Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
19-12-2024 00:51
Behavioral task
behavioral1
Sample
1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe
-
Size
332KB
-
MD5
246a5c7ee9e210bece204aaffc95b6ce
-
SHA1
2e78dd70dd639ec3cdb63f0ac28f2350aebd7c75
-
SHA256
1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026
-
SHA512
c186d7d09e75aea0910322ad10db819e11b25585093bc74f2368b15cd70c7c66f9f29cfbef4dd33a1b1746188535fe280c2272dc623e466ab644967379f2ccbe
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbex:R4wFHoSHYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 51 IoCs
resource yara_rule behavioral1/memory/556-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2280-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/556-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2176-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2176-23-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2132-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2756-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2616-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2892-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2892-65-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/2712-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2724-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2668-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1760-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1056-112-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1624-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1840-128-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1948-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1840-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2932-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2932-145-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon 
behavioral1/memory/652-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/448-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1536-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1224-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1120-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1672-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2228-314-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/2740-325-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2960-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2960-339-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2652-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1252-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2136-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2700-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2144-408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2084-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/408-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1008-480-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/916-501-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3004-532-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3004-559-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/1576-622-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/780-727-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/1384-786-0x00000000002A0000-0x00000000002C7000-memory.dmp family_blackmoon behavioral1/memory/2012-825-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3068-853-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2496-1011-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2160-5959-0x0000000076B90000-0x0000000076C8A000-memory.dmp family_blackmoon behavioral1/memory/2160-6471-0x0000000076B90000-0x0000000076C8A000-memory.dmp family_blackmoon behavioral1/memory/2160-20774-0x0000000076C90000-0x0000000076DAF000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 556 nnhhtt.exe 2176 w64028.exe 2132 bttntb.exe 2756 226422.exe 2868 rlxrfxl.exe 2616 w68282.exe 2892 m4846.exe 2712 lxfrrlf.exe 2724 5ppvp.exe 2668 22662.exe 1760 08224.exe 1056 a8260.exe 1624 7xxffrf.exe 1840 w60680.exe 1948 ddpvd.exe 2932 o266284.exe 1924 082462.exe 332 w86622.exe 652 dvppp.exe 1120 o422864.exe 1352 llllffx.exe 448 04284.exe 1700 4862846.exe 1008 226206.exe 1876 vpdjd.exe 1536 5tbhnn.exe 1384 8206280.exe 904 lfllxff.exe 1224 bttntn.exe 2488 nnnbbt.exe 2076 dvpdp.exe 1936 602826.exe 2100 48002.exe 888 dvpdj.exe 2020 3tntht.exe 1692 vjvvv.exe 1600 e26622.exe 2108 djpjd.exe 2528 7nhnnn.exe 1672 82662.exe 2228 xrrfflr.exe 2760 flrxrfx.exe 2740 44246.exe 2820 e04028.exe 2960 bntbbb.exe 2888 lfxfxlf.exe 2748 1flrxrx.exe 2920 7frrlxx.exe 2608 nhtthh.exe 2652 frfxfrx.exe 2620 xxlxffr.exe 3048 lfxflrf.exe 1252 26802.exe 1340 5pjpj.exe 2136 6466628.exe 2700 lfxfllr.exe 2144 ppjpd.exe 1164 s6064.exe 1412 nbthtn.exe 3020 thbtbt.exe 1924 220280.exe 1492 pvvjd.exe 264 008668.exe 1868 4424686.exe -
resource yara_rule behavioral1/memory/2280-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000120fb-7.dat upx behavioral1/memory/556-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2280-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/556-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016cc4-15.dat upx behavioral1/memory/2176-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016ccd-25.dat upx behavioral1/memory/2176-23-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x0008000000016cd7-33.dat upx behavioral1/memory/2132-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2756-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016ce8-41.dat upx behavioral1/files/0x0007000000016cf0-49.dat upx behavioral1/memory/2616-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d04-58.dat upx behavioral1/memory/2892-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193e6-66.dat upx behavioral1/memory/2712-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193f0-75.dat upx behavioral1/files/0x000500000001945c-84.dat upx behavioral1/memory/2724-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2668-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001948d-93.dat upx behavioral1/memory/1760-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194e2-102.dat upx behavioral1/memory/1760-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1624-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1056-112-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001958b-111.dat 
upx behavioral1/memory/1624-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c2-120.dat upx behavioral1/files/0x00050000000195c4-129.dat upx behavioral1/files/0x0009000000016ca5-139.dat upx behavioral1/memory/1948-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1840-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c6-148.dat upx behavioral1/memory/2932-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1924-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c7-156.dat upx behavioral1/files/0x00050000000195c8-163.dat upx behavioral1/files/0x00050000000195ca-173.dat upx behavioral1/memory/652-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195cc-181.dat upx behavioral1/files/0x00050000000195ce-188.dat upx behavioral1/files/0x00050000000195d0-196.dat upx behavioral1/memory/448-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195e0-203.dat upx behavioral1/files/0x0005000000019624-212.dat upx behavioral1/files/0x0005000000019665-218.dat upx behavioral1/files/0x00050000000196a0-225.dat upx behavioral1/files/0x0005000000019931-235.dat upx behavioral1/memory/904-234-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019bec-241.dat upx behavioral1/files/0x0005000000019bf0-250.dat upx behavioral1/memory/1536-249-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1224-248-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019bf2-258.dat upx behavioral1/files/0x0005000000019c0b-265.dat upx behavioral1/memory/1120-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1672-311-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2960-340-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2652-369-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1252-385-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 860200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 008668.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4206846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 000202.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m4846.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86402.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080684.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2280 wrote to memory of 556 2280 1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe 30 PID 2280 wrote to memory of 556 2280 1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe 30 PID 2280 wrote to memory of 556 2280 1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe 30 PID 2280 wrote to memory of 556 2280 1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe 30 PID 556 wrote to memory of 2176 556 nnhhtt.exe 31 PID 556 wrote to memory of 2176 556 nnhhtt.exe 31 PID 556 wrote to memory of 2176 556 nnhhtt.exe 31 PID 556 wrote to memory of 2176 556 nnhhtt.exe 31 PID 2176 wrote to memory of 2132 2176 w64028.exe 32 PID 2176 wrote to memory of 2132 2176 w64028.exe 32 PID 2176 wrote to memory of 2132 2176 w64028.exe 32 PID 2176 wrote to memory of 2132 2176 w64028.exe 32 PID 2132 wrote to memory of 2756 2132 bttntb.exe 33 PID 2132 wrote to memory of 2756 2132 bttntb.exe 33 PID 2132 wrote to memory of 2756 2132 bttntb.exe 33 PID 2132 wrote to memory of 2756 2132 bttntb.exe 33 PID 2756 wrote to memory of 2868 2756 226422.exe 34 PID 2756 wrote to memory of 2868 2756 226422.exe 34 PID 2756 wrote to memory of 2868 2756 226422.exe 34 PID 2756 wrote to memory of 2868 2756 226422.exe 34 PID 2868 wrote to memory of 2616 2868 rlxrfxl.exe 35 PID 2868 wrote to memory of 2616 2868 rlxrfxl.exe 35 PID 2868 wrote to memory of 2616 2868 rlxrfxl.exe 35 PID 2868 wrote to memory of 2616 2868 rlxrfxl.exe 35 PID 2616 wrote to memory of 2892 2616 w68282.exe 36 PID 2616 wrote to memory of 2892 2616 w68282.exe 36 PID 2616 wrote to memory of 2892 2616 w68282.exe 36 PID 2616 wrote to memory of 2892 2616 w68282.exe 36 PID 2892 wrote to memory of 2712 2892 m4846.exe 37 PID 2892 wrote to memory of 2712 2892 m4846.exe 37 PID 2892 wrote to memory of 2712 2892 m4846.exe 37 PID 2892 wrote to memory of 2712 2892 m4846.exe 37 PID 2712 wrote to memory of 2724 2712 lxfrrlf.exe 38 PID 2712 wrote to memory 
of 2724 2712 lxfrrlf.exe 38 PID 2712 wrote to memory of 2724 2712 lxfrrlf.exe 38 PID 2712 wrote to memory of 2724 2712 lxfrrlf.exe 38 PID 2724 wrote to memory of 2668 2724 5ppvp.exe 39 PID 2724 wrote to memory of 2668 2724 5ppvp.exe 39 PID 2724 wrote to memory of 2668 2724 5ppvp.exe 39 PID 2724 wrote to memory of 2668 2724 5ppvp.exe 39 PID 2668 wrote to memory of 1760 2668 22662.exe 40 PID 2668 wrote to memory of 1760 2668 22662.exe 40 PID 2668 wrote to memory of 1760 2668 22662.exe 40 PID 2668 wrote to memory of 1760 2668 22662.exe 40 PID 1760 wrote to memory of 1056 1760 08224.exe 41 PID 1760 wrote to memory of 1056 1760 08224.exe 41 PID 1760 wrote to memory of 1056 1760 08224.exe 41 PID 1760 wrote to memory of 1056 1760 08224.exe 41 PID 1056 wrote to memory of 1624 1056 a8260.exe 42 PID 1056 wrote to memory of 1624 1056 a8260.exe 42 PID 1056 wrote to memory of 1624 1056 a8260.exe 42 PID 1056 wrote to memory of 1624 1056 a8260.exe 42 PID 1624 wrote to memory of 1840 1624 7xxffrf.exe 43 PID 1624 wrote to memory of 1840 1624 7xxffrf.exe 43 PID 1624 wrote to memory of 1840 1624 7xxffrf.exe 43 PID 1624 wrote to memory of 1840 1624 7xxffrf.exe 43 PID 1840 wrote to memory of 1948 1840 w60680.exe 44 PID 1840 wrote to memory of 1948 1840 w60680.exe 44 PID 1840 wrote to memory of 1948 1840 w60680.exe 44 PID 1840 wrote to memory of 1948 1840 w60680.exe 44 PID 1948 wrote to memory of 2932 1948 ddpvd.exe 45 PID 1948 wrote to memory of 2932 1948 ddpvd.exe 45 PID 1948 wrote to memory of 2932 1948 ddpvd.exe 45 PID 1948 wrote to memory of 2932 1948 ddpvd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe"C:\Users\Admin\AppData\Local\Temp\1c208e7028ba0a317dda21ed989c905e49cc9792db3da93d37a7b53bd98c6026.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\nnhhtt.exec:\nnhhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\w64028.exec:\w64028.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\bttntb.exec:\bttntb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\226422.exec:\226422.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\rlxrfxl.exec:\rlxrfxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\w68282.exec:\w68282.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\m4846.exec:\m4846.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\lxfrrlf.exec:\lxfrrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\5ppvp.exec:\5ppvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\22662.exec:\22662.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\08224.exec:\08224.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\a8260.exec:\a8260.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\7xxffrf.exec:\7xxffrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\w60680.exec:\w60680.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\ddpvd.exec:\ddpvd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\o266284.exec:\o266284.exe17⤵
- Executes dropped EXE
PID:2932 -
\??\c:\082462.exec:\082462.exe18⤵
- Executes dropped EXE
PID:1924 -
\??\c:\w86622.exec:\w86622.exe19⤵
- Executes dropped EXE
PID:332 -
\??\c:\dvppp.exec:\dvppp.exe20⤵
- Executes dropped EXE
PID:652 -
\??\c:\o422864.exec:\o422864.exe21⤵
- Executes dropped EXE
PID:1120 -
\??\c:\llllffx.exec:\llllffx.exe22⤵
- Executes dropped EXE
PID:1352 -
\??\c:\04284.exec:\04284.exe23⤵
- Executes dropped EXE
PID:448 -
\??\c:\4862846.exec:\4862846.exe24⤵
- Executes dropped EXE
PID:1700 -
\??\c:\226206.exec:\226206.exe25⤵
- Executes dropped EXE
PID:1008 -
\??\c:\vpdjd.exec:\vpdjd.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1876 -
\??\c:\5tbhnn.exec:\5tbhnn.exe27⤵
- Executes dropped EXE
PID:1536 -
\??\c:\8206280.exec:\8206280.exe28⤵
- Executes dropped EXE
PID:1384 -
\??\c:\lfllxff.exec:\lfllxff.exe29⤵
- Executes dropped EXE
PID:904 -
\??\c:\bttntn.exec:\bttntn.exe30⤵
- Executes dropped EXE
PID:1224 -
\??\c:\nnnbbt.exec:\nnnbbt.exe31⤵
- Executes dropped EXE
PID:2488 -
\??\c:\dvpdp.exec:\dvpdp.exe32⤵
- Executes dropped EXE
PID:2076 -
\??\c:\602826.exec:\602826.exe33⤵
- Executes dropped EXE
PID:1936 -
\??\c:\48002.exec:\48002.exe34⤵
- Executes dropped EXE
PID:2100 -
\??\c:\dvpdj.exec:\dvpdj.exe35⤵
- Executes dropped EXE
PID:888 -
\??\c:\3tntht.exec:\3tntht.exe36⤵
- Executes dropped EXE
PID:2020 -
\??\c:\vjvvv.exec:\vjvvv.exe37⤵
- Executes dropped EXE
PID:1692 -
\??\c:\e26622.exec:\e26622.exe38⤵
- Executes dropped EXE
PID:1600 -
\??\c:\djpjd.exec:\djpjd.exe39⤵
- Executes dropped EXE
PID:2108 -
\??\c:\7nhnnn.exec:\7nhnnn.exe40⤵
- Executes dropped EXE
PID:2528 -
\??\c:\82662.exec:\82662.exe41⤵
- Executes dropped EXE
PID:1672 -
\??\c:\xrrfflr.exec:\xrrfflr.exe42⤵
- Executes dropped EXE
PID:2228 -
\??\c:\flrxrfx.exec:\flrxrfx.exe43⤵
- Executes dropped EXE
PID:2760 -
\??\c:\44246.exec:\44246.exe44⤵
- Executes dropped EXE
PID:2740 -
\??\c:\e04028.exec:\e04028.exe45⤵
- Executes dropped EXE
PID:2820 -
\??\c:\bntbbb.exec:\bntbbb.exe46⤵
- Executes dropped EXE
PID:2960 -
\??\c:\lfxfxlf.exec:\lfxfxlf.exe47⤵
- Executes dropped EXE
PID:2888 -
\??\c:\1flrxrx.exec:\1flrxrx.exe48⤵
- Executes dropped EXE
PID:2748 -
\??\c:\7frrlxx.exec:\7frrlxx.exe49⤵
- Executes dropped EXE
PID:2920 -
\??\c:\nhtthh.exec:\nhtthh.exe50⤵
- Executes dropped EXE
PID:2608 -
\??\c:\frfxfrx.exec:\frfxfrx.exe51⤵
- Executes dropped EXE
PID:2652 -
\??\c:\xxlxffr.exec:\xxlxffr.exe52⤵
- Executes dropped EXE
PID:2620 -
\??\c:\lfxflrf.exec:\lfxflrf.exe53⤵
- Executes dropped EXE
PID:3048 -
\??\c:\26802.exec:\26802.exe54⤵
- Executes dropped EXE
PID:1252 -
\??\c:\5pjpj.exec:\5pjpj.exe55⤵
- Executes dropped EXE
PID:1340 -
\??\c:\6466628.exec:\6466628.exe56⤵
- Executes dropped EXE
PID:2136 -
\??\c:\lfxfllr.exec:\lfxfllr.exe57⤵
- Executes dropped EXE
PID:2700 -
\??\c:\ppjpd.exec:\ppjpd.exe58⤵
- Executes dropped EXE
PID:2144 -
\??\c:\s6064.exec:\s6064.exe59⤵
- Executes dropped EXE
PID:1164 -
\??\c:\nbthtn.exec:\nbthtn.exe60⤵
- Executes dropped EXE
PID:1412 -
\??\c:\thbtbt.exec:\thbtbt.exe61⤵
- Executes dropped EXE
PID:3020 -
\??\c:\220280.exec:\220280.exe62⤵
- Executes dropped EXE
PID:1924 -
\??\c:\pvvjd.exec:\pvvjd.exe63⤵
- Executes dropped EXE
PID:1492 -
\??\c:\008668.exec:\008668.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:264 -
\??\c:\4424686.exec:\4424686.exe65⤵
- Executes dropped EXE
PID:1868 -
\??\c:\48624.exec:\48624.exe66⤵PID:1656
-
\??\c:\s2400.exec:\s2400.exe67⤵PID:1604
-
\??\c:\vvppj.exec:\vvppj.exe68⤵PID:2084
-
\??\c:\vjvpv.exec:\vjvpv.exe69⤵PID:408
-
\??\c:\08026.exec:\08026.exe70⤵PID:1816
-
\??\c:\2262002.exec:\2262002.exe71⤵PID:1320
-
\??\c:\7lfrlfr.exec:\7lfrlfr.exe72⤵PID:1008
-
\??\c:\flfxlrx.exec:\flfxlrx.exe73⤵PID:800
-
\??\c:\7xfffll.exec:\7xfffll.exe74⤵PID:2588
-
\??\c:\86280.exec:\86280.exe75⤵PID:1568
-
\??\c:\080626.exec:\080626.exe76⤵PID:916
-
\??\c:\20822.exec:\20822.exe77⤵PID:904
-
\??\c:\040404.exec:\040404.exe78⤵PID:1224
-
\??\c:\8400606.exec:\8400606.exe79⤵PID:2416
-
\??\c:\3nttbh.exec:\3nttbh.exe80⤵PID:2488
-
\??\c:\u860284.exec:\u860284.exe81⤵PID:2076
-
\??\c:\jpppj.exec:\jpppj.exe82⤵PID:3004
-
\??\c:\llflrrx.exec:\llflrrx.exe83⤵PID:896
-
\??\c:\4824246.exec:\4824246.exe84⤵PID:1688
-
\??\c:\djvdp.exec:\djvdp.exe85⤵PID:2012
-
\??\c:\6820422.exec:\6820422.exe86⤵PID:2280
-
\??\c:\066626.exec:\066626.exe87⤵PID:1592
-
\??\c:\5jjpv.exec:\5jjpv.exe88⤵PID:1600
-
\??\c:\fxllxxf.exec:\fxllxxf.exe89⤵PID:2536
-
\??\c:\8824828.exec:\8824828.exe90⤵PID:2176
-
\??\c:\0042402.exec:\0042402.exe91⤵PID:2704
-
\??\c:\5xrlxll.exec:\5xrlxll.exe92⤵PID:864
-
\??\c:\m6068.exec:\m6068.exe93⤵PID:2760
-
\??\c:\266400.exec:\266400.exe94⤵PID:2744
-
\??\c:\lxffllf.exec:\lxffllf.exe95⤵PID:2752
-
\??\c:\9jpvj.exec:\9jpvj.exe96⤵PID:2128
-
\??\c:\o042068.exec:\o042068.exe97⤵PID:2636
-
\??\c:\q80200.exec:\q80200.exe98⤵PID:1576
-
\??\c:\5xrrflx.exec:\5xrrflx.exe99⤵PID:2792
-
\??\c:\26024.exec:\26024.exe100⤵PID:1620
-
\??\c:\60424.exec:\60424.exe101⤵PID:2640
-
\??\c:\208840.exec:\208840.exe102⤵PID:2624
-
\??\c:\640460.exec:\640460.exe103⤵PID:3056
-
\??\c:\648822.exec:\648822.exe104⤵PID:3036
-
\??\c:\fxlrrrx.exec:\fxlrrrx.exe105⤵PID:1168
-
\??\c:\08624.exec:\08624.exe106⤵PID:2916
-
\??\c:\pppjv.exec:\pppjv.exe107⤵PID:1076
-
\??\c:\5nnbnn.exec:\5nnbnn.exe108⤵PID:2872
-
\??\c:\82006.exec:\82006.exe109⤵PID:692
-
\??\c:\pjppd.exec:\pjppd.exe110⤵PID:1104
-
\??\c:\jjdpj.exec:\jjdpj.exe111⤵PID:1960
-
\??\c:\u484046.exec:\u484046.exe112⤵PID:484
-
\??\c:\9fxxrlx.exec:\9fxxrlx.exe113⤵PID:2912
-
\??\c:\60462.exec:\60462.exe114⤵PID:1036
-
\??\c:\xrffrlr.exec:\xrffrlr.exe115⤵PID:608
-
\??\c:\5frlrrx.exec:\5frlrrx.exe116⤵PID:1504
-
\??\c:\00046.exec:\00046.exe117⤵PID:1120
-
\??\c:\jdvjp.exec:\jdvjp.exe118⤵PID:780
-
\??\c:\60280.exec:\60280.exe119⤵PID:2084
-
\??\c:\660206.exec:\660206.exe120⤵PID:408
-
\??\c:\9tthhh.exec:\9tthhh.exe121⤵PID:2496
-
\??\c:\48006.exec:\48006.exe122⤵PID:1360