec:\btthnb.exe92⤵PID:2704
-
\??\c:\btthtt.exec:\btthtt.exe93⤵PID:2716
-
\??\c:\7hnnnt.exec:\7hnnnt.exe94⤵PID:948
-
\??\c:\bttntb.exec:\bttntb.exe95⤵PID:1672
-
\??\c:\264044.exec:\264044.exe96⤵PID:772
-
\??\c:\nhthnn.exec:\nhthnn.exe97⤵PID:2728
-
\??\c:\82240.exec:\82240.exe98⤵PID:1656
-
\??\c:\s0280.exec:\s0280.exe99⤵PID:1436
-
\??\c:\480662.exec:\480662.exe100⤵PID:1720
-
\??\c:\rrflllx.exec:\rrflllx.exe101⤵PID:620
-
\??\c:\5jdpd.exec:\5jdpd.exe102⤵PID:2944
-
\??\c:\06648.exec:\06648.exe103⤵PID:1172
-
\??\c:\o466222.exec:\o466222.exe104⤵PID:2908
-
\??\c:\8044006.exec:\8044006.exe105⤵PID:2836
-
\??\c:\u262828.exec:\u262828.exe106⤵PID:2628
-
\??\c:\20224.exec:\20224.exe107⤵PID:2536
-
\??\c:\8240228.exec:\8240228.exe108⤵PID:1776
-
\??\c:\hbhhhh.exec:\hbhhhh.exe109⤵PID:2640
-
\??\c:\642244.exec:\642244.exe110⤵PID:1500
-
\??\c:\lxlrffl.exec:\lxlrffl.exe111⤵PID:1312
-
\??\c:\20488.exec:\20488.exe112⤵PID:1856
-
\??\c:\264028.exec:\264028.exe113⤵PID:2252
-
\??\c:\fxlrffr.exec:\fxlrffr.exe114⤵PID:1400
-
\??\c:\k46022.exec:\k46022.exe115⤵PID:2232
-
\??\c:\3fxflrr.exec:\3fxflrr.exe116⤵PID:1692
-
\??\c:\1jvvd.exec:\1jvvd.exe117⤵PID:2636
-
\??\c:\thnnbb.exec:\thnnbb.exe118⤵PID:2340
-
\??\c:\llfrffr.exec:\llfrffr.exe119⤵PID:2392
-
\??\c:\dddjp.exec:\dddjp.exe120⤵PID:2740
-
\??\c:\6804406.exec:\6804406.exe121⤵PID:2548
-
\??\c:\e82622.exec:\e82622.exe122⤵PID:1496