Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
28/03/2025, 19:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe
-
Size
456KB
-
MD5
aa11e7d4cfcd5c995438fa4704ece465
-
SHA1
014c94e41baabb3f428f36c2d502bfde3607f73b
-
SHA256
49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01
-
SHA512
9d1dc841aa7c01670ab0982c2ee00575bf97114b99704bb906319e28a37e38bd5ea631f6f15d820b7377a0681b3ed289a064a2654ceed3331cac3235a20740e5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeX:q7Tc2NYHUrAwfMp3CDX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 47 IoCs
resource yara_rule behavioral1/memory/2624-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1240-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2104-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2976-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1320-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1284-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/568-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1736-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-638-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1900-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-738-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2280-740-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2020-781-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2244-788-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2928-854-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-924-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-945-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2028-950-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/840-975-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/316-982-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2148-1002-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-1046-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1692-1053-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2388-1084-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2908-1178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-1262-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2160-1301-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2624 ppjvp.exe 2628 8404488.exe 2104 nnnhtt.exe 1476 dpjjj.exe 2936 htnbbh.exe 2848 20284.exe 2976 048462.exe 3020 642862.exe 2968 ttbtbn.exe 2712 tnbbnn.exe 2972 vpjvd.exe 1320 jjdjj.exe 3032 0462806.exe 1848 xxxrxxf.exe 3016 26822.exe 1284 0484664.exe 1296 htnhtn.exe 324 xrflxxf.exe 2732 dvvdp.exe 2572 bnbbbb.exe 2592 480408.exe 2148 602806.exe 1788 htbntt.exe 1872 nnntbh.exe 820 48280.exe 1768 bththn.exe 2128 pddjj.exe 2216 tnnbth.exe 568 200684.exe 1732 jdjjp.exe 888 3jpdj.exe 2644 bnhntb.exe 2396 48886.exe 1736 jpddj.exe 1904 e08022.exe 780 3bhbbt.exe 2296 u206880.exe 2928 4206240.exe 2840 jvpjp.exe 2260 w04462.exe 2716 1bnbhn.exe 2228 086682.exe 2880 frfrxrx.exe 1948 82002.exe 2516 lxrlxxf.exe 844 btntht.exe 3048 0862446.exe 3032 6400662.exe 3064 04246.exe 2588 s0228.exe 2028 xxrxflr.exe 2372 82024.exe 852 bbbntb.exe 1508 5jddd.exe 2348 642622.exe 3004 b00846.exe 1860 044688.exe 1192 9rrrlfx.exe 2400 q86284.exe 2304 2084668.exe 2344 48682.exe 2788 i446802.exe 2652 088424.exe 1636 dppdp.exe -
resource yara_rule behavioral1/memory/2624-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2104-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1320-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1848-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/568-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-302-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2928-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1900-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2088-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-814-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-821-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-846-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-854-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-861-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-924-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/328-989-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-1002-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2168-1003-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-1103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-1128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1320-1165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-1178-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9htnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262880.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k80044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468806.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i244484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i446802.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4800660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w86806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4248606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1240 wrote to memory of 2624 1240 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 30 PID 1240 wrote to memory of 2624 1240 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 30 PID 1240 wrote to memory of 2624 1240 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 30 PID 1240 wrote to memory of 2624 1240 49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe 30 PID 2624 wrote to memory of 2628 2624 ppjvp.exe 31 PID 2624 wrote to memory of 2628 2624 ppjvp.exe 31 PID 2624 wrote to memory of 2628 2624 ppjvp.exe 31 PID 2624 wrote to memory of 2628 2624 ppjvp.exe 31 PID 2628 wrote to memory of 2104 2628 8404488.exe 32 PID 2628 wrote to memory of 2104 2628 8404488.exe 32 PID 2628 wrote to memory of 2104 2628 8404488.exe 32 PID 2628 wrote to memory of 2104 2628 8404488.exe 32 PID 2104 wrote to memory of 1476 2104 nnnhtt.exe 33 PID 2104 wrote to memory of 1476 2104 nnnhtt.exe 33 PID 2104 wrote to memory of 1476 2104 nnnhtt.exe 33 PID 2104 wrote to memory of 1476 2104 nnnhtt.exe 33 PID 1476 wrote to memory of 2936 1476 dpjjj.exe 34 PID 1476 wrote to memory of 2936 1476 dpjjj.exe 34 PID 1476 wrote to memory of 2936 1476 dpjjj.exe 34 PID 1476 wrote to memory of 2936 1476 dpjjj.exe 34 PID 2936 wrote to memory of 2848 2936 htnbbh.exe 35 PID 2936 wrote to memory of 2848 2936 htnbbh.exe 35 PID 2936 wrote to memory of 2848 2936 htnbbh.exe 35 PID 2936 wrote to memory of 2848 2936 htnbbh.exe 35 PID 2848 wrote to memory of 2976 2848 20284.exe 36 PID 2848 wrote to memory of 2976 2848 20284.exe 36 PID 2848 wrote to memory of 2976 2848 20284.exe 36 PID 2848 wrote to memory of 2976 2848 20284.exe 36 PID 2976 wrote to memory of 3020 2976 048462.exe 37 PID 2976 wrote to memory of 3020 2976 048462.exe 37 PID 2976 wrote to memory of 3020 2976 048462.exe 37 PID 2976 wrote to memory of 3020 2976 048462.exe 37 PID 3020 wrote to memory of 2968 3020 642862.exe 38 PID 3020 wrote to 
memory of 2968 3020 642862.exe 38 PID 3020 wrote to memory of 2968 3020 642862.exe 38 PID 3020 wrote to memory of 2968 3020 642862.exe 38 PID 2968 wrote to memory of 2712 2968 ttbtbn.exe 39 PID 2968 wrote to memory of 2712 2968 ttbtbn.exe 39 PID 2968 wrote to memory of 2712 2968 ttbtbn.exe 39 PID 2968 wrote to memory of 2712 2968 ttbtbn.exe 39 PID 2712 wrote to memory of 2972 2712 tnbbnn.exe 40 PID 2712 wrote to memory of 2972 2712 tnbbnn.exe 40 PID 2712 wrote to memory of 2972 2712 tnbbnn.exe 40 PID 2712 wrote to memory of 2972 2712 tnbbnn.exe 40 PID 2972 wrote to memory of 1320 2972 vpjvd.exe 41 PID 2972 wrote to memory of 1320 2972 vpjvd.exe 41 PID 2972 wrote to memory of 1320 2972 vpjvd.exe 41 PID 2972 wrote to memory of 1320 2972 vpjvd.exe 41 PID 1320 wrote to memory of 3032 1320 jjdjj.exe 42 PID 1320 wrote to memory of 3032 1320 jjdjj.exe 42 PID 1320 wrote to memory of 3032 1320 jjdjj.exe 42 PID 1320 wrote to memory of 3032 1320 jjdjj.exe 42 PID 3032 wrote to memory of 1848 3032 0462806.exe 43 PID 3032 wrote to memory of 1848 3032 0462806.exe 43 PID 3032 wrote to memory of 1848 3032 0462806.exe 43 PID 3032 wrote to memory of 1848 3032 0462806.exe 43 PID 1848 wrote to memory of 3016 1848 xxxrxxf.exe 44 PID 1848 wrote to memory of 3016 1848 xxxrxxf.exe 44 PID 1848 wrote to memory of 3016 1848 xxxrxxf.exe 44 PID 1848 wrote to memory of 3016 1848 xxxrxxf.exe 44 PID 3016 wrote to memory of 1284 3016 26822.exe 45 PID 3016 wrote to memory of 1284 3016 26822.exe 45 PID 3016 wrote to memory of 1284 3016 26822.exe 45 PID 3016 wrote to memory of 1284 3016 26822.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe"C:\Users\Admin\AppData\Local\Temp\49b7cef8abda56250f94496f325b824586e33c58502fa7767511a21d5cf21d01.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\ppjvp.exec:\ppjvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\8404488.exec:\8404488.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\nnnhtt.exec:\nnnhtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\dpjjj.exec:\dpjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\htnbbh.exec:\htnbbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\20284.exec:\20284.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\048462.exec:\048462.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\642862.exec:\642862.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\ttbtbn.exec:\ttbtbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\tnbbnn.exec:\tnbbnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\vpjvd.exec:\vpjvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\jjdjj.exec:\jjdjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\0462806.exec:\0462806.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\xxxrxxf.exec:\xxxrxxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\26822.exec:\26822.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\0484664.exec:\0484664.exe17⤵
- Executes dropped EXE
PID:1284 -
\??\c:\htnhtn.exec:\htnhtn.exe18⤵
- Executes dropped EXE
PID:1296 -
\??\c:\xrflxxf.exec:\xrflxxf.exe19⤵
- Executes dropped EXE
PID:324 -
\??\c:\dvvdp.exec:\dvvdp.exe20⤵
- Executes dropped EXE
PID:2732 -
\??\c:\bnbbbb.exec:\bnbbbb.exe21⤵
- Executes dropped EXE
PID:2572 -
\??\c:\480408.exec:\480408.exe22⤵
- Executes dropped EXE
PID:2592 -
\??\c:\602806.exec:\602806.exe23⤵
- Executes dropped EXE
PID:2148 -
\??\c:\htbntt.exec:\htbntt.exe24⤵
- Executes dropped EXE
PID:1788 -
\??\c:\nnntbh.exec:\nnntbh.exe25⤵
- Executes dropped EXE
PID:1872 -
\??\c:\48280.exec:\48280.exe26⤵
- Executes dropped EXE
PID:820 -
\??\c:\bththn.exec:\bththn.exe27⤵
- Executes dropped EXE
PID:1768 -
\??\c:\pddjj.exec:\pddjj.exe28⤵
- Executes dropped EXE
PID:2128 -
\??\c:\tnnbth.exec:\tnnbth.exe29⤵
- Executes dropped EXE
PID:2216 -
\??\c:\200684.exec:\200684.exe30⤵
- Executes dropped EXE
PID:568 -
\??\c:\jdjjp.exec:\jdjjp.exe31⤵
- Executes dropped EXE
PID:1732 -
\??\c:\3jpdj.exec:\3jpdj.exe32⤵
- Executes dropped EXE
PID:888 -
\??\c:\bnhntb.exec:\bnhntb.exe33⤵
- Executes dropped EXE
PID:2644 -
\??\c:\48886.exec:\48886.exe34⤵
- Executes dropped EXE
PID:2396 -
\??\c:\jpddj.exec:\jpddj.exe35⤵
- Executes dropped EXE
PID:1736 -
\??\c:\e08022.exec:\e08022.exe36⤵
- Executes dropped EXE
PID:1904 -
\??\c:\3bhbbt.exec:\3bhbbt.exe37⤵
- Executes dropped EXE
PID:780 -
\??\c:\u206880.exec:\u206880.exe38⤵
- Executes dropped EXE
PID:2296 -
\??\c:\4206240.exec:\4206240.exe39⤵
- Executes dropped EXE
PID:2928 -
\??\c:\jvpjp.exec:\jvpjp.exe40⤵
- Executes dropped EXE
PID:2840 -
\??\c:\w04462.exec:\w04462.exe41⤵
- Executes dropped EXE
PID:2260 -
\??\c:\1bnbhn.exec:\1bnbhn.exe42⤵
- Executes dropped EXE
PID:2716 -
\??\c:\086682.exec:\086682.exe43⤵
- Executes dropped EXE
PID:2228 -
\??\c:\frfrxrx.exec:\frfrxrx.exe44⤵
- Executes dropped EXE
PID:2880 -
\??\c:\82002.exec:\82002.exe45⤵
- Executes dropped EXE
PID:1948 -
\??\c:\lxrlxxf.exec:\lxrlxxf.exe46⤵
- Executes dropped EXE
PID:2516 -
\??\c:\btntht.exec:\btntht.exe47⤵
- Executes dropped EXE
PID:844 -
\??\c:\0862446.exec:\0862446.exe48⤵
- Executes dropped EXE
PID:3048 -
\??\c:\6400662.exec:\6400662.exe49⤵
- Executes dropped EXE
PID:3032 -
\??\c:\04246.exec:\04246.exe50⤵
- Executes dropped EXE
PID:3064 -
\??\c:\s0228.exec:\s0228.exe51⤵
- Executes dropped EXE
PID:2588 -
\??\c:\xxrxflr.exec:\xxrxflr.exe52⤵
- Executes dropped EXE
PID:2028 -
\??\c:\82024.exec:\82024.exe53⤵
- Executes dropped EXE
PID:2372 -
\??\c:\bbbntb.exec:\bbbntb.exe54⤵
- Executes dropped EXE
PID:852 -
\??\c:\5jddd.exec:\5jddd.exe55⤵
- Executes dropped EXE
PID:1508 -
\??\c:\642622.exec:\642622.exe56⤵
- Executes dropped EXE
PID:2348 -
\??\c:\b00846.exec:\b00846.exe57⤵
- Executes dropped EXE
PID:3004 -
\??\c:\044688.exec:\044688.exe58⤵
- Executes dropped EXE
PID:1860 -
\??\c:\9rrrlfx.exec:\9rrrlfx.exe59⤵
- Executes dropped EXE
PID:1192 -
\??\c:\q86284.exec:\q86284.exe60⤵
- Executes dropped EXE
PID:2400 -
\??\c:\2084668.exec:\2084668.exe61⤵
- Executes dropped EXE
PID:2304 -
\??\c:\48682.exec:\48682.exe62⤵
- Executes dropped EXE
PID:2344 -
\??\c:\i446802.exec:\i446802.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2788 -
\??\c:\088424.exec:\088424.exe64⤵
- Executes dropped EXE
PID:2652 -
\??\c:\dppdp.exec:\dppdp.exe65⤵
- Executes dropped EXE
PID:1636 -
\??\c:\c422442.exec:\c422442.exe66⤵PID:2220
-
\??\c:\268288.exec:\268288.exe67⤵PID:2008
-
\??\c:\q44428.exec:\q44428.exe68⤵PID:2128
-
\??\c:\ppjpd.exec:\ppjpd.exe69⤵PID:2640
-
\??\c:\1tnnnh.exec:\1tnnnh.exe70⤵PID:2176
-
\??\c:\4860220.exec:\4860220.exe71⤵PID:2336
-
\??\c:\pjdpv.exec:\pjdpv.exe72⤵PID:2444
-
\??\c:\3flrxxl.exec:\3flrxxl.exe73⤵PID:2316
-
\??\c:\262880.exec:\262880.exe74⤵
- System Location Discovery: System Language Discovery
PID:1984 -
\??\c:\w86806.exec:\w86806.exe75⤵
- System Location Discovery: System Language Discovery
PID:2616 -
\??\c:\826628.exec:\826628.exe76⤵PID:2392
-
\??\c:\dvjpv.exec:\dvjpv.exe77⤵PID:2108
-
\??\c:\xrlrxxf.exec:\xrlrxxf.exe78⤵PID:320
-
\??\c:\jvppv.exec:\jvppv.exe79⤵PID:2296
-
\??\c:\80044.exec:\80044.exe80⤵PID:2824
-
\??\c:\bbnnnt.exec:\bbnnnt.exe81⤵PID:1156
-
\??\c:\c626666.exec:\c626666.exe82⤵PID:2924
-
\??\c:\dvpvd.exec:\dvpvd.exe83⤵PID:2828
-
\??\c:\6422844.exec:\6422844.exe84⤵PID:2884
-
\??\c:\7jdjj.exec:\7jdjj.exe85⤵PID:2764
-
\??\c:\1thttt.exec:\1thttt.exe86⤵PID:2860
-
\??\c:\7jddj.exec:\7jddj.exe87⤵PID:2712
-
\??\c:\0042006.exec:\0042006.exe88⤵PID:1280
-
\??\c:\406868.exec:\406868.exe89⤵PID:844
-
\??\c:\nhbhtb.exec:\nhbhtb.exe90⤵PID:2812
-
\??\c:\42402.exec:\42402.exe91⤵PID:1308
-
\??\c:\68404.exec:\68404.exe92⤵PID:996
-
\??\c:\bthnbt.exec:\bthnbt.exe93⤵PID:2360
-
\??\c:\08000.exec:\08000.exe94⤵PID:1900
-
\??\c:\xrllxxl.exec:\xrllxxl.exe95⤵PID:696
-
\??\c:\lfxlxfr.exec:\lfxlxfr.exe96⤵PID:2536
-
\??\c:\rrlrflr.exec:\rrlrflr.exe97⤵PID:2584
-
\??\c:\9jvvd.exec:\9jvvd.exe98⤵
- System Location Discovery: System Language Discovery
PID:2080 -
\??\c:\tntbnt.exec:\tntbnt.exe99⤵PID:2088
-
\??\c:\llxxllr.exec:\llxxllr.exe100⤵PID:1800
-
\??\c:\m6624.exec:\m6624.exe101⤵PID:1192
-
\??\c:\6468888.exec:\6468888.exe102⤵PID:1096
-
\??\c:\6428068.exec:\6428068.exe103⤵PID:2280
-
\??\c:\e48028.exec:\e48028.exe104⤵PID:2068
-
\??\c:\lrllfxl.exec:\lrllfxl.exe105⤵PID:684
-
\??\c:\ddpvj.exec:\ddpvj.exe106⤵PID:2020
-
\??\c:\k42844.exec:\k42844.exe107⤵PID:2652
-
\??\c:\7tbbbn.exec:\7tbbbn.exe108⤵PID:2160
-
\??\c:\pdvdd.exec:\pdvdd.exe109⤵PID:1260
-
\??\c:\48024.exec:\48024.exe110⤵PID:2244
-
\??\c:\646848.exec:\646848.exe111⤵PID:2232
-
\??\c:\20846.exec:\20846.exe112⤵PID:2300
-
\??\c:\82024.exec:\82024.exe113⤵PID:2404
-
\??\c:\fxlllrx.exec:\fxlllrx.exe114⤵PID:1240
-
\??\c:\ttbttt.exec:\ttbttt.exe115⤵PID:1600
-
\??\c:\3pvvj.exec:\3pvvj.exe116⤵PID:1908
-
\??\c:\btnntt.exec:\btnntt.exe117⤵PID:2616
-
\??\c:\088240.exec:\088240.exe118⤵PID:1952
-
\??\c:\5djjv.exec:\5djjv.exe119⤵PID:2108
-
\??\c:\3nthnt.exec:\3nthnt.exe120⤵PID:2928
-
\??\c:\7pdjv.exec:\7pdjv.exe121⤵PID:2956
-
\??\c:\ffxrfrx.exec:\ffxrfrx.exe122⤵PID:2840