Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 13:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe
-
Size
455KB
-
MD5
19858e53bb2f67a4326ddea5a5ae03c0
-
SHA1
45874ac39197b976e92803477f2954665bf4c6d1
-
SHA256
ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652
-
SHA512
253c0fd98ffcdc5dcb9ad5bdc797d03fb96a631fd6a95a32a54fbb8a88b609b3256c9e33440490d5be5c97a02d8e07bb275145409d2fae89245c9e63412b3177
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRl:q7Tc2NYHUrAwfMp3CDRl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 38 IoCs
resource yara_rule behavioral1/memory/1504-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1472-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2876-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-449-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2820-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2644-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1316-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-454-0x0000000000350000-0x000000000037A000-memory.dmp family_blackmoon behavioral1/memory/2728-467-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1704-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-478-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2240-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-1152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1316 ddpjp.exe 1472 pdjpv.exe 2492 a6880.exe 2780 vdvpp.exe 2816 828060.exe 2344 1rxxfll.exe 2980 42000.exe 2656 9bnhnn.exe 2852 20686.exe 2684 7pjvj.exe 1424 9rrfxlx.exe 2452 vjdvv.exe 768 5btbth.exe 2888 04628.exe 1092 202800.exe 1736 vdppv.exe 2868 nbnntb.exe 380 246404.exe 828 40428.exe 1976 64624.exe 3064 dvdjd.exe 2784 3nttbt.exe 2644 s4668.exe 2560 42822.exe 448 5rrrrxf.exe 1732 pjpdp.exe 1748 4462266.exe 1648 4262446.exe 1252 0806228.exe 288 8622288.exe 3056 bnbttt.exe 880 464460.exe 2036 20884.exe 1248 1ttnnn.exe 1616 608022.exe 1564 1tbhtt.exe 892 9djvp.exe 2504 42484.exe 2836 e64022.exe 2124 o060224.exe 2832 4048240.exe 2176 bttbnn.exe 2936 m4220.exe 2800 frffrrx.exe 2704 048022.exe 1144 lfflxfx.exe 2132 66624.exe 2876 00880.exe 2820 xxrffrr.exe 2920 rlxfrfx.exe 2956 1pjjj.exe 2880 pvpvj.exe 1512 xlxxffl.exe 1148 pvpjj.exe 540 jdvvd.exe 3040 9thhnt.exe 1988 3xrxlrf.exe 2284 g8202.exe 2584 nhnnbb.exe 2168 64280.exe 2728 7jdjp.exe 1704 bbthbh.exe 1748 042800.exe 1772 4480280.exe -
resource yara_rule behavioral1/memory/1504-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-140-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/768-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1316-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-467-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1704-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/472-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-811-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2232-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-935-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-960-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-998-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-1011-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-1139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2804-1152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-1225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-1287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2308-1300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-1349-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 426066.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0848888.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e04622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 882206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i062440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6422846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c204006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1504 wrote to memory of 1316 1504 ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe 30 PID 1504 wrote to memory of 1316 1504 ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe 30 PID 1504 wrote to memory of 1316 1504 ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe 30 PID 1504 wrote to memory of 1316 1504 ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe 30 PID 1316 wrote to memory of 1472 1316 ddpjp.exe 31 PID 1316 wrote to memory of 1472 1316 ddpjp.exe 31 PID 1316 wrote to memory of 1472 1316 ddpjp.exe 31 PID 1316 wrote to memory of 1472 1316 ddpjp.exe 31 PID 1472 wrote to memory of 2492 1472 pdjpv.exe 32 PID 1472 wrote to memory of 2492 1472 pdjpv.exe 32 PID 1472 wrote to memory of 2492 1472 pdjpv.exe 32 PID 1472 wrote to memory of 2492 1472 pdjpv.exe 32 PID 2492 wrote to memory of 2780 2492 a6880.exe 33 PID 2492 wrote to memory of 2780 2492 a6880.exe 33 PID 2492 wrote to memory of 2780 2492 a6880.exe 33 PID 2492 wrote to memory of 2780 2492 a6880.exe 33 PID 2780 wrote to memory of 2816 2780 vdvpp.exe 34 PID 2780 wrote to memory of 2816 2780 vdvpp.exe 34 PID 2780 wrote to memory of 2816 2780 vdvpp.exe 34 PID 2780 wrote to memory of 2816 2780 vdvpp.exe 34 PID 2816 wrote to memory of 2344 2816 828060.exe 35 PID 2816 wrote to memory of 2344 2816 828060.exe 35 PID 2816 wrote to memory of 2344 2816 828060.exe 35 PID 2816 wrote to memory of 2344 2816 828060.exe 35 PID 2344 wrote to memory of 2980 2344 1rxxfll.exe 36 PID 2344 wrote to memory of 2980 2344 1rxxfll.exe 36 PID 2344 wrote to memory of 2980 2344 1rxxfll.exe 36 PID 2344 wrote to memory of 2980 2344 1rxxfll.exe 36 PID 2980 wrote to memory of 2656 2980 42000.exe 37 PID 2980 wrote to memory of 2656 2980 42000.exe 37 PID 2980 wrote to memory of 2656 2980 42000.exe 37 PID 2980 wrote to memory of 2656 2980 42000.exe 37 PID 2656 wrote to memory of 2852 2656 9bnhnn.exe 38 PID 2656 wrote to memory 
of 2852 2656 9bnhnn.exe 38 PID 2656 wrote to memory of 2852 2656 9bnhnn.exe 38 PID 2656 wrote to memory of 2852 2656 9bnhnn.exe 38 PID 2852 wrote to memory of 2684 2852 20686.exe 39 PID 2852 wrote to memory of 2684 2852 20686.exe 39 PID 2852 wrote to memory of 2684 2852 20686.exe 39 PID 2852 wrote to memory of 2684 2852 20686.exe 39 PID 2684 wrote to memory of 1424 2684 7pjvj.exe 40 PID 2684 wrote to memory of 1424 2684 7pjvj.exe 40 PID 2684 wrote to memory of 1424 2684 7pjvj.exe 40 PID 2684 wrote to memory of 1424 2684 7pjvj.exe 40 PID 1424 wrote to memory of 2452 1424 9rrfxlx.exe 41 PID 1424 wrote to memory of 2452 1424 9rrfxlx.exe 41 PID 1424 wrote to memory of 2452 1424 9rrfxlx.exe 41 PID 1424 wrote to memory of 2452 1424 9rrfxlx.exe 41 PID 2452 wrote to memory of 768 2452 vjdvv.exe 42 PID 2452 wrote to memory of 768 2452 vjdvv.exe 42 PID 2452 wrote to memory of 768 2452 vjdvv.exe 42 PID 2452 wrote to memory of 768 2452 vjdvv.exe 42 PID 768 wrote to memory of 2888 768 5btbth.exe 43 PID 768 wrote to memory of 2888 768 5btbth.exe 43 PID 768 wrote to memory of 2888 768 5btbth.exe 43 PID 768 wrote to memory of 2888 768 5btbth.exe 43 PID 2888 wrote to memory of 1092 2888 04628.exe 44 PID 2888 wrote to memory of 1092 2888 04628.exe 44 PID 2888 wrote to memory of 1092 2888 04628.exe 44 PID 2888 wrote to memory of 1092 2888 04628.exe 44 PID 1092 wrote to memory of 1736 1092 202800.exe 45 PID 1092 wrote to memory of 1736 1092 202800.exe 45 PID 1092 wrote to memory of 1736 1092 202800.exe 45 PID 1092 wrote to memory of 1736 1092 202800.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe"C:\Users\Admin\AppData\Local\Temp\ddce372b2a33d0c82bbdafd4dcf8925459702be280f2f8c64bd7090ca4324652N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\ddpjp.exec:\ddpjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\pdjpv.exec:\pdjpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\a6880.exec:\a6880.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\vdvpp.exec:\vdvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\828060.exec:\828060.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\1rxxfll.exec:\1rxxfll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\42000.exec:\42000.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\9bnhnn.exec:\9bnhnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\20686.exec:\20686.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\7pjvj.exec:\7pjvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\9rrfxlx.exec:\9rrfxlx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\vjdvv.exec:\vjdvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\5btbth.exec:\5btbth.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:768 -
\??\c:\04628.exec:\04628.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\202800.exec:\202800.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\vdppv.exec:\vdppv.exe17⤵
- Executes dropped EXE
PID:1736 -
\??\c:\nbnntb.exec:\nbnntb.exe18⤵
- Executes dropped EXE
PID:2868 -
\??\c:\246404.exec:\246404.exe19⤵
- Executes dropped EXE
PID:380 -
\??\c:\40428.exec:\40428.exe20⤵
- Executes dropped EXE
PID:828 -
\??\c:\64624.exec:\64624.exe21⤵
- Executes dropped EXE
PID:1976 -
\??\c:\dvdjd.exec:\dvdjd.exe22⤵
- Executes dropped EXE
PID:3064 -
\??\c:\3nttbt.exec:\3nttbt.exe23⤵
- Executes dropped EXE
PID:2784 -
\??\c:\s4668.exec:\s4668.exe24⤵
- Executes dropped EXE
PID:2644 -
\??\c:\42822.exec:\42822.exe25⤵
- Executes dropped EXE
PID:2560 -
\??\c:\5rrrrxf.exec:\5rrrrxf.exe26⤵
- Executes dropped EXE
PID:448 -
\??\c:\pjpdp.exec:\pjpdp.exe27⤵
- Executes dropped EXE
PID:1732 -
\??\c:\4462266.exec:\4462266.exe28⤵
- Executes dropped EXE
PID:1748 -
\??\c:\4262446.exec:\4262446.exe29⤵
- Executes dropped EXE
PID:1648 -
\??\c:\0806228.exec:\0806228.exe30⤵
- Executes dropped EXE
PID:1252 -
\??\c:\8622288.exec:\8622288.exe31⤵
- Executes dropped EXE
PID:288 -
\??\c:\bnbttt.exec:\bnbttt.exe32⤵
- Executes dropped EXE
PID:3056 -
\??\c:\464460.exec:\464460.exe33⤵
- Executes dropped EXE
PID:880 -
\??\c:\20884.exec:\20884.exe34⤵
- Executes dropped EXE
PID:2036 -
\??\c:\1ttnnn.exec:\1ttnnn.exe35⤵
- Executes dropped EXE
PID:1248 -
\??\c:\608022.exec:\608022.exe36⤵
- Executes dropped EXE
PID:1616 -
\??\c:\1tbhtt.exec:\1tbhtt.exe37⤵
- Executes dropped EXE
PID:1564 -
\??\c:\9djvp.exec:\9djvp.exe38⤵
- Executes dropped EXE
PID:892 -
\??\c:\42484.exec:\42484.exe39⤵
- Executes dropped EXE
PID:2504 -
\??\c:\e64022.exec:\e64022.exe40⤵
- Executes dropped EXE
PID:2836 -
\??\c:\o060224.exec:\o060224.exe41⤵
- Executes dropped EXE
PID:2124 -
\??\c:\4048240.exec:\4048240.exe42⤵
- Executes dropped EXE
PID:2832 -
\??\c:\bttbnn.exec:\bttbnn.exe43⤵
- Executes dropped EXE
PID:2176 -
\??\c:\m4220.exec:\m4220.exe44⤵
- Executes dropped EXE
PID:2936 -
\??\c:\frffrrx.exec:\frffrrx.exe45⤵
- Executes dropped EXE
PID:2800 -
\??\c:\048022.exec:\048022.exe46⤵
- Executes dropped EXE
PID:2704 -
\??\c:\lfflxfx.exec:\lfflxfx.exe47⤵
- Executes dropped EXE
PID:1144 -
\??\c:\66624.exec:\66624.exe48⤵
- Executes dropped EXE
PID:2132 -
\??\c:\00880.exec:\00880.exe49⤵
- Executes dropped EXE
PID:2876 -
\??\c:\xxrffrr.exec:\xxrffrr.exe50⤵
- Executes dropped EXE
PID:2820 -
\??\c:\rlxfrfx.exec:\rlxfrfx.exe51⤵
- Executes dropped EXE
PID:2920 -
\??\c:\1pjjj.exec:\1pjjj.exe52⤵
- Executes dropped EXE
PID:2956 -
\??\c:\pvpvj.exec:\pvpvj.exe53⤵
- Executes dropped EXE
PID:2880 -
\??\c:\xlxxffl.exec:\xlxxffl.exe54⤵
- Executes dropped EXE
PID:1512 -
\??\c:\pvpjj.exec:\pvpjj.exe55⤵
- Executes dropped EXE
PID:1148 -
\??\c:\jdvvd.exec:\jdvvd.exe56⤵
- Executes dropped EXE
PID:540 -
\??\c:\9thhnt.exec:\9thhnt.exe57⤵
- Executes dropped EXE
PID:3040 -
\??\c:\3xrxlrf.exec:\3xrxlrf.exe58⤵
- Executes dropped EXE
PID:1988 -
\??\c:\g8202.exec:\g8202.exe59⤵
- Executes dropped EXE
PID:2284 -
\??\c:\nhnnbb.exec:\nhnnbb.exe60⤵
- Executes dropped EXE
PID:2584 -
\??\c:\64280.exec:\64280.exe61⤵
- Executes dropped EXE
PID:2168 -
\??\c:\7jdjp.exec:\7jdjp.exe62⤵
- Executes dropped EXE
PID:2728 -
\??\c:\bbthbh.exec:\bbthbh.exe63⤵
- Executes dropped EXE
PID:1704 -
\??\c:\042800.exec:\042800.exe64⤵
- Executes dropped EXE
PID:1748 -
\??\c:\4480280.exec:\4480280.exe65⤵
- Executes dropped EXE
PID:1772 -
\??\c:\26464.exec:\26464.exe66⤵PID:1560
-
\??\c:\882884.exec:\882884.exe67⤵PID:1040
-
\??\c:\s4284.exec:\s4284.exe68⤵PID:1520
-
\??\c:\426284.exec:\426284.exe69⤵PID:2288
-
\??\c:\048462.exec:\048462.exe70⤵PID:1932
-
\??\c:\3jvdj.exec:\3jvdj.exe71⤵PID:2192
-
\??\c:\60802.exec:\60802.exe72⤵PID:1916
-
\??\c:\48280.exec:\48280.exe73⤵PID:1196
-
\??\c:\m2080.exec:\m2080.exe74⤵PID:1488
-
\??\c:\jppvj.exec:\jppvj.exe75⤵PID:2124
-
\??\c:\7ththn.exec:\7ththn.exe76⤵PID:1716
-
\??\c:\ddvdp.exec:\ddvdp.exe77⤵PID:2440
-
\??\c:\fxrfffr.exec:\fxrfffr.exe78⤵PID:2796
-
\??\c:\864466.exec:\864466.exe79⤵PID:2992
-
\??\c:\8644000.exec:\8644000.exe80⤵PID:2816
-
\??\c:\3hbbbt.exec:\3hbbbt.exe81⤵PID:2556
-
\??\c:\3bnbnn.exec:\3bnbnn.exe82⤵PID:3060
-
\??\c:\ffxfrlx.exec:\ffxfrlx.exe83⤵PID:1876
-
\??\c:\llffrrl.exec:\llffrrl.exe84⤵PID:3044
-
\??\c:\pddjp.exec:\pddjp.exe85⤵PID:676
-
\??\c:\k08604.exec:\k08604.exe86⤵PID:2576
-
\??\c:\04846.exec:\04846.exe87⤵PID:2692
-
\??\c:\i062440.exec:\i062440.exe88⤵
- System Location Discovery: System Language Discovery
PID:2452 -
\??\c:\lxllrff.exec:\lxllrff.exe89⤵PID:2824
-
\??\c:\vpvdj.exec:\vpvdj.exe90⤵PID:2748
-
\??\c:\dpddj.exec:\dpddj.exe91⤵PID:2476
-
\??\c:\q68400.exec:\q68400.exe92⤵PID:1864
-
\??\c:\4222844.exec:\4222844.exe93⤵PID:2808
-
\??\c:\k66244.exec:\k66244.exe94⤵PID:656
-
\??\c:\djdvp.exec:\djdvp.exe95⤵PID:264
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe96⤵PID:3028
-
\??\c:\60842.exec:\60842.exe97⤵PID:2312
-
\??\c:\2262002.exec:\2262002.exe98⤵PID:1992
-
\??\c:\822862.exec:\822862.exe99⤵PID:1724
-
\??\c:\826828.exec:\826828.exe100⤵PID:1944
-
\??\c:\6044002.exec:\6044002.exe101⤵PID:2284
-
\??\c:\4862840.exec:\4862840.exe102⤵PID:2764
-
\??\c:\hbthnt.exec:\hbthnt.exe103⤵PID:1928
-
\??\c:\nhbhtb.exec:\nhbhtb.exe104⤵PID:472
-
\??\c:\2206280.exec:\2206280.exe105⤵PID:2080
-
\??\c:\bbbntt.exec:\bbbntt.exe106⤵PID:2040
-
\??\c:\hbbhbb.exec:\hbbhbb.exe107⤵PID:2512
-
\??\c:\7xllrrx.exec:\7xllrrx.exe108⤵PID:2400
-
\??\c:\266288.exec:\266288.exe109⤵PID:2524
-
\??\c:\o084220.exec:\o084220.exe110⤵PID:900
-
\??\c:\2666480.exec:\2666480.exe111⤵PID:2240
-
\??\c:\8262884.exec:\8262884.exe112⤵PID:2532
-
\??\c:\6440880.exec:\6440880.exe113⤵PID:1156
-
\??\c:\hbtntb.exec:\hbtntb.exe114⤵PID:3024
-
\??\c:\jdvvd.exec:\jdvvd.exe115⤵PID:2016
-
\??\c:\lfxlrxl.exec:\lfxlrxl.exe116⤵PID:1036
-
\??\c:\82624.exec:\82624.exe117⤵PID:2504
-
\??\c:\s6020.exec:\s6020.exe118⤵PID:2932
-
\??\c:\2666006.exec:\2666006.exe119⤵PID:1472
-
\??\c:\2608464.exec:\2608464.exe120⤵PID:2028
-
\??\c:\fxrrrlx.exec:\fxrrrlx.exe121⤵PID:2832
-
\??\c:\5llflrf.exec:\5llflrf.exe122⤵PID:1548