Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe
-
Size
456KB
-
MD5
e91f5d4d855864c328e99d8e25a85c01
-
SHA1
f8f47a89ac1f3f845aa816e944ddb2220f59b124
-
SHA256
baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1
-
SHA512
addb76e00ae6566614d920419fd703d8632508db6ec5740d3309def0a7d9ed94cdb71c8b95bed2832c74945c18aa641ddec4eb3c5380a62c45af91523ae9b550
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRo:q7Tc2NYHUrAwfMp3CDRo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/2404-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1088-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-55-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2584-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-122-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1492-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/776-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1828-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-161-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1604-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2384-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/444-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1756-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-316-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2864-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-354-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2924-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/592-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/636-453-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/636-475-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2260-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/968-507-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1640-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-541-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/2352-540-0x0000000000530000-0x000000000055A000-memory.dmp family_blackmoon behavioral1/memory/1728-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-620-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2080-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2992-666-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/592-707-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2932-720-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/636-733-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2180-749-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/992-788-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-851-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2444-866-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2960-884-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2744-910-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1768-955-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1268 5xxrffr.exe 1088 lfffrxl.exe 2892 7xllxlx.exe 1988 ddpvd.exe 2080 hhthtb.exe 2584 08624.exe 2904 660666.exe 2764 4262880.exe 2780 22068.exe 2520 8262046.exe 1172 5frflrl.exe 1492 ppjpd.exe 776 jvddj.exe 1104 q66808.exe 1828 xrrrrxl.exe 1940 jjpvd.exe 2472 60406.exe 1604 82068.exe 2384 1tntbh.exe 2116 48624.exe 444 66608.exe 3016 rllxrrr.exe 1636 1dddj.exe 2164 2848840.exe 2572 040622.exe 2576 048846.exe 1992 xflrxrr.exe 2068 u484680.exe 2488 hbntht.exe 1756 w64028.exe 2280 e26800.exe 2356 hbthnn.exe 2196 vvpdp.exe 1596 vpdjv.exe 2216 pvjvp.exe 2852 0468668.exe 2500 frrrflx.exe 2252 rlxlffx.exe 2864 7nhtht.exe 2936 vjvdp.exe 2992 fxfflrr.exe 2924 646626.exe 2712 frffllx.exe 2360 jjdjd.exe 2760 86040.exe 788 7vjdj.exe 1768 c200006.exe 688 jvjjp.exe 332 9rxfflr.exe 3028 tbnnhb.exe 592 dvjpd.exe 320 tnhthh.exe 2932 24468.exe 2916 646626.exe 636 hbthtb.exe 3044 8206280.exe 1724 6462402.exe 2392 hhhhnn.exe 556 bbtbnt.exe 2260 5hbttn.exe 836 86446.exe 2692 tnnhtb.exe 968 8266480.exe 1692 pdjjv.exe -
resource yara_rule behavioral1/memory/2404-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2892-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2584-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1828-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/444-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-355-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2924-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-540-0x0000000000530000-0x000000000055A000-memory.dmp upx behavioral1/memory/1728-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-707-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/992-788-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-866-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2948-885-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-910-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-918-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-956-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-963-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8262046.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4206266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60802.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxfflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fffrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6046886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4646484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8644224.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2404 wrote to memory of 1268 2404 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 30 PID 2404 wrote to memory of 1268 2404 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 30 PID 2404 wrote to memory of 1268 2404 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 30 PID 2404 wrote to memory of 1268 2404 baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe 30 PID 1268 wrote to memory of 1088 1268 5xxrffr.exe 31 PID 1268 wrote to memory of 1088 1268 5xxrffr.exe 31 PID 1268 wrote to memory of 1088 1268 5xxrffr.exe 31 PID 1268 wrote to memory of 1088 1268 5xxrffr.exe 31 PID 1088 wrote to memory of 2892 1088 lfffrxl.exe 32 PID 1088 wrote to memory of 2892 1088 lfffrxl.exe 32 PID 1088 wrote to memory of 2892 1088 lfffrxl.exe 32 PID 1088 wrote to memory of 2892 1088 lfffrxl.exe 32 PID 2892 wrote to memory of 1988 2892 7xllxlx.exe 33 PID 2892 wrote to memory of 1988 2892 7xllxlx.exe 33 PID 2892 wrote to memory of 1988 2892 7xllxlx.exe 33 PID 2892 wrote to memory of 1988 2892 7xllxlx.exe 33 PID 1988 wrote to memory of 2080 1988 ddpvd.exe 34 PID 1988 wrote to memory of 2080 1988 ddpvd.exe 34 PID 1988 wrote to memory of 2080 1988 ddpvd.exe 34 PID 1988 wrote to memory of 2080 1988 ddpvd.exe 34 PID 2080 wrote to memory of 2584 2080 hhthtb.exe 35 PID 2080 wrote to memory of 2584 2080 hhthtb.exe 35 PID 2080 wrote to memory of 2584 2080 hhthtb.exe 35 PID 2080 wrote to memory of 2584 2080 hhthtb.exe 35 PID 2584 wrote to memory of 2904 2584 08624.exe 36 PID 2584 wrote to memory of 2904 2584 08624.exe 36 PID 2584 wrote to memory of 2904 2584 08624.exe 36 PID 2584 wrote to memory of 2904 2584 08624.exe 36 PID 2904 wrote to memory of 2764 2904 660666.exe 37 PID 2904 wrote to memory of 2764 2904 660666.exe 37 PID 2904 wrote to memory of 2764 2904 660666.exe 37 PID 2904 wrote to memory of 2764 2904 660666.exe 37 PID 2764 wrote to memory of 2780 2764 4262880.exe 38 PID 2764 
wrote to memory of 2780 2764 4262880.exe 38 PID 2764 wrote to memory of 2780 2764 4262880.exe 38 PID 2764 wrote to memory of 2780 2764 4262880.exe 38 PID 2780 wrote to memory of 2520 2780 22068.exe 39 PID 2780 wrote to memory of 2520 2780 22068.exe 39 PID 2780 wrote to memory of 2520 2780 22068.exe 39 PID 2780 wrote to memory of 2520 2780 22068.exe 39 PID 2520 wrote to memory of 1172 2520 8262046.exe 40 PID 2520 wrote to memory of 1172 2520 8262046.exe 40 PID 2520 wrote to memory of 1172 2520 8262046.exe 40 PID 2520 wrote to memory of 1172 2520 8262046.exe 40 PID 1172 wrote to memory of 1492 1172 5frflrl.exe 41 PID 1172 wrote to memory of 1492 1172 5frflrl.exe 41 PID 1172 wrote to memory of 1492 1172 5frflrl.exe 41 PID 1172 wrote to memory of 1492 1172 5frflrl.exe 41 PID 1492 wrote to memory of 776 1492 ppjpd.exe 42 PID 1492 wrote to memory of 776 1492 ppjpd.exe 42 PID 1492 wrote to memory of 776 1492 ppjpd.exe 42 PID 1492 wrote to memory of 776 1492 ppjpd.exe 42 PID 776 wrote to memory of 1104 776 jvddj.exe 43 PID 776 wrote to memory of 1104 776 jvddj.exe 43 PID 776 wrote to memory of 1104 776 jvddj.exe 43 PID 776 wrote to memory of 1104 776 jvddj.exe 43 PID 1104 wrote to memory of 1828 1104 q66808.exe 44 PID 1104 wrote to memory of 1828 1104 q66808.exe 44 PID 1104 wrote to memory of 1828 1104 q66808.exe 44 PID 1104 wrote to memory of 1828 1104 q66808.exe 44 PID 1828 wrote to memory of 1940 1828 xrrrrxl.exe 45 PID 1828 wrote to memory of 1940 1828 xrrrrxl.exe 45 PID 1828 wrote to memory of 1940 1828 xrrrrxl.exe 45 PID 1828 wrote to memory of 1940 1828 xrrrrxl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe"C:\Users\Admin\AppData\Local\Temp\baa896de966d991b59bc3277a4b65b017eca2983daa7a22b08902bd8fa387ec1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\5xxrffr.exec:\5xxrffr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\lfffrxl.exec:\lfffrxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\7xllxlx.exec:\7xllxlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\ddpvd.exec:\ddpvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\hhthtb.exec:\hhthtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\08624.exec:\08624.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\660666.exec:\660666.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\4262880.exec:\4262880.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\22068.exec:\22068.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\8262046.exec:\8262046.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\5frflrl.exec:\5frflrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\ppjpd.exec:\ppjpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\jvddj.exec:\jvddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:776 -
\??\c:\q66808.exec:\q66808.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\xrrrrxl.exec:\xrrrrxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\jjpvd.exec:\jjpvd.exe17⤵
- Executes dropped EXE
PID:1940 -
\??\c:\60406.exec:\60406.exe18⤵
- Executes dropped EXE
PID:2472 -
\??\c:\82068.exec:\82068.exe19⤵
- Executes dropped EXE
PID:1604 -
\??\c:\1tntbh.exec:\1tntbh.exe20⤵
- Executes dropped EXE
PID:2384 -
\??\c:\48624.exec:\48624.exe21⤵
- Executes dropped EXE
PID:2116 -
\??\c:\66608.exec:\66608.exe22⤵
- Executes dropped EXE
PID:444 -
\??\c:\rllxrrr.exec:\rllxrrr.exe23⤵
- Executes dropped EXE
PID:3016 -
\??\c:\1dddj.exec:\1dddj.exe24⤵
- Executes dropped EXE
PID:1636 -
\??\c:\2848840.exec:\2848840.exe25⤵
- Executes dropped EXE
PID:2164 -
\??\c:\040622.exec:\040622.exe26⤵
- Executes dropped EXE
PID:2572 -
\??\c:\048846.exec:\048846.exe27⤵
- Executes dropped EXE
PID:2576 -
\??\c:\xflrxrr.exec:\xflrxrr.exe28⤵
- Executes dropped EXE
PID:1992 -
\??\c:\u484680.exec:\u484680.exe29⤵
- Executes dropped EXE
PID:2068 -
\??\c:\hbntht.exec:\hbntht.exe30⤵
- Executes dropped EXE
PID:2488 -
\??\c:\w64028.exec:\w64028.exe31⤵
- Executes dropped EXE
PID:1756 -
\??\c:\e26800.exec:\e26800.exe32⤵
- Executes dropped EXE
PID:2280 -
\??\c:\hbthnn.exec:\hbthnn.exe33⤵
- Executes dropped EXE
PID:2356 -
\??\c:\vvpdp.exec:\vvpdp.exe34⤵
- Executes dropped EXE
PID:2196 -
\??\c:\vpdjv.exec:\vpdjv.exe35⤵
- Executes dropped EXE
PID:1596 -
\??\c:\pvjvp.exec:\pvjvp.exe36⤵
- Executes dropped EXE
PID:2216 -
\??\c:\0468668.exec:\0468668.exe37⤵
- Executes dropped EXE
PID:2852 -
\??\c:\frrrflx.exec:\frrrflx.exe38⤵
- Executes dropped EXE
PID:2500 -
\??\c:\rlxlffx.exec:\rlxlffx.exe39⤵
- Executes dropped EXE
PID:2252 -
\??\c:\7nhtht.exec:\7nhtht.exe40⤵
- Executes dropped EXE
PID:2864 -
\??\c:\vjvdp.exec:\vjvdp.exe41⤵
- Executes dropped EXE
PID:2936 -
\??\c:\fxfflrr.exec:\fxfflrr.exe42⤵
- Executes dropped EXE
PID:2992 -
\??\c:\646626.exec:\646626.exe43⤵
- Executes dropped EXE
PID:2924 -
\??\c:\frffllx.exec:\frffllx.exe44⤵
- Executes dropped EXE
PID:2712 -
\??\c:\jjdjd.exec:\jjdjd.exe45⤵
- Executes dropped EXE
PID:2360 -
\??\c:\86040.exec:\86040.exe46⤵
- Executes dropped EXE
PID:2760 -
\??\c:\7vjdj.exec:\7vjdj.exe47⤵
- Executes dropped EXE
PID:788 -
\??\c:\c200006.exec:\c200006.exe48⤵
- Executes dropped EXE
PID:1768 -
\??\c:\jvjjp.exec:\jvjjp.exe49⤵
- Executes dropped EXE
PID:688 -
\??\c:\9rxfflr.exec:\9rxfflr.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:332 -
\??\c:\tbnnhb.exec:\tbnnhb.exe51⤵
- Executes dropped EXE
PID:3028 -
\??\c:\dvjpd.exec:\dvjpd.exe52⤵
- Executes dropped EXE
PID:592 -
\??\c:\tnhthh.exec:\tnhthh.exe53⤵
- Executes dropped EXE
PID:320 -
\??\c:\24468.exec:\24468.exe54⤵
- Executes dropped EXE
PID:2932 -
\??\c:\646626.exec:\646626.exe55⤵
- Executes dropped EXE
PID:2916 -
\??\c:\hbthtb.exec:\hbthtb.exe56⤵
- Executes dropped EXE
PID:636 -
\??\c:\8206280.exec:\8206280.exe57⤵
- Executes dropped EXE
PID:3044 -
\??\c:\6462402.exec:\6462402.exe58⤵
- Executes dropped EXE
PID:1724 -
\??\c:\hhhhnn.exec:\hhhhnn.exe59⤵
- Executes dropped EXE
PID:2392 -
\??\c:\bbtbnt.exec:\bbtbnt.exe60⤵
- Executes dropped EXE
PID:556 -
\??\c:\5hbttn.exec:\5hbttn.exe61⤵
- Executes dropped EXE
PID:2260 -
\??\c:\86446.exec:\86446.exe62⤵
- Executes dropped EXE
PID:836 -
\??\c:\tnnhtb.exec:\tnnhtb.exe63⤵
- Executes dropped EXE
PID:2692 -
\??\c:\8266480.exec:\8266480.exe64⤵
- Executes dropped EXE
PID:968 -
\??\c:\pdjjv.exec:\pdjjv.exe65⤵
- Executes dropped EXE
PID:1692 -
\??\c:\9rllflr.exec:\9rllflr.exe66⤵PID:2164
-
\??\c:\7hhnbh.exec:\7hhnbh.exe67⤵PID:1640
-
\??\c:\jdvjp.exec:\jdvjp.exe68⤵PID:2228
-
\??\c:\2680284.exec:\2680284.exe69⤵PID:2352
-
\??\c:\5nttbb.exec:\5nttbb.exe70⤵
- System Location Discovery: System Language Discovery
PID:1728 -
\??\c:\c084668.exec:\c084668.exe71⤵PID:2324
-
\??\c:\20846.exec:\20846.exe72⤵PID:2176
-
\??\c:\hthhnt.exec:\hthhnt.exe73⤵PID:1756
-
\??\c:\448400.exec:\448400.exe74⤵PID:2508
-
\??\c:\04884.exec:\04884.exe75⤵PID:1264
-
\??\c:\1hbbbb.exec:\1hbbbb.exe76⤵PID:2444
-
\??\c:\5rxxrlf.exec:\5rxxrlf.exe77⤵PID:1624
-
\??\c:\xlrrlfl.exec:\xlrrlfl.exe78⤵PID:1088
-
\??\c:\i828000.exec:\i828000.exe79⤵PID:2216
-
\??\c:\8644224.exec:\8644224.exe80⤵
- System Location Discovery: System Language Discovery
PID:2940 -
\??\c:\0868062.exec:\0868062.exe81⤵PID:2964
-
\??\c:\5rflllr.exec:\5rflllr.exe82⤵PID:2080
-
\??\c:\6242224.exec:\6242224.exe83⤵PID:2864
-
\??\c:\btttbh.exec:\btttbh.exe84⤵PID:2848
-
\??\c:\jdppv.exec:\jdppv.exe85⤵PID:2992
-
\??\c:\82024.exec:\82024.exe86⤵PID:2924
-
\??\c:\u022040.exec:\u022040.exe87⤵PID:2712
-
\??\c:\640068.exec:\640068.exe88⤵PID:2480
-
\??\c:\hhhhbh.exec:\hhhhbh.exe89⤵PID:1648
-
\??\c:\080644.exec:\080644.exe90⤵PID:1256
-
\??\c:\k20062.exec:\k20062.exe91⤵PID:2888
-
\??\c:\608462.exec:\608462.exe92⤵PID:1508
-
\??\c:\64846.exec:\64846.exe93⤵PID:784
-
\??\c:\m0884.exec:\m0884.exe94⤵PID:3028
-
\??\c:\8044602.exec:\8044602.exe95⤵PID:592
-
\??\c:\60822.exec:\60822.exe96⤵PID:1976
-
\??\c:\htbhtt.exec:\htbhtt.exe97⤵PID:2932
-
\??\c:\860022.exec:\860022.exe98⤵PID:2160
-
\??\c:\8480080.exec:\8480080.exe99⤵PID:636
-
\??\c:\9rflllx.exec:\9rflllx.exe100⤵PID:2064
-
\??\c:\04888.exec:\04888.exe101⤵PID:2180
-
\??\c:\djpvd.exec:\djpvd.exe102⤵PID:768
-
\??\c:\tnhnnb.exec:\tnhnnb.exe103⤵PID:916
-
\??\c:\082288.exec:\082288.exe104⤵PID:2260
-
\??\c:\9nnthn.exec:\9nnthn.exe105⤵PID:1388
-
\??\c:\nnnnhn.exec:\nnnnhn.exe106⤵PID:1876
-
\??\c:\6044680.exec:\6044680.exe107⤵PID:992
-
\??\c:\k60688.exec:\k60688.exe108⤵PID:1692
-
\??\c:\o668664.exec:\o668664.exe109⤵PID:904
-
\??\c:\ffxlxfl.exec:\ffxlxfl.exe110⤵PID:2184
-
\??\c:\04840.exec:\04840.exe111⤵PID:1984
-
\??\c:\vvjpj.exec:\vvjpj.exe112⤵PID:2104
-
\??\c:\448466.exec:\448466.exe113⤵PID:2524
-
\??\c:\608460.exec:\608460.exe114⤵PID:892
-
\??\c:\ffxrrxr.exec:\ffxrrxr.exe115⤵PID:888
-
\??\c:\jdvdp.exec:\jdvdp.exe116⤵PID:2264
-
\??\c:\xrllrxl.exec:\xrllrxl.exe117⤵PID:3056
-
\??\c:\tnbhnb.exec:\tnbhnb.exe118⤵PID:2212
-
\??\c:\608648.exec:\608648.exe119⤵PID:1512
-
\??\c:\o208020.exec:\o208020.exe120⤵PID:2444
-
\??\c:\thhnbh.exec:\thhnbh.exe121⤵PID:2660
-
\??\c:\822800.exec:\822800.exe122⤵PID:2960
-