Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe
-
Size
454KB
-
MD5
c435c76635b5417cf532f0e6997ae186
-
SHA1
aaad0c2ef17745490220bdb24b5ef956a82d4e12
-
SHA256
bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f
-
SHA512
cda6e71562ab0ebc99f8d91eef66e1a567f4f0bcf7a000edc214d8bd1771185b195172de6b5c4b444dfd6d4235e29057a7f4d53a9c1037346006abd877b2509c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/2852-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3060-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-31-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2668-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-89-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2144-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1324-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2564-264-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1728-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/332-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1720-388-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/796-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-462-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/760-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-562-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/888-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1352-802-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-840-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-901-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-1000-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1216-1043-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2392-1053-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3060 860622.exe 2744 06066.exe 2668 vjvpv.exe 2856 2084280.exe 2796 8022402.exe 1616 2684068.exe 296 lfrxfxf.exe 2956 7bnntb.exe 2144 jppdv.exe 2332 8688002.exe 3036 vpdjv.exe 2104 o644268.exe 3028 pjvdd.exe 3008 5nbbhh.exe 624 q64646.exe 2456 860060.exe 2428 u662020.exe 1976 20262.exe 2388 u602844.exe 1324 xlffllr.exe 952 5rxrffr.exe 2068 rrfrxxl.exe 1548 3nhhhh.exe 1708 w80626.exe 744 2688406.exe 2372 a6620.exe 916 pjdjp.exe 2564 868880.exe 1728 frxllll.exe 2484 1rflrrx.exe 1804 i000224.exe 2380 vpdjv.exe 2880 086060.exe 1716 48066.exe 2664 08444.exe 2656 00806.exe 2676 lxrrrlr.exe 2692 djvdj.exe 1032 0604408.exe 2796 g6006.exe 332 lxllrrx.exe 1476 lxrlrrx.exe 2304 jvpdj.exe 2176 vjpvd.exe 1720 640000.exe 1524 xlxxllx.exe 2984 6460006.exe 796 dpjpv.exe 2000 26420.exe 2292 m6000.exe 2960 dpvvd.exe 1436 lxxxffl.exe 2196 a4628.exe 624 264688.exe 2252 826240.exe 3052 688842.exe 308 lxlrrrx.exe 2556 42846.exe 2388 thnhhh.exe 1244 1jvpd.exe 2044 pjjjp.exe 1828 60802.exe 1696 e20062.exe 972 c484668.exe -
resource yara_rule behavioral1/memory/2852-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1324-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2564-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-278-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2484-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/332-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-742-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-802-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-809-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1908-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-901-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/268-932-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-963-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/664-1026-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1216-1043-0x00000000003A0000-0x00000000003CA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0646228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i862484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lxfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6028620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c262446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6422440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2852 wrote to memory of 3060 2852 bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe 30 PID 2852 wrote to memory of 3060 2852 bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe 30 PID 2852 wrote to memory of 3060 2852 bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe 30 PID 2852 wrote to memory of 3060 2852 bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe 30 PID 3060 wrote to memory of 2744 3060 860622.exe 31 PID 3060 wrote to memory of 2744 3060 860622.exe 31 PID 3060 wrote to memory of 2744 3060 860622.exe 31 PID 3060 wrote to memory of 2744 3060 860622.exe 31 PID 2744 wrote to memory of 2668 2744 06066.exe 32 PID 2744 wrote to memory of 2668 2744 06066.exe 32 PID 2744 wrote to memory of 2668 2744 06066.exe 32 PID 2744 wrote to memory of 2668 2744 06066.exe 32 PID 2668 wrote to memory of 2856 2668 vjvpv.exe 33 PID 2668 wrote to memory of 2856 2668 vjvpv.exe 33 PID 2668 wrote to memory of 2856 2668 vjvpv.exe 33 PID 2668 wrote to memory of 2856 2668 vjvpv.exe 33 PID 2856 wrote to memory of 2796 2856 2084280.exe 34 PID 2856 wrote to memory of 2796 2856 2084280.exe 34 PID 2856 wrote to memory of 2796 2856 2084280.exe 34 PID 2856 wrote to memory of 2796 2856 2084280.exe 34 PID 2796 wrote to memory of 1616 2796 8022402.exe 35 PID 2796 wrote to memory of 1616 2796 8022402.exe 35 PID 2796 wrote to memory of 1616 2796 8022402.exe 35 PID 2796 wrote to memory of 1616 2796 8022402.exe 35 PID 1616 wrote to memory of 296 1616 2684068.exe 36 PID 1616 wrote to memory of 296 1616 2684068.exe 36 PID 1616 wrote to memory of 296 1616 2684068.exe 36 PID 1616 wrote to memory of 296 1616 2684068.exe 36 PID 296 wrote to memory of 2956 296 lfrxfxf.exe 37 PID 296 wrote to memory of 2956 296 lfrxfxf.exe 37 PID 296 wrote to memory of 2956 296 lfrxfxf.exe 37 PID 296 wrote to memory of 2956 296 lfrxfxf.exe 37 PID 2956 wrote to memory of 2144 2956 7bnntb.exe 38 PID 2956 wrote to 
memory of 2144 2956 7bnntb.exe 38 PID 2956 wrote to memory of 2144 2956 7bnntb.exe 38 PID 2956 wrote to memory of 2144 2956 7bnntb.exe 38 PID 2144 wrote to memory of 2332 2144 jppdv.exe 39 PID 2144 wrote to memory of 2332 2144 jppdv.exe 39 PID 2144 wrote to memory of 2332 2144 jppdv.exe 39 PID 2144 wrote to memory of 2332 2144 jppdv.exe 39 PID 2332 wrote to memory of 3036 2332 8688002.exe 40 PID 2332 wrote to memory of 3036 2332 8688002.exe 40 PID 2332 wrote to memory of 3036 2332 8688002.exe 40 PID 2332 wrote to memory of 3036 2332 8688002.exe 40 PID 3036 wrote to memory of 2104 3036 vpdjv.exe 41 PID 3036 wrote to memory of 2104 3036 vpdjv.exe 41 PID 3036 wrote to memory of 2104 3036 vpdjv.exe 41 PID 3036 wrote to memory of 2104 3036 vpdjv.exe 41 PID 2104 wrote to memory of 3028 2104 o644268.exe 42 PID 2104 wrote to memory of 3028 2104 o644268.exe 42 PID 2104 wrote to memory of 3028 2104 o644268.exe 42 PID 2104 wrote to memory of 3028 2104 o644268.exe 42 PID 3028 wrote to memory of 3008 3028 pjvdd.exe 43 PID 3028 wrote to memory of 3008 3028 pjvdd.exe 43 PID 3028 wrote to memory of 3008 3028 pjvdd.exe 43 PID 3028 wrote to memory of 3008 3028 pjvdd.exe 43 PID 3008 wrote to memory of 624 3008 5nbbhh.exe 44 PID 3008 wrote to memory of 624 3008 5nbbhh.exe 44 PID 3008 wrote to memory of 624 3008 5nbbhh.exe 44 PID 3008 wrote to memory of 624 3008 5nbbhh.exe 44 PID 624 wrote to memory of 2456 624 q64646.exe 45 PID 624 wrote to memory of 2456 624 q64646.exe 45 PID 624 wrote to memory of 2456 624 q64646.exe 45 PID 624 wrote to memory of 2456 624 q64646.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe"C:\Users\Admin\AppData\Local\Temp\bce42afd4143243f9fc72e15c52a42cf15efbf87bbe2cd02c916ba0abf83a72f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\860622.exec:\860622.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\06066.exec:\06066.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\vjvpv.exec:\vjvpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\2084280.exec:\2084280.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\8022402.exec:\8022402.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\2684068.exec:\2684068.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\lfrxfxf.exec:\lfrxfxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:296 -
\??\c:\7bnntb.exec:\7bnntb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\jppdv.exec:\jppdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\8688002.exec:\8688002.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\vpdjv.exec:\vpdjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\o644268.exec:\o644268.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\pjvdd.exec:\pjvdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\5nbbhh.exec:\5nbbhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\q64646.exec:\q64646.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\860060.exec:\860060.exe17⤵
- Executes dropped EXE
PID:2456 -
\??\c:\u662020.exec:\u662020.exe18⤵
- Executes dropped EXE
PID:2428 -
\??\c:\20262.exec:\20262.exe19⤵
- Executes dropped EXE
PID:1976 -
\??\c:\u602844.exec:\u602844.exe20⤵
- Executes dropped EXE
PID:2388 -
\??\c:\xlffllr.exec:\xlffllr.exe21⤵
- Executes dropped EXE
PID:1324 -
\??\c:\5rxrffr.exec:\5rxrffr.exe22⤵
- Executes dropped EXE
PID:952 -
\??\c:\rrfrxxl.exec:\rrfrxxl.exe23⤵
- Executes dropped EXE
PID:2068 -
\??\c:\3nhhhh.exec:\3nhhhh.exe24⤵
- Executes dropped EXE
PID:1548 -
\??\c:\w80626.exec:\w80626.exe25⤵
- Executes dropped EXE
PID:1708 -
\??\c:\2688406.exec:\2688406.exe26⤵
- Executes dropped EXE
PID:744 -
\??\c:\a6620.exec:\a6620.exe27⤵
- Executes dropped EXE
PID:2372 -
\??\c:\pjdjp.exec:\pjdjp.exe28⤵
- Executes dropped EXE
PID:916 -
\??\c:\868880.exec:\868880.exe29⤵
- Executes dropped EXE
PID:2564 -
\??\c:\frxllll.exec:\frxllll.exe30⤵
- Executes dropped EXE
PID:1728 -
\??\c:\1rflrrx.exec:\1rflrrx.exe31⤵
- Executes dropped EXE
PID:2484 -
\??\c:\i000224.exec:\i000224.exe32⤵
- Executes dropped EXE
PID:1804 -
\??\c:\vpdjv.exec:\vpdjv.exe33⤵
- Executes dropped EXE
PID:2380 -
\??\c:\086060.exec:\086060.exe34⤵
- Executes dropped EXE
PID:2880 -
\??\c:\48066.exec:\48066.exe35⤵
- Executes dropped EXE
PID:1716 -
\??\c:\08444.exec:\08444.exe36⤵
- Executes dropped EXE
PID:2664 -
\??\c:\00806.exec:\00806.exe37⤵
- Executes dropped EXE
PID:2656 -
\??\c:\lxrrrlr.exec:\lxrrrlr.exe38⤵
- Executes dropped EXE
PID:2676 -
\??\c:\djvdj.exec:\djvdj.exe39⤵
- Executes dropped EXE
PID:2692 -
\??\c:\0604408.exec:\0604408.exe40⤵
- Executes dropped EXE
PID:1032 -
\??\c:\g6006.exec:\g6006.exe41⤵
- Executes dropped EXE
PID:2796 -
\??\c:\lxllrrx.exec:\lxllrrx.exe42⤵
- Executes dropped EXE
PID:332 -
\??\c:\lxrlrrx.exec:\lxrlrrx.exe43⤵
- Executes dropped EXE
PID:1476 -
\??\c:\jvpdj.exec:\jvpdj.exe44⤵
- Executes dropped EXE
PID:2304 -
\??\c:\vjpvd.exec:\vjpvd.exe45⤵
- Executes dropped EXE
PID:2176 -
\??\c:\640000.exec:\640000.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1720 -
\??\c:\xlxxllx.exec:\xlxxllx.exe47⤵
- Executes dropped EXE
PID:1524 -
\??\c:\6460006.exec:\6460006.exe48⤵
- Executes dropped EXE
PID:2984 -
\??\c:\dpjpv.exec:\dpjpv.exe49⤵
- Executes dropped EXE
PID:796 -
\??\c:\26420.exec:\26420.exe50⤵
- Executes dropped EXE
PID:2000 -
\??\c:\m6000.exec:\m6000.exe51⤵
- Executes dropped EXE
PID:2292 -
\??\c:\dpvvd.exec:\dpvvd.exe52⤵
- Executes dropped EXE
PID:2960 -
\??\c:\lxxxffl.exec:\lxxxffl.exe53⤵
- Executes dropped EXE
PID:1436 -
\??\c:\a4628.exec:\a4628.exe54⤵
- Executes dropped EXE
PID:2196 -
\??\c:\264688.exec:\264688.exe55⤵
- Executes dropped EXE
PID:624 -
\??\c:\826240.exec:\826240.exe56⤵
- Executes dropped EXE
PID:2252 -
\??\c:\688842.exec:\688842.exe57⤵
- Executes dropped EXE
PID:3052 -
\??\c:\lxlrrrx.exec:\lxlrrrx.exe58⤵
- Executes dropped EXE
PID:308 -
\??\c:\42846.exec:\42846.exe59⤵
- Executes dropped EXE
PID:2556 -
\??\c:\thnhhh.exec:\thnhhh.exe60⤵
- Executes dropped EXE
PID:2388 -
\??\c:\1jvpd.exec:\1jvpd.exe61⤵
- Executes dropped EXE
PID:1244 -
\??\c:\pjjjp.exec:\pjjjp.exe62⤵
- Executes dropped EXE
PID:2044 -
\??\c:\60802.exec:\60802.exe63⤵
- Executes dropped EXE
PID:1828 -
\??\c:\e20062.exec:\e20062.exe64⤵
- Executes dropped EXE
PID:1696 -
\??\c:\c484668.exec:\c484668.exe65⤵
- Executes dropped EXE
PID:972 -
\??\c:\7jvvv.exec:\7jvvv.exe66⤵PID:1340
-
\??\c:\24200.exec:\24200.exe67⤵PID:1752
-
\??\c:\6084044.exec:\6084044.exe68⤵PID:760
-
\??\c:\480628.exec:\480628.exe69⤵PID:1736
-
\??\c:\rlxffxl.exec:\rlxffxl.exe70⤵PID:904
-
\??\c:\484400.exec:\484400.exe71⤵PID:2016
-
\??\c:\dvppd.exec:\dvppd.exe72⤵PID:736
-
\??\c:\4206824.exec:\4206824.exe73⤵PID:2100
-
\??\c:\fxrlllr.exec:\fxrlllr.exe74⤵PID:1668
-
\??\c:\1xxxffl.exec:\1xxxffl.exe75⤵PID:888
-
\??\c:\868460.exec:\868460.exe76⤵PID:2408
-
\??\c:\46228.exec:\46228.exe77⤵PID:2756
-
\??\c:\1rlllll.exec:\1rlllll.exe78⤵PID:2760
-
\??\c:\48280.exec:\48280.exe79⤵PID:2636
-
\??\c:\826622.exec:\826622.exe80⤵PID:1700
-
\??\c:\jpddv.exec:\jpddv.exe81⤵PID:3056
-
\??\c:\jvdpv.exec:\jvdpv.exe82⤵PID:2116
-
\??\c:\202844.exec:\202844.exe83⤵PID:2640
-
\??\c:\644404.exec:\644404.exe84⤵PID:1032
-
\??\c:\nbtbhh.exec:\nbtbhh.exe85⤵PID:996
-
\??\c:\08242.exec:\08242.exe86⤵PID:2212
-
\??\c:\tntnnn.exec:\tntnnn.exe87⤵PID:2316
-
\??\c:\60460.exec:\60460.exe88⤵PID:2220
-
\??\c:\0806484.exec:\0806484.exe89⤵PID:1288
-
\??\c:\ppjvd.exec:\ppjvd.exe90⤵PID:2572
-
\??\c:\20228.exec:\20228.exe91⤵PID:2108
-
\??\c:\rlxxxfl.exec:\rlxxxfl.exe92⤵PID:1768
-
\??\c:\pvpvd.exec:\pvpvd.exe93⤵PID:796
-
\??\c:\frflxxl.exec:\frflxxl.exe94⤵PID:3040
-
\??\c:\bthhtb.exec:\bthhtb.exe95⤵PID:1576
-
\??\c:\1hnhhh.exec:\1hnhhh.exe96⤵PID:3008
-
\??\c:\hbbbbt.exec:\hbbbbt.exe97⤵PID:1800
-
\??\c:\hhtnnn.exec:\hhtnnn.exe98⤵PID:2808
-
\??\c:\9jddj.exec:\9jddj.exe99⤵
- System Location Discovery: System Language Discovery
PID:2072 -
\??\c:\nnhhhn.exec:\nnhhhn.exe100⤵PID:2188
-
\??\c:\086248.exec:\086248.exe101⤵PID:2552
-
\??\c:\264684.exec:\264684.exe102⤵PID:2004
-
\??\c:\26224.exec:\26224.exe103⤵PID:2556
-
\??\c:\3frxxll.exec:\3frxxll.exe104⤵PID:2388
-
\??\c:\llfrxfl.exec:\llfrxfl.exe105⤵PID:1244
-
\??\c:\nbntnn.exec:\nbntnn.exe106⤵PID:2320
-
\??\c:\rlffxxf.exec:\rlffxxf.exe107⤵PID:1828
-
\??\c:\pdppv.exec:\pdppv.exe108⤵PID:1696
-
\??\c:\fxlxllr.exec:\fxlxllr.exe109⤵PID:1352
-
\??\c:\868460.exec:\868460.exe110⤵PID:1808
-
\??\c:\tntbnt.exec:\tntbnt.exe111⤵PID:1952
-
\??\c:\1fffxxf.exec:\1fffxxf.exe112⤵PID:2200
-
\??\c:\2822042.exec:\2822042.exe113⤵PID:2184
-
\??\c:\9jddp.exec:\9jddp.exe114⤵PID:1228
-
\??\c:\08422.exec:\08422.exe115⤵PID:1908
-
\??\c:\xrfxrrf.exec:\xrfxrrf.exe116⤵PID:2472
-
\??\c:\04680.exec:\04680.exe117⤵PID:1792
-
\??\c:\rlxxllr.exec:\rlxxllr.exe118⤵PID:2348
-
\??\c:\dvdjp.exec:\dvdjp.exe119⤵PID:2500
-
\??\c:\6088446.exec:\6088446.exe120⤵PID:3048
-
\??\c:\2084028.exec:\2084028.exe121⤵PID:2756
-
\??\c:\048022.exec:\048022.exe122⤵PID:2924