Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:56
Behavioral task
behavioral1
Sample
1dd4f29f673b9621a798a9ae0e47b6b7c673e9596481afd39ef041787b4d4d71.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1dd4f29f673b9621a798a9ae0e47b6b7c673e9596481afd39ef041787b4d4d71.exe
-
Size
334KB
-
MD5
b206099ab570ea0899a95a80f12c345c
-
SHA1
de96077ce89f0c48091e35ca2c6cdb2960e1c2aa
-
SHA256
1dd4f29f673b9621a798a9ae0e47b6b7c673e9596481afd39ef041787b4d4d71
-
SHA512
d0a74a17315e1925df252d525a1ad18bdd0a940ef070571c36fa2d46c4f7a0088a8636ac994c0a3786cc55ee7f51a658ac16afa7e71487fcc174a903d73cc02f
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRh:R4wFHoSHYHUrAwfMp3CDRh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4028-3-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3196-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3592-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3892-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3148-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4868-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1336-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1432-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4132-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3872-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2916-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3164-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2432-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/948-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3484-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1712-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3784-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1788-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1080-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1296-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2648-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4560-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4684-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2288-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2644-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2720-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1856-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1500-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4664-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2436-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3688-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2916-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3624-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4556-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3380-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3784-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3452-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4560-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/908-344-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2672-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1212-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/740-435-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2196-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1360-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4052-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1048-479-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3592-531-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4172-644-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1680-1081-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2932-1360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 228 8242226.exe 3592 0626600.exe 3892 2466442.exe 3196 62066.exe 3148 040044.exe 4868 42086.exe 1336 pdvvd.exe 1432 w02226.exe 4132 c644882.exe 3872 lxxrrrr.exe 3900 vddvp.exe 1840 62800.exe 2916 g0260.exe 3164 228488.exe 2432 bnttnn.exe 1460 08662.exe 4472 flrfxrl.exe 4584 002882.exe 3484 46660.exe 948 xlrlffx.exe 2144 thhtnn.exe 1808 pdjdj.exe 3488 bntnnt.exe 4540 5jjdv.exe 1712 bntnbb.exe 4684 w28260.exe 1360 86266.exe 3784 rrxxrlf.exe 4008 8684462.exe 5064 dddvv.exe 2648 hhnntt.exe 1788 xfllfff.exe 1296 m6642.exe 1080 6282660.exe 4912 hthhnn.exe 3368 rxfxfxx.exe 3060 02888.exe 1864 6004488.exe 4560 frfxrlx.exe 1540 hbtnbb.exe 3944 dpjvp.exe 3652 hhnnhh.exe 4468 ffrrrxx.exe 2288 rrrrlxr.exe 4144 2402086.exe 3160 1dvpp.exe 2644 jdpvv.exe 5108 k00848.exe 4836 46428.exe 2464 hhtbht.exe 3716 vppjd.exe 4056 htbnhh.exe 2720 ttthnb.exe 1200 jpvpd.exe 3796 bhhthb.exe 4656 204204.exe 1856 428204.exe 1500 7pjvj.exe 3592 0620826.exe 4664 c220844.exe 2436 084248.exe 3528 rlxrlfx.exe 4768 frrfrll.exe 2608 u460826.exe -
resource yara_rule behavioral2/memory/4028-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4028-3-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b27-4.dat upx behavioral2/memory/228-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b80-9.dat upx behavioral2/files/0x000a000000023b85-20.dat upx behavioral2/memory/3196-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-24.dat upx behavioral2/memory/3592-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3892-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-14.dat upx behavioral2/files/0x000a000000023b87-28.dat upx behavioral2/memory/3148-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-33.dat upx behavioral2/memory/4868-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1336-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-39.dat upx behavioral2/files/0x000a000000023b8a-43.dat upx behavioral2/memory/1432-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-48.dat upx behavioral2/memory/4132-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-53.dat upx behavioral2/memory/3872-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-58.dat upx behavioral2/files/0x000a000000023b8f-62.dat upx behavioral2/memory/1840-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2916-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b81-67.dat upx behavioral2/files/0x000a000000023b90-72.dat upx behavioral2/memory/3164-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-77.dat upx 
behavioral2/memory/2432-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-83.dat upx behavioral2/files/0x000a000000023b93-86.dat upx behavioral2/files/0x000a000000023b94-90.dat upx behavioral2/files/0x000a000000023b95-96.dat upx behavioral2/memory/948-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-102.dat upx behavioral2/memory/948-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-105.dat upx behavioral2/memory/1808-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3484-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-110.dat upx behavioral2/memory/3488-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9a-115.dat upx behavioral2/memory/4540-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9b-120.dat upx behavioral2/files/0x000a000000023b9c-125.dat upx behavioral2/memory/1712-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9d-131.dat upx behavioral2/files/0x000a000000023b9e-134.dat upx behavioral2/files/0x000a000000023b9f-139.dat upx behavioral2/memory/3784-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023ba0-145.dat upx behavioral2/files/0x000b000000023ba1-148.dat upx behavioral2/files/0x000b000000023ba2-153.dat upx behavioral2/memory/1788-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1080-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3368-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3060-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1296-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2648-152-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4008-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4560-174-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 466004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2848260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0484884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
q02600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 680484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e06444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i004226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4028 wrote to memory of 228 4028 1dd4f29f673b9621a798a9ae0e47b6b7c673e9596481afd39ef041787b4d4d71.exe 83 PID 4028 wrote to memory of 228 4028 1dd4f29f673b9621a798a9ae0e47b6b7c673e9596481afd39ef041787b4d4d71.exe 83 PID 4028 wrote to memory of 228 4028 1dd4f29f673b9621a798a9ae0e47b6b7c673e9596481afd39ef041787b4d4d71.exe 83 PID 228 wrote to memory of 3592 228 8242226.exe 84 PID 228 wrote to memory of 3592 228 8242226.exe 84 PID 228 wrote to memory of 3592 228 8242226.exe 84 PID 3592 wrote to memory of 3892 3592 0626600.exe 85 PID 3592 wrote to memory of 3892 3592 0626600.exe 85 PID 3592 wrote to memory of 3892 3592 0626600.exe 85 PID 3892 wrote to memory of 3196 3892 2466442.exe 86 PID 3892 wrote to memory of 3196 3892 2466442.exe 86 PID 3892 wrote to memory of 3196 3892 2466442.exe 86 PID 3196 wrote to memory of 3148 3196 62066.exe 87 PID 3196 wrote to memory of 3148 3196 62066.exe 87 PID 3196 wrote to memory of 3148 3196 62066.exe 87 PID 3148 wrote to memory of 4868 3148 040044.exe 88 PID 3148 wrote to memory of 4868 3148 040044.exe 88 PID 3148 wrote to memory of 4868 3148 040044.exe 88 PID 4868 wrote to memory of 1336 4868 42086.exe 89 PID 4868 wrote to memory of 1336 4868 42086.exe 89 PID 4868 wrote to memory of 1336 4868 42086.exe 89 PID 1336 wrote to memory of 1432 1336 pdvvd.exe 90 PID 1336 wrote to memory of 1432 1336 pdvvd.exe 90 PID 1336 wrote to memory of 1432 1336 pdvvd.exe 90 PID 1432 wrote to memory of 4132 1432 w02226.exe 91 PID 1432 wrote to memory of 4132 1432 w02226.exe 91 PID 1432 wrote to memory of 4132 1432 w02226.exe 91 PID 4132 wrote to memory of 3872 4132 c644882.exe 92 PID 4132 wrote to memory of 3872 4132 c644882.exe 92 PID 4132 wrote to memory of 3872 4132 c644882.exe 92 PID 3872 wrote to memory of 3900 3872 lxxrrrr.exe 93 PID 3872 wrote to memory of 3900 3872 lxxrrrr.exe 93 PID 3872 wrote to memory of 3900 3872 lxxrrrr.exe 93 PID 3900 wrote to memory of 1840 3900 vddvp.exe 94 PID 3900 wrote to 
memory of 1840 3900 vddvp.exe 94 PID 3900 wrote to memory of 1840 3900 vddvp.exe 94 PID 1840 wrote to memory of 2916 1840 62800.exe 95 PID 1840 wrote to memory of 2916 1840 62800.exe 95 PID 1840 wrote to memory of 2916 1840 62800.exe 95 PID 2916 wrote to memory of 3164 2916 g0260.exe 96 PID 2916 wrote to memory of 3164 2916 g0260.exe 96 PID 2916 wrote to memory of 3164 2916 g0260.exe 96 PID 3164 wrote to memory of 2432 3164 228488.exe 97 PID 3164 wrote to memory of 2432 3164 228488.exe 97 PID 3164 wrote to memory of 2432 3164 228488.exe 97 PID 2432 wrote to memory of 1460 2432 bnttnn.exe 98 PID 2432 wrote to memory of 1460 2432 bnttnn.exe 98 PID 2432 wrote to memory of 1460 2432 bnttnn.exe 98 PID 1460 wrote to memory of 4472 1460 08662.exe 99 PID 1460 wrote to memory of 4472 1460 08662.exe 99 PID 1460 wrote to memory of 4472 1460 08662.exe 99 PID 4472 wrote to memory of 4584 4472 flrfxrl.exe 100 PID 4472 wrote to memory of 4584 4472 flrfxrl.exe 100 PID 4472 wrote to memory of 4584 4472 flrfxrl.exe 100 PID 4584 wrote to memory of 3484 4584 002882.exe 101 PID 4584 wrote to memory of 3484 4584 002882.exe 101 PID 4584 wrote to memory of 3484 4584 002882.exe 101 PID 3484 wrote to memory of 948 3484 46660.exe 102 PID 3484 wrote to memory of 948 3484 46660.exe 102 PID 3484 wrote to memory of 948 3484 46660.exe 102 PID 948 wrote to memory of 2144 948 xlrlffx.exe 103 PID 948 wrote to memory of 2144 948 xlrlffx.exe 103 PID 948 wrote to memory of 2144 948 xlrlffx.exe 103 PID 2144 wrote to memory of 1808 2144 thhtnn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1dd4f29f673b9621a798a9ae0e47b6b7c673e9596481afd39ef041787b4d4d71.exe"C:\Users\Admin\AppData\Local\Temp\1dd4f29f673b9621a798a9ae0e47b6b7c673e9596481afd39ef041787b4d4d71.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\8242226.exec:\8242226.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\0626600.exec:\0626600.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\2466442.exec:\2466442.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\62066.exec:\62066.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
\??\c:\040044.exec:\040044.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\42086.exec:\42086.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\pdvvd.exec:\pdvvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\w02226.exec:\w02226.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\c644882.exec:\c644882.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\lxxrrrr.exec:\lxxrrrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\vddvp.exec:\vddvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\62800.exec:\62800.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\g0260.exec:\g0260.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\228488.exec:\228488.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\bnttnn.exec:\bnttnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\08662.exec:\08662.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\flrfxrl.exec:\flrfxrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\002882.exec:\002882.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\46660.exec:\46660.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\xlrlffx.exec:\xlrlffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\thhtnn.exec:\thhtnn.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\pdjdj.exec:\pdjdj.exe23⤵
- Executes dropped EXE
PID:1808 -
\??\c:\bntnnt.exec:\bntnnt.exe24⤵
- Executes dropped EXE
PID:3488 -
\??\c:\5jjdv.exec:\5jjdv.exe25⤵
- Executes dropped EXE
PID:4540 -
\??\c:\bntnbb.exec:\bntnbb.exe26⤵
- Executes dropped EXE
PID:1712 -
\??\c:\w28260.exec:\w28260.exe27⤵
- Executes dropped EXE
PID:4684 -
\??\c:\86266.exec:\86266.exe28⤵
- Executes dropped EXE
PID:1360 -
\??\c:\rrxxrlf.exec:\rrxxrlf.exe29⤵
- Executes dropped EXE
PID:3784 -
\??\c:\8684462.exec:\8684462.exe30⤵
- Executes dropped EXE
PID:4008 -
\??\c:\dddvv.exec:\dddvv.exe31⤵
- Executes dropped EXE
PID:5064 -
\??\c:\hhnntt.exec:\hhnntt.exe32⤵
- Executes dropped EXE
PID:2648 -
\??\c:\xfllfff.exec:\xfllfff.exe33⤵
- Executes dropped EXE
PID:1788 -
\??\c:\m6642.exec:\m6642.exe34⤵
- Executes dropped EXE
PID:1296 -
\??\c:\6282660.exec:\6282660.exe35⤵
- Executes dropped EXE
PID:1080 -
\??\c:\hthhnn.exec:\hthhnn.exe36⤵
- Executes dropped EXE
PID:4912 -
\??\c:\rxfxfxx.exec:\rxfxfxx.exe37⤵
- Executes dropped EXE
PID:3368 -
\??\c:\02888.exec:\02888.exe38⤵
- Executes dropped EXE
PID:3060 -
\??\c:\6004488.exec:\6004488.exe39⤵
- Executes dropped EXE
PID:1864 -
\??\c:\frfxrlx.exec:\frfxrlx.exe40⤵
- Executes dropped EXE
PID:4560 -
\??\c:\hbtnbb.exec:\hbtnbb.exe41⤵
- Executes dropped EXE
PID:1540 -
\??\c:\dpjvp.exec:\dpjvp.exe42⤵
- Executes dropped EXE
PID:3944 -
\??\c:\hhnnhh.exec:\hhnnhh.exe43⤵
- Executes dropped EXE
PID:3652 -
\??\c:\ffrrrxx.exec:\ffrrrxx.exe44⤵
- Executes dropped EXE
PID:4468 -
\??\c:\rrrrlxr.exec:\rrrrlxr.exe45⤵
- Executes dropped EXE
PID:2288 -
\??\c:\2402086.exec:\2402086.exe46⤵
- Executes dropped EXE
PID:4144 -
\??\c:\1dvpp.exec:\1dvpp.exe47⤵
- Executes dropped EXE
PID:3160 -
\??\c:\jdpvv.exec:\jdpvv.exe48⤵
- Executes dropped EXE
PID:2644 -
\??\c:\k00848.exec:\k00848.exe49⤵
- Executes dropped EXE
PID:5108 -
\??\c:\46428.exec:\46428.exe50⤵
- Executes dropped EXE
PID:4836 -
\??\c:\hhtbht.exec:\hhtbht.exe51⤵
- Executes dropped EXE
PID:2464 -
\??\c:\vppjd.exec:\vppjd.exe52⤵
- Executes dropped EXE
PID:3716 -
\??\c:\htbnhh.exec:\htbnhh.exe53⤵
- Executes dropped EXE
PID:4056 -
\??\c:\ttthnb.exec:\ttthnb.exe54⤵
- Executes dropped EXE
PID:2720 -
\??\c:\jpvpd.exec:\jpvpd.exe55⤵
- Executes dropped EXE
PID:1200 -
\??\c:\bhhthb.exec:\bhhthb.exe56⤵
- Executes dropped EXE
PID:3796 -
\??\c:\pjjvp.exec:\pjjvp.exe57⤵PID:4140
-
\??\c:\204204.exec:\204204.exe58⤵
- Executes dropped EXE
PID:4656 -
\??\c:\428204.exec:\428204.exe59⤵
- Executes dropped EXE
PID:1856 -
\??\c:\7pjvj.exec:\7pjvj.exe60⤵
- Executes dropped EXE
PID:1500 -
\??\c:\0620826.exec:\0620826.exe61⤵
- Executes dropped EXE
PID:3592 -
\??\c:\c220844.exec:\c220844.exe62⤵
- Executes dropped EXE
PID:4664 -
\??\c:\084248.exec:\084248.exe63⤵
- Executes dropped EXE
PID:2436 -
\??\c:\rlxrlfx.exec:\rlxrlfx.exe64⤵
- Executes dropped EXE
PID:3528 -
\??\c:\frrfrll.exec:\frrfrll.exe65⤵
- Executes dropped EXE
PID:4768 -
\??\c:\u460826.exec:\u460826.exe66⤵
- Executes dropped EXE
PID:2608 -
\??\c:\k28660.exec:\k28660.exe67⤵PID:2724
-
\??\c:\088426.exec:\088426.exe68⤵PID:4824
-
\??\c:\6064648.exec:\6064648.exe69⤵PID:2264
-
\??\c:\6464044.exec:\6464044.exe70⤵PID:4916
-
\??\c:\7vjdv.exec:\7vjdv.exe71⤵PID:2300
-
\??\c:\246442.exec:\246442.exe72⤵PID:5116
-
\??\c:\c408604.exec:\c408604.exe73⤵PID:3688
-
\??\c:\8242822.exec:\8242822.exe74⤵PID:2328
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe75⤵PID:1840
-
\??\c:\tntnbb.exec:\tntnbb.exe76⤵PID:2916
-
\??\c:\602660.exec:\602660.exe77⤵PID:4524
-
\??\c:\thhtbt.exec:\thhtbt.exe78⤵PID:4992
-
\??\c:\hhnbnh.exec:\hhnbnh.exe79⤵PID:1792
-
\??\c:\46826.exec:\46826.exe80⤵PID:4484
-
\??\c:\m0206.exec:\m0206.exe81⤵PID:5036
-
\??\c:\664204.exec:\664204.exe82⤵PID:4076
-
\??\c:\4464226.exec:\4464226.exe83⤵PID:2276
-
\??\c:\lllxrlx.exec:\lllxrlx.exe84⤵PID:3624
-
\??\c:\0484884.exec:\0484884.exe85⤵
- System Location Discovery: System Language Discovery
PID:4556 -
\??\c:\88048.exec:\88048.exe86⤵PID:4828
-
\??\c:\6462082.exec:\6462082.exe87⤵PID:3776
-
\??\c:\044204.exec:\044204.exe88⤵PID:2144
-
\??\c:\fffrfxr.exec:\fffrfxr.exe89⤵PID:3024
-
\??\c:\2020602.exec:\2020602.exe90⤵PID:4448
-
\??\c:\5tthbt.exec:\5tthbt.exe91⤵PID:2196
-
\??\c:\hthttt.exec:\hthttt.exe92⤵PID:4816
-
\??\c:\822082.exec:\822082.exe93⤵PID:1712
-
\??\c:\1jjvj.exec:\1jjvj.exe94⤵PID:1680
-
\??\c:\bththb.exec:\bththb.exe95⤵PID:1608
-
\??\c:\hbthbt.exec:\hbthbt.exe96⤵PID:3380
-
\??\c:\284204.exec:\284204.exe97⤵PID:3784
-
\??\c:\3pvjj.exec:\3pvjj.exe98⤵PID:4276
-
\??\c:\084804.exec:\084804.exe99⤵PID:4600
-
\??\c:\82048.exec:\82048.exe100⤵PID:4052
-
\??\c:\xffxlff.exec:\xffxlff.exe101⤵PID:3152
-
\??\c:\7pjvj.exec:\7pjvj.exe102⤵PID:1752
-
\??\c:\08264.exec:\08264.exe103⤵PID:2492
-
\??\c:\u060822.exec:\u060822.exe104⤵PID:5052
-
\??\c:\vjdpd.exec:\vjdpd.exe105⤵PID:3452
-
\??\c:\vpdvp.exec:\vpdvp.exe106⤵PID:1264
-
\??\c:\rrfrrrl.exec:\rrfrrrl.exe107⤵PID:4064
-
\??\c:\lxlflfr.exec:\lxlflfr.exe108⤵PID:1864
-
\??\c:\006048.exec:\006048.exe109⤵PID:4560
-
\??\c:\vjdvj.exec:\vjdvj.exe110⤵PID:872
-
\??\c:\2882044.exec:\2882044.exe111⤵PID:4920
-
\??\c:\5hhthb.exec:\5hhthb.exe112⤵PID:2332
-
\??\c:\028644.exec:\028644.exe113⤵PID:2020
-
\??\c:\jvvpd.exec:\jvvpd.exe114⤵PID:908
-
\??\c:\42808.exec:\42808.exe115⤵PID:3208
-
\??\c:\w40482.exec:\w40482.exe116⤵PID:2104
-
\??\c:\xflxxrr.exec:\xflxxrr.exe117⤵PID:2640
-
\??\c:\rrrlfxl.exec:\rrrlfxl.exe118⤵PID:904
-
\??\c:\nbthtn.exec:\nbthtn.exe119⤵PID:3180
-
\??\c:\nhbnbh.exec:\nhbnbh.exe120⤵PID:2788
-
\??\c:\flllxrf.exec:\flllxrf.exe121⤵PID:2672
-
\??\c:\a0000.exec:\a0000.exe122⤵PID:4852