Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe
-
Size
454KB
-
MD5
4c5e831e17bdbe5a12e353f3d4e3debf
-
SHA1
68d40e6829b7a3d040086abf68e3d1fe58fcb36b
-
SHA256
c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3
-
SHA512
0bd7fe7a742ec891d5582feccd030f68daecbba1659bca416b1b1e3faaa15c45ef834ac89c81a0c6c3a15857f5287f75acd21af7aeb44b5a3f691e58b6e7e5d5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2996-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/816-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/628-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-205-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2012-335-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2176-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-322-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/1556-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/612-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-224-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1640-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3032-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-78-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2200-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-40-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2852-22-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2324-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/796-959-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/984-1040-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1812-1060-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2664-1279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-1304-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2324 nbhhhb.exe 2852 82888.exe 1916 4204000.exe 2140 20284.exe 2744 64004.exe 2200 6808444.exe 816 0800662.exe 1476 7djdd.exe 2356 pvvvp.exe 2024 jpdvp.exe 2920 lxfllfl.exe 2916 frlrxlx.exe 3060 08044.exe 3032 0866824.exe 2732 u466666.exe 1628 4282262.exe 628 3flfffl.exe 2168 2060624.exe 2192 64662.exe 2220 6022402.exe 2664 864440.exe 1940 pdpjp.exe 1640 lfxrfxl.exe 1972 2088040.exe 900 7hnhtt.exe 612 86266.exe 1812 o844004.exe 2396 bntbbb.exe 1700 24660.exe 1848 0800602.exe 2944 426684.exe 2340 e86284.exe 2852 lfllfxx.exe 1556 bnbtbb.exe 2856 44680.exe 2880 86288.exe 1584 u424660.exe 2012 rflrrrx.exe 2176 64640.exe 1488 7jvjp.exe 2548 0462484.exe 2080 c244488.exe 2596 u026262.exe 2388 3thnnn.exe 2372 c806840.exe 1652 08662.exe 2000 xlrxfxr.exe 776 pdppv.exe 3048 8688042.exe 2336 lxlllfx.exe 1856 200808.exe 1988 420660.exe 2212 1frlrff.exe 2216 080688.exe 1816 fxfxrrx.exe 2312 0888422.exe 2072 s6400.exe 1040 u426888.exe 896 rfrrfxf.exe 1144 04662.exe 1608 pdppd.exe 984 42866.exe 768 rlfflfl.exe 2628 tnbbhb.exe -
resource yara_rule behavioral1/memory/2324-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/816-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/628-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/612-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-224-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1640-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-102-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2356-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2324-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/896-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/816-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1460-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-819-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-959-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-998-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-1015-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-1118-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2068-1197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-1234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-1274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-1279-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8824402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 264844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e86284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6866268.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6460040.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u862886.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e80408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e24006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 602862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2996 wrote to memory of 2324 2996 c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe 30 PID 2996 wrote to memory of 2324 2996 c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe 30 PID 2996 wrote to memory of 2324 2996 c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe 30 PID 2996 wrote to memory of 2324 2996 c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe 30 PID 2324 wrote to memory of 2852 2324 nbhhhb.exe 62 PID 2324 wrote to memory of 2852 2324 nbhhhb.exe 62 PID 2324 wrote to memory of 2852 2324 nbhhhb.exe 62 PID 2324 wrote to memory of 2852 2324 nbhhhb.exe 62 PID 2852 wrote to memory of 1916 2852 82888.exe 32 PID 2852 wrote to memory of 1916 2852 82888.exe 32 PID 2852 wrote to memory of 1916 2852 82888.exe 32 PID 2852 wrote to memory of 1916 2852 82888.exe 32 PID 1916 wrote to memory of 2140 1916 4204000.exe 33 PID 1916 wrote to memory of 2140 1916 4204000.exe 33 PID 1916 wrote to memory of 2140 1916 4204000.exe 33 PID 1916 wrote to memory of 2140 1916 4204000.exe 33 PID 2140 wrote to memory of 2744 2140 20284.exe 34 PID 2140 wrote to memory of 2744 2140 20284.exe 34 PID 2140 wrote to memory of 2744 2140 20284.exe 34 PID 2140 wrote to memory of 2744 2140 20284.exe 34 PID 2744 wrote to memory of 2200 2744 64004.exe 35 PID 2744 wrote to memory of 2200 2744 64004.exe 35 PID 2744 wrote to memory of 2200 2744 64004.exe 35 PID 2744 wrote to memory of 2200 2744 64004.exe 35 PID 2200 wrote to memory of 816 2200 6808444.exe 36 PID 2200 wrote to memory of 816 2200 6808444.exe 36 PID 2200 wrote to memory of 816 2200 6808444.exe 36 PID 2200 wrote to memory of 816 2200 6808444.exe 36 PID 816 wrote to memory of 1476 816 0800662.exe 37 PID 816 wrote to memory of 1476 816 0800662.exe 37 PID 816 wrote to memory of 1476 816 0800662.exe 37 PID 816 wrote to memory of 1476 816 0800662.exe 37 PID 1476 wrote to memory of 2356 1476 7djdd.exe 38 PID 1476 wrote to memory 
of 2356 1476 7djdd.exe 38 PID 1476 wrote to memory of 2356 1476 7djdd.exe 38 PID 1476 wrote to memory of 2356 1476 7djdd.exe 38 PID 2356 wrote to memory of 2024 2356 pvvvp.exe 39 PID 2356 wrote to memory of 2024 2356 pvvvp.exe 39 PID 2356 wrote to memory of 2024 2356 pvvvp.exe 39 PID 2356 wrote to memory of 2024 2356 pvvvp.exe 39 PID 2024 wrote to memory of 2920 2024 jpdvp.exe 40 PID 2024 wrote to memory of 2920 2024 jpdvp.exe 40 PID 2024 wrote to memory of 2920 2024 jpdvp.exe 40 PID 2024 wrote to memory of 2920 2024 jpdvp.exe 40 PID 2920 wrote to memory of 2916 2920 lxfllfl.exe 41 PID 2920 wrote to memory of 2916 2920 lxfllfl.exe 41 PID 2920 wrote to memory of 2916 2920 lxfllfl.exe 41 PID 2920 wrote to memory of 2916 2920 lxfllfl.exe 41 PID 2916 wrote to memory of 3060 2916 frlrxlx.exe 42 PID 2916 wrote to memory of 3060 2916 frlrxlx.exe 42 PID 2916 wrote to memory of 3060 2916 frlrxlx.exe 42 PID 2916 wrote to memory of 3060 2916 frlrxlx.exe 42 PID 3060 wrote to memory of 3032 3060 08044.exe 43 PID 3060 wrote to memory of 3032 3060 08044.exe 43 PID 3060 wrote to memory of 3032 3060 08044.exe 43 PID 3060 wrote to memory of 3032 3060 08044.exe 43 PID 3032 wrote to memory of 2732 3032 0866824.exe 44 PID 3032 wrote to memory of 2732 3032 0866824.exe 44 PID 3032 wrote to memory of 2732 3032 0866824.exe 44 PID 3032 wrote to memory of 2732 3032 0866824.exe 44 PID 2732 wrote to memory of 1628 2732 u466666.exe 45 PID 2732 wrote to memory of 1628 2732 u466666.exe 45 PID 2732 wrote to memory of 1628 2732 u466666.exe 45 PID 2732 wrote to memory of 1628 2732 u466666.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe"C:\Users\Admin\AppData\Local\Temp\c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\nbhhhb.exec:\nbhhhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\82888.exec:\82888.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\4204000.exec:\4204000.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\20284.exec:\20284.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\64004.exec:\64004.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\6808444.exec:\6808444.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\0800662.exec:\0800662.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\7djdd.exec:\7djdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\pvvvp.exec:\pvvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\jpdvp.exec:\jpdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\lxfllfl.exec:\lxfllfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\frlrxlx.exec:\frlrxlx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\08044.exec:\08044.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\0866824.exec:\0866824.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\u466666.exec:\u466666.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\4282262.exec:\4282262.exe17⤵
- Executes dropped EXE
PID:1628 -
\??\c:\3flfffl.exec:\3flfffl.exe18⤵
- Executes dropped EXE
PID:628 -
\??\c:\2060624.exec:\2060624.exe19⤵
- Executes dropped EXE
PID:2168 -
\??\c:\64662.exec:\64662.exe20⤵
- Executes dropped EXE
PID:2192 -
\??\c:\6022402.exec:\6022402.exe21⤵
- Executes dropped EXE
PID:2220 -
\??\c:\864440.exec:\864440.exe22⤵
- Executes dropped EXE
PID:2664 -
\??\c:\pdpjp.exec:\pdpjp.exe23⤵
- Executes dropped EXE
PID:1940 -
\??\c:\lfxrfxl.exec:\lfxrfxl.exe24⤵
- Executes dropped EXE
PID:1640 -
\??\c:\2088040.exec:\2088040.exe25⤵
- Executes dropped EXE
PID:1972 -
\??\c:\7hnhtt.exec:\7hnhtt.exe26⤵
- Executes dropped EXE
PID:900 -
\??\c:\86266.exec:\86266.exe27⤵
- Executes dropped EXE
PID:612 -
\??\c:\o844004.exec:\o844004.exe28⤵
- Executes dropped EXE
PID:1812 -
\??\c:\bntbbb.exec:\bntbbb.exe29⤵
- Executes dropped EXE
PID:2396 -
\??\c:\24660.exec:\24660.exe30⤵
- Executes dropped EXE
PID:1700 -
\??\c:\0800602.exec:\0800602.exe31⤵
- Executes dropped EXE
PID:1848 -
\??\c:\426684.exec:\426684.exe32⤵
- Executes dropped EXE
PID:2944 -
\??\c:\e86284.exec:\e86284.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2340 -
\??\c:\lfllfxx.exec:\lfllfxx.exe34⤵
- Executes dropped EXE
PID:2852 -
\??\c:\bnbtbb.exec:\bnbtbb.exe35⤵
- Executes dropped EXE
PID:1556 -
\??\c:\44680.exec:\44680.exe36⤵
- Executes dropped EXE
PID:2856 -
\??\c:\86288.exec:\86288.exe37⤵
- Executes dropped EXE
PID:2880 -
\??\c:\u424660.exec:\u424660.exe38⤵
- Executes dropped EXE
PID:1584 -
\??\c:\rflrrrx.exec:\rflrrrx.exe39⤵
- Executes dropped EXE
PID:2012 -
\??\c:\64640.exec:\64640.exe40⤵
- Executes dropped EXE
PID:2176 -
\??\c:\7jvjp.exec:\7jvjp.exe41⤵
- Executes dropped EXE
PID:1488 -
\??\c:\0462484.exec:\0462484.exe42⤵
- Executes dropped EXE
PID:2548 -
\??\c:\c244488.exec:\c244488.exe43⤵
- Executes dropped EXE
PID:2080 -
\??\c:\u026262.exec:\u026262.exe44⤵
- Executes dropped EXE
PID:2596 -
\??\c:\3thnnn.exec:\3thnnn.exe45⤵
- Executes dropped EXE
PID:2388 -
\??\c:\c806840.exec:\c806840.exe46⤵
- Executes dropped EXE
PID:2372 -
\??\c:\08662.exec:\08662.exe47⤵
- Executes dropped EXE
PID:1652 -
\??\c:\xlrxfxr.exec:\xlrxfxr.exe48⤵
- Executes dropped EXE
PID:2000 -
\??\c:\pdppv.exec:\pdppv.exe49⤵
- Executes dropped EXE
PID:776 -
\??\c:\8688042.exec:\8688042.exe50⤵
- Executes dropped EXE
PID:3048 -
\??\c:\lxlllfx.exec:\lxlllfx.exe51⤵
- Executes dropped EXE
PID:2336 -
\??\c:\200808.exec:\200808.exe52⤵
- Executes dropped EXE
PID:1856 -
\??\c:\420660.exec:\420660.exe53⤵
- Executes dropped EXE
PID:1988 -
\??\c:\1frlrff.exec:\1frlrff.exe54⤵
- Executes dropped EXE
PID:2212 -
\??\c:\080688.exec:\080688.exe55⤵
- Executes dropped EXE
PID:2216 -
\??\c:\fxfxrrx.exec:\fxfxrrx.exe56⤵
- Executes dropped EXE
PID:1816 -
\??\c:\0888422.exec:\0888422.exe57⤵
- Executes dropped EXE
PID:2312 -
\??\c:\s6400.exec:\s6400.exe58⤵
- Executes dropped EXE
PID:2072 -
\??\c:\u426888.exec:\u426888.exe59⤵
- Executes dropped EXE
PID:1040 -
\??\c:\rfrrfxf.exec:\rfrrfxf.exe60⤵
- Executes dropped EXE
PID:896 -
\??\c:\04662.exec:\04662.exe61⤵
- Executes dropped EXE
PID:1144 -
\??\c:\pdppd.exec:\pdppd.exe62⤵
- Executes dropped EXE
PID:1608 -
\??\c:\42866.exec:\42866.exe63⤵
- Executes dropped EXE
PID:984 -
\??\c:\rlfflfl.exec:\rlfflfl.exe64⤵
- Executes dropped EXE
PID:768 -
\??\c:\tnbbhb.exec:\tnbbhb.exe65⤵
- Executes dropped EXE
PID:2628 -
\??\c:\20284.exec:\20284.exe66⤵PID:1604
-
\??\c:\s2044.exec:\s2044.exe67⤵PID:2144
-
\??\c:\4862866.exec:\4862866.exe68⤵PID:1204
-
\??\c:\vdjjd.exec:\vdjjd.exe69⤵PID:2752
-
\??\c:\g4662.exec:\g4662.exe70⤵PID:988
-
\??\c:\nbnntn.exec:\nbnntn.exe71⤵PID:2228
-
\??\c:\04602.exec:\04602.exe72⤵PID:1676
-
\??\c:\4666228.exec:\4666228.exe73⤵PID:2980
-
\??\c:\4682826.exec:\4682826.exe74⤵PID:2416
-
\??\c:\nhtbhb.exec:\nhtbhb.exe75⤵PID:2964
-
\??\c:\9dppv.exec:\9dppv.exe76⤵PID:1588
-
\??\c:\u600044.exec:\u600044.exe77⤵PID:1916
-
\??\c:\lxlrllr.exec:\lxlrllr.exe78⤵PID:2696
-
\??\c:\2688828.exec:\2688828.exe79⤵PID:2468
-
\??\c:\0806224.exec:\0806224.exe80⤵PID:2012
-
\??\c:\5rfllrx.exec:\5rfllrx.exe81⤵PID:1720
-
\??\c:\w80022.exec:\w80022.exe82⤵PID:2740
-
\??\c:\m4206.exec:\m4206.exe83⤵PID:1488
-
\??\c:\64262.exec:\64262.exe84⤵PID:816
-
\??\c:\1lllrrx.exec:\1lllrrx.exe85⤵PID:264
-
\??\c:\rfxfllr.exec:\rfxfllr.exe86⤵PID:2712
-
\??\c:\bthtbh.exec:\bthtbh.exe87⤵PID:1704
-
\??\c:\4240880.exec:\4240880.exe88⤵PID:1832
-
\??\c:\4206228.exec:\4206228.exe89⤵PID:1808
-
\??\c:\k48808.exec:\k48808.exe90⤵PID:2920
-
\??\c:\lrfffrx.exec:\lrfffrx.exe91⤵PID:2424
-
\??\c:\g6462.exec:\g6462.exe92⤵PID:2528
-
\??\c:\0268662.exec:\0268662.exe93⤵PID:796
-
\??\c:\824682.exec:\824682.exe94⤵PID:2404
-
\??\c:\486022.exec:\486022.exe95⤵PID:2104
-
\??\c:\2684028.exec:\2684028.exe96⤵PID:2780
-
\??\c:\xrffrrr.exec:\xrffrrr.exe97⤵PID:1956
-
\??\c:\frllrrx.exec:\frllrrx.exe98⤵PID:3052
-
\??\c:\xrflxxr.exec:\xrflxxr.exe99⤵PID:2192
-
\??\c:\4688884.exec:\4688884.exe100⤵PID:1612
-
\??\c:\2426228.exec:\2426228.exe101⤵PID:2300
-
\??\c:\08068.exec:\08068.exe102⤵PID:2232
-
\??\c:\ppdpj.exec:\ppdpj.exe103⤵PID:2432
-
\??\c:\k86622.exec:\k86622.exe104⤵PID:1768
-
\??\c:\428684.exec:\428684.exe105⤵PID:1972
-
\??\c:\jjvpv.exec:\jjvpv.exe106⤵PID:1080
-
\??\c:\vjvjv.exec:\vjvjv.exe107⤵PID:300
-
\??\c:\608400.exec:\608400.exe108⤵PID:1460
-
\??\c:\thnhhh.exec:\thnhhh.exe109⤵PID:1812
-
\??\c:\604062.exec:\604062.exe110⤵PID:2396
-
\??\c:\rllrxrx.exec:\rllrxrx.exe111⤵PID:2536
-
\??\c:\btbhnt.exec:\btbhnt.exe112⤵PID:2036
-
\??\c:\04048.exec:\04048.exe113⤵PID:1848
-
\??\c:\64824.exec:\64824.exe114⤵PID:1340
-
\??\c:\9lxfrxl.exec:\9lxfrxl.exe115⤵PID:2944
-
\??\c:\dvjjp.exec:\dvjjp.exe116⤵PID:2844
-
\??\c:\6426000.exec:\6426000.exe117⤵PID:2824
-
\??\c:\1vppp.exec:\1vppp.exe118⤵PID:1556
-
\??\c:\a0284.exec:\a0284.exe119⤵PID:2836
-
\??\c:\4868406.exec:\4868406.exe120⤵PID:2860
-
\??\c:\a0284.exec:\a0284.exe121⤵PID:2880
-
\??\c:\9dpjp.exec:\9dpjp.exe122⤵PID:2140