Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system -
submitted
08/01/2025, 07:19
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe
-
Size
454KB
-
MD5
3924396d3afe4570f09e2419b4203000
-
SHA1
505e7f8dcd61dc7259e53569fc07bf408685da53
-
SHA256
0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7
-
SHA512
b1019c53afc239ed7fb72b48743ced645d0354ebedcf7f3d82f4d348dbb1dbea78b4458ebb770be9242fe288f1a7a63e3f02cd1c123c01e6b2db8e916d50071e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload (59 IoCs — YARA matches on in-memory process dumps, not on the file on disk)
resource yara_rule behavioral1/memory/2312-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2028-17-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2028-16-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2572-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2532-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2420-47-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2948-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1504-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-162-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1964-167-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/548-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/548-186-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1620-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/548-216-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/408-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1836-239-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/856-251-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/768-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/836-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-298-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2348-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-309-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2320-311-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2556-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-347-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1848-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2328-400-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1696-439-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1696-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/912-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/448-504-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2384-626-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1780-712-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2800-732-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1884-746-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-759-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/900-797-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2384-905-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2852-980-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-1249-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/928-1339-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/928-1357-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1048-1359-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE (64 IoCs; the list below is capped at 64 entries, while the process tree further down shows well over 100 dropped executables)
pid Process 2028 1jpvv.exe 2572 3hbhtt.exe 2532 7pdvd.exe 2420 fxxfrrx.exe 2948 7xrflff.exe 2752 w46288.exe 2876 xlrlllf.exe 536 240048.exe 2112 nbhhhb.exe 2480 684460.exe 2636 jdvdj.exe 2308 lxlffxx.exe 2512 4244006.exe 1992 s2000.exe 1504 48846.exe 2288 o428040.exe 1964 g8044.exe 2836 a4668.exe 548 864028.exe 2188 k04462.exe 1620 jpddp.exe 408 3nhbnn.exe 1564 20280.exe 1104 6484224.exe 1836 tntbhn.exe 856 ffrrxxl.exe 1052 8206886.exe 768 3pdjv.exe 696 7lfrxfl.exe 580 vvjjp.exe 836 a2666.exe 2348 hbnhtt.exe 2320 nhbhbb.exe 2556 86446.exe 2052 tthhnn.exe 1316 04840.exe 2708 6022884.exe 1848 420244.exe 964 vjvvv.exe 2936 4066204.exe 2728 vvdpp.exe 2816 pppvd.exe 536 2684006.exe 2656 642244.exe 1648 thttbb.exe 2328 pdpjv.exe 2032 m8228.exe 2436 bhbhtb.exe 1512 bthntb.exe 2692 64668.exe 2356 rfrlxrx.exe 1696 k42800.exe 1920 lxxflxf.exe 1236 ffflfxl.exe 3004 tbbtbh.exe 2276 4060646.exe 2268 rflfllr.exe 2452 g4006.exe 2060 868462.exe 1124 vvpvj.exe 912 llfxlxr.exe 448 nbnttn.exe 2592 868244.exe 828 hbthnt.exe -
resource yara_rule behavioral1/memory/2312-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2532-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/408-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-313-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2320-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-347-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1848-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-400-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2356-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/912-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/448-504-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1048-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-633-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2076-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-746-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/300-810-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-878-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-936-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-967-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-980-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2056-993-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-1000-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-1037-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note: reading the NLS\Language key is also common in benign software, so treat this as supporting context rather than a standalone indicator; entries marked "Process not Found" could not be attributed to a live process by the sandbox.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8228620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0862006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i428440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c600880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2684006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o046884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory (64 IoCs; the list below is capped at 64 entries — each parent writes to its child four times, so only the first 16 parent→child links of the chain are shown)
description pid Process procid_target PID 2312 wrote to memory of 2028 2312 0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe 30 PID 2312 wrote to memory of 2028 2312 0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe 30 PID 2312 wrote to memory of 2028 2312 0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe 30 PID 2312 wrote to memory of 2028 2312 0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe 30 PID 2028 wrote to memory of 2572 2028 1jpvv.exe 31 PID 2028 wrote to memory of 2572 2028 1jpvv.exe 31 PID 2028 wrote to memory of 2572 2028 1jpvv.exe 31 PID 2028 wrote to memory of 2572 2028 1jpvv.exe 31 PID 2572 wrote to memory of 2532 2572 3hbhtt.exe 32 PID 2572 wrote to memory of 2532 2572 3hbhtt.exe 32 PID 2572 wrote to memory of 2532 2572 3hbhtt.exe 32 PID 2572 wrote to memory of 2532 2572 3hbhtt.exe 32 PID 2532 wrote to memory of 2420 2532 7pdvd.exe 33 PID 2532 wrote to memory of 2420 2532 7pdvd.exe 33 PID 2532 wrote to memory of 2420 2532 7pdvd.exe 33 PID 2532 wrote to memory of 2420 2532 7pdvd.exe 33 PID 2420 wrote to memory of 2948 2420 fxxfrrx.exe 34 PID 2420 wrote to memory of 2948 2420 fxxfrrx.exe 34 PID 2420 wrote to memory of 2948 2420 fxxfrrx.exe 34 PID 2420 wrote to memory of 2948 2420 fxxfrrx.exe 34 PID 2948 wrote to memory of 2752 2948 7xrflff.exe 35 PID 2948 wrote to memory of 2752 2948 7xrflff.exe 35 PID 2948 wrote to memory of 2752 2948 7xrflff.exe 35 PID 2948 wrote to memory of 2752 2948 7xrflff.exe 35 PID 2752 wrote to memory of 2876 2752 w46288.exe 36 PID 2752 wrote to memory of 2876 2752 w46288.exe 36 PID 2752 wrote to memory of 2876 2752 w46288.exe 36 PID 2752 wrote to memory of 2876 2752 w46288.exe 36 PID 2876 wrote to memory of 536 2876 xlrlllf.exe 37 PID 2876 wrote to memory of 536 2876 xlrlllf.exe 37 PID 2876 wrote to memory of 536 2876 xlrlllf.exe 37 PID 2876 wrote to memory of 536 2876 xlrlllf.exe 37 PID 536 wrote to memory of 2112 536 240048.exe 38 PID 536 wrote 
to memory of 2112 536 240048.exe 38 PID 536 wrote to memory of 2112 536 240048.exe 38 PID 536 wrote to memory of 2112 536 240048.exe 38 PID 2112 wrote to memory of 2480 2112 nbhhhb.exe 39 PID 2112 wrote to memory of 2480 2112 nbhhhb.exe 39 PID 2112 wrote to memory of 2480 2112 nbhhhb.exe 39 PID 2112 wrote to memory of 2480 2112 nbhhhb.exe 39 PID 2480 wrote to memory of 2636 2480 684460.exe 40 PID 2480 wrote to memory of 2636 2480 684460.exe 40 PID 2480 wrote to memory of 2636 2480 684460.exe 40 PID 2480 wrote to memory of 2636 2480 684460.exe 40 PID 2636 wrote to memory of 2308 2636 jdvdj.exe 41 PID 2636 wrote to memory of 2308 2636 jdvdj.exe 41 PID 2636 wrote to memory of 2308 2636 jdvdj.exe 41 PID 2636 wrote to memory of 2308 2636 jdvdj.exe 41 PID 2308 wrote to memory of 2512 2308 lxlffxx.exe 42 PID 2308 wrote to memory of 2512 2308 lxlffxx.exe 42 PID 2308 wrote to memory of 2512 2308 lxlffxx.exe 42 PID 2308 wrote to memory of 2512 2308 lxlffxx.exe 42 PID 2512 wrote to memory of 1992 2512 4244006.exe 43 PID 2512 wrote to memory of 1992 2512 4244006.exe 43 PID 2512 wrote to memory of 1992 2512 4244006.exe 43 PID 2512 wrote to memory of 1992 2512 4244006.exe 43 PID 1992 wrote to memory of 1504 1992 s2000.exe 44 PID 1992 wrote to memory of 1504 1992 s2000.exe 44 PID 1992 wrote to memory of 1504 1992 s2000.exe 44 PID 1992 wrote to memory of 1504 1992 s2000.exe 44 PID 1504 wrote to memory of 2288 1504 48846.exe 45 PID 1504 wrote to memory of 2288 1504 48846.exe 45 PID 1504 wrote to memory of 2288 1504 48846.exe 45 PID 1504 wrote to memory of 2288 1504 48846.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe"C:\Users\Admin\AppData\Local\Temp\0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\1jpvv.exec:\1jpvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\3hbhtt.exec:\3hbhtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\7pdvd.exec:\7pdvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\fxxfrrx.exec:\fxxfrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\7xrflff.exec:\7xrflff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\w46288.exec:\w46288.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\xlrlllf.exec:\xlrlllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\240048.exec:\240048.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\nbhhhb.exec:\nbhhhb.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\684460.exec:\684460.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\jdvdj.exec:\jdvdj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\lxlffxx.exec:\lxlffxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\4244006.exec:\4244006.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\s2000.exec:\s2000.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\48846.exec:\48846.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\o428040.exec:\o428040.exe17⤵
- Executes dropped EXE
PID:2288 -
\??\c:\g8044.exec:\g8044.exe18⤵
- Executes dropped EXE
PID:1964 -
\??\c:\a4668.exec:\a4668.exe19⤵
- Executes dropped EXE
PID:2836 -
\??\c:\864028.exec:\864028.exe20⤵
- Executes dropped EXE
PID:548 -
\??\c:\k04462.exec:\k04462.exe21⤵
- Executes dropped EXE
PID:2188 -
\??\c:\jpddp.exec:\jpddp.exe22⤵
- Executes dropped EXE
PID:1620 -
\??\c:\3nhbnn.exec:\3nhbnn.exe23⤵
- Executes dropped EXE
PID:408 -
\??\c:\20280.exec:\20280.exe24⤵
- Executes dropped EXE
PID:1564 -
\??\c:\6484224.exec:\6484224.exe25⤵
- Executes dropped EXE
PID:1104 -
\??\c:\tntbhn.exec:\tntbhn.exe26⤵
- Executes dropped EXE
PID:1836 -
\??\c:\ffrrxxl.exec:\ffrrxxl.exe27⤵
- Executes dropped EXE
PID:856 -
\??\c:\8206886.exec:\8206886.exe28⤵
- Executes dropped EXE
PID:1052 -
\??\c:\3pdjv.exec:\3pdjv.exe29⤵
- Executes dropped EXE
PID:768 -
\??\c:\7lfrxfl.exec:\7lfrxfl.exe30⤵
- Executes dropped EXE
PID:696 -
\??\c:\vvjjp.exec:\vvjjp.exe31⤵
- Executes dropped EXE
PID:580 -
\??\c:\a2666.exec:\a2666.exe32⤵
- Executes dropped EXE
PID:836 -
\??\c:\hbnhtt.exec:\hbnhtt.exe33⤵
- Executes dropped EXE
PID:2348 -
\??\c:\nhbhbb.exec:\nhbhbb.exe34⤵
- Executes dropped EXE
PID:2320 -
\??\c:\86446.exec:\86446.exe35⤵
- Executes dropped EXE
PID:2556 -
\??\c:\tthhnn.exec:\tthhnn.exe36⤵
- Executes dropped EXE
PID:2052 -
\??\c:\04840.exec:\04840.exe37⤵
- Executes dropped EXE
PID:1316 -
\??\c:\6022884.exec:\6022884.exe38⤵
- Executes dropped EXE
PID:2708 -
\??\c:\420244.exec:\420244.exe39⤵
- Executes dropped EXE
PID:1848 -
\??\c:\vjvvv.exec:\vjvvv.exe40⤵
- Executes dropped EXE
PID:964 -
\??\c:\4066204.exec:\4066204.exe41⤵
- Executes dropped EXE
PID:2936 -
\??\c:\vvdpp.exec:\vvdpp.exe42⤵
- Executes dropped EXE
PID:2728 -
\??\c:\pppvd.exec:\pppvd.exe43⤵
- Executes dropped EXE
PID:2816 -
\??\c:\2684006.exec:\2684006.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:536 -
\??\c:\642244.exec:\642244.exe45⤵
- Executes dropped EXE
PID:2656 -
\??\c:\thttbb.exec:\thttbb.exe46⤵
- Executes dropped EXE
PID:1648 -
\??\c:\pdpjv.exec:\pdpjv.exe47⤵
- Executes dropped EXE
PID:2328 -
\??\c:\m8228.exec:\m8228.exe48⤵
- Executes dropped EXE
PID:2032 -
\??\c:\bhbhtb.exec:\bhbhtb.exe49⤵
- Executes dropped EXE
PID:2436 -
\??\c:\bthntb.exec:\bthntb.exe50⤵
- Executes dropped EXE
PID:1512 -
\??\c:\64668.exec:\64668.exe51⤵
- Executes dropped EXE
PID:2692 -
\??\c:\rfrlxrx.exec:\rfrlxrx.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356 -
\??\c:\k42800.exec:\k42800.exe53⤵
- Executes dropped EXE
PID:1696 -
\??\c:\lxxflxf.exec:\lxxflxf.exe54⤵
- Executes dropped EXE
PID:1920 -
\??\c:\ffflfxl.exec:\ffflfxl.exe55⤵
- Executes dropped EXE
PID:1236 -
\??\c:\tbbtbh.exec:\tbbtbh.exe56⤵
- Executes dropped EXE
PID:3004 -
\??\c:\4060646.exec:\4060646.exe57⤵
- Executes dropped EXE
PID:2276 -
\??\c:\rflfllr.exec:\rflfllr.exe58⤵
- Executes dropped EXE
PID:2268 -
\??\c:\g4006.exec:\g4006.exe59⤵
- Executes dropped EXE
PID:2452 -
\??\c:\868462.exec:\868462.exe60⤵
- Executes dropped EXE
PID:2060 -
\??\c:\vvpvj.exec:\vvpvj.exe61⤵
- Executes dropped EXE
PID:1124 -
\??\c:\llfxlxr.exec:\llfxlxr.exe62⤵
- Executes dropped EXE
PID:912 -
\??\c:\nbnttn.exec:\nbnttn.exe63⤵
- Executes dropped EXE
PID:448 -
\??\c:\868244.exec:\868244.exe64⤵
- Executes dropped EXE
PID:2592 -
\??\c:\hbthnt.exec:\hbthnt.exe65⤵
- Executes dropped EXE
PID:828 -
\??\c:\rfxxfxl.exec:\rfxxfxl.exe66⤵PID:1148
-
\??\c:\g4846.exec:\g4846.exe67⤵PID:1544
-
\??\c:\ffxfffx.exec:\ffxfffx.exe68⤵PID:2508
-
\??\c:\64284.exec:\64284.exe69⤵PID:1048
-
\??\c:\3frllll.exec:\3frllll.exe70⤵PID:484
-
\??\c:\4206240.exec:\4206240.exe71⤵PID:2388
-
\??\c:\1pjpv.exec:\1pjpv.exe72⤵PID:2600
-
\??\c:\600064.exec:\600064.exe73⤵PID:2404
-
\??\c:\a4802.exec:\a4802.exe74⤵PID:1880
-
\??\c:\lfxxxlr.exec:\lfxxxlr.exe75⤵PID:1708
-
\??\c:\42444.exec:\42444.exe76⤵PID:1892
-
\??\c:\1jvpp.exec:\1jvpp.exe77⤵PID:1668
-
\??\c:\466282.exec:\466282.exe78⤵PID:356
-
\??\c:\e20406.exec:\e20406.exe79⤵PID:2572
-
\??\c:\xrffxxl.exec:\xrffxxl.exe80⤵PID:2052
-
\??\c:\886822.exec:\886822.exe81⤵PID:2704
-
\??\c:\fxlllrf.exec:\fxlllrf.exe82⤵PID:2016
-
\??\c:\46402.exec:\46402.exe83⤵PID:2384
-
\??\c:\w60628.exec:\w60628.exe84⤵PID:2900
-
\??\c:\pjvdj.exec:\pjvdj.exe85⤵PID:2940
-
\??\c:\086288.exec:\086288.exe86⤵PID:2740
-
\??\c:\82668.exec:\82668.exe87⤵PID:2784
-
\??\c:\4646804.exec:\4646804.exe88⤵PID:1704
-
\??\c:\xxrrrxx.exec:\xxrrrxx.exe89⤵PID:2796
-
\??\c:\04884.exec:\04884.exe90⤵PID:2684
-
\??\c:\5jddp.exec:\5jddp.exe91⤵PID:2668
-
\??\c:\9vvvv.exec:\9vvvv.exe92⤵PID:2428
-
\??\c:\vpddd.exec:\vpddd.exe93⤵PID:848
-
\??\c:\6026602.exec:\6026602.exe94⤵PID:1320
-
\??\c:\7pppv.exec:\7pppv.exe95⤵
- System Location Discovery: System Language Discovery
PID:1832 -
\??\c:\rlxxffr.exec:\rlxxffr.exe96⤵PID:1664
-
\??\c:\3rxxxxx.exec:\3rxxxxx.exe97⤵PID:1780
-
\??\c:\vpdpp.exec:\vpdpp.exe98⤵PID:2076
-
\??\c:\ppddd.exec:\ppddd.exe99⤵PID:3012
-
\??\c:\686622.exec:\686622.exe100⤵PID:2800
-
\??\c:\htbtnn.exec:\htbtnn.exe101⤵PID:3004
-
\??\c:\2680044.exec:\2680044.exe102⤵PID:2376
-
\??\c:\s6008.exec:\s6008.exe103⤵PID:1884
-
\??\c:\pddvp.exec:\pddvp.exe104⤵PID:2128
-
\??\c:\4868002.exec:\4868002.exe105⤵PID:2160
-
\??\c:\2644666.exec:\2644666.exe106⤵PID:740
-
\??\c:\fxllrrf.exec:\fxllrrf.exe107⤵PID:1976
-
\??\c:\826622.exec:\826622.exe108⤵PID:1376
-
\??\c:\rlxlrxl.exec:\rlxlrxl.exe109⤵PID:1728
-
\??\c:\a4844.exec:\a4844.exe110⤵PID:900
-
\??\c:\26842.exec:\26842.exe111⤵PID:908
-
\??\c:\bhhthn.exec:\bhhthn.exe112⤵PID:1528
-
\??\c:\6466842.exec:\6466842.exe113⤵PID:300
-
\??\c:\9tnbhb.exec:\9tnbhb.exe114⤵PID:572
-
\??\c:\26464.exec:\26464.exe115⤵PID:2568
-
\??\c:\60068.exec:\60068.exe116⤵PID:876
-
\??\c:\i428440.exec:\i428440.exe117⤵
- System Location Discovery: System Language Discovery
PID:2084 -
\??\c:\864400.exec:\864400.exe118⤵PID:1596
-
\??\c:\c206488.exec:\c206488.exe119⤵PID:2348
-
\??\c:\6400624.exec:\6400624.exe120⤵PID:1640
-
\??\c:\bnhhnn.exec:\bnhhnn.exe121⤵PID:1520
-
\??\c:\5jdvv.exec:\5jdvv.exe122⤵PID:2524
-