Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
26/08/2024, 01:20
Behavioral task
behavioral1
Sample
ec51c66ee6ae5ecdf48ad751c839aa40N.exe
Resource
win7-20240708-en
6 signatures
120 seconds
General
-
Target
ec51c66ee6ae5ecdf48ad751c839aa40N.exe
-
Size
220KB
-
MD5
ec51c66ee6ae5ecdf48ad751c839aa40
-
SHA1
757f813b57a9f76698f207694ebaa2e8e851f082
-
SHA256
c3175ae285183cd2de2e1eabde01bfc39cb169c8814d784216c7d9f8ea34ee12
-
SHA512
c824393943d0332a3e2b581a2e040d8a53f59f921e4965f7e825e2501307748867f93c6a696db88a4c9d6e5e28ebe8ff804b2ba360488ffc13f204e6a8cc8004
-
SSDEEP
3072:9hOmTsF93UYfwC6GIoutz5yLpcgDE4JSCCtGkbuy5yLpr1awC6GIoutz5yKdwqBO:9cm4FmowdHoS4WEkMawdHoSbdwqBO
Malware Config
Signatures
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/1956-7-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3068-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2256-25-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2256-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2744-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1680-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2572-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2592-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2144-90-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2708-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2588-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/552-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1620-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/896-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1888-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1644-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1652-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1720-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/628-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1388-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2620-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2252-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2740-345-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/2592-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1264-370-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2868-383-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2760-397-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2864-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2864-411-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2864-431-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1744-438-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1652-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2376-464-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2896-472-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2476-492-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2704-553-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3060-634-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2852-641-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2184-723-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1608-754-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2364-819-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2872-936-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2156-1259-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/628-1302-0x0000000000230000-0x0000000000257000-memory.dmp family_blackmoon behavioral1/memory/2444-1336-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2256-1362-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3068 1vddj.exe 2256 djvjj.exe 2744 3hhnbh.exe 2808 pdpdp.exe 1784 fxxfrxr.exe 1680 7tbbhb.exe 2572 vpjvd.exe 2592 xrrflrx.exe 2144 hhbbtn.exe 2160 pppjd.exe 2708 rlrxxff.exe 2588 1thhnn.exe 2872 dddpd.exe 552 fxxlxff.exe 1620 htntbn.exe 896 jvpvj.exe 1888 rlffrfl.exe 1644 btbtbb.exe 1652 jjpvp.exe 1788 7xlfrrf.exe 2356 bbbbtt.exe 428 3djjp.exe 596 1vddv.exe 2488 rrxfrll.exe 1720 hthnbt.exe 628 7vdjj.exe 1388 dvjpv.exe 2084 frxfffr.exe 2620 9djvj.exe 752 lfxllrf.exe 2444 nnnnbn.exe 1592 dpjpp.exe 1640 frflrrx.exe 2664 nhhnhb.exe 2728 thtnbt.exe 2824 dvjvj.exe 2252 rxllllf.exe 1908 lxxfrxx.exe 2552 nhbntt.exe 2740 vjvvj.exe 2640 1xllrxf.exe 2016 5lxxfrx.exe 2592 9tnntt.exe 1264 jdjdp.exe 2224 vpdjv.exe 2868 9fllfff.exe 2788 bthtnt.exe 2760 tnhnnh.exe 2416 pdjjv.exe 2864 pjdpd.exe 3036 xrflxxx.exe 2496 htbtbb.exe 2312 3djjv.exe 1744 ddjvp.exe 2992 1frfrfl.exe 2176 9hnhtt.exe 1652 ppvjj.exe 2376 jjdpd.exe 2896 llfxlxf.exe 2112 hbntnt.exe 1608 hhthbb.exe 2476 jjpvj.exe 1552 3rfrllx.exe 1284 xxllrlr.exe -
resource yara_rule behavioral1/memory/1956-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00080000000120fb-8.dat upx behavioral1/memory/1956-7-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3068-15-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/3068-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016ce8-17.dat upx behavioral1/memory/2256-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2744-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d04-28.dat upx behavioral1/files/0x0007000000016d49-39.dat upx behavioral1/memory/2744-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016d5a-46.dat upx behavioral1/files/0x000a000000016d71-55.dat upx behavioral1/files/0x0008000000016e1d-63.dat upx behavioral1/memory/1680-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2572-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001945c-73.dat upx behavioral1/memory/2592-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001948d-81.dat upx behavioral1/files/0x00050000000194e2-91.dat upx behavioral1/files/0x000500000001958b-99.dat upx behavioral1/files/0x00050000000195c2-108.dat upx behavioral1/memory/2708-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2588-115-0x0000000000430000-0x0000000000457000-memory.dmp upx behavioral1/files/0x00050000000195c4-116.dat upx behavioral1/memory/2588-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c6-126.dat upx behavioral1/memory/552-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195c7-134.dat upx behavioral1/files/0x00050000000195c8-142.dat upx behavioral1/memory/1620-144-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/896-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195ca-152.dat upx behavioral1/memory/1888-161-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/1888-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195cc-162.dat upx behavioral1/files/0x00050000000195ce-171.dat upx behavioral1/memory/1644-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1652-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000195d0-181.dat upx behavioral1/files/0x00050000000195e0-190.dat upx behavioral1/files/0x0005000000019624-198.dat upx behavioral1/files/0x0005000000019665-207.dat upx behavioral1/files/0x001d000000016cc4-215.dat upx behavioral1/files/0x00050000000196a0-224.dat upx behavioral1/files/0x0005000000019931-233.dat upx behavioral1/memory/1720-232-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019bec-242.dat upx behavioral1/memory/628-241-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019bf0-249.dat upx behavioral1/memory/1388-252-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2620-263-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019bf2-262.dat upx behavioral1/files/0x0005000000019c0b-270.dat upx behavioral1/files/0x0005000000019cd5-278.dat upx behavioral1/files/0x0005000000019cfc-286.dat upx behavioral1/memory/2252-324-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1908-325-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2552-332-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2592-364-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1264-370-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2868-383-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2760-395-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/memory/2864-410-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrflxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfflxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1956 wrote to memory of 3068 1956 ec51c66ee6ae5ecdf48ad751c839aa40N.exe 30 PID 1956 wrote to memory of 3068 1956 ec51c66ee6ae5ecdf48ad751c839aa40N.exe 30 PID 1956 wrote to memory of 3068 1956 ec51c66ee6ae5ecdf48ad751c839aa40N.exe 30 PID 1956 wrote to memory of 3068 1956 ec51c66ee6ae5ecdf48ad751c839aa40N.exe 30 PID 3068 wrote to memory of 2256 3068 1vddj.exe 31 PID 3068 wrote to memory of 2256 3068 1vddj.exe 31 PID 3068 wrote to memory of 2256 3068 1vddj.exe 31 PID 3068 wrote to memory of 2256 3068 1vddj.exe 31 PID 2256 wrote to memory of 2744 2256 djvjj.exe 32 PID 2256 wrote to memory of 2744 2256 djvjj.exe 32 PID 2256 wrote to memory of 2744 2256 djvjj.exe 32 PID 2256 wrote to memory of 2744 2256 djvjj.exe 32 PID 2744 wrote to memory of 2808 2744 3hhnbh.exe 33 PID 2744 wrote to memory of 2808 2744 3hhnbh.exe 33 PID 2744 wrote to memory of 2808 2744 3hhnbh.exe 33 PID 2744 wrote to memory of 2808 2744 3hhnbh.exe 33 PID 2808 wrote to memory of 1784 2808 pdpdp.exe 34 PID 2808 wrote to memory of 1784 2808 pdpdp.exe 34 PID 2808 wrote to memory of 1784 2808 pdpdp.exe 34 PID 2808 wrote to memory of 1784 2808 pdpdp.exe 34 PID 1784 wrote to memory of 1680 1784 fxxfrxr.exe 35 PID 1784 wrote to memory of 1680 1784 fxxfrxr.exe 35 PID 1784 wrote to memory of 1680 1784 fxxfrxr.exe 35 PID 1784 wrote to memory of 1680 1784 fxxfrxr.exe 35 PID 1680 wrote to memory of 2572 1680 7tbbhb.exe 36 PID 1680 wrote to memory of 2572 1680 7tbbhb.exe 36 PID 1680 wrote to memory of 2572 1680 7tbbhb.exe 36 PID 1680 wrote to memory of 2572 1680 7tbbhb.exe 36 PID 2572 wrote to memory of 2592 2572 vpjvd.exe 37 PID 2572 wrote to memory of 2592 2572 vpjvd.exe 37 PID 2572 wrote to memory of 2592 2572 vpjvd.exe 37 PID 2572 wrote to memory of 2592 2572 vpjvd.exe 37 PID 2592 wrote to memory of 2144 2592 xrrflrx.exe 38 PID 2592 wrote to memory of 2144 2592 xrrflrx.exe 38 PID 2592 wrote to memory of 2144 2592 xrrflrx.exe 38 PID 2592 wrote to memory of 2144 2592 
xrrflrx.exe 38 PID 2144 wrote to memory of 2160 2144 hhbbtn.exe 39 PID 2144 wrote to memory of 2160 2144 hhbbtn.exe 39 PID 2144 wrote to memory of 2160 2144 hhbbtn.exe 39 PID 2144 wrote to memory of 2160 2144 hhbbtn.exe 39 PID 2160 wrote to memory of 2708 2160 pppjd.exe 40 PID 2160 wrote to memory of 2708 2160 pppjd.exe 40 PID 2160 wrote to memory of 2708 2160 pppjd.exe 40 PID 2160 wrote to memory of 2708 2160 pppjd.exe 40 PID 2708 wrote to memory of 2588 2708 rlrxxff.exe 41 PID 2708 wrote to memory of 2588 2708 rlrxxff.exe 41 PID 2708 wrote to memory of 2588 2708 rlrxxff.exe 41 PID 2708 wrote to memory of 2588 2708 rlrxxff.exe 41 PID 2588 wrote to memory of 2872 2588 1thhnn.exe 42 PID 2588 wrote to memory of 2872 2588 1thhnn.exe 42 PID 2588 wrote to memory of 2872 2588 1thhnn.exe 42 PID 2588 wrote to memory of 2872 2588 1thhnn.exe 42 PID 2872 wrote to memory of 552 2872 dddpd.exe 43 PID 2872 wrote to memory of 552 2872 dddpd.exe 43 PID 2872 wrote to memory of 552 2872 dddpd.exe 43 PID 2872 wrote to memory of 552 2872 dddpd.exe 43 PID 552 wrote to memory of 1620 552 fxxlxff.exe 44 PID 552 wrote to memory of 1620 552 fxxlxff.exe 44 PID 552 wrote to memory of 1620 552 fxxlxff.exe 44 PID 552 wrote to memory of 1620 552 fxxlxff.exe 44 PID 1620 wrote to memory of 896 1620 htntbn.exe 45 PID 1620 wrote to memory of 896 1620 htntbn.exe 45 PID 1620 wrote to memory of 896 1620 htntbn.exe 45 PID 1620 wrote to memory of 896 1620 htntbn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec51c66ee6ae5ecdf48ad751c839aa40N.exe"C:\Users\Admin\AppData\Local\Temp\ec51c66ee6ae5ecdf48ad751c839aa40N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\1vddj.exec:\1vddj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\djvjj.exec:\djvjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\3hhnbh.exec:\3hhnbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\pdpdp.exec:\pdpdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\fxxfrxr.exec:\fxxfrxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\7tbbhb.exec:\7tbbhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\vpjvd.exec:\vpjvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\xrrflrx.exec:\xrrflrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\hhbbtn.exec:\hhbbtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\pppjd.exec:\pppjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\rlrxxff.exec:\rlrxxff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\1thhnn.exec:\1thhnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\dddpd.exec:\dddpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\fxxlxff.exec:\fxxlxff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\htntbn.exec:\htntbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\jvpvj.exec:\jvpvj.exe17⤵
- Executes dropped EXE
PID:896 -
\??\c:\rlffrfl.exec:\rlffrfl.exe18⤵
- Executes dropped EXE
PID:1888 -
\??\c:\btbtbb.exec:\btbtbb.exe19⤵
- Executes dropped EXE
PID:1644 -
\??\c:\jjpvp.exec:\jjpvp.exe20⤵
- Executes dropped EXE
PID:1652 -
\??\c:\7xlfrrf.exec:\7xlfrrf.exe21⤵
- Executes dropped EXE
PID:1788 -
\??\c:\bbbbtt.exec:\bbbbtt.exe22⤵
- Executes dropped EXE
PID:2356 -
\??\c:\3djjp.exec:\3djjp.exe23⤵
- Executes dropped EXE
PID:428 -
\??\c:\1vddv.exec:\1vddv.exe24⤵
- Executes dropped EXE
PID:596 -
\??\c:\rrxfrll.exec:\rrxfrll.exe25⤵
- Executes dropped EXE
PID:2488 -
\??\c:\hthnbt.exec:\hthnbt.exe26⤵
- Executes dropped EXE
PID:1720 -
\??\c:\7vdjj.exec:\7vdjj.exe27⤵
- Executes dropped EXE
PID:628 -
\??\c:\dvjpv.exec:\dvjpv.exe28⤵
- Executes dropped EXE
PID:1388 -
\??\c:\frxfffr.exec:\frxfffr.exe29⤵
- Executes dropped EXE
PID:2084 -
\??\c:\9djvj.exec:\9djvj.exe30⤵
- Executes dropped EXE
PID:2620 -
\??\c:\lfxllrf.exec:\lfxllrf.exe31⤵
- Executes dropped EXE
PID:752 -
\??\c:\nnnnbn.exec:\nnnnbn.exe32⤵
- Executes dropped EXE
PID:2444 -
\??\c:\dpjpp.exec:\dpjpp.exe33⤵
- Executes dropped EXE
PID:1592 -
\??\c:\frflrrx.exec:\frflrrx.exe34⤵
- Executes dropped EXE
PID:1640 -
\??\c:\nhhnhb.exec:\nhhnhb.exe35⤵
- Executes dropped EXE
PID:2664 -
\??\c:\thtnbt.exec:\thtnbt.exe36⤵
- Executes dropped EXE
PID:2728 -
\??\c:\dvjvj.exec:\dvjvj.exe37⤵
- Executes dropped EXE
PID:2824 -
\??\c:\rxllllf.exec:\rxllllf.exe38⤵
- Executes dropped EXE
PID:2252 -
\??\c:\lxxfrxx.exec:\lxxfrxx.exe39⤵
- Executes dropped EXE
PID:1908 -
\??\c:\nhbntt.exec:\nhbntt.exe40⤵
- Executes dropped EXE
PID:2552 -
\??\c:\vjvvj.exec:\vjvvj.exe41⤵
- Executes dropped EXE
PID:2740 -
\??\c:\1xllrxf.exec:\1xllrxf.exe42⤵
- Executes dropped EXE
PID:2640 -
\??\c:\5lxxfrx.exec:\5lxxfrx.exe43⤵
- Executes dropped EXE
PID:2016 -
\??\c:\9tnntt.exec:\9tnntt.exe44⤵
- Executes dropped EXE
PID:2592 -
\??\c:\jdjdp.exec:\jdjdp.exe45⤵
- Executes dropped EXE
PID:1264 -
\??\c:\vpdjv.exec:\vpdjv.exe46⤵
- Executes dropped EXE
PID:2224 -
\??\c:\9fllfff.exec:\9fllfff.exe47⤵
- Executes dropped EXE
PID:2868 -
\??\c:\bthtnt.exec:\bthtnt.exe48⤵
- Executes dropped EXE
PID:2788 -
\??\c:\tnhnnh.exec:\tnhnnh.exe49⤵
- Executes dropped EXE
PID:2760 -
\??\c:\pdjjv.exec:\pdjjv.exe50⤵
- Executes dropped EXE
PID:2416 -
\??\c:\pjdpd.exec:\pjdpd.exe51⤵
- Executes dropped EXE
PID:2864 -
\??\c:\xrflxxx.exec:\xrflxxx.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3036 -
\??\c:\htbtbb.exec:\htbtbb.exe53⤵
- Executes dropped EXE
PID:2496 -
\??\c:\3djjv.exec:\3djjv.exe54⤵
- Executes dropped EXE
PID:2312 -
\??\c:\ddjvp.exec:\ddjvp.exe55⤵
- Executes dropped EXE
PID:1744 -
\??\c:\1frfrfl.exec:\1frfrfl.exe56⤵
- Executes dropped EXE
PID:2992 -
\??\c:\9hnhtt.exec:\9hnhtt.exe57⤵
- Executes dropped EXE
PID:2176 -
\??\c:\ppvjj.exec:\ppvjj.exe58⤵
- Executes dropped EXE
PID:1652 -
\??\c:\jjdpd.exec:\jjdpd.exe59⤵
- Executes dropped EXE
PID:2376 -
\??\c:\llfxlxf.exec:\llfxlxf.exe60⤵
- Executes dropped EXE
PID:2896 -
\??\c:\hbntnt.exec:\hbntnt.exe61⤵
- Executes dropped EXE
PID:2112 -
\??\c:\hhthbb.exec:\hhthbb.exe62⤵
- Executes dropped EXE
PID:1608 -
\??\c:\jjpvj.exec:\jjpvj.exe63⤵
- Executes dropped EXE
PID:2476 -
\??\c:\3rfrllx.exec:\3rfrllx.exe64⤵
- Executes dropped EXE
PID:1552 -
\??\c:\xxllrlr.exec:\xxllrlr.exe65⤵
- Executes dropped EXE
PID:1284 -
\??\c:\bntbnb.exec:\bntbnb.exe66⤵PID:620
-
\??\c:\1jjvd.exec:\1jjvd.exe67⤵PID:1176
-
\??\c:\fxxlxfr.exec:\fxxlxfr.exe68⤵PID:1648
-
\??\c:\xrflxxl.exec:\xrflxxl.exe69⤵PID:3032
-
\??\c:\nnntbb.exec:\nnntbb.exe70⤵PID:772
-
\??\c:\hhbbnt.exec:\hhbbnt.exe71⤵PID:876
-
\??\c:\vvvjv.exec:\vvvjv.exe72⤵PID:2448
-
\??\c:\ddpvp.exec:\ddpvp.exe73⤵PID:2704
-
\??\c:\xlfxxxf.exec:\xlfxxxf.exe74⤵PID:1704
-
\??\c:\nbthnh.exec:\nbthnh.exe75⤵PID:3068
-
\??\c:\nbnntt.exec:\nbnntt.exe76⤵PID:2732
-
\??\c:\pjddv.exec:\pjddv.exe77⤵PID:2720
-
\??\c:\jvddv.exec:\jvddv.exe78⤵PID:2700
-
\??\c:\1xxxfxf.exec:\1xxxfxf.exe79⤵PID:2644
-
\??\c:\xxrfrlx.exec:\xxrfrlx.exe80⤵PID:2904
-
\??\c:\9httbb.exec:\9httbb.exe81⤵PID:2688
-
\??\c:\jdpjp.exec:\jdpjp.exe82⤵PID:2656
-
\??\c:\vvdjd.exec:\vvdjd.exe83⤵PID:2740
-
\??\c:\rfrrxrx.exec:\rfrrxrx.exe84⤵PID:2640
-
\??\c:\bhtnbb.exec:\bhtnbb.exe85⤵PID:3052
-
\??\c:\1thnnn.exec:\1thnnn.exe86⤵PID:3060
-
\??\c:\3vdvv.exec:\3vdvv.exe87⤵PID:2852
-
\??\c:\9pvdj.exec:\9pvdj.exe88⤵PID:2224
-
\??\c:\fflxlll.exec:\fflxlll.exe89⤵PID:2868
-
\??\c:\lxflxxf.exec:\lxflxxf.exe90⤵PID:2788
-
\??\c:\3nbttn.exec:\3nbttn.exe91⤵PID:2872
-
\??\c:\bttntt.exec:\bttntt.exe92⤵PID:544
-
\??\c:\9ddjd.exec:\9ddjd.exe93⤵PID:1756
-
\??\c:\lfffrll.exec:\lfffrll.exe94⤵PID:2556
-
\??\c:\9xxfllr.exec:\9xxfllr.exe95⤵PID:1892
-
\??\c:\nhtttt.exec:\nhtttt.exe96⤵PID:1148
-
\??\c:\1bnnnn.exec:\1bnnnn.exe97⤵PID:2132
-
\??\c:\vpjpd.exec:\vpjpd.exe98⤵PID:1048
-
\??\c:\3jvpp.exec:\3jvpp.exe99⤵PID:2104
-
\??\c:\xlllfff.exec:\xlllfff.exe100⤵PID:2184
-
\??\c:\5lxxffl.exec:\5lxxffl.exe101⤵PID:2916
-
\??\c:\bthbnh.exec:\bthbnh.exe102⤵PID:2356
-
\??\c:\dvpvd.exec:\dvpvd.exe103⤵PID:1072
-
\??\c:\3pdjp.exec:\3pdjp.exe104⤵PID:2112
-
\??\c:\rxlrxrl.exec:\rxlrxrl.exe105⤵PID:1608
-
\??\c:\nbhnnn.exec:\nbhnnn.exe106⤵PID:2124
-
\??\c:\hnttbb.exec:\hnttbb.exe107⤵PID:1552
-
\??\c:\vpppd.exec:\vpppd.exe108⤵PID:1088
-
\??\c:\pjdjd.exec:\pjdjd.exe109⤵PID:1716
-
\??\c:\1xxxlxl.exec:\1xxxlxl.exe110⤵PID:1176
-
\??\c:\nhtbnb.exec:\nhtbnb.exe111⤵PID:1480
-
\??\c:\vpvdp.exec:\vpvdp.exe112⤵PID:308
-
\??\c:\vvjvj.exec:\vvjvj.exe113⤵PID:2620
-
\??\c:\llxfffr.exec:\llxfffr.exe114⤵PID:876
-
\??\c:\3fxxflr.exec:\3fxxflr.exe115⤵PID:2448
-
\??\c:\5ntbhn.exec:\5ntbhn.exe116⤵PID:2364
-
\??\c:\ntnntb.exec:\ntnntb.exe117⤵PID:1704
-
\??\c:\dvjvj.exec:\dvjvj.exe118⤵PID:2340
-
\??\c:\xrflxfl.exec:\xrflxfl.exe119⤵PID:2968
-
\??\c:\7lxlrxf.exec:\7lxlrxf.exe120⤵PID:2720
-
\??\c:\ttnbtb.exec:\ttnbtb.exe121⤵PID:2828
-
\??\c:\pjvjp.exec:\pjvjp.exe122⤵PID:2540