Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
08/01/2025, 07:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe
-
Size
454KB
-
MD5
c91ca7a7775240001c0561985e00f02f
-
SHA1
c2960e0fbe92f88afaf9530544d70c1747d56f8b
-
SHA256
bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777
-
SHA512
52f0328b29ab476a3a866e11b727befda9756455f43c14ec0da53ecc2f90a92a1912338cf487df5fc7bfd196cacc9a5c0a5e4c93535bfad1b19e328f89adfcb1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2168-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1336-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1896-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1540-93-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1308-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1676-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1000-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1640-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1320-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-532-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2340-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-634-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1368-698-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2352-731-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2192-738-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2660-890-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2840-895-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/552-930-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2976-1072-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2976-1070-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2660 60840.exe 2768 4828662.exe 2864 3bthtt.exe 2176 vppvp.exe 1704 vjdjp.exe 2552 lfxfxfx.exe 1336 80846.exe 1896 jdjvv.exe 1540 g0402.exe 1308 nhnntt.exe 3008 xrlxlrf.exe 1932 486806.exe 2348 448422.exe 2900 228066.exe 2460 fxrflrf.exe 540 64022.exe 2016 62222.exe 2504 3lflxfl.exe 2092 1nbbbb.exe 2440 hthnnh.exe 1732 0800688.exe 1824 1jdvd.exe 768 m0884.exe 1048 pjvdj.exe 1396 6668224.exe 1976 jvpvd.exe 1604 864028.exe 1676 6462888.exe 2088 lfxflxl.exe 1496 7btbhh.exe 1000 260688.exe 1516 7jpdp.exe 1640 042240.exe 2340 djpvp.exe 2692 q44022.exe 1608 xlxfrrx.exe 2784 26400.exe 2712 22646.exe 2988 5pdvd.exe 2716 i624280.exe 2548 s2028.exe 2672 5nbhnn.exe 2624 0646882.exe 1212 fxfxlrr.exe 2648 0440448.exe 444 7hbhnn.exe 2968 pdpjv.exe 2732 hnnbbh.exe 1708 nhttbb.exe 2416 9bhntt.exe 2804 nhbnth.exe 2348 664080.exe 2420 60240.exe 2360 nnntnn.exe 556 22240.exe 2332 e48822.exe 2016 88406.exe 2504 0424602.exe 264 8224280.exe 2188 4824840.exe 1320 22808.exe 2508 e82468.exe 2448 fxxxrxl.exe 1384 7nhtbb.exe -
resource yara_rule behavioral1/memory/2168-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1336-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1540-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-127-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2348-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1000-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-300-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2692-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1320-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1396-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1212-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-731-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2840-895-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-1013-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-1039-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1376-1058-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6480680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2648006.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlflf.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q08840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2168 wrote to memory of 2660 2168 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 30 PID 2168 wrote to memory of 2660 2168 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 30 PID 2168 wrote to memory of 2660 2168 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 30 PID 2168 wrote to memory of 2660 2168 bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe 30 PID 2660 wrote to memory of 2768 2660 60840.exe 31 PID 2660 wrote to memory of 2768 2660 60840.exe 31 PID 2660 wrote to memory of 2768 2660 60840.exe 31 PID 2660 wrote to memory of 2768 2660 60840.exe 31 PID 2768 wrote to memory of 2864 2768 4828662.exe 32 PID 2768 wrote to memory of 2864 2768 4828662.exe 32 PID 2768 wrote to memory of 2864 2768 4828662.exe 32 PID 2768 wrote to memory of 2864 2768 4828662.exe 32 PID 2864 wrote to memory of 2176 2864 3bthtt.exe 33 PID 2864 wrote to memory of 2176 2864 3bthtt.exe 33 PID 2864 wrote to memory of 2176 2864 3bthtt.exe 33 PID 2864 wrote to memory of 2176 2864 3bthtt.exe 33 PID 2176 wrote to memory of 1704 2176 vppvp.exe 34 PID 2176 wrote to memory of 1704 2176 vppvp.exe 34 PID 2176 wrote to memory of 1704 2176 vppvp.exe 34 PID 2176 wrote to memory of 1704 2176 vppvp.exe 34 PID 1704 wrote to memory of 2552 1704 vjdjp.exe 35 PID 1704 wrote to memory of 2552 1704 vjdjp.exe 35 PID 1704 wrote to memory of 2552 1704 vjdjp.exe 35 PID 1704 wrote to memory of 2552 1704 vjdjp.exe 35 PID 2552 wrote to memory of 1336 2552 lfxfxfx.exe 36 PID 2552 wrote to memory of 1336 2552 lfxfxfx.exe 36 PID 2552 wrote to memory of 1336 2552 lfxfxfx.exe 36 PID 2552 wrote to memory of 1336 2552 lfxfxfx.exe 36 PID 1336 wrote to memory of 1896 1336 80846.exe 37 PID 1336 wrote to memory of 1896 1336 80846.exe 37 PID 1336 wrote to memory of 1896 1336 80846.exe 37 PID 1336 wrote to memory of 1896 1336 80846.exe 37 PID 1896 wrote to memory of 1540 1896 jdjvv.exe 38 PID 1896 wrote to 
memory of 1540 1896 jdjvv.exe 38 PID 1896 wrote to memory of 1540 1896 jdjvv.exe 38 PID 1896 wrote to memory of 1540 1896 jdjvv.exe 38 PID 1540 wrote to memory of 1308 1540 g0402.exe 39 PID 1540 wrote to memory of 1308 1540 g0402.exe 39 PID 1540 wrote to memory of 1308 1540 g0402.exe 39 PID 1540 wrote to memory of 1308 1540 g0402.exe 39 PID 1308 wrote to memory of 3008 1308 nhnntt.exe 40 PID 1308 wrote to memory of 3008 1308 nhnntt.exe 40 PID 1308 wrote to memory of 3008 1308 nhnntt.exe 40 PID 1308 wrote to memory of 3008 1308 nhnntt.exe 40 PID 3008 wrote to memory of 1932 3008 xrlxlrf.exe 41 PID 3008 wrote to memory of 1932 3008 xrlxlrf.exe 41 PID 3008 wrote to memory of 1932 3008 xrlxlrf.exe 41 PID 3008 wrote to memory of 1932 3008 xrlxlrf.exe 41 PID 1932 wrote to memory of 2348 1932 486806.exe 42 PID 1932 wrote to memory of 2348 1932 486806.exe 42 PID 1932 wrote to memory of 2348 1932 486806.exe 42 PID 1932 wrote to memory of 2348 1932 486806.exe 42 PID 2348 wrote to memory of 2900 2348 448422.exe 43 PID 2348 wrote to memory of 2900 2348 448422.exe 43 PID 2348 wrote to memory of 2900 2348 448422.exe 43 PID 2348 wrote to memory of 2900 2348 448422.exe 43 PID 2900 wrote to memory of 2460 2900 228066.exe 44 PID 2900 wrote to memory of 2460 2900 228066.exe 44 PID 2900 wrote to memory of 2460 2900 228066.exe 44 PID 2900 wrote to memory of 2460 2900 228066.exe 44 PID 2460 wrote to memory of 540 2460 fxrflrf.exe 45 PID 2460 wrote to memory of 540 2460 fxrflrf.exe 45 PID 2460 wrote to memory of 540 2460 fxrflrf.exe 45 PID 2460 wrote to memory of 540 2460 fxrflrf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe"C:\Users\Admin\AppData\Local\Temp\bd8c213f826b95315bfde8e542a0ac20da007c81e216405d55bcfb866789a777.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\60840.exec:\60840.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\4828662.exec:\4828662.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\3bthtt.exec:\3bthtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\vppvp.exec:\vppvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\vjdjp.exec:\vjdjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\lfxfxfx.exec:\lfxfxfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\80846.exec:\80846.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\jdjvv.exec:\jdjvv.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\g0402.exec:\g0402.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\nhnntt.exec:\nhnntt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\xrlxlrf.exec:\xrlxlrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\486806.exec:\486806.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\448422.exec:\448422.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\228066.exec:\228066.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\fxrflrf.exec:\fxrflrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\64022.exec:\64022.exe17⤵
- Executes dropped EXE
PID:540 -
\??\c:\62222.exec:\62222.exe18⤵
- Executes dropped EXE
PID:2016 -
\??\c:\3lflxfl.exec:\3lflxfl.exe19⤵
- Executes dropped EXE
PID:2504 -
\??\c:\1nbbbb.exec:\1nbbbb.exe20⤵
- Executes dropped EXE
PID:2092 -
\??\c:\hthnnh.exec:\hthnnh.exe21⤵
- Executes dropped EXE
PID:2440 -
\??\c:\0800688.exec:\0800688.exe22⤵
- Executes dropped EXE
PID:1732 -
\??\c:\1jdvd.exec:\1jdvd.exe23⤵
- Executes dropped EXE
PID:1824 -
\??\c:\m0884.exec:\m0884.exe24⤵
- Executes dropped EXE
PID:768 -
\??\c:\pjvdj.exec:\pjvdj.exe25⤵
- Executes dropped EXE
PID:1048 -
\??\c:\6668224.exec:\6668224.exe26⤵
- Executes dropped EXE
PID:1396 -
\??\c:\jvpvd.exec:\jvpvd.exe27⤵
- Executes dropped EXE
PID:1976 -
\??\c:\864028.exec:\864028.exe28⤵
- Executes dropped EXE
PID:1604 -
\??\c:\6462888.exec:\6462888.exe29⤵
- Executes dropped EXE
PID:1676 -
\??\c:\lfxflxl.exec:\lfxflxl.exe30⤵
- Executes dropped EXE
PID:2088 -
\??\c:\7btbhh.exec:\7btbhh.exe31⤵
- Executes dropped EXE
PID:1496 -
\??\c:\260688.exec:\260688.exe32⤵
- Executes dropped EXE
PID:1000 -
\??\c:\7jpdp.exec:\7jpdp.exe33⤵
- Executes dropped EXE
PID:1516 -
\??\c:\042240.exec:\042240.exe34⤵
- Executes dropped EXE
PID:1640 -
\??\c:\djpvp.exec:\djpvp.exe35⤵
- Executes dropped EXE
PID:2340 -
\??\c:\q44022.exec:\q44022.exe36⤵
- Executes dropped EXE
PID:2692 -
\??\c:\xlxfrrx.exec:\xlxfrrx.exe37⤵
- Executes dropped EXE
PID:1608 -
\??\c:\26400.exec:\26400.exe38⤵
- Executes dropped EXE
PID:2784 -
\??\c:\22646.exec:\22646.exe39⤵
- Executes dropped EXE
PID:2712 -
\??\c:\5pdvd.exec:\5pdvd.exe40⤵
- Executes dropped EXE
PID:2988 -
\??\c:\i624280.exec:\i624280.exe41⤵
- Executes dropped EXE
PID:2716 -
\??\c:\s2028.exec:\s2028.exe42⤵
- Executes dropped EXE
PID:2548 -
\??\c:\5nbhnn.exec:\5nbhnn.exe43⤵
- Executes dropped EXE
PID:2672 -
\??\c:\0646882.exec:\0646882.exe44⤵
- Executes dropped EXE
PID:2624 -
\??\c:\fxfxlrr.exec:\fxfxlrr.exe45⤵
- Executes dropped EXE
PID:1212 -
\??\c:\0440448.exec:\0440448.exe46⤵
- Executes dropped EXE
PID:2648 -
\??\c:\7hbhnn.exec:\7hbhnn.exe47⤵
- Executes dropped EXE
PID:444 -
\??\c:\pdpjv.exec:\pdpjv.exe48⤵
- Executes dropped EXE
PID:2968 -
\??\c:\hnnbbh.exec:\hnnbbh.exe49⤵
- Executes dropped EXE
PID:2732 -
\??\c:\nhttbb.exec:\nhttbb.exe50⤵
- Executes dropped EXE
PID:1708 -
\??\c:\9bhntt.exec:\9bhntt.exe51⤵
- Executes dropped EXE
PID:2416 -
\??\c:\nhbnth.exec:\nhbnth.exe52⤵
- Executes dropped EXE
PID:2804 -
\??\c:\664080.exec:\664080.exe53⤵
- Executes dropped EXE
PID:2348 -
\??\c:\60240.exec:\60240.exe54⤵
- Executes dropped EXE
PID:2420 -
\??\c:\nnntnn.exec:\nnntnn.exe55⤵
- Executes dropped EXE
PID:2360 -
\??\c:\22240.exec:\22240.exe56⤵
- Executes dropped EXE
PID:556 -
\??\c:\e48822.exec:\e48822.exe57⤵
- Executes dropped EXE
PID:2332 -
\??\c:\88406.exec:\88406.exe58⤵
- Executes dropped EXE
PID:2016 -
\??\c:\0424602.exec:\0424602.exe59⤵
- Executes dropped EXE
PID:2504 -
\??\c:\8224280.exec:\8224280.exe60⤵
- Executes dropped EXE
PID:264 -
\??\c:\4824840.exec:\4824840.exe61⤵
- Executes dropped EXE
PID:2188 -
\??\c:\22808.exec:\22808.exe62⤵
- Executes dropped EXE
PID:1320 -
\??\c:\e82468.exec:\e82468.exe63⤵
- Executes dropped EXE
PID:2508 -
\??\c:\fxxxrxl.exec:\fxxxrxl.exe64⤵
- Executes dropped EXE
PID:2448 -
\??\c:\7nhtbb.exec:\7nhtbb.exe65⤵
- Executes dropped EXE
PID:1384 -
\??\c:\xxxfrrf.exec:\xxxfrrf.exe66⤵PID:2020
-
\??\c:\6044624.exec:\6044624.exe67⤵PID:1548
-
\??\c:\48680.exec:\48680.exe68⤵PID:1396
-
\??\c:\8824486.exec:\8824486.exe69⤵PID:2512
-
\??\c:\tnhtht.exec:\tnhtht.exe70⤵PID:1196
-
\??\c:\60628.exec:\60628.exe71⤵PID:1316
-
\??\c:\jdvvv.exec:\jdvvv.exe72⤵PID:2080
-
\??\c:\226828.exec:\226828.exe73⤵PID:2088
-
\??\c:\5hbntn.exec:\5hbntn.exe74⤵PID:1500
-
\??\c:\880806.exec:\880806.exe75⤵PID:1664
-
\??\c:\2602460.exec:\2602460.exe76⤵PID:2444
-
\??\c:\266468.exec:\266468.exe77⤵PID:2656
-
\??\c:\482240.exec:\482240.exe78⤵PID:2280
-
\??\c:\228400.exec:\228400.exe79⤵PID:2340
-
\??\c:\hhbntb.exec:\hhbntb.exe80⤵PID:2692
-
\??\c:\m4806.exec:\m4806.exe81⤵PID:2432
-
\??\c:\1frrlrx.exec:\1frrlrx.exe82⤵PID:2784
-
\??\c:\8200606.exec:\8200606.exe83⤵PID:2176
-
\??\c:\266028.exec:\266028.exe84⤵PID:2920
-
\??\c:\3rlrlrl.exec:\3rlrlrl.exe85⤵PID:2568
-
\??\c:\fllxxlx.exec:\fllxxlx.exe86⤵PID:2724
-
\??\c:\btbbnt.exec:\btbbnt.exe87⤵PID:2324
-
\??\c:\q64062.exec:\q64062.exe88⤵PID:1896
-
\??\c:\0806662.exec:\0806662.exe89⤵PID:1212
-
\??\c:\lfffrxf.exec:\lfffrxf.exe90⤵PID:2964
-
\??\c:\rffrxxx.exec:\rffrxxx.exe91⤵PID:444
-
\??\c:\vvjvj.exec:\vvjvj.exe92⤵PID:1892
-
\??\c:\044028.exec:\044028.exe93⤵PID:3004
-
\??\c:\00464.exec:\00464.exe94⤵PID:2496
-
\??\c:\0244826.exec:\0244826.exe95⤵PID:1368
-
\??\c:\80860.exec:\80860.exe96⤵PID:900
-
\??\c:\jvpdj.exec:\jvpdj.exe97⤵PID:2352
-
\??\c:\hhhtnb.exec:\hhhtnb.exe98⤵PID:2316
-
\??\c:\thhttn.exec:\thhttn.exe99⤵PID:1208
-
\??\c:\fxxfrxf.exec:\fxxfrxf.exe100⤵PID:1920
-
\??\c:\jjpvj.exec:\jjpvj.exe101⤵PID:2192
-
\??\c:\pdpjj.exec:\pdpjj.exe102⤵PID:2124
-
\??\c:\s4840.exec:\s4840.exe103⤵PID:2436
-
\??\c:\i824680.exec:\i824680.exe104⤵PID:2152
-
\??\c:\hbbnbh.exec:\hbbnbh.exe105⤵PID:2440
-
\??\c:\bhhbnb.exec:\bhhbnb.exe106⤵PID:1732
-
\??\c:\g4240.exec:\g4240.exe107⤵PID:1824
-
\??\c:\jjdpd.exec:\jjdpd.exe108⤵PID:568
-
\??\c:\xlrfflf.exec:\xlrfflf.exe109⤵PID:2976
-
\??\c:\84462.exec:\84462.exe110⤵PID:1560
-
\??\c:\k60244.exec:\k60244.exe111⤵PID:1244
-
\??\c:\nhbhth.exec:\nhbhth.exe112⤵PID:3032
-
\??\c:\w42462.exec:\w42462.exe113⤵PID:1984
-
\??\c:\480084.exec:\480084.exe114⤵PID:648
-
\??\c:\hhhthh.exec:\hhhthh.exe115⤵PID:1464
-
\??\c:\xflrrxf.exec:\xflrrxf.exe116⤵PID:2288
-
\??\c:\jpjdj.exec:\jpjdj.exe117⤵PID:2248
-
\??\c:\lffrrxr.exec:\lffrrxr.exe118⤵PID:1076
-
\??\c:\4800242.exec:\4800242.exe119⤵PID:1000
-
\??\c:\jddpd.exec:\jddpd.exe120⤵PID:2128
-
\??\c:\420684.exec:\420684.exe121⤵PID:3060
-
\??\c:\004246.exec:\004246.exe122⤵PID:2660