Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 22:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe
-
Size
456KB
-
MD5
4a78e247f45a33f53a3bdd74b2be58fe
-
SHA1
74ef2587bda7ae1ef7ff31e6e5c8ec556d4a86d7
-
SHA256
422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e
-
SHA512
ba85f49b62d987d8f0732b27cabdc04cc2545ff099ee65f5c3263a9a8defb1b8d4be4745767ac75474ee0802975b45c6cda2d18c5f5a77cd2dda30b994c73092
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRa:q7Tc2NYHUrAwfMp3CDRa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2272-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1008-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-66-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3056-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-110-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2328-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1456-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1696-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/772-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2348-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-373-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2688-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-535-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1616-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-589-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2484-591-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3008-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-643-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2880-642-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2696-660-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2740-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2184-696-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1812-725-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon 
behavioral1/memory/2200-732-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/568-780-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1724-787-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2860-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-826-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1708-868-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3040-1194-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2176-1238-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2316 862846.exe 1008 ddvvd.exe 2948 fxllrrx.exe 1496 1bnhtt.exe 2312 4806228.exe 2908 0862402.exe 2440 jjpdp.exe 3056 rlffrrl.exe 2688 8202406.exe 2708 jdppj.exe 2740 pvdpp.exe 2328 808804.exe 2276 028260.exe 2288 20846.exe 2192 i640228.exe 2244 060282.exe 2620 20680.exe 2056 248442.exe 1152 82402.exe 1456 2628062.exe 1548 2466224.exe 1208 48882.exe 2632 pdpjp.exe 1696 lxfxxrr.exe 772 80606.exe 2380 082440.exe 2588 6426442.exe 2348 g0440.exe 2536 486288.exe 1656 fxfrlll.exe 2504 422284.exe 2508 o084006.exe 1616 pvdpj.exe 2360 bnhnhh.exe 2324 7rrlffl.exe 1708 q46066.exe 2476 tnbbbb.exe 2760 a0884.exe 1308 42400.exe 2520 jjpdj.exe 2952 rlxfrfl.exe 2888 6400606.exe 2828 8640224.exe 2864 420688.exe 2688 0866888.exe 2708 k24062.exe 2660 8680228.exe 2344 dvddd.exe 2328 ffrxffl.exe 2208 7vjjp.exe 2260 5dppp.exe 1812 426284.exe 2200 86822.exe 2420 608022.exe 2600 nhhhbb.exe 2052 6084624.exe 1944 tnbhnt.exe 1664 8600224.exe 1704 xxxxxfr.exe 304 hnbbhh.exe 1748 hbbhtt.exe 1208 606640.exe 1732 nhbbtn.exe 568 rxflxxx.exe -
resource yara_rule behavioral1/memory/2272-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1008-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2328-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1456-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1696-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2536-263-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1656-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1340-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1016-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-589-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3008-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-819-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-826-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2128-854-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-868-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-881-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2224-942-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-980-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1384-1024-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-1043-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-1120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/648-1169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1528-1245-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 428022.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o420802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8688068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8644440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26288.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4204624.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2272 wrote to memory of 2316 2272 422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe 30 PID 2272 wrote to memory of 2316 2272 422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe 30 PID 2272 wrote to memory of 2316 2272 422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe 30 PID 2272 wrote to memory of 2316 2272 422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe 30 PID 2316 wrote to memory of 1008 2316 862846.exe 31 PID 2316 wrote to memory of 1008 2316 862846.exe 31 PID 2316 wrote to memory of 1008 2316 862846.exe 31 PID 2316 wrote to memory of 1008 2316 862846.exe 31 PID 1008 wrote to memory of 2948 1008 ddvvd.exe 32 PID 1008 wrote to memory of 2948 1008 ddvvd.exe 32 PID 1008 wrote to memory of 2948 1008 ddvvd.exe 32 PID 1008 wrote to memory of 2948 1008 ddvvd.exe 32 PID 2948 wrote to memory of 1496 2948 fxllrrx.exe 33 PID 2948 wrote to memory of 1496 2948 fxllrrx.exe 33 PID 2948 wrote to memory of 1496 2948 fxllrrx.exe 33 PID 2948 wrote to memory of 1496 2948 fxllrrx.exe 33 PID 1496 wrote to memory of 2312 1496 1bnhtt.exe 34 PID 1496 wrote to memory of 2312 1496 1bnhtt.exe 34 PID 1496 wrote to memory of 2312 1496 1bnhtt.exe 34 PID 1496 wrote to memory of 2312 1496 1bnhtt.exe 34 PID 2312 wrote to memory of 2908 2312 4806228.exe 35 PID 2312 wrote to memory of 2908 2312 4806228.exe 35 PID 2312 wrote to memory of 2908 2312 4806228.exe 35 PID 2312 wrote to memory of 2908 2312 4806228.exe 35 PID 2908 wrote to memory of 2440 2908 0862402.exe 36 PID 2908 wrote to memory of 2440 2908 0862402.exe 36 PID 2908 wrote to memory of 2440 2908 0862402.exe 36 PID 2908 wrote to memory of 2440 2908 0862402.exe 36 PID 2440 wrote to memory of 3056 2440 jjpdp.exe 37 PID 2440 wrote to memory of 3056 2440 jjpdp.exe 37 PID 2440 wrote to memory of 3056 2440 jjpdp.exe 37 PID 2440 wrote to memory of 3056 2440 jjpdp.exe 37 PID 3056 wrote to memory of 2688 3056 rlffrrl.exe 38 PID 3056 
wrote to memory of 2688 3056 rlffrrl.exe 38 PID 3056 wrote to memory of 2688 3056 rlffrrl.exe 38 PID 3056 wrote to memory of 2688 3056 rlffrrl.exe 38 PID 2688 wrote to memory of 2708 2688 8202406.exe 39 PID 2688 wrote to memory of 2708 2688 8202406.exe 39 PID 2688 wrote to memory of 2708 2688 8202406.exe 39 PID 2688 wrote to memory of 2708 2688 8202406.exe 39 PID 2708 wrote to memory of 2740 2708 jdppj.exe 40 PID 2708 wrote to memory of 2740 2708 jdppj.exe 40 PID 2708 wrote to memory of 2740 2708 jdppj.exe 40 PID 2708 wrote to memory of 2740 2708 jdppj.exe 40 PID 2740 wrote to memory of 2328 2740 pvdpp.exe 41 PID 2740 wrote to memory of 2328 2740 pvdpp.exe 41 PID 2740 wrote to memory of 2328 2740 pvdpp.exe 41 PID 2740 wrote to memory of 2328 2740 pvdpp.exe 41 PID 2328 wrote to memory of 2276 2328 808804.exe 42 PID 2328 wrote to memory of 2276 2328 808804.exe 42 PID 2328 wrote to memory of 2276 2328 808804.exe 42 PID 2328 wrote to memory of 2276 2328 808804.exe 42 PID 2276 wrote to memory of 2288 2276 028260.exe 43 PID 2276 wrote to memory of 2288 2276 028260.exe 43 PID 2276 wrote to memory of 2288 2276 028260.exe 43 PID 2276 wrote to memory of 2288 2276 028260.exe 43 PID 2288 wrote to memory of 2192 2288 20846.exe 44 PID 2288 wrote to memory of 2192 2288 20846.exe 44 PID 2288 wrote to memory of 2192 2288 20846.exe 44 PID 2288 wrote to memory of 2192 2288 20846.exe 44 PID 2192 wrote to memory of 2244 2192 i640228.exe 45 PID 2192 wrote to memory of 2244 2192 i640228.exe 45 PID 2192 wrote to memory of 2244 2192 i640228.exe 45 PID 2192 wrote to memory of 2244 2192 i640228.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe"C:\Users\Admin\AppData\Local\Temp\422a1754a49fb4acdd47b851ad5cd3a0a2ed464ef530a44d50ecf0c8aefb6e0e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\862846.exec:\862846.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\ddvvd.exec:\ddvvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\fxllrrx.exec:\fxllrrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\1bnhtt.exec:\1bnhtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\4806228.exec:\4806228.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\0862402.exec:\0862402.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\jjpdp.exec:\jjpdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\rlffrrl.exec:\rlffrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\8202406.exec:\8202406.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\jdppj.exec:\jdppj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\pvdpp.exec:\pvdpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\808804.exec:\808804.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\028260.exec:\028260.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\20846.exec:\20846.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\i640228.exec:\i640228.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\060282.exec:\060282.exe17⤵
- Executes dropped EXE
PID:2244 -
\??\c:\20680.exec:\20680.exe18⤵
- Executes dropped EXE
PID:2620 -
\??\c:\248442.exec:\248442.exe19⤵
- Executes dropped EXE
PID:2056 -
\??\c:\82402.exec:\82402.exe20⤵
- Executes dropped EXE
PID:1152 -
\??\c:\2628062.exec:\2628062.exe21⤵
- Executes dropped EXE
PID:1456 -
\??\c:\2466224.exec:\2466224.exe22⤵
- Executes dropped EXE
PID:1548 -
\??\c:\48882.exec:\48882.exe23⤵
- Executes dropped EXE
PID:1208 -
\??\c:\pdpjp.exec:\pdpjp.exe24⤵
- Executes dropped EXE
PID:2632 -
\??\c:\lxfxxrr.exec:\lxfxxrr.exe25⤵
- Executes dropped EXE
PID:1696 -
\??\c:\80606.exec:\80606.exe26⤵
- Executes dropped EXE
PID:772 -
\??\c:\082440.exec:\082440.exe27⤵
- Executes dropped EXE
PID:2380 -
\??\c:\6426442.exec:\6426442.exe28⤵
- Executes dropped EXE
PID:2588 -
\??\c:\g0440.exec:\g0440.exe29⤵
- Executes dropped EXE
PID:2348 -
\??\c:\486288.exec:\486288.exe30⤵
- Executes dropped EXE
PID:2536 -
\??\c:\fxfrlll.exec:\fxfrlll.exe31⤵
- Executes dropped EXE
PID:1656 -
\??\c:\422284.exec:\422284.exe32⤵
- Executes dropped EXE
PID:2504 -
\??\c:\o084006.exec:\o084006.exe33⤵
- Executes dropped EXE
PID:2508 -
\??\c:\pvdpj.exec:\pvdpj.exe34⤵
- Executes dropped EXE
PID:1616 -
\??\c:\bnhnhh.exec:\bnhnhh.exe35⤵
- Executes dropped EXE
PID:2360 -
\??\c:\7rrlffl.exec:\7rrlffl.exe36⤵
- Executes dropped EXE
PID:2324 -
\??\c:\q46066.exec:\q46066.exe37⤵
- Executes dropped EXE
PID:1708 -
\??\c:\tnbbbb.exec:\tnbbbb.exe38⤵
- Executes dropped EXE
PID:2476 -
\??\c:\a0884.exec:\a0884.exe39⤵
- Executes dropped EXE
PID:2760 -
\??\c:\42400.exec:\42400.exe40⤵
- Executes dropped EXE
PID:1308 -
\??\c:\jjpdj.exec:\jjpdj.exe41⤵
- Executes dropped EXE
PID:2520 -
\??\c:\rlxfrfl.exec:\rlxfrfl.exe42⤵
- Executes dropped EXE
PID:2952 -
\??\c:\6400606.exec:\6400606.exe43⤵
- Executes dropped EXE
PID:2888 -
\??\c:\8640224.exec:\8640224.exe44⤵
- Executes dropped EXE
PID:2828 -
\??\c:\420688.exec:\420688.exe45⤵
- Executes dropped EXE
PID:2864 -
\??\c:\0866888.exec:\0866888.exe46⤵
- Executes dropped EXE
PID:2688 -
\??\c:\k24062.exec:\k24062.exe47⤵
- Executes dropped EXE
PID:2708 -
\??\c:\8680228.exec:\8680228.exe48⤵
- Executes dropped EXE
PID:2660 -
\??\c:\dvddd.exec:\dvddd.exe49⤵
- Executes dropped EXE
PID:2344 -
\??\c:\ffrxffl.exec:\ffrxffl.exe50⤵
- Executes dropped EXE
PID:2328 -
\??\c:\7vjjp.exec:\7vjjp.exe51⤵
- Executes dropped EXE
PID:2208 -
\??\c:\5dppp.exec:\5dppp.exe52⤵
- Executes dropped EXE
PID:2260 -
\??\c:\426284.exec:\426284.exe53⤵
- Executes dropped EXE
PID:1812 -
\??\c:\86822.exec:\86822.exe54⤵
- Executes dropped EXE
PID:2200 -
\??\c:\608022.exec:\608022.exe55⤵
- Executes dropped EXE
PID:2420 -
\??\c:\nhhhbb.exec:\nhhhbb.exe56⤵
- Executes dropped EXE
PID:2600 -
\??\c:\6084624.exec:\6084624.exe57⤵
- Executes dropped EXE
PID:2052 -
\??\c:\tnbhnt.exec:\tnbhnt.exe58⤵
- Executes dropped EXE
PID:1944 -
\??\c:\8600224.exec:\8600224.exe59⤵
- Executes dropped EXE
PID:1664 -
\??\c:\xxxxxfr.exec:\xxxxxfr.exe60⤵
- Executes dropped EXE
PID:1704 -
\??\c:\hnbbhh.exec:\hnbbhh.exe61⤵
- Executes dropped EXE
PID:304 -
\??\c:\hbbhtt.exec:\hbbhtt.exe62⤵
- Executes dropped EXE
PID:1748 -
\??\c:\606640.exec:\606640.exe63⤵
- Executes dropped EXE
PID:1208 -
\??\c:\nhbbtn.exec:\nhbbtn.exe64⤵
- Executes dropped EXE
PID:1732 -
\??\c:\rxflxxx.exec:\rxflxxx.exe65⤵
- Executes dropped EXE
PID:568 -
\??\c:\5dvpd.exec:\5dvpd.exe66⤵PID:880
-
\??\c:\rfxxfff.exec:\rfxxfff.exe67⤵PID:1340
-
\??\c:\xrfxlxf.exec:\xrfxlxf.exe68⤵PID:884
-
\??\c:\xrfrxlr.exec:\xrfrxlr.exe69⤵PID:1976
-
\??\c:\3nbbhh.exec:\3nbbhh.exe70⤵PID:2884
-
\??\c:\ddvjj.exec:\ddvjj.exe71⤵PID:592
-
\??\c:\nnthnn.exec:\nnthnn.exe72⤵PID:2400
-
\??\c:\264088.exec:\264088.exe73⤵PID:1656
-
\??\c:\m0402.exec:\m0402.exe74⤵PID:1016
-
\??\c:\vjppv.exec:\vjppv.exe75⤵PID:2968
-
\??\c:\9vpjv.exec:\9vpjv.exe76⤵PID:1620
-
\??\c:\4206884.exec:\4206884.exe77⤵PID:1616
-
\??\c:\xrflrxl.exec:\xrflrxl.exe78⤵PID:2332
-
\??\c:\u022884.exec:\u022884.exe79⤵PID:2484
-
\??\c:\260682.exec:\260682.exe80⤵PID:2752
-
\??\c:\3vddj.exec:\3vddj.exe81⤵
- System Location Discovery: System Language Discovery
PID:2748 -
\??\c:\rfxfrxl.exec:\rfxfrxl.exe82⤵PID:2808
-
\??\c:\8202886.exec:\8202886.exe83⤵PID:2924
-
\??\c:\268848.exec:\268848.exe84⤵PID:2824
-
\??\c:\nthtnn.exec:\nthtnn.exe85⤵PID:3008
-
\??\c:\dvppd.exec:\dvppd.exe86⤵PID:2784
-
\??\c:\6488684.exec:\6488684.exe87⤵PID:2880
-
\??\c:\60408.exec:\60408.exe88⤵PID:2832
-
\??\c:\btnbnn.exec:\btnbnn.exe89⤵PID:2460
-
\??\c:\042862.exec:\042862.exe90⤵PID:2696
-
\??\c:\420404.exec:\420404.exe91⤵PID:2740
-
\??\c:\7vvvv.exec:\7vvvv.exe92⤵PID:2072
-
\??\c:\jvppv.exec:\jvppv.exe93⤵PID:2152
-
\??\c:\g4420.exec:\g4420.exe94⤵PID:2208
-
\??\c:\26068.exec:\26068.exe95⤵PID:2184
-
\??\c:\w02206.exec:\w02206.exe96⤵PID:1812
-
\??\c:\3pddj.exec:\3pddj.exe97⤵PID:2200
-
\??\c:\nhntnb.exec:\nhntnb.exe98⤵PID:2092
-
\??\c:\hthhtt.exec:\hthhtt.exe99⤵PID:2600
-
\??\c:\42000.exec:\42000.exe100⤵PID:1256
-
\??\c:\486666.exec:\486666.exe101⤵PID:1944
-
\??\c:\0866440.exec:\0866440.exe102⤵PID:1456
-
\??\c:\2088662.exec:\2088662.exe103⤵PID:1980
-
\??\c:\1vjdp.exec:\1vjdp.exe104⤵PID:968
-
\??\c:\q42844.exec:\q42844.exe105⤵PID:1556
-
\??\c:\thbbhh.exec:\thbbhh.exe106⤵PID:1568
-
\??\c:\3frlfxl.exec:\3frlfxl.exe107⤵PID:2632
-
\??\c:\jvppd.exec:\jvppd.exe108⤵PID:568
-
\??\c:\8248440.exec:\8248440.exe109⤵PID:1724
-
\??\c:\5nnnth.exec:\5nnnth.exe110⤵PID:1340
-
\??\c:\4202626.exec:\4202626.exe111⤵PID:2380
-
\??\c:\jdppd.exec:\jdppd.exe112⤵PID:1976
-
\??\c:\tnhhnn.exec:\tnhhnn.exe113⤵PID:2860
-
\??\c:\208400.exec:\208400.exe114⤵PID:592
-
\??\c:\s0840.exec:\s0840.exe115⤵PID:536
-
\??\c:\vdpvd.exec:\vdpvd.exe116⤵PID:1656
-
\??\c:\nnhnbh.exec:\nnhnbh.exe117⤵PID:2704
-
\??\c:\pjvjd.exec:\pjvjd.exe118⤵PID:2968
-
\??\c:\djdpv.exec:\djdpv.exe119⤵PID:1416
-
\??\c:\264444.exec:\264444.exe120⤵PID:2532
-
\??\c:\q20066.exec:\q20066.exe121⤵PID:2128
-
\??\c:\86006.exec:\86006.exe122⤵PID:1708