Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe
-
Size
453KB
-
MD5
c37686cf8d9cb5649bcb1c2b38416c61
-
SHA1
a8c7d8c3dd6585ec47265f95da1c57bcd294b30a
-
SHA256
994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9
-
SHA512
991db6eded496e924a2d209b4b4630409f56d3144bb1daa749c66ec54e52bf15f1c69b3e8dfa52ae8559479ae231823a8bef884a5e18c4e4b3319ded3db55bde
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeQ:q7Tc2NYHUrAwfMp3CDQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2744-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2180-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/660-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/324-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2948-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1476-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/944-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-417-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1636-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/888-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2864-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-602-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2592-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-618-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2232-638-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2376-690-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2788-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1272-752-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-766-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2896-876-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2572-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1748-923-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1556-936-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1560-944-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1696-1109-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2744 6406840.exe 2064 ffrfrrf.exe 2764 8006826.exe 2844 4026624.exe 2676 5tttnn.exe 2580 4828422.exe 2848 8880068.exe 2620 1vjpv.exe 2236 pdddp.exe 1224 vpvvd.exe 1476 48626.exe 572 00024.exe 1600 04248.exe 2616 882468.exe 2948 ddvdp.exe 316 7dvjp.exe 296 rxxxflr.exe 660 u046280.exe 2136 bbtthh.exe 2408 82420.exe 2148 4240628.exe 2520 i662448.exe 1284 2040280.exe 1784 xxrrffr.exe 2900 22028.exe 1944 204086.exe 3036 7thnht.exe 2240 5rrfrfl.exe 1244 8266840.exe 888 0620402.exe 604 2646446.exe 324 dvpdj.exe 2040 w26840.exe 1576 3nbbhn.exe 1044 rlflxxx.exe 2716 hbnntb.exe 2436 4824280.exe 2772 04242.exe 2844 1nntnh.exe 2956 4884624.exe 2920 nnnbbn.exe 2556 042488.exe 944 62266.exe 2620 5pvdv.exe 2236 tntbnt.exe 2796 82406.exe 1384 480468.exe 572 6046060.exe 868 6462408.exe 2616 xrflxxl.exe 2540 26468.exe 1664 446246.exe 2804 5fflxxl.exe 1916 s2246.exe 2056 c606880.exe 2100 q66684.exe 1996 860288.exe 908 9btttt.exe 2356 bnbbnn.exe 1304 0422266.exe 2096 jdvvd.exe 1636 jvppp.exe 1092 6220406.exe 1300 jvpvj.exe -
resource yara_rule behavioral1/memory/2744-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/660-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/324-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2796-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/908-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-602-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2592-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-618-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2808-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1272-752-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-877-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-891-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-930-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-945-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/628-960-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1432-1038-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3060-1045-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-1076-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/788-1083-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k04622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q64882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w26840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08228.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0428680.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0406044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 000646.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnntnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e86866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8862868.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlrlrl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 2744 2180 994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe 30 PID 2180 wrote to memory of 2744 2180 994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe 30 PID 2180 wrote to memory of 2744 2180 994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe 30 PID 2180 wrote to memory of 2744 2180 994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe 30 PID 2744 wrote to memory of 2064 2744 6406840.exe 31 PID 2744 wrote to memory of 2064 2744 6406840.exe 31 PID 2744 wrote to memory of 2064 2744 6406840.exe 31 PID 2744 wrote to memory of 2064 2744 6406840.exe 31 PID 2064 wrote to memory of 2764 2064 ffrfrrf.exe 32 PID 2064 wrote to memory of 2764 2064 ffrfrrf.exe 32 PID 2064 wrote to memory of 2764 2064 ffrfrrf.exe 32 PID 2064 wrote to memory of 2764 2064 ffrfrrf.exe 32 PID 2764 wrote to memory of 2844 2764 8006826.exe 68 PID 2764 wrote to memory of 2844 2764 8006826.exe 68 PID 2764 wrote to memory of 2844 2764 8006826.exe 68 PID 2764 wrote to memory of 2844 2764 8006826.exe 68 PID 2844 wrote to memory of 2676 2844 4026624.exe 34 PID 2844 wrote to memory of 2676 2844 4026624.exe 34 PID 2844 wrote to memory of 2676 2844 4026624.exe 34 PID 2844 wrote to memory of 2676 2844 4026624.exe 34 PID 2676 wrote to memory of 2580 2676 5tttnn.exe 35 PID 2676 wrote to memory of 2580 2676 5tttnn.exe 35 PID 2676 wrote to memory of 2580 2676 5tttnn.exe 35 PID 2676 wrote to memory of 2580 2676 5tttnn.exe 35 PID 2580 wrote to memory of 2848 2580 4828422.exe 36 PID 2580 wrote to memory of 2848 2580 4828422.exe 36 PID 2580 wrote to memory of 2848 2580 4828422.exe 36 PID 2580 wrote to memory of 2848 2580 4828422.exe 36 PID 2848 wrote to memory of 2620 2848 8880068.exe 37 PID 2848 wrote to memory of 2620 2848 8880068.exe 37 PID 2848 wrote to memory of 2620 2848 8880068.exe 37 PID 2848 wrote to memory of 2620 2848 8880068.exe 37 PID 2620 wrote to memory of 2236 2620 
1vjpv.exe 38 PID 2620 wrote to memory of 2236 2620 1vjpv.exe 38 PID 2620 wrote to memory of 2236 2620 1vjpv.exe 38 PID 2620 wrote to memory of 2236 2620 1vjpv.exe 38 PID 2236 wrote to memory of 1224 2236 pdddp.exe 39 PID 2236 wrote to memory of 1224 2236 pdddp.exe 39 PID 2236 wrote to memory of 1224 2236 pdddp.exe 39 PID 2236 wrote to memory of 1224 2236 pdddp.exe 39 PID 1224 wrote to memory of 1476 1224 vpvvd.exe 40 PID 1224 wrote to memory of 1476 1224 vpvvd.exe 40 PID 1224 wrote to memory of 1476 1224 vpvvd.exe 40 PID 1224 wrote to memory of 1476 1224 vpvvd.exe 40 PID 1476 wrote to memory of 572 1476 48626.exe 41 PID 1476 wrote to memory of 572 1476 48626.exe 41 PID 1476 wrote to memory of 572 1476 48626.exe 41 PID 1476 wrote to memory of 572 1476 48626.exe 41 PID 572 wrote to memory of 1600 572 00024.exe 42 PID 572 wrote to memory of 1600 572 00024.exe 42 PID 572 wrote to memory of 1600 572 00024.exe 42 PID 572 wrote to memory of 1600 572 00024.exe 42 PID 1600 wrote to memory of 2616 1600 04248.exe 43 PID 1600 wrote to memory of 2616 1600 04248.exe 43 PID 1600 wrote to memory of 2616 1600 04248.exe 43 PID 1600 wrote to memory of 2616 1600 04248.exe 43 PID 2616 wrote to memory of 2948 2616 882468.exe 44 PID 2616 wrote to memory of 2948 2616 882468.exe 44 PID 2616 wrote to memory of 2948 2616 882468.exe 44 PID 2616 wrote to memory of 2948 2616 882468.exe 44 PID 2948 wrote to memory of 316 2948 ddvdp.exe 45 PID 2948 wrote to memory of 316 2948 ddvdp.exe 45 PID 2948 wrote to memory of 316 2948 ddvdp.exe 45 PID 2948 wrote to memory of 316 2948 ddvdp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe"C:\Users\Admin\AppData\Local\Temp\994321ef7f5fb54717f617137a8c9a70ac4f7e84e3e7ce33c2abe0d5c98657f9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\6406840.exec:\6406840.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\ffrfrrf.exec:\ffrfrrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\8006826.exec:\8006826.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\4026624.exec:\4026624.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\5tttnn.exec:\5tttnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\4828422.exec:\4828422.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\8880068.exec:\8880068.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\1vjpv.exec:\1vjpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\pdddp.exec:\pdddp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\vpvvd.exec:\vpvvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\48626.exec:\48626.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\00024.exec:\00024.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\04248.exec:\04248.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\882468.exec:\882468.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\ddvdp.exec:\ddvdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\7dvjp.exec:\7dvjp.exe17⤵
- Executes dropped EXE
PID:316 -
\??\c:\rxxxflr.exec:\rxxxflr.exe18⤵
- Executes dropped EXE
PID:296 -
\??\c:\u046280.exec:\u046280.exe19⤵
- Executes dropped EXE
PID:660 -
\??\c:\bbtthh.exec:\bbtthh.exe20⤵
- Executes dropped EXE
PID:2136 -
\??\c:\82420.exec:\82420.exe21⤵
- Executes dropped EXE
PID:2408 -
\??\c:\4240628.exec:\4240628.exe22⤵
- Executes dropped EXE
PID:2148 -
\??\c:\i662448.exec:\i662448.exe23⤵
- Executes dropped EXE
PID:2520 -
\??\c:\2040280.exec:\2040280.exe24⤵
- Executes dropped EXE
PID:1284 -
\??\c:\xxrrffr.exec:\xxrrffr.exe25⤵
- Executes dropped EXE
PID:1784 -
\??\c:\22028.exec:\22028.exe26⤵
- Executes dropped EXE
PID:2900 -
\??\c:\204086.exec:\204086.exe27⤵
- Executes dropped EXE
PID:1944 -
\??\c:\7thnht.exec:\7thnht.exe28⤵
- Executes dropped EXE
PID:3036 -
\??\c:\5rrfrfl.exec:\5rrfrfl.exe29⤵
- Executes dropped EXE
PID:2240 -
\??\c:\8266840.exec:\8266840.exe30⤵
- Executes dropped EXE
PID:1244 -
\??\c:\0620402.exec:\0620402.exe31⤵
- Executes dropped EXE
PID:888 -
\??\c:\2646446.exec:\2646446.exe32⤵
- Executes dropped EXE
PID:604 -
\??\c:\dvpdj.exec:\dvpdj.exe33⤵
- Executes dropped EXE
PID:324 -
\??\c:\w26840.exec:\w26840.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2040 -
\??\c:\3nbbhn.exec:\3nbbhn.exe35⤵
- Executes dropped EXE
PID:1576 -
\??\c:\rlflxxx.exec:\rlflxxx.exe36⤵
- Executes dropped EXE
PID:1044 -
\??\c:\hbnntb.exec:\hbnntb.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2716 -
\??\c:\4824280.exec:\4824280.exe38⤵
- Executes dropped EXE
PID:2436 -
\??\c:\04242.exec:\04242.exe39⤵
- Executes dropped EXE
PID:2772 -
\??\c:\1nntnh.exec:\1nntnh.exe40⤵
- Executes dropped EXE
PID:2844 -
\??\c:\4884624.exec:\4884624.exe41⤵
- Executes dropped EXE
PID:2956 -
\??\c:\nnnbbn.exec:\nnnbbn.exe42⤵
- Executes dropped EXE
PID:2920 -
\??\c:\042488.exec:\042488.exe43⤵
- Executes dropped EXE
PID:2556 -
\??\c:\62266.exec:\62266.exe44⤵
- Executes dropped EXE
PID:944 -
\??\c:\5pvdv.exec:\5pvdv.exe45⤵
- Executes dropped EXE
PID:2620 -
\??\c:\tntbnt.exec:\tntbnt.exe46⤵
- Executes dropped EXE
PID:2236 -
\??\c:\82406.exec:\82406.exe47⤵
- Executes dropped EXE
PID:2796 -
\??\c:\480468.exec:\480468.exe48⤵
- Executes dropped EXE
PID:1384 -
\??\c:\6046060.exec:\6046060.exe49⤵
- Executes dropped EXE
PID:572 -
\??\c:\6462408.exec:\6462408.exe50⤵
- Executes dropped EXE
PID:868 -
\??\c:\xrflxxl.exec:\xrflxxl.exe51⤵
- Executes dropped EXE
PID:2616 -
\??\c:\26468.exec:\26468.exe52⤵
- Executes dropped EXE
PID:2540 -
\??\c:\446246.exec:\446246.exe53⤵
- Executes dropped EXE
PID:1664 -
\??\c:\5fflxxl.exec:\5fflxxl.exe54⤵
- Executes dropped EXE
PID:2804 -
\??\c:\s2246.exec:\s2246.exe55⤵
- Executes dropped EXE
PID:1916 -
\??\c:\c606880.exec:\c606880.exe56⤵
- Executes dropped EXE
PID:2056 -
\??\c:\q66684.exec:\q66684.exe57⤵
- Executes dropped EXE
PID:2100 -
\??\c:\860288.exec:\860288.exe58⤵
- Executes dropped EXE
PID:1996 -
\??\c:\9btttt.exec:\9btttt.exe59⤵
- Executes dropped EXE
PID:908 -
\??\c:\bnbbnn.exec:\bnbbnn.exe60⤵
- Executes dropped EXE
PID:2356 -
\??\c:\0422266.exec:\0422266.exe61⤵
- Executes dropped EXE
PID:1304 -
\??\c:\jdvvd.exec:\jdvvd.exe62⤵
- Executes dropped EXE
PID:2096 -
\??\c:\jvppp.exec:\jvppp.exe63⤵
- Executes dropped EXE
PID:1636 -
\??\c:\6220406.exec:\6220406.exe64⤵
- Executes dropped EXE
PID:1092 -
\??\c:\jvpvj.exec:\jvpvj.exe65⤵
- Executes dropped EXE
PID:1300 -
\??\c:\3thhhh.exec:\3thhhh.exe66⤵PID:1624
-
\??\c:\btnntb.exec:\btnntb.exe67⤵PID:1104
-
\??\c:\k02242.exec:\k02242.exe68⤵PID:2156
-
\??\c:\4806224.exec:\4806224.exe69⤵PID:2316
-
\??\c:\7xllxfr.exec:\7xllxfr.exe70⤵PID:1260
-
\??\c:\66468.exec:\66468.exe71⤵PID:888
-
\??\c:\8240600.exec:\8240600.exe72⤵PID:788
-
\??\c:\w86622.exec:\w86622.exe73⤵PID:1336
-
\??\c:\4420662.exec:\4420662.exe74⤵PID:2348
-
\??\c:\3rfrxff.exec:\3rfrxff.exe75⤵PID:2180
-
\??\c:\2684668.exec:\2684668.exe76⤵PID:1952
-
\??\c:\66684.exec:\66684.exe77⤵PID:2980
-
\??\c:\4046828.exec:\4046828.exe78⤵PID:2064
-
\??\c:\8264282.exec:\8264282.exe79⤵PID:2336
-
\??\c:\3httbb.exec:\3httbb.exe80⤵PID:2200
-
\??\c:\pjpdj.exec:\pjpdj.exe81⤵PID:2864
-
\??\c:\e42866.exec:\e42866.exe82⤵PID:2592
-
\??\c:\1dppv.exec:\1dppv.exe83⤵PID:2684
-
\??\c:\lllxrxl.exec:\lllxrxl.exe84⤵PID:2392
-
\??\c:\rrlxlfr.exec:\rrlxlfr.exe85⤵PID:2992
-
\??\c:\40868.exec:\40868.exe86⤵PID:2632
-
\??\c:\jdvpv.exec:\jdvpv.exe87⤵
- System Location Discovery: System Language Discovery
PID:2232 -
\??\c:\xfxrrxr.exec:\xfxrrxr.exe88⤵PID:1468
-
\??\c:\q60628.exec:\q60628.exe89⤵PID:2808
-
\??\c:\862680.exec:\862680.exe90⤵PID:556
-
\??\c:\4202824.exec:\4202824.exe91⤵PID:2576
-
\??\c:\26446.exec:\26446.exe92⤵PID:2976
-
\??\c:\20468.exec:\20468.exe93⤵PID:1976
-
\??\c:\2606446.exec:\2606446.exe94⤵PID:2940
-
\??\c:\260066.exec:\260066.exe95⤵PID:2376
-
\??\c:\w04444.exec:\w04444.exe96⤵PID:2788
-
\??\c:\fxxfrxf.exec:\fxxfrxf.exe97⤵PID:1668
-
\??\c:\4822464.exec:\4822464.exe98⤵PID:2928
-
\??\c:\vpjpv.exec:\vpjpv.exe99⤵PID:2312
-
\??\c:\hbhnbh.exec:\hbhnbh.exe100⤵PID:2408
-
\??\c:\642042.exec:\642042.exe101⤵PID:1088
-
\??\c:\7htbnh.exec:\7htbnh.exe102⤵PID:2148
-
\??\c:\86662.exec:\86662.exe103⤵PID:568
-
\??\c:\u420802.exec:\u420802.exe104⤵PID:1272
-
\??\c:\k60460.exec:\k60460.exe105⤵PID:1344
-
\??\c:\8262442.exec:\8262442.exe106⤵PID:1092
-
\??\c:\604600.exec:\604600.exe107⤵PID:1564
-
\??\c:\g0242.exec:\g0242.exe108⤵PID:2248
-
\??\c:\6462240.exec:\6462240.exe109⤵PID:1652
-
\??\c:\fffrxfx.exec:\fffrxfx.exe110⤵PID:752
-
\??\c:\lfxfrrf.exec:\lfxfrrf.exe111⤵PID:1244
-
\??\c:\644084.exec:\644084.exe112⤵PID:3048
-
\??\c:\08228.exec:\08228.exe113⤵
- System Location Discovery: System Language Discovery
PID:604 -
\??\c:\nhhhbb.exec:\nhhhbb.exe114⤵PID:1020
-
\??\c:\6484006.exec:\6484006.exe115⤵PID:324
-
\??\c:\rlrxllr.exec:\rlrxllr.exe116⤵PID:1332
-
\??\c:\vjjvv.exec:\vjjvv.exe117⤵PID:1696
-
\??\c:\rrrfffr.exec:\rrrfffr.exe118⤵PID:2144
-
\??\c:\vvvjj.exec:\vvvjj.exe119⤵PID:1952
-
\??\c:\88246.exec:\88246.exe120⤵PID:1876
-
\??\c:\vvpdp.exec:\vvpdp.exe121⤵PID:2832
-
\??\c:\pjvpv.exec:\pjvpv.exe122⤵PID:2468