Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
28/03/2025, 20:58
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe
-
Size
458KB
-
MD5
8c3536d2885392ac1eb909d9cc40d073
-
SHA1
2209cc5e589f8f0687dd1618afee5569ce236184
-
SHA256
5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2
-
SHA512
142d95d144714db6556519dc63d98f4045e4fa019773b9fb06c71cafb3a55450b42145c477f912ebe9cb6127fa15cec5c2e0b060582da53066168d1814c2a63f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 38 IoCs (every hit is an in-memory YARA match on the mapped image — 0x400000-0x42A000 or another base of the same 0x2A000 size — and the identical regions are flagged as UPX-packed below; the MD5/SHA hashes above therefore identify only this packed sample, not the unpacked Blackmoon payload, so hunt with the memory rule or an unpacked hash rather than the file hash alone)
resource yara_rule behavioral1/memory/1196-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1232-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-382-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/544-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1988-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/988-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2576-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2708-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/848-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1364-460-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2548-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/908-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-597-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2756-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1876-702-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1364-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-1012-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2128-1371-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (only the first 64 of the 122 dropped executables in the process tree below are listed here; PIDs 2276, 1864, 2708 and 2676 are each reused by a later drop within the run, so correlate memory IoCs by PID plus dump index rather than by PID alone)
pid Process 2368 7xfxrrr.exe 1564 206660.exe 2416 6808424.exe 2276 xlfxxrr.exe 2992 q02660.exe 2832 2020228.exe 2360 c640004.exe 2176 6468044.exe 2744 pjvdd.exe 2708 e46626.exe 2576 s8662.exe 2132 m8002.exe 1864 hbbtbn.exe 3052 46888.exe 988 48084.exe 2676 xxlrxrf.exe 3028 426866.exe 1792 s2446.exe 1988 5rfxxxx.exe 2592 7nbttn.exe 1968 frflrrr.exe 544 vjjjd.exe 1980 646482.exe 1360 rrxxxrr.exe 2008 4088400.exe 1680 hthhnh.exe 2912 824006.exe 2652 4284882.exe 2280 2022428.exe 2544 pjvpp.exe 876 4288442.exe 2496 vpvjv.exe 1604 vjdpp.exe 1232 040060.exe 2028 868222.exe 1324 tbhttn.exe 2248 bnbbbb.exe 2276 nbbbbt.exe 3004 24600.exe 2812 pdpdd.exe 2972 0860624.exe 2476 rflffll.exe 2388 028886.exe 2736 80486.exe 2708 jvjvd.exe 2580 bnbttt.exe 2756 3pvpj.exe 1864 08484.exe 488 240482.exe 2684 862448.exe 2676 xlrrrlr.exe 2232 tnntnn.exe 1940 868208.exe 1760 a8440.exe 1140 20840.exe 2556 864440.exe 1820 a6888.exe 848 2086266.exe 1364 xrflrxl.exe 1548 thhhnn.exe 884 bthntt.exe 2548 6864448.exe 1008 tnbhhn.exe 2072 nhhhtt.exe -
resource yara_rule behavioral1/memory/1196-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/544-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1988-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/988-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-86-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2684-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/488-389-0x0000000001C60000-0x0000000001C8A000-memory.dmp upx behavioral1/memory/2676-404-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2232-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1140-433-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/848-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-460-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2548-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-597-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2756-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1248-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1232-791-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/908-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-868-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-942-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-999-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-1037-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-1056-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-1117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-1142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-1149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-1156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-1217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-1278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-1285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-1304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-1371-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080626.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86408.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k82244.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4806628.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8000488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m8002.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c028484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824088.exe -
Suspicious use of WriteProcessMemory 64 IoCs (each target PID is the writer's own child in the process tree below, and the rows repeat in groups of four per parent/child pair; this pattern is consistent with ordinary process creation of the dropped EXE rather than injection into an unrelated process, so treat the chained self-replication, not the write itself, as the behaviour of interest)
description pid Process procid_target PID 1196 wrote to memory of 2368 1196 5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe 30 PID 1196 wrote to memory of 2368 1196 5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe 30 PID 1196 wrote to memory of 2368 1196 5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe 30 PID 1196 wrote to memory of 2368 1196 5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe 30 PID 2368 wrote to memory of 1564 2368 7xfxrrr.exe 31 PID 2368 wrote to memory of 1564 2368 7xfxrrr.exe 31 PID 2368 wrote to memory of 1564 2368 7xfxrrr.exe 31 PID 2368 wrote to memory of 1564 2368 7xfxrrr.exe 31 PID 1564 wrote to memory of 2416 1564 206660.exe 32 PID 1564 wrote to memory of 2416 1564 206660.exe 32 PID 1564 wrote to memory of 2416 1564 206660.exe 32 PID 1564 wrote to memory of 2416 1564 206660.exe 32 PID 2416 wrote to memory of 2276 2416 6808424.exe 67 PID 2416 wrote to memory of 2276 2416 6808424.exe 67 PID 2416 wrote to memory of 2276 2416 6808424.exe 67 PID 2416 wrote to memory of 2276 2416 6808424.exe 67 PID 2276 wrote to memory of 2992 2276 xlfxxrr.exe 34 PID 2276 wrote to memory of 2992 2276 xlfxxrr.exe 34 PID 2276 wrote to memory of 2992 2276 xlfxxrr.exe 34 PID 2276 wrote to memory of 2992 2276 xlfxxrr.exe 34 PID 2992 wrote to memory of 2832 2992 q02660.exe 35 PID 2992 wrote to memory of 2832 2992 q02660.exe 35 PID 2992 wrote to memory of 2832 2992 q02660.exe 35 PID 2992 wrote to memory of 2832 2992 q02660.exe 35 PID 2832 wrote to memory of 2360 2832 2020228.exe 36 PID 2832 wrote to memory of 2360 2832 2020228.exe 36 PID 2832 wrote to memory of 2360 2832 2020228.exe 36 PID 2832 wrote to memory of 2360 2832 2020228.exe 36 PID 2360 wrote to memory of 2176 2360 c640004.exe 37 PID 2360 wrote to memory of 2176 2360 c640004.exe 37 PID 2360 wrote to memory of 2176 2360 c640004.exe 37 PID 2360 wrote to memory of 2176 2360 c640004.exe 37 PID 2176 wrote to memory of 2744 2176 
6468044.exe 38 PID 2176 wrote to memory of 2744 2176 6468044.exe 38 PID 2176 wrote to memory of 2744 2176 6468044.exe 38 PID 2176 wrote to memory of 2744 2176 6468044.exe 38 PID 2744 wrote to memory of 2708 2744 pjvdd.exe 39 PID 2744 wrote to memory of 2708 2744 pjvdd.exe 39 PID 2744 wrote to memory of 2708 2744 pjvdd.exe 39 PID 2744 wrote to memory of 2708 2744 pjvdd.exe 39 PID 2708 wrote to memory of 2576 2708 e46626.exe 40 PID 2708 wrote to memory of 2576 2708 e46626.exe 40 PID 2708 wrote to memory of 2576 2708 e46626.exe 40 PID 2708 wrote to memory of 2576 2708 e46626.exe 40 PID 2576 wrote to memory of 2132 2576 s8662.exe 41 PID 2576 wrote to memory of 2132 2576 s8662.exe 41 PID 2576 wrote to memory of 2132 2576 s8662.exe 41 PID 2576 wrote to memory of 2132 2576 s8662.exe 41 PID 2132 wrote to memory of 1864 2132 m8002.exe 77 PID 2132 wrote to memory of 1864 2132 m8002.exe 77 PID 2132 wrote to memory of 1864 2132 m8002.exe 77 PID 2132 wrote to memory of 1864 2132 m8002.exe 77 PID 1864 wrote to memory of 3052 1864 hbbtbn.exe 43 PID 1864 wrote to memory of 3052 1864 hbbtbn.exe 43 PID 1864 wrote to memory of 3052 1864 hbbtbn.exe 43 PID 1864 wrote to memory of 3052 1864 hbbtbn.exe 43 PID 3052 wrote to memory of 988 3052 46888.exe 44 PID 3052 wrote to memory of 988 3052 46888.exe 44 PID 3052 wrote to memory of 988 3052 46888.exe 44 PID 3052 wrote to memory of 988 3052 46888.exe 44 PID 988 wrote to memory of 2676 988 48084.exe 80 PID 988 wrote to memory of 2676 988 48084.exe 80 PID 988 wrote to memory of 2676 988 48084.exe 80 PID 988 wrote to memory of 2676 988 48084.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe"C:\Users\Admin\AppData\Local\Temp\5569ae7a73087b1ec0038aa584899a9de7e6d8b886bade897e975a2b5d3f02d2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\7xfxrrr.exec:\7xfxrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\206660.exec:\206660.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\6808424.exec:\6808424.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\xlfxxrr.exec:\xlfxxrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\q02660.exec:\q02660.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\2020228.exec:\2020228.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\c640004.exec:\c640004.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\6468044.exec:\6468044.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\pjvdd.exec:\pjvdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\e46626.exec:\e46626.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\s8662.exec:\s8662.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\m8002.exec:\m8002.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\hbbtbn.exec:\hbbtbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\46888.exec:\46888.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\48084.exec:\48084.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
\??\c:\xxlrxrf.exec:\xxlrxrf.exe17⤵
- Executes dropped EXE
PID:2676 -
\??\c:\426866.exec:\426866.exe18⤵
- Executes dropped EXE
PID:3028 -
\??\c:\s2446.exec:\s2446.exe19⤵
- Executes dropped EXE
PID:1792 -
\??\c:\5rfxxxx.exec:\5rfxxxx.exe20⤵
- Executes dropped EXE
PID:1988 -
\??\c:\7nbttn.exec:\7nbttn.exe21⤵
- Executes dropped EXE
PID:2592 -
\??\c:\frflrrr.exec:\frflrrr.exe22⤵
- Executes dropped EXE
PID:1968 -
\??\c:\vjjjd.exec:\vjjjd.exe23⤵
- Executes dropped EXE
PID:544 -
\??\c:\646482.exec:\646482.exe24⤵
- Executes dropped EXE
PID:1980 -
\??\c:\rrxxxrr.exec:\rrxxxrr.exe25⤵
- Executes dropped EXE
PID:1360 -
\??\c:\4088400.exec:\4088400.exe26⤵
- Executes dropped EXE
PID:2008 -
\??\c:\hthhnh.exec:\hthhnh.exe27⤵
- Executes dropped EXE
PID:1680 -
\??\c:\824006.exec:\824006.exe28⤵
- Executes dropped EXE
PID:2912 -
\??\c:\4284882.exec:\4284882.exe29⤵
- Executes dropped EXE
PID:2652 -
\??\c:\2022428.exec:\2022428.exe30⤵
- Executes dropped EXE
PID:2280 -
\??\c:\pjvpp.exec:\pjvpp.exe31⤵
- Executes dropped EXE
PID:2544 -
\??\c:\4288442.exec:\4288442.exe32⤵
- Executes dropped EXE
PID:876 -
\??\c:\vpvjv.exec:\vpvjv.exe33⤵
- Executes dropped EXE
PID:2496 -
\??\c:\vjdpp.exec:\vjdpp.exe34⤵
- Executes dropped EXE
PID:1604 -
\??\c:\040060.exec:\040060.exe35⤵
- Executes dropped EXE
PID:1232 -
\??\c:\868222.exec:\868222.exe36⤵
- Executes dropped EXE
PID:2028 -
\??\c:\tbhttn.exec:\tbhttn.exe37⤵
- Executes dropped EXE
PID:1324 -
\??\c:\bnbbbb.exec:\bnbbbb.exe38⤵
- Executes dropped EXE
PID:2248 -
\??\c:\nbbbbt.exec:\nbbbbt.exe39⤵
- Executes dropped EXE
PID:2276 -
\??\c:\24600.exec:\24600.exe40⤵
- Executes dropped EXE
PID:3004 -
\??\c:\pdpdd.exec:\pdpdd.exe41⤵
- Executes dropped EXE
PID:2812 -
\??\c:\0860624.exec:\0860624.exe42⤵
- Executes dropped EXE
PID:2972 -
\??\c:\rflffll.exec:\rflffll.exe43⤵
- Executes dropped EXE
PID:2476 -
\??\c:\028886.exec:\028886.exe44⤵
- Executes dropped EXE
PID:2388 -
\??\c:\80486.exec:\80486.exe45⤵
- Executes dropped EXE
PID:2736 -
\??\c:\jvjvd.exec:\jvjvd.exe46⤵
- Executes dropped EXE
PID:2708 -
\??\c:\bnbttt.exec:\bnbttt.exe47⤵
- Executes dropped EXE
PID:2580 -
\??\c:\3pvpj.exec:\3pvpj.exe48⤵
- Executes dropped EXE
PID:2756 -
\??\c:\08484.exec:\08484.exe49⤵
- Executes dropped EXE
PID:1864 -
\??\c:\240482.exec:\240482.exe50⤵
- Executes dropped EXE
PID:488 -
\??\c:\862448.exec:\862448.exe51⤵
- Executes dropped EXE
PID:2684 -
\??\c:\xlrrrlr.exec:\xlrrrlr.exe52⤵
- Executes dropped EXE
PID:2676 -
\??\c:\tnntnn.exec:\tnntnn.exe53⤵
- Executes dropped EXE
PID:2232 -
\??\c:\868208.exec:\868208.exe54⤵
- Executes dropped EXE
PID:1940 -
\??\c:\a8440.exec:\a8440.exe55⤵
- Executes dropped EXE
PID:1760 -
\??\c:\20840.exec:\20840.exe56⤵
- Executes dropped EXE
PID:1140 -
\??\c:\864440.exec:\864440.exe57⤵
- Executes dropped EXE
PID:2556 -
\??\c:\a6888.exec:\a6888.exe58⤵
- Executes dropped EXE
PID:1820 -
\??\c:\2086266.exec:\2086266.exe59⤵
- Executes dropped EXE
PID:848 -
\??\c:\xrflrxl.exec:\xrflrxl.exe60⤵
- Executes dropped EXE
PID:1364 -
\??\c:\thhhnn.exec:\thhhnn.exe61⤵
- Executes dropped EXE
PID:1548 -
\??\c:\bthntt.exec:\bthntt.exe62⤵
- Executes dropped EXE
PID:884 -
\??\c:\6864448.exec:\6864448.exe63⤵
- Executes dropped EXE
PID:2548 -
\??\c:\tnbhhn.exec:\tnbhhn.exe64⤵
- Executes dropped EXE
PID:1008 -
\??\c:\nhhhtt.exec:\nhhhtt.exe65⤵
- Executes dropped EXE
PID:2072 -
\??\c:\vjvpd.exec:\vjvpd.exe66⤵PID:2280
-
\??\c:\w86482.exec:\w86482.exe67⤵PID:2004
-
\??\c:\xrfflfl.exec:\xrfflfl.exe68⤵PID:2216
-
\??\c:\1vvpv.exec:\1vvpv.exe69⤵PID:908
-
\??\c:\642884.exec:\642884.exe70⤵PID:2508
-
\??\c:\pjvpp.exec:\pjvpp.exe71⤵PID:2164
-
\??\c:\nbnttt.exec:\nbnttt.exe72⤵PID:1536
-
\??\c:\frxlffl.exec:\frxlffl.exe73⤵PID:2260
-
\??\c:\thnhnn.exec:\thnhnn.exe74⤵PID:2248
-
\??\c:\hthhnt.exec:\hthhnt.exe75⤵PID:2976
-
\??\c:\1thhbn.exec:\1thhbn.exe76⤵PID:1784
-
\??\c:\i204084.exec:\i204084.exe77⤵PID:2816
-
\??\c:\xxxfflr.exec:\xxxfflr.exe78⤵PID:2200
-
\??\c:\rxfxfxl.exec:\rxfxfxl.exe79⤵PID:2984
-
\??\c:\i800862.exec:\i800862.exe80⤵PID:1144
-
\??\c:\86884.exec:\86884.exe81⤵PID:300
-
\??\c:\w88286.exec:\w88286.exe82⤵PID:2844
-
\??\c:\dvppd.exec:\dvppd.exe83⤵PID:2856
-
\??\c:\68266.exec:\68266.exe84⤵PID:2960
-
\??\c:\hhbtbt.exec:\hhbtbt.exe85⤵PID:2860
-
\??\c:\pdvpv.exec:\pdvpv.exe86⤵PID:2756
-
\??\c:\8622828.exec:\8622828.exe87⤵PID:2748
-
\??\c:\24662.exec:\24662.exe88⤵PID:1672
-
\??\c:\5lxfxfl.exec:\5lxfxfl.exe89⤵PID:2500
-
\??\c:\xlxrrrr.exec:\xlxrrrr.exe90⤵PID:1248
-
\??\c:\nhnnnn.exec:\nhnnnn.exe91⤵PID:2808
-
\??\c:\2460000.exec:\2460000.exe92⤵PID:1512
-
\??\c:\8862884.exec:\8862884.exe93⤵PID:1728
-
\??\c:\vjvdj.exec:\vjvdj.exe94⤵PID:3016
-
\??\c:\ntnhnn.exec:\ntnhnn.exe95⤵PID:2112
-
\??\c:\86062.exec:\86062.exe96⤵PID:1792
-
\??\c:\bbhhbh.exec:\bbhhbh.exe97⤵PID:2320
-
\??\c:\64882.exec:\64882.exe98⤵PID:1876
-
\??\c:\i682828.exec:\i682828.exe99⤵PID:2096
-
\??\c:\vvpvj.exec:\vvpvj.exe100⤵PID:2300
-
\??\c:\ffxflrf.exec:\ffxflrf.exe101⤵PID:1980
-
\??\c:\lrxxffl.exec:\lrxxffl.exe102⤵PID:1364
-
\??\c:\024468.exec:\024468.exe103⤵PID:1948
-
\??\c:\7djdj.exec:\7djdj.exe104⤵PID:1776
-
\??\c:\048466.exec:\048466.exe105⤵PID:764
-
\??\c:\20222.exec:\20222.exe106⤵PID:1724
-
\??\c:\w64488.exec:\w64488.exe107⤵PID:2072
-
\??\c:\08444.exec:\08444.exe108⤵PID:2544
-
\??\c:\042288.exec:\042288.exe109⤵PID:1976
-
\??\c:\i264448.exec:\i264448.exe110⤵PID:1932
-
\??\c:\26064.exec:\26064.exe111⤵PID:908
-
\??\c:\868444.exec:\868444.exe112⤵PID:1036
-
\??\c:\htnnnn.exec:\htnnnn.exe113⤵PID:1232
-
\??\c:\jvjdp.exec:\jvjdp.exe114⤵PID:1276
-
\??\c:\llxfllr.exec:\llxfllr.exe115⤵PID:316
-
\??\c:\42824.exec:\42824.exe116⤵PID:2432
-
\??\c:\2202486.exec:\2202486.exe117⤵PID:1872
-
\??\c:\q04406.exec:\q04406.exe118⤵PID:2440
-
\??\c:\flfflrx.exec:\flfflrx.exe119⤵PID:2988
-
\??\c:\flrxxrx.exec:\flrxxrx.exe120⤵PID:2200
-
\??\c:\jdddv.exec:\jdddv.exe121⤵PID:2936
-
\??\c:\lfrrrrx.exec:\lfrrrrx.exe122⤵PID:2344