Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe
-
Size
454KB
-
MD5
5ea2014faa6a77cd2a1e0fe5355f5ac5
-
SHA1
9a333bfa94a204dacdcb4053d1db986340dce54e
-
SHA256
7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4
-
SHA512
6a846ef06135d9cf33d660755f338f9f622ffd61085dd7ca0e9c7551141964ea7d874d92cdca3ca6406c683f41b371ccfab8a1183372614c24479902b387b95c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 54 IoCs
resource yara_rule behavioral1/memory/2320-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/596-44-0x0000000001C60000-0x0000000001C8A000-memory.dmp family_blackmoon behavioral1/memory/2824-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/596-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1248-100-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1248-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/496-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1360-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1036-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-293-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2516-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-307-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2668-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-357-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2716-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1872-477-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/644-533-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2508-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-547-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2252-572-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/820-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-660-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2088-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1460-444-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2424-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3000-258-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1992-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1096-921-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2860-934-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1708-942-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1244-956-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-1011-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2372-1031-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1836-1068-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2352-1085-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1604-1121-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2120-1311-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2096 c024406.exe 1976 042840.exe 3060 vjvvd.exe 596 0222480.exe 2824 9xlfrlr.exe 2156 420624.exe 2572 pdpvv.exe 2716 a8248.exe 2556 lfffllx.exe 1248 086022.exe 2588 6888068.exe 2360 hbbttt.exe 2064 fllxffr.exe 496 k60284.exe 1244 3nbhht.exe 2908 0806886.exe 2924 pdvdv.exe 2400 a0806.exe 2248 fxrxllx.exe 1036 vjvjp.exe 1812 m4446.exe 1360 m2624.exe 1740 2262024.exe 1516 vddjp.exe 1984 bbbhth.exe 1992 6428662.exe 2520 tthhnn.exe 3000 0000828.exe 2196 a6068.exe 552 8200624.exe 896 xxrxflf.exe 2284 hhhttb.exe 2016 8680240.exe 2516 q46288.exe 2772 0040464.exe 2136 xrflrrx.exe 2648 82026.exe 2804 llffxfr.exe 2696 q68028.exe 2552 tttbnt.exe 2668 64264.exe 2580 228028.exe 2744 xrrfrlr.exe 2716 nbnbhh.exe 3052 vpdjv.exe 2832 k48066.exe 572 6044246.exe 2884 a4684.exe 2360 xlfflxf.exe 1240 7xxllxl.exe 1508 fxxlrrl.exe 852 ffxlxfx.exe 3036 86842.exe 2920 bbbnbh.exe 1460 6608002.exe 2456 60808.exe 1728 8262024.exe 2088 9jvvd.exe 328 624066.exe 1872 xrflrrx.exe 2124 8240228.exe 912 u266882.exe 2504 ntbhnt.exe 1516 pjpvj.exe -
resource yara_rule behavioral1/memory/2320-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-44-0x0000000001C60000-0x0000000001C8A000-memory.dmp upx behavioral1/memory/2824-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/496-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1360-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-406-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2920-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/820-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-727-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2424-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-747-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/572-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-822-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-901-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-914-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-922-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-934-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1244-956-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-1018-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1348-1057-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1836-1068-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2352-1085-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1788-1090-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-1121-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2552-1152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-1207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-1311-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1288-1342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1820-1367-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4868024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o600620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 820284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8644006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4862446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k20680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080622.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2320 wrote to memory of 2096 2320 7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe 31 PID 2320 wrote to memory of 2096 2320 7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe 31 PID 2320 wrote to memory of 2096 2320 7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe 31 PID 2320 wrote to memory of 2096 2320 7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe 31 PID 2096 wrote to memory of 1976 2096 c024406.exe 32 PID 2096 wrote to memory of 1976 2096 c024406.exe 32 PID 2096 wrote to memory of 1976 2096 c024406.exe 32 PID 2096 wrote to memory of 1976 2096 c024406.exe 32 PID 1976 wrote to memory of 3060 1976 042840.exe 33 PID 1976 wrote to memory of 3060 1976 042840.exe 33 PID 1976 wrote to memory of 3060 1976 042840.exe 33 PID 1976 wrote to memory of 3060 1976 042840.exe 33 PID 3060 wrote to memory of 596 3060 vjvvd.exe 34 PID 3060 wrote to memory of 596 3060 vjvvd.exe 34 PID 3060 wrote to memory of 596 3060 vjvvd.exe 34 PID 3060 wrote to memory of 596 3060 vjvvd.exe 34 PID 596 wrote to memory of 2824 596 0222480.exe 35 PID 596 wrote to memory of 2824 596 0222480.exe 35 PID 596 wrote to memory of 2824 596 0222480.exe 35 PID 596 wrote to memory of 2824 596 0222480.exe 35 PID 2824 wrote to memory of 2156 2824 9xlfrlr.exe 36 PID 2824 wrote to memory of 2156 2824 9xlfrlr.exe 36 PID 2824 wrote to memory of 2156 2824 9xlfrlr.exe 36 PID 2824 wrote to memory of 2156 2824 9xlfrlr.exe 36 PID 2156 wrote to memory of 2572 2156 420624.exe 37 PID 2156 wrote to memory of 2572 2156 420624.exe 37 PID 2156 wrote to memory of 2572 2156 420624.exe 37 PID 2156 wrote to memory of 2572 2156 420624.exe 37 PID 2572 wrote to memory of 2716 2572 pdpvv.exe 117 PID 2572 wrote to memory of 2716 2572 pdpvv.exe 117 PID 2572 wrote to memory of 2716 2572 pdpvv.exe 117 PID 2572 wrote to memory of 2716 2572 pdpvv.exe 117 PID 2716 wrote to memory of 2556 2716 a8248.exe 39 PID 2716 wrote to 
memory of 2556 2716 a8248.exe 39 PID 2716 wrote to memory of 2556 2716 a8248.exe 39 PID 2716 wrote to memory of 2556 2716 a8248.exe 39 PID 2556 wrote to memory of 1248 2556 lfffllx.exe 40 PID 2556 wrote to memory of 1248 2556 lfffllx.exe 40 PID 2556 wrote to memory of 1248 2556 lfffllx.exe 40 PID 2556 wrote to memory of 1248 2556 lfffllx.exe 40 PID 1248 wrote to memory of 2588 1248 086022.exe 41 PID 1248 wrote to memory of 2588 1248 086022.exe 41 PID 1248 wrote to memory of 2588 1248 086022.exe 41 PID 1248 wrote to memory of 2588 1248 086022.exe 41 PID 2588 wrote to memory of 2360 2588 6888068.exe 122 PID 2588 wrote to memory of 2360 2588 6888068.exe 122 PID 2588 wrote to memory of 2360 2588 6888068.exe 122 PID 2588 wrote to memory of 2360 2588 6888068.exe 122 PID 2360 wrote to memory of 2064 2360 hbbttt.exe 43 PID 2360 wrote to memory of 2064 2360 hbbttt.exe 43 PID 2360 wrote to memory of 2064 2360 hbbttt.exe 43 PID 2360 wrote to memory of 2064 2360 hbbttt.exe 43 PID 2064 wrote to memory of 496 2064 fllxffr.exe 44 PID 2064 wrote to memory of 496 2064 fllxffr.exe 44 PID 2064 wrote to memory of 496 2064 fllxffr.exe 44 PID 2064 wrote to memory of 496 2064 fllxffr.exe 44 PID 496 wrote to memory of 1244 496 k60284.exe 45 PID 496 wrote to memory of 1244 496 k60284.exe 45 PID 496 wrote to memory of 1244 496 k60284.exe 45 PID 496 wrote to memory of 1244 496 k60284.exe 45 PID 1244 wrote to memory of 2908 1244 3nbhht.exe 126 PID 1244 wrote to memory of 2908 1244 3nbhht.exe 126 PID 1244 wrote to memory of 2908 1244 3nbhht.exe 126 PID 1244 wrote to memory of 2908 1244 3nbhht.exe 126
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe"C:\Users\Admin\AppData\Local\Temp\7d61d0f72e9f741ad30bcaaacc3e0437cb5616c7ceb1f02542da5257892b94d4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\c024406.exec:\c024406.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\042840.exec:\042840.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\vjvvd.exec:\vjvvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\0222480.exec:\0222480.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:596 -
\??\c:\9xlfrlr.exec:\9xlfrlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\420624.exec:\420624.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\pdpvv.exec:\pdpvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\a8248.exec:\a8248.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\lfffllx.exec:\lfffllx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\086022.exec:\086022.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\6888068.exec:\6888068.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\hbbttt.exec:\hbbttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\fllxffr.exec:\fllxffr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\k60284.exec:\k60284.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:496 -
\??\c:\3nbhht.exec:\3nbhht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\0806886.exec:\0806886.exe17⤵
- Executes dropped EXE
PID:2908 -
\??\c:\pdvdv.exec:\pdvdv.exe18⤵
- Executes dropped EXE
PID:2924 -
\??\c:\a0806.exec:\a0806.exe19⤵
- Executes dropped EXE
PID:2400 -
\??\c:\fxrxllx.exec:\fxrxllx.exe20⤵
- Executes dropped EXE
PID:2248 -
\??\c:\vjvjp.exec:\vjvjp.exe21⤵
- Executes dropped EXE
PID:1036 -
\??\c:\m4446.exec:\m4446.exe22⤵
- Executes dropped EXE
PID:1812 -
\??\c:\m2624.exec:\m2624.exe23⤵
- Executes dropped EXE
PID:1360 -
\??\c:\2262024.exec:\2262024.exe24⤵
- Executes dropped EXE
PID:1740 -
\??\c:\vddjp.exec:\vddjp.exe25⤵
- Executes dropped EXE
PID:1516 -
\??\c:\bbbhth.exec:\bbbhth.exe26⤵
- Executes dropped EXE
PID:1984 -
\??\c:\6428662.exec:\6428662.exe27⤵
- Executes dropped EXE
PID:1992 -
\??\c:\tthhnn.exec:\tthhnn.exe28⤵
- Executes dropped EXE
PID:2520 -
\??\c:\0000828.exec:\0000828.exe29⤵
- Executes dropped EXE
PID:3000 -
\??\c:\a6068.exec:\a6068.exe30⤵
- Executes dropped EXE
PID:2196 -
\??\c:\8200624.exec:\8200624.exe31⤵
- Executes dropped EXE
PID:552 -
\??\c:\xxrxflf.exec:\xxrxflf.exe32⤵
- Executes dropped EXE
PID:896 -
\??\c:\hhhttb.exec:\hhhttb.exe33⤵
- Executes dropped EXE
PID:2284 -
\??\c:\8680240.exec:\8680240.exe34⤵
- Executes dropped EXE
PID:2016 -
\??\c:\q46288.exec:\q46288.exe35⤵
- Executes dropped EXE
PID:2516 -
\??\c:\0040464.exec:\0040464.exe36⤵
- Executes dropped EXE
PID:2772 -
\??\c:\xrflrrx.exec:\xrflrrx.exe37⤵
- Executes dropped EXE
PID:2136 -
\??\c:\82026.exec:\82026.exe38⤵
- Executes dropped EXE
PID:2648 -
\??\c:\llffxfr.exec:\llffxfr.exe39⤵
- Executes dropped EXE
PID:2804 -
\??\c:\q68028.exec:\q68028.exe40⤵
- Executes dropped EXE
PID:2696 -
\??\c:\tttbnt.exec:\tttbnt.exe41⤵
- Executes dropped EXE
PID:2552 -
\??\c:\64264.exec:\64264.exe42⤵
- Executes dropped EXE
PID:2668 -
\??\c:\228028.exec:\228028.exe43⤵
- Executes dropped EXE
PID:2580 -
\??\c:\xrrfrlr.exec:\xrrfrlr.exe44⤵
- Executes dropped EXE
PID:2744 -
\??\c:\nbnbhh.exec:\nbnbhh.exe45⤵
- Executes dropped EXE
PID:2716 -
\??\c:\vpdjv.exec:\vpdjv.exe46⤵
- Executes dropped EXE
PID:3052 -
\??\c:\k48066.exec:\k48066.exe47⤵
- Executes dropped EXE
PID:2832 -
\??\c:\6044246.exec:\6044246.exe48⤵
- Executes dropped EXE
PID:572 -
\??\c:\a4684.exec:\a4684.exe49⤵
- Executes dropped EXE
PID:2884 -
\??\c:\xlfflxf.exec:\xlfflxf.exe50⤵
- Executes dropped EXE
PID:2360 -
\??\c:\7xxllxl.exec:\7xxllxl.exe51⤵
- Executes dropped EXE
PID:1240 -
\??\c:\fxxlrrl.exec:\fxxlrrl.exe52⤵
- Executes dropped EXE
PID:1508 -
\??\c:\ffxlxfx.exec:\ffxlxfx.exe53⤵
- Executes dropped EXE
PID:852 -
\??\c:\86842.exec:\86842.exe54⤵
- Executes dropped EXE
PID:3036 -
\??\c:\bbbnbh.exec:\bbbnbh.exe55⤵
- Executes dropped EXE
PID:2920 -
\??\c:\6608002.exec:\6608002.exe56⤵
- Executes dropped EXE
PID:1460 -
\??\c:\60808.exec:\60808.exe57⤵
- Executes dropped EXE
PID:2456 -
\??\c:\8262024.exec:\8262024.exe58⤵
- Executes dropped EXE
PID:1728 -
\??\c:\9jvvd.exec:\9jvvd.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2088 -
\??\c:\624066.exec:\624066.exe60⤵
- Executes dropped EXE
PID:328 -
\??\c:\xrflrrx.exec:\xrflrrx.exe61⤵
- Executes dropped EXE
PID:1872 -
\??\c:\8240228.exec:\8240228.exe62⤵
- Executes dropped EXE
PID:2124 -
\??\c:\u266882.exec:\u266882.exe63⤵
- Executes dropped EXE
PID:912 -
\??\c:\ntbhnt.exec:\ntbhnt.exe64⤵
- Executes dropped EXE
PID:2504 -
\??\c:\pjpvj.exec:\pjpvj.exe65⤵
- Executes dropped EXE
PID:1516 -
\??\c:\nhthnh.exec:\nhthnh.exe66⤵PID:2976
-
\??\c:\lfxrffl.exec:\lfxrffl.exe67⤵PID:3024
-
\??\c:\1tnhnn.exec:\1tnhnn.exe68⤵PID:1736
-
\??\c:\thhhbb.exec:\thhhbb.exe69⤵PID:1836
-
\??\c:\8022284.exec:\8022284.exe70⤵PID:644
-
\??\c:\606864.exec:\606864.exe71⤵PID:2060
-
\??\c:\jdvjd.exec:\jdvjd.exe72⤵PID:2508
-
\??\c:\g0222.exec:\g0222.exe73⤵PID:1788
-
\??\c:\8240624.exec:\8240624.exe74⤵PID:2628
-
\??\c:\rlfrflx.exec:\rlfrflx.exe75⤵PID:820
-
\??\c:\262862.exec:\262862.exe76⤵PID:2252
-
\??\c:\lfxflrf.exec:\lfxflrf.exe77⤵PID:2144
-
\??\c:\bhnnnn.exec:\bhnnnn.exe78⤵PID:2780
-
\??\c:\08440.exec:\08440.exe79⤵PID:2388
-
\??\c:\08006.exec:\08006.exe80⤵PID:2812
-
\??\c:\26846.exec:\26846.exe81⤵PID:2828
-
\??\c:\2644002.exec:\2644002.exe82⤵PID:2460
-
\??\c:\26840.exec:\26840.exe83⤵PID:2688
-
\??\c:\600240.exec:\600240.exe84⤵PID:2568
-
\??\c:\9hhhhh.exec:\9hhhhh.exe85⤵PID:2668
-
\??\c:\02068.exec:\02068.exe86⤵PID:2680
-
\??\c:\862604.exec:\862604.exe87⤵PID:2616
-
\??\c:\htbbhb.exec:\htbbhb.exe88⤵PID:2716
-
\??\c:\tnhhbn.exec:\tnhhbn.exe89⤵PID:320
-
\??\c:\202284.exec:\202284.exe90⤵PID:2832
-
\??\c:\1frrrrf.exec:\1frrrrf.exe91⤵PID:1708
-
\??\c:\404622.exec:\404622.exe92⤵PID:2884
-
\??\c:\vppvp.exec:\vppvp.exe93⤵PID:2360
-
\??\c:\20228.exec:\20228.exe94⤵PID:2836
-
\??\c:\8262446.exec:\8262446.exe95⤵PID:2612
-
\??\c:\hthhtt.exec:\hthhtt.exe96⤵PID:2940
-
\??\c:\c862262.exec:\c862262.exe97⤵PID:2908
-
\??\c:\3ppvj.exec:\3ppvj.exe98⤵PID:2708
-
\??\c:\vpjvv.exec:\vpjvv.exe99⤵PID:2892
-
\??\c:\llxlfxr.exec:\llxlfxr.exe100⤵PID:2400
-
\??\c:\204084.exec:\204084.exe101⤵PID:2424
-
\??\c:\088466.exec:\088466.exe102⤵PID:868
-
\??\c:\i602008.exec:\i602008.exe103⤵PID:712
-
\??\c:\4200662.exec:\4200662.exe104⤵PID:1720
-
\??\c:\bthntt.exec:\bthntt.exe105⤵PID:1448
-
\??\c:\1hbhnt.exec:\1hbhnt.exe106⤵PID:1336
-
\??\c:\48620.exec:\48620.exe107⤵PID:912
-
\??\c:\640066.exec:\640066.exe108⤵PID:1932
-
\??\c:\040066.exec:\040066.exe109⤵PID:1564
-
\??\c:\hbntbh.exec:\hbntbh.exe110⤵PID:1372
-
\??\c:\pppvj.exec:\pppvj.exe111⤵PID:900
-
\??\c:\ffxlxxl.exec:\ffxlxxl.exe112⤵PID:2948
-
\??\c:\lfxlxlx.exec:\lfxlxlx.exe113⤵PID:2212
-
\??\c:\bbthtb.exec:\bbthtb.exe114⤵PID:552
-
\??\c:\488684.exec:\488684.exe115⤵PID:3004
-
\??\c:\bbthnt.exec:\bbthnt.exe116⤵PID:1272
-
\??\c:\k60288.exec:\k60288.exe117⤵PID:316
-
\??\c:\w02480.exec:\w02480.exe118⤵PID:2096
-
\??\c:\ppvjv.exec:\ppvjv.exe119⤵PID:1864
-
\??\c:\w08468.exec:\w08468.exe120⤵PID:1608
-
\??\c:\i484008.exec:\i484008.exe121⤵PID:2280
-
\??\c:\btbbhh.exec:\btbbhh.exe122⤵PID:2796