Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe
-
Size
454KB
-
MD5
75aa1d13efe8ce777c478382731b8c5f
-
SHA1
8d7bf8d1a58dcb7af52d27ec1b1464148130efe2
-
SHA256
672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58
-
SHA512
5230fa37af838d002b7471a5443b8a12bcd1c573f98e28f4a3983017498aa42468bf3a14f4955822445faa6d274ab4b1ac98514397e7758779ac35413aa31c59
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeG:q7Tc2NYHUrAwfMp3CDG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 45 IoCs
resource yara_rule behavioral1/memory/1980-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-35-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2560-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-54-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2864-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-75-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3048-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2308-99-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1492-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-137-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2176-146-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1648-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2272-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/272-199-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/1664-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/596-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/916-250-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/916-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1644-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-495-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1776-542-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1652-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2528-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-692-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2684-749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-1074-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2788 dvvdj.exe 2160 208088.exe 2364 1tbbbh.exe 2560 lxfxxxf.exe 2856 426648.exe 2864 s0604.exe 3048 lxxxxxx.exe 2760 8802884.exe 2768 pvvpd.exe 2308 8266408.exe 3020 2200286.exe 1492 nhtttt.exe 568 lfrrrxf.exe 2912 nthhnn.exe 2176 k46682.exe 1648 208466.exe 2272 3jpdj.exe 2408 bthhnh.exe 2672 6466884.exe 272 ffrxxxl.exe 596 u666824.exe 1664 xxllxxf.exe 1764 48680.exe 1536 lxflrrr.exe 316 ththnn.exe 916 e80622.exe 1716 dvjvj.exe 552 2684068.exe 2616 1jppp.exe 1644 pvdpp.exe 2200 a2402.exe 2528 486282.exe 2888 xllrfxf.exe 2516 tnhnnh.exe 1708 vvdvj.exe 2956 bthhhh.exe 2964 3rfxffl.exe 2836 bthnbh.exe 2856 fxrxfxl.exe 2344 42002.exe 2564 thtnbt.exe 2704 thtbnb.exe 2700 086844.exe 2720 8628444.exe 2776 86444.exe 2308 u028884.exe 884 jvjpv.exe 2772 dpjpj.exe 2992 48622.exe 1112 vpdpj.exe 3024 446466.exe 2920 4208680.exe 2176 0428668.exe 1648 rlrfllr.exe 2556 ppddd.exe 2188 vppjj.exe 2088 a6684.exe 2384 8628446.exe 2448 0004668.exe 2240 3pjpp.exe 1976 hnthhh.exe 1096 vvpvj.exe 2688 q24640.exe 1356 lfxfxxl.exe -
resource yara_rule behavioral1/memory/1980-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2864-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2272-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-190-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/272-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-245-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/916-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2448-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1412-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2528-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-672-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2032-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2968-879-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-922-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-927-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2872-930-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-944-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-957-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-1030-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-1081-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1904-1094-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-1119-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 686622.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6462844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0628068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82462.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 820682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1980 wrote to memory of 2788 1980 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 30 PID 1980 wrote to memory of 2788 1980 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 30 PID 1980 wrote to memory of 2788 1980 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 30 PID 1980 wrote to memory of 2788 1980 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 30 PID 2788 wrote to memory of 2160 2788 dvvdj.exe 31 PID 2788 wrote to memory of 2160 2788 dvvdj.exe 31 PID 2788 wrote to memory of 2160 2788 dvvdj.exe 31 PID 2788 wrote to memory of 2160 2788 dvvdj.exe 31 PID 2160 wrote to memory of 2364 2160 208088.exe 32 PID 2160 wrote to memory of 2364 2160 208088.exe 32 PID 2160 wrote to memory of 2364 2160 208088.exe 32 PID 2160 wrote to memory of 2364 2160 208088.exe 32 PID 2364 wrote to memory of 2560 2364 1tbbbh.exe 33 PID 2364 wrote to memory of 2560 2364 1tbbbh.exe 33 PID 2364 wrote to memory of 2560 2364 1tbbbh.exe 33 PID 2364 wrote to memory of 2560 2364 1tbbbh.exe 33 PID 2560 wrote to memory of 2856 2560 lxfxxxf.exe 34 PID 2560 wrote to memory of 2856 2560 lxfxxxf.exe 34 PID 2560 wrote to memory of 2856 2560 lxfxxxf.exe 34 PID 2560 wrote to memory of 2856 2560 lxfxxxf.exe 34 PID 2856 wrote to memory of 2864 2856 426648.exe 35 PID 2856 wrote to memory of 2864 2856 426648.exe 35 PID 2856 wrote to memory of 2864 2856 426648.exe 35 PID 2856 wrote to memory of 2864 2856 426648.exe 35 PID 2864 wrote to memory of 3048 2864 s0604.exe 36 PID 2864 wrote to memory of 3048 2864 s0604.exe 36 PID 2864 wrote to memory of 3048 2864 s0604.exe 36 PID 2864 wrote to memory of 3048 2864 s0604.exe 36 PID 3048 wrote to memory of 2760 3048 lxxxxxx.exe 37 PID 3048 wrote to memory of 2760 3048 lxxxxxx.exe 37 PID 3048 wrote to memory of 2760 3048 lxxxxxx.exe 37 PID 3048 wrote to memory of 2760 3048 lxxxxxx.exe 37 PID 2760 wrote to memory of 2768 2760 8802884.exe 38 PID 2760 
wrote to memory of 2768 2760 8802884.exe 38 PID 2760 wrote to memory of 2768 2760 8802884.exe 38 PID 2760 wrote to memory of 2768 2760 8802884.exe 38 PID 2768 wrote to memory of 2308 2768 pvvpd.exe 39 PID 2768 wrote to memory of 2308 2768 pvvpd.exe 39 PID 2768 wrote to memory of 2308 2768 pvvpd.exe 39 PID 2768 wrote to memory of 2308 2768 pvvpd.exe 39 PID 2308 wrote to memory of 3020 2308 8266408.exe 40 PID 2308 wrote to memory of 3020 2308 8266408.exe 40 PID 2308 wrote to memory of 3020 2308 8266408.exe 40 PID 2308 wrote to memory of 3020 2308 8266408.exe 40 PID 3020 wrote to memory of 1492 3020 2200286.exe 41 PID 3020 wrote to memory of 1492 3020 2200286.exe 41 PID 3020 wrote to memory of 1492 3020 2200286.exe 41 PID 3020 wrote to memory of 1492 3020 2200286.exe 41 PID 1492 wrote to memory of 568 1492 nhtttt.exe 42 PID 1492 wrote to memory of 568 1492 nhtttt.exe 42 PID 1492 wrote to memory of 568 1492 nhtttt.exe 42 PID 1492 wrote to memory of 568 1492 nhtttt.exe 42 PID 568 wrote to memory of 2912 568 lfrrrxf.exe 43 PID 568 wrote to memory of 2912 568 lfrrrxf.exe 43 PID 568 wrote to memory of 2912 568 lfrrrxf.exe 43 PID 568 wrote to memory of 2912 568 lfrrrxf.exe 43 PID 2912 wrote to memory of 2176 2912 nthhnn.exe 44 PID 2912 wrote to memory of 2176 2912 nthhnn.exe 44 PID 2912 wrote to memory of 2176 2912 nthhnn.exe 44 PID 2912 wrote to memory of 2176 2912 nthhnn.exe 44 PID 2176 wrote to memory of 1648 2176 k46682.exe 45 PID 2176 wrote to memory of 1648 2176 k46682.exe 45 PID 2176 wrote to memory of 1648 2176 k46682.exe 45 PID 2176 wrote to memory of 1648 2176 k46682.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe"C:\Users\Admin\AppData\Local\Temp\672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\dvvdj.exec:\dvvdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\208088.exec:\208088.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\1tbbbh.exec:\1tbbbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\lxfxxxf.exec:\lxfxxxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\426648.exec:\426648.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\s0604.exec:\s0604.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\lxxxxxx.exec:\lxxxxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\8802884.exec:\8802884.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\pvvpd.exec:\pvvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\8266408.exec:\8266408.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\2200286.exec:\2200286.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\nhtttt.exec:\nhtttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\lfrrrxf.exec:\lfrrrxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:568 -
\??\c:\nthhnn.exec:\nthhnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\k46682.exec:\k46682.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\208466.exec:\208466.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648 -
\??\c:\3jpdj.exec:\3jpdj.exe18⤵
- Executes dropped EXE
PID:2272 -
\??\c:\bthhnh.exec:\bthhnh.exe19⤵
- Executes dropped EXE
PID:2408 -
\??\c:\6466884.exec:\6466884.exe20⤵
- Executes dropped EXE
PID:2672 -
\??\c:\ffrxxxl.exec:\ffrxxxl.exe21⤵
- Executes dropped EXE
PID:272 -
\??\c:\u666824.exec:\u666824.exe22⤵
- Executes dropped EXE
PID:596 -
\??\c:\xxllxxf.exec:\xxllxxf.exe23⤵
- Executes dropped EXE
PID:1664 -
\??\c:\48680.exec:\48680.exe24⤵
- Executes dropped EXE
PID:1764 -
\??\c:\lxflrrr.exec:\lxflrrr.exe25⤵
- Executes dropped EXE
PID:1536 -
\??\c:\ththnn.exec:\ththnn.exe26⤵
- Executes dropped EXE
PID:316 -
\??\c:\e80622.exec:\e80622.exe27⤵
- Executes dropped EXE
PID:916 -
\??\c:\dvjvj.exec:\dvjvj.exe28⤵
- Executes dropped EXE
PID:1716 -
\??\c:\2684068.exec:\2684068.exe29⤵
- Executes dropped EXE
PID:552 -
\??\c:\1jppp.exec:\1jppp.exe30⤵
- Executes dropped EXE
PID:2616 -
\??\c:\pvdpp.exec:\pvdpp.exe31⤵
- Executes dropped EXE
PID:1644 -
\??\c:\a2402.exec:\a2402.exe32⤵
- Executes dropped EXE
PID:2200 -
\??\c:\486282.exec:\486282.exe33⤵
- Executes dropped EXE
PID:2528 -
\??\c:\xllrfxf.exec:\xllrfxf.exe34⤵
- Executes dropped EXE
PID:2888 -
\??\c:\tnhnnh.exec:\tnhnnh.exe35⤵
- Executes dropped EXE
PID:2516 -
\??\c:\vvdvj.exec:\vvdvj.exe36⤵
- Executes dropped EXE
PID:1708 -
\??\c:\bthhhh.exec:\bthhhh.exe37⤵
- Executes dropped EXE
PID:2956 -
\??\c:\3rfxffl.exec:\3rfxffl.exe38⤵
- Executes dropped EXE
PID:2964 -
\??\c:\bthnbh.exec:\bthnbh.exe39⤵
- Executes dropped EXE
PID:2836 -
\??\c:\fxrxfxl.exec:\fxrxfxl.exe40⤵
- Executes dropped EXE
PID:2856 -
\??\c:\42002.exec:\42002.exe41⤵
- Executes dropped EXE
PID:2344 -
\??\c:\thtnbt.exec:\thtnbt.exe42⤵
- Executes dropped EXE
PID:2564 -
\??\c:\thtbnb.exec:\thtbnb.exe43⤵
- Executes dropped EXE
PID:2704 -
\??\c:\086844.exec:\086844.exe44⤵
- Executes dropped EXE
PID:2700 -
\??\c:\8628444.exec:\8628444.exe45⤵
- Executes dropped EXE
PID:2720 -
\??\c:\86444.exec:\86444.exe46⤵
- Executes dropped EXE
PID:2776 -
\??\c:\u028884.exec:\u028884.exe47⤵
- Executes dropped EXE
PID:2308 -
\??\c:\jvjpv.exec:\jvjpv.exe48⤵
- Executes dropped EXE
PID:884 -
\??\c:\dpjpj.exec:\dpjpj.exe49⤵
- Executes dropped EXE
PID:2772 -
\??\c:\48622.exec:\48622.exe50⤵
- Executes dropped EXE
PID:2992 -
\??\c:\vpdpj.exec:\vpdpj.exe51⤵
- Executes dropped EXE
PID:1112 -
\??\c:\446466.exec:\446466.exe52⤵
- Executes dropped EXE
PID:3024 -
\??\c:\4208680.exec:\4208680.exe53⤵
- Executes dropped EXE
PID:2920 -
\??\c:\0428668.exec:\0428668.exe54⤵
- Executes dropped EXE
PID:2176 -
\??\c:\rlrfllr.exec:\rlrfllr.exe55⤵
- Executes dropped EXE
PID:1648 -
\??\c:\ppddd.exec:\ppddd.exe56⤵
- Executes dropped EXE
PID:2556 -
\??\c:\vppjj.exec:\vppjj.exe57⤵
- Executes dropped EXE
PID:2188 -
\??\c:\a6684.exec:\a6684.exe58⤵
- Executes dropped EXE
PID:2088 -
\??\c:\8628446.exec:\8628446.exe59⤵
- Executes dropped EXE
PID:2384 -
\??\c:\0004668.exec:\0004668.exe60⤵
- Executes dropped EXE
PID:2448 -
\??\c:\3pjpp.exec:\3pjpp.exe61⤵
- Executes dropped EXE
PID:2240 -
\??\c:\hnthhh.exec:\hnthhh.exe62⤵
- Executes dropped EXE
PID:1976 -
\??\c:\vvpvj.exec:\vvpvj.exe63⤵
- Executes dropped EXE
PID:1096 -
\??\c:\q24640.exec:\q24640.exe64⤵
- Executes dropped EXE
PID:2688 -
\??\c:\lfxfxxl.exec:\lfxfxxl.exe65⤵
- Executes dropped EXE
PID:1356 -
\??\c:\9bbhnn.exec:\9bbhnn.exe66⤵PID:2004
-
\??\c:\02486.exec:\02486.exe67⤵PID:1412
-
\??\c:\1nhhtb.exec:\1nhhtb.exe68⤵PID:1636
-
\??\c:\m4624.exec:\m4624.exe69⤵PID:1776
-
\??\c:\xlxflrf.exec:\xlxflrf.exe70⤵PID:2020
-
\??\c:\7jvvj.exec:\7jvvj.exe71⤵PID:2360
-
\??\c:\824026.exec:\824026.exe72⤵PID:1656
-
\??\c:\08628.exec:\08628.exe73⤵PID:1652
-
\??\c:\5btbhn.exec:\5btbhn.exe74⤵PID:1688
-
\??\c:\w64462.exec:\w64462.exe75⤵PID:2200
-
\??\c:\848044.exec:\848044.exe76⤵PID:2528
-
\??\c:\440866.exec:\440866.exe77⤵PID:1892
-
\??\c:\04680.exec:\04680.exe78⤵PID:2312
-
\??\c:\s2440.exec:\s2440.exe79⤵PID:2140
-
\??\c:\4862446.exec:\4862446.exe80⤵PID:2976
-
\??\c:\ffxfflf.exec:\ffxfflf.exe81⤵PID:2952
-
\??\c:\604062.exec:\604062.exe82⤵PID:2296
-
\??\c:\k08800.exec:\k08800.exe83⤵PID:2988
-
\??\c:\nnbnbt.exec:\nnbnbt.exe84⤵PID:2504
-
\??\c:\448688.exec:\448688.exe85⤵PID:2868
-
\??\c:\btnbnb.exec:\btnbnb.exe86⤵PID:2732
-
\??\c:\44808.exec:\44808.exe87⤵PID:2760
-
\??\c:\u002448.exec:\u002448.exe88⤵PID:2716
-
\??\c:\602806.exec:\602806.exe89⤵PID:2916
-
\??\c:\8640224.exec:\8640224.exe90⤵PID:2776
-
\??\c:\5thhhn.exec:\5thhhn.exe91⤵PID:2032
-
\??\c:\9ppvv.exec:\9ppvv.exe92⤵PID:1632
-
\??\c:\i244664.exec:\i244664.exe93⤵PID:3000
-
\??\c:\9dpvj.exec:\9dpvj.exe94⤵PID:2884
-
\??\c:\8640224.exec:\8640224.exe95⤵PID:1296
-
\??\c:\1rxxfff.exec:\1rxxfff.exe96⤵PID:2112
-
\??\c:\pdpvd.exec:\pdpvd.exe97⤵PID:1276
-
\??\c:\3frfrxf.exec:\3frfrxf.exe98⤵PID:2644
-
\??\c:\frlrxxf.exec:\frlrxxf.exe99⤵PID:2084
-
\??\c:\3httnn.exec:\3httnn.exe100⤵PID:844
-
\??\c:\5ntbhb.exec:\5ntbhb.exe101⤵PID:2684
-
\??\c:\3htntn.exec:\3htntn.exe102⤵PID:2088
-
\??\c:\4284062.exec:\4284062.exe103⤵PID:1800
-
\??\c:\2600662.exec:\2600662.exe104⤵PID:2448
-
\??\c:\6006004.exec:\6006004.exe105⤵PID:1324
-
\??\c:\w46240.exec:\w46240.exe106⤵PID:1664
-
\??\c:\xxrrxxf.exec:\xxrrxxf.exe107⤵PID:1096
-
\??\c:\426280.exec:\426280.exe108⤵PID:2688
-
\??\c:\5jppj.exec:\5jppj.exe109⤵PID:776
-
\??\c:\jvpdp.exec:\jvpdp.exe110⤵PID:1212
-
\??\c:\8066222.exec:\8066222.exe111⤵PID:2232
-
\??\c:\tntthb.exec:\tntthb.exe112⤵PID:2212
-
\??\c:\3lrxxxf.exec:\3lrxxxf.exe113⤵PID:2292
-
\??\c:\08466.exec:\08466.exe114⤵PID:2624
-
\??\c:\3xlrffl.exec:\3xlrffl.exe115⤵PID:2360
-
\??\c:\pdjpv.exec:\pdjpv.exe116⤵PID:1036
-
\??\c:\m8662.exec:\m8662.exe117⤵PID:2456
-
\??\c:\9rrxxrx.exec:\9rrxxrx.exe118⤵PID:2024
-
\??\c:\pdvvd.exec:\pdvvd.exe119⤵PID:2472
-
\??\c:\5flflfx.exec:\5flflfx.exe120⤵PID:1948
-
\??\c:\frxxxxf.exec:\frxxxxf.exe121⤵PID:2160
-
\??\c:\860026.exec:\860026.exe122⤵PID:2516