Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
20-12-2024 06:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f56274e74842b3f6a9947bf64949732ae10fa3c86f35d2efdb090987d2b258ecN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
f56274e74842b3f6a9947bf64949732ae10fa3c86f35d2efdb090987d2b258ecN.exe
-
Size
453KB
-
MD5
e3ecfdfad104fc27ca37a31300fba590
-
SHA1
1920d9ed1335c73429db3e0d35802fdfd0dddbee
-
SHA256
f56274e74842b3f6a9947bf64949732ae10fa3c86f35d2efdb090987d2b258ec
-
SHA512
463e03319c572ef25c173b20833bb5783b96ade013e491882b76c95e7f09f9a455730ee711dd15bdea207ae116118555faf9b0a71e3d4955544f7426b7a100ab
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeh:q7Tc2NYHUrAwfMp3CDh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/2712-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-35-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1908-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/468-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-58-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2816-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-84-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2904-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1004-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1304-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2072-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-213-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2564-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2036-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2504-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/580-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-283-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1572-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-311-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2136-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1332-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/380-420-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1308-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3012-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-971-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2528-974-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2504-1098-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2160 8266402.exe 1480 dvpjv.exe 1908 7xffllr.exe 468 jpjpv.exe 2816 lxrrfxl.exe 2768 882468.exe 2868 lfxrffx.exe 2512 nttbhn.exe 2904 640004.exe 2764 jvpjj.exe 2672 4262406.exe 2212 42840.exe 1628 pjddj.exe 2688 6466846.exe 1912 2606880.exe 1004 9nhhtt.exe 2696 264024.exe 1452 2242402.exe 1764 5btbnn.exe 2072 48224.exe 1304 i424620.exe 2564 6082464.exe 1212 ppppj.exe 2036 7pjjv.exe 1360 8646684.exe 1524 pjvdj.exe 1536 jdvdv.exe 2504 hbbhhh.exe 580 1llrffx.exe 2936 jpdpd.exe 876 rflrxfl.exe 1572 86446.exe 2712 rxffffr.exe 2136 60846.exe 2328 642840.exe 2364 60880.exe 2568 424688.exe 2916 208840.exe 2460 m6806.exe 2844 646800.exe 2756 vpjjp.exe 2908 k26806.exe 2760 26406.exe 2716 rlffrxf.exe 2740 jppvj.exe 2632 04240.exe 1332 1jdpp.exe 2680 086606.exe 1684 lfflxfx.exe 380 w26644.exe 1340 48062.exe 2304 ffflffr.exe 484 7dppp.exe 1308 482486.exe 1944 hbntbh.exe 1792 642404.exe 2944 6424268.exe 2980 64224.exe 3068 vpdvj.exe 2176 u622068.exe 408 8820460.exe 568 7rrrllr.exe 1368 xrxlflr.exe 1136 822240.exe -
resource yara_rule behavioral1/memory/2712-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/468-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1004-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1304-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2072-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-231-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2036-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-283-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1572-304-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2136-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1136-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/988-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/988-545-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/3060-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-825-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1444-1000-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-1049-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-1098-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-1135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-1294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-1313-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2084262.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o662446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o022884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6082464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o062840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 826222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8688606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208848.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2712 wrote to memory of 2160 2712 f56274e74842b3f6a9947bf64949732ae10fa3c86f35d2efdb090987d2b258ecN.exe 30 PID 2712 wrote to memory of 2160 2712 f56274e74842b3f6a9947bf64949732ae10fa3c86f35d2efdb090987d2b258ecN.exe 30 PID 2712 wrote to memory of 2160 2712 f56274e74842b3f6a9947bf64949732ae10fa3c86f35d2efdb090987d2b258ecN.exe 30 PID 2712 wrote to memory of 2160 2712 f56274e74842b3f6a9947bf64949732ae10fa3c86f35d2efdb090987d2b258ecN.exe 30 PID 2160 wrote to memory of 1480 2160 8266402.exe 31 PID 2160 wrote to memory of 1480 2160 8266402.exe 31 PID 2160 wrote to memory of 1480 2160 8266402.exe 31 PID 2160 wrote to memory of 1480 2160 8266402.exe 31 PID 1480 wrote to memory of 1908 1480 dvpjv.exe 32 PID 1480 wrote to memory of 1908 1480 dvpjv.exe 32 PID 1480 wrote to memory of 1908 1480 dvpjv.exe 32 PID 1480 wrote to memory of 1908 1480 dvpjv.exe 32 PID 1908 wrote to memory of 468 1908 7xffllr.exe 33 PID 1908 wrote to memory of 468 1908 7xffllr.exe 33 PID 1908 wrote to memory of 468 1908 7xffllr.exe 33 PID 1908 wrote to memory of 468 1908 7xffllr.exe 33 PID 468 wrote to memory of 2816 468 jpjpv.exe 34 PID 468 wrote to memory of 2816 468 jpjpv.exe 34 PID 468 wrote to memory of 2816 468 jpjpv.exe 34 PID 468 wrote to memory of 2816 468 jpjpv.exe 34 PID 2816 wrote to memory of 2768 2816 lxrrfxl.exe 35 PID 2816 wrote to memory of 2768 2816 lxrrfxl.exe 35 PID 2816 wrote to memory of 2768 2816 lxrrfxl.exe 35 PID 2816 wrote to memory of 2768 2816 lxrrfxl.exe 35 PID 2768 wrote to memory of 2868 2768 882468.exe 36 PID 2768 wrote to memory of 2868 2768 882468.exe 36 PID 2768 wrote to memory of 2868 2768 882468.exe 36 PID 2768 wrote to memory of 2868 2768 882468.exe 36 PID 2868 wrote to memory of 2512 2868 lfxrffx.exe 37 PID 2868 wrote to memory of 2512 2868 lfxrffx.exe 37 PID 2868 wrote to memory of 2512 2868 lfxrffx.exe 37 PID 2868 wrote to memory of 2512 2868 lfxrffx.exe 37 PID 2512 wrote to memory of 2904 2512 nttbhn.exe 38 PID 2512 
wrote to memory of 2904 2512 nttbhn.exe 38 PID 2512 wrote to memory of 2904 2512 nttbhn.exe 38 PID 2512 wrote to memory of 2904 2512 nttbhn.exe 38 PID 2904 wrote to memory of 2764 2904 640004.exe 39 PID 2904 wrote to memory of 2764 2904 640004.exe 39 PID 2904 wrote to memory of 2764 2904 640004.exe 39 PID 2904 wrote to memory of 2764 2904 640004.exe 39 PID 2764 wrote to memory of 2672 2764 jvpjj.exe 40 PID 2764 wrote to memory of 2672 2764 jvpjj.exe 40 PID 2764 wrote to memory of 2672 2764 jvpjj.exe 40 PID 2764 wrote to memory of 2672 2764 jvpjj.exe 40 PID 2672 wrote to memory of 2212 2672 4262406.exe 41 PID 2672 wrote to memory of 2212 2672 4262406.exe 41 PID 2672 wrote to memory of 2212 2672 4262406.exe 41 PID 2672 wrote to memory of 2212 2672 4262406.exe 41 PID 2212 wrote to memory of 1628 2212 42840.exe 42 PID 2212 wrote to memory of 1628 2212 42840.exe 42 PID 2212 wrote to memory of 1628 2212 42840.exe 42 PID 2212 wrote to memory of 1628 2212 42840.exe 42 PID 1628 wrote to memory of 2688 1628 pjddj.exe 43 PID 1628 wrote to memory of 2688 1628 pjddj.exe 43 PID 1628 wrote to memory of 2688 1628 pjddj.exe 43 PID 1628 wrote to memory of 2688 1628 pjddj.exe 43 PID 2688 wrote to memory of 1912 2688 6466846.exe 44 PID 2688 wrote to memory of 1912 2688 6466846.exe 44 PID 2688 wrote to memory of 1912 2688 6466846.exe 44 PID 2688 wrote to memory of 1912 2688 6466846.exe 44 PID 1912 wrote to memory of 1004 1912 2606880.exe 45 PID 1912 wrote to memory of 1004 1912 2606880.exe 45 PID 1912 wrote to memory of 1004 1912 2606880.exe 45 PID 1912 wrote to memory of 1004 1912 2606880.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f56274e74842b3f6a9947bf64949732ae10fa3c86f35d2efdb090987d2b258ecN.exe"C:\Users\Admin\AppData\Local\Temp\f56274e74842b3f6a9947bf64949732ae10fa3c86f35d2efdb090987d2b258ecN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\8266402.exec:\8266402.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\dvpjv.exec:\dvpjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\7xffllr.exec:\7xffllr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\jpjpv.exec:\jpjpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\lxrrfxl.exec:\lxrrfxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\882468.exec:\882468.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\lfxrffx.exec:\lfxrffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\nttbhn.exec:\nttbhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\640004.exec:\640004.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\jvpjj.exec:\jvpjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\4262406.exec:\4262406.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\42840.exec:\42840.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\pjddj.exec:\pjddj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\6466846.exec:\6466846.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\2606880.exec:\2606880.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\9nhhtt.exec:\9nhhtt.exe17⤵
- Executes dropped EXE
PID:1004 -
\??\c:\264024.exec:\264024.exe18⤵
- Executes dropped EXE
PID:2696 -
\??\c:\2242402.exec:\2242402.exe19⤵
- Executes dropped EXE
PID:1452 -
\??\c:\5btbnn.exec:\5btbnn.exe20⤵
- Executes dropped EXE
PID:1764 -
\??\c:\48224.exec:\48224.exe21⤵
- Executes dropped EXE
PID:2072 -
\??\c:\i424620.exec:\i424620.exe22⤵
- Executes dropped EXE
PID:1304 -
\??\c:\6082464.exec:\6082464.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2564 -
\??\c:\ppppj.exec:\ppppj.exe24⤵
- Executes dropped EXE
PID:1212 -
\??\c:\7pjjv.exec:\7pjjv.exe25⤵
- Executes dropped EXE
PID:2036 -
\??\c:\8646684.exec:\8646684.exe26⤵
- Executes dropped EXE
PID:1360 -
\??\c:\pjvdj.exec:\pjvdj.exe27⤵
- Executes dropped EXE
PID:1524 -
\??\c:\jdvdv.exec:\jdvdv.exe28⤵
- Executes dropped EXE
PID:1536 -
\??\c:\hbbhhh.exec:\hbbhhh.exe29⤵
- Executes dropped EXE
PID:2504 -
\??\c:\1llrffx.exec:\1llrffx.exe30⤵
- Executes dropped EXE
PID:580 -
\??\c:\jpdpd.exec:\jpdpd.exe31⤵
- Executes dropped EXE
PID:2936 -
\??\c:\rflrxfl.exec:\rflrxfl.exe32⤵
- Executes dropped EXE
PID:876 -
\??\c:\86446.exec:\86446.exe33⤵
- Executes dropped EXE
PID:1572 -
\??\c:\rxffffr.exec:\rxffffr.exe34⤵
- Executes dropped EXE
PID:2712 -
\??\c:\60846.exec:\60846.exe35⤵
- Executes dropped EXE
PID:2136 -
\??\c:\642840.exec:\642840.exe36⤵
- Executes dropped EXE
PID:2328 -
\??\c:\60880.exec:\60880.exe37⤵
- Executes dropped EXE
PID:2364 -
\??\c:\424688.exec:\424688.exe38⤵
- Executes dropped EXE
PID:2568 -
\??\c:\208840.exec:\208840.exe39⤵
- Executes dropped EXE
PID:2916 -
\??\c:\m6806.exec:\m6806.exe40⤵
- Executes dropped EXE
PID:2460 -
\??\c:\646800.exec:\646800.exe41⤵
- Executes dropped EXE
PID:2844 -
\??\c:\vpjjp.exec:\vpjjp.exe42⤵
- Executes dropped EXE
PID:2756 -
\??\c:\k26806.exec:\k26806.exe43⤵
- Executes dropped EXE
PID:2908 -
\??\c:\26406.exec:\26406.exe44⤵
- Executes dropped EXE
PID:2760 -
\??\c:\rlffrxf.exec:\rlffrxf.exe45⤵
- Executes dropped EXE
PID:2716 -
\??\c:\jppvj.exec:\jppvj.exe46⤵
- Executes dropped EXE
PID:2740 -
\??\c:\04240.exec:\04240.exe47⤵
- Executes dropped EXE
PID:2632 -
\??\c:\1jdpp.exec:\1jdpp.exe48⤵
- Executes dropped EXE
PID:1332 -
\??\c:\086606.exec:\086606.exe49⤵
- Executes dropped EXE
PID:2680 -
\??\c:\lfflxfx.exec:\lfflxfx.exe50⤵
- Executes dropped EXE
PID:1684 -
\??\c:\w26644.exec:\w26644.exe51⤵
- Executes dropped EXE
PID:380 -
\??\c:\48062.exec:\48062.exe52⤵
- Executes dropped EXE
PID:1340 -
\??\c:\ffflffr.exec:\ffflffr.exe53⤵
- Executes dropped EXE
PID:2304 -
\??\c:\7dppp.exec:\7dppp.exe54⤵
- Executes dropped EXE
PID:484 -
\??\c:\482486.exec:\482486.exe55⤵
- Executes dropped EXE
PID:1308 -
\??\c:\hbntbh.exec:\hbntbh.exe56⤵
- Executes dropped EXE
PID:1944 -
\??\c:\642404.exec:\642404.exe57⤵
- Executes dropped EXE
PID:1792 -
\??\c:\6424268.exec:\6424268.exe58⤵
- Executes dropped EXE
PID:2944 -
\??\c:\64224.exec:\64224.exe59⤵
- Executes dropped EXE
PID:2980 -
\??\c:\vpdvj.exec:\vpdvj.exe60⤵
- Executes dropped EXE
PID:3068 -
\??\c:\u622068.exec:\u622068.exe61⤵
- Executes dropped EXE
PID:2176 -
\??\c:\8820460.exec:\8820460.exe62⤵
- Executes dropped EXE
PID:408 -
\??\c:\7rrrllr.exec:\7rrrllr.exe63⤵
- Executes dropped EXE
PID:568 -
\??\c:\xrxlflr.exec:\xrxlflr.exe64⤵
- Executes dropped EXE
PID:1368 -
\??\c:\822240.exec:\822240.exe65⤵
- Executes dropped EXE
PID:1136 -
\??\c:\hbntht.exec:\hbntht.exe66⤵PID:1864
-
\??\c:\w80804.exec:\w80804.exe67⤵PID:1720
-
\??\c:\1ffxxxx.exec:\1ffxxxx.exe68⤵PID:896
-
\??\c:\lxrxlxl.exec:\lxrxlxl.exe69⤵PID:1868
-
\??\c:\86884.exec:\86884.exe70⤵PID:988
-
\??\c:\7btbtt.exec:\7btbtt.exe71⤵PID:2180
-
\??\c:\jpjpv.exec:\jpjpv.exe72⤵PID:2440
-
\??\c:\e20288.exec:\e20288.exe73⤵PID:2308
-
\??\c:\a0402.exec:\a0402.exe74⤵PID:2936
-
\??\c:\thbbnn.exec:\thbbnn.exe75⤵PID:2404
-
\??\c:\btntbh.exec:\btntbh.exe76⤵PID:2028
-
\??\c:\864084.exec:\864084.exe77⤵PID:3060
-
\??\c:\tnbhnn.exec:\tnbhnn.exe78⤵PID:3064
-
\??\c:\dpppd.exec:\dpppd.exe79⤵PID:2312
-
\??\c:\lxlrxxl.exec:\lxlrxxl.exe80⤵PID:2328
-
\??\c:\1lxxffl.exec:\1lxxffl.exe81⤵PID:2264
-
\??\c:\5xlfffl.exec:\5xlfffl.exe82⤵PID:1700
-
\??\c:\86222.exec:\86222.exe83⤵PID:2916
-
\??\c:\1lfllll.exec:\1lfllll.exe84⤵PID:2392
-
\??\c:\1vjjp.exec:\1vjjp.exe85⤵PID:2844
-
\??\c:\jdjpd.exec:\jdjpd.exe86⤵PID:3012
-
\??\c:\208848.exec:\208848.exe87⤵
- System Location Discovery: System Language Discovery
PID:2880 -
\??\c:\1fxrxrr.exec:\1fxrxrr.exe88⤵PID:2656
-
\??\c:\22228.exec:\22228.exe89⤵PID:2716
-
\??\c:\fxrxllf.exec:\fxrxllf.exe90⤵PID:2740
-
\??\c:\rlxfrll.exec:\rlxfrll.exe91⤵PID:2624
-
\??\c:\g4668.exec:\g4668.exe92⤵PID:2672
-
\??\c:\8262440.exec:\8262440.exe93⤵PID:2800
-
\??\c:\fxrrllr.exec:\fxrrllr.exe94⤵PID:1684
-
\??\c:\26462.exec:\26462.exe95⤵PID:1664
-
\??\c:\1vjpd.exec:\1vjpd.exe96⤵PID:1340
-
\??\c:\s6040.exec:\s6040.exe97⤵PID:1220
-
\??\c:\bnbttt.exec:\bnbttt.exe98⤵PID:1164
-
\??\c:\rfrlflx.exec:\rfrlflx.exe99⤵PID:1916
-
\??\c:\e84648.exec:\e84648.exe100⤵PID:2932
-
\??\c:\vpdjp.exec:\vpdjp.exe101⤵PID:2696
-
\??\c:\802844.exec:\802844.exe102⤵PID:2984
-
\??\c:\8680620.exec:\8680620.exe103⤵PID:1264
-
\??\c:\rlxfrlr.exec:\rlxfrlr.exe104⤵PID:2952
-
\??\c:\26442.exec:\26442.exe105⤵PID:2920
-
\??\c:\jjjdp.exec:\jjjdp.exe106⤵PID:2108
-
\??\c:\6860228.exec:\6860228.exe107⤵PID:2104
-
\??\c:\2028068.exec:\2028068.exe108⤵PID:308
-
\??\c:\608244.exec:\608244.exe109⤵PID:2132
-
\??\c:\dpdjp.exec:\dpdjp.exe110⤵PID:1532
-
\??\c:\w08088.exec:\w08088.exe111⤵PID:1904
-
\??\c:\8266668.exec:\8266668.exe112⤵PID:1788
-
\??\c:\fxrxflr.exec:\fxrxflr.exe113⤵PID:1760
-
\??\c:\086600.exec:\086600.exe114⤵PID:2164
-
\??\c:\668624.exec:\668624.exe115⤵PID:2504
-
\??\c:\e48400.exec:\e48400.exe116⤵PID:2156
-
\??\c:\5nbhnt.exec:\5nbhnt.exe117⤵PID:1752
-
\??\c:\ffxlxfx.exec:\ffxlxfx.exe118⤵PID:2308
-
\??\c:\flrflfl.exec:\flrflfl.exe119⤵PID:2936
-
\??\c:\bttnbb.exec:\bttnbb.exe120⤵PID:2404
-
\??\c:\64268.exec:\64268.exe121⤵PID:3056
-
\??\c:\486844.exec:\486844.exe122⤵PID:2464