Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
21-11-2024 08:57
Behavioral task
behavioral1
Sample
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe
Resource
win7-20240903-en
General
-
Target
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe
-
Size
335KB
-
MD5
7a0f333a155797167d0c5c56254cc806
-
SHA1
a2b255e1eb252ef27942c16ee3031bf6d5f63d5e
-
SHA256
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f
-
SHA512
7d1e40cafc3463f84b2610ef06f5644e9f5bab008da42a78d8d270a17d2110830377b4668643b74000d5ab296659dc930f710c647e80869b837a74c90a4cc82d
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRp:R4wFHoSHYHUrAwfMp3CDRp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/2644-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2344-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1624-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4228-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3856-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2932-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3868-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/756-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1944-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/324-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/724-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/368-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3644-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1140-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3392-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/748-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3196-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1220-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1812-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2652-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/316-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4064-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3880-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/820-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/212-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2084-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1364-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/468-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3544-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/396-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2840-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2764-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/688-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2644-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3512-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4796-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2916-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5020-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4628-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/520-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/724-316-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2036-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3692-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1740-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1200-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/760-355-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-358-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3376-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4628-450-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1380-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2388-608-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1240-623-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1040-802-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1304-1131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
ffrrrrr.exetnhbbb.exehhttbh.exentttnn.exeddjdv.exevvdvv.exebbntbt.exentbbbh.exepdjdd.exepppvv.exerxfxxlf.exetttttt.exe1htnnt.exeddpdd.exellrrrrr.exedpddv.exeffxrxxf.exe5htttb.exe5htntt.exejjvvd.exevdjpj.exexfrrlll.exetbnhbb.exebnhbbn.exevpdjd.exejdjpj.exerfrxxxx.exebhnnhh.exehthhbn.exejjddv.exelflrlxl.exerfrfxff.exe3nbhhh.exepjjpd.exe5jvpp.exe9lrllrr.exehhhbhh.exedpdvj.exetbbnbn.exe9nnnhn.exedvjdd.exejpdjj.exefxxxxff.exehhtttb.exenttttt.exejddpj.exejpjdv.exe5llxrlf.exe1rffllr.exebtnnnn.exepdpdd.exefxlllrr.exefflfxff.exebtnnbt.exepjvvd.exefxxfxll.exepvvvv.exejpvpd.exerrllxxf.exentnnnh.exepjvvp.exe7xfxrll.exe9lrlfxf.exenbhhtt.exepid Process 1624 ffrrrrr.exe 2344 tnhbbb.exe 4228 hhttbh.exe 3856 ntttnn.exe 1736 ddjdv.exe 2932 vvdvv.exe 3544 bbntbt.exe 3868 ntbbbh.exe 468 pdjdd.exe 4236 pppvv.exe 1788 rxfxxlf.exe 1364 tttttt.exe 2916 1htnnt.exe 756 ddpdd.exe 2084 llrrrrr.exe 212 dpddv.exe 4040 ffxrxxf.exe 1944 5htttb.exe 324 5htntt.exe 820 jjvvd.exe 3880 vdjpj.exe 4064 xfrrlll.exe 4476 tbnhbb.exe 3088 bnhbbn.exe 316 vpdjd.exe 3428 jdjpj.exe 2884 rfrxxxx.exe 724 bhnnhh.exe 2652 hthhbn.exe 2036 jjddv.exe 3832 lflrlxl.exe 3520 rfrfxff.exe 3392 3nbhhh.exe 1140 pjjpd.exe 368 5jvpp.exe 3644 9lrllrr.exe 2004 hhhbhh.exe 748 dpdvj.exe 3196 tbbnbn.exe 2040 9nnnhn.exe 1220 dvjdd.exe 3112 jpdjj.exe 1812 fxxxxff.exe 852 hhtttb.exe 3852 nttttt.exe 5012 jddpj.exe 1408 jpjdv.exe 3840 5llxrlf.exe 3376 1rffllr.exe 3448 btnnnn.exe 5096 pdpdd.exe 2704 fxlllrr.exe 5116 fflfxff.exe 1464 btnnbt.exe 396 pjvvd.exe 2840 fxxfxll.exe 4344 pvvvv.exe 2764 jpvpd.exe 3596 rrllxxf.exe 4564 ntnnnh.exe 4312 pjvvp.exe 688 7xfxrll.exe 2644 9lrlfxf.exe 1624 nbhhtt.exe -
Processes:
resource yara_rule behavioral2/memory/2644-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023ba7-3.dat upx behavioral2/memory/2644-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c90-9.dat upx behavioral2/memory/2344-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c94-12.dat upx behavioral2/memory/1624-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c96-18.dat upx behavioral2/memory/4228-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c97-25.dat upx behavioral2/memory/3856-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c98-30.dat upx behavioral2/memory/1736-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c99-35.dat upx behavioral2/memory/2932-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-44.dat upx behavioral2/memory/3868-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-50.dat upx behavioral2/files/0x0007000000023c9d-54.dat upx behavioral2/memory/1788-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-59.dat upx behavioral2/files/0x0007000000023ca1-71.dat upx behavioral2/memory/756-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-68.dat upx behavioral2/files/0x0007000000023ca2-78.dat upx behavioral2/files/0x0007000000023ca4-87.dat upx behavioral2/memory/1944-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/324-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-103.dat upx behavioral2/files/0x0007000000023ca8-106.dat upx behavioral2/memory/3088-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c91-131.dat 
upx behavioral2/files/0x0007000000023cad-135.dat upx behavioral2/files/0x0007000000023cae-140.dat upx behavioral2/memory/724-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-145.dat upx behavioral2/files/0x0007000000023cb1-153.dat upx behavioral2/memory/368-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3644-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1140-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3392-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3520-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/748-173-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3196-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1220-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1812-186-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-149.dat upx behavioral2/memory/2652-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/316-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-126.dat upx behavioral2/files/0x0007000000023cab-121.dat upx behavioral2/files/0x0007000000023caa-117.dat upx behavioral2/memory/4064-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-112.dat upx behavioral2/memory/3880-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/820-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca6-97.dat upx behavioral2/files/0x0007000000023ca5-92.dat upx behavioral2/memory/4040-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/212-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-83.dat upx 
behavioral2/memory/2084-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-64.dat upx behavioral2/memory/1364-63-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
fxfrlfr.exexlxrllf.exennbtnn.exexxllffx.exetttttt.exedjdjj.exe1ffxllx.exetnbbtt.exebbnnnn.exelfxrlfx.exevpjdp.exepvppp.exejppvp.exexllfxlf.exellxfxll.exe7hnhtt.exe3djjd.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xllfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exeffrrrrr.exetnhbbb.exehhttbh.exentttnn.exeddjdv.exevvdvv.exebbntbt.exentbbbh.exepdjdd.exepppvv.exerxfxxlf.exetttttt.exe1htnnt.exeddpdd.exellrrrrr.exedpddv.exeffxrxxf.exe5htttb.exe5htntt.exejjvvd.exevdjpj.exedescription pid Process procid_target PID 2644 wrote to memory of 1624 2644 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 82 PID 2644 wrote to memory of 1624 2644 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 82 PID 2644 wrote to memory of 1624 2644 d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe 82 PID 1624 wrote to memory of 2344 1624 ffrrrrr.exe 83 PID 1624 wrote to memory of 2344 1624 ffrrrrr.exe 83 PID 1624 wrote to memory of 2344 1624 ffrrrrr.exe 83 PID 2344 wrote to memory of 4228 2344 tnhbbb.exe 84 PID 2344 wrote to memory of 4228 2344 tnhbbb.exe 84 PID 2344 wrote to memory of 4228 2344 tnhbbb.exe 84 PID 4228 wrote to memory of 3856 4228 hhttbh.exe 85 PID 4228 wrote to memory of 3856 4228 hhttbh.exe 85 PID 4228 wrote to memory of 3856 4228 hhttbh.exe 85 PID 3856 wrote to memory of 1736 3856 ntttnn.exe 86 PID 3856 wrote to memory of 1736 3856 ntttnn.exe 86 PID 3856 wrote to memory of 1736 3856 ntttnn.exe 86 PID 1736 wrote to memory of 2932 1736 ddjdv.exe 87 PID 1736 wrote to memory of 2932 1736 ddjdv.exe 87 PID 1736 wrote to memory of 2932 1736 ddjdv.exe 87 PID 2932 wrote to memory of 3544 2932 vvdvv.exe 88 PID 2932 wrote to memory of 3544 2932 vvdvv.exe 88 PID 2932 wrote to memory of 3544 2932 vvdvv.exe 88 PID 3544 wrote to memory of 3868 3544 bbntbt.exe 89 PID 3544 wrote to memory of 3868 3544 bbntbt.exe 89 PID 3544 wrote to memory of 3868 3544 bbntbt.exe 89 PID 3868 wrote to memory of 468 3868 ntbbbh.exe 90 PID 3868 wrote to memory of 468 3868 ntbbbh.exe 90 PID 3868 wrote to memory of 468 3868 ntbbbh.exe 90 PID 468 wrote to memory of 4236 468 pdjdd.exe 91 PID 468 wrote to memory of 4236 468 pdjdd.exe 91 PID 468 wrote to 
memory of 4236 468 pdjdd.exe 91 PID 4236 wrote to memory of 1788 4236 pppvv.exe 92 PID 4236 wrote to memory of 1788 4236 pppvv.exe 92 PID 4236 wrote to memory of 1788 4236 pppvv.exe 92 PID 1788 wrote to memory of 1364 1788 rxfxxlf.exe 93 PID 1788 wrote to memory of 1364 1788 rxfxxlf.exe 93 PID 1788 wrote to memory of 1364 1788 rxfxxlf.exe 93 PID 1364 wrote to memory of 2916 1364 tttttt.exe 94 PID 1364 wrote to memory of 2916 1364 tttttt.exe 94 PID 1364 wrote to memory of 2916 1364 tttttt.exe 94 PID 2916 wrote to memory of 756 2916 1htnnt.exe 95 PID 2916 wrote to memory of 756 2916 1htnnt.exe 95 PID 2916 wrote to memory of 756 2916 1htnnt.exe 95 PID 756 wrote to memory of 2084 756 ddpdd.exe 96 PID 756 wrote to memory of 2084 756 ddpdd.exe 96 PID 756 wrote to memory of 2084 756 ddpdd.exe 96 PID 2084 wrote to memory of 212 2084 llrrrrr.exe 97 PID 2084 wrote to memory of 212 2084 llrrrrr.exe 97 PID 2084 wrote to memory of 212 2084 llrrrrr.exe 97 PID 212 wrote to memory of 4040 212 dpddv.exe 98 PID 212 wrote to memory of 4040 212 dpddv.exe 98 PID 212 wrote to memory of 4040 212 dpddv.exe 98 PID 4040 wrote to memory of 1944 4040 ffxrxxf.exe 99 PID 4040 wrote to memory of 1944 4040 ffxrxxf.exe 99 PID 4040 wrote to memory of 1944 4040 ffxrxxf.exe 99 PID 1944 wrote to memory of 324 1944 5htttb.exe 100 PID 1944 wrote to memory of 324 1944 5htttb.exe 100 PID 1944 wrote to memory of 324 1944 5htttb.exe 100 PID 324 wrote to memory of 820 324 5htntt.exe 101 PID 324 wrote to memory of 820 324 5htntt.exe 101 PID 324 wrote to memory of 820 324 5htntt.exe 101 PID 820 wrote to memory of 3880 820 jjvvd.exe 102 PID 820 wrote to memory of 3880 820 jjvvd.exe 102 PID 820 wrote to memory of 3880 820 jjvvd.exe 102 PID 3880 wrote to memory of 4064 3880 vdjpj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe"C:\Users\Admin\AppData\Local\Temp\d42e663bdb1661490731c5c7a860000a5c057a5f133de9ecbf2d74031e6c959f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\ffrrrrr.exec:\ffrrrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\tnhbbb.exec:\tnhbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\hhttbh.exec:\hhttbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\ntttnn.exec:\ntttnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\ddjdv.exec:\ddjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\vvdvv.exec:\vvdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\bbntbt.exec:\bbntbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\ntbbbh.exec:\ntbbbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\pdjdd.exec:\pdjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\pppvv.exec:\pppvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\rxfxxlf.exec:\rxfxxlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\tttttt.exec:\tttttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\1htnnt.exec:\1htnnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\ddpdd.exec:\ddpdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\llrrrrr.exec:\llrrrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\dpddv.exec:\dpddv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\ffxrxxf.exec:\ffxrxxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\5htttb.exec:\5htttb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\5htntt.exec:\5htntt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\jjvvd.exec:\jjvvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\vdjpj.exec:\vdjpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\xfrrlll.exec:\xfrrlll.exe23⤵
- Executes dropped EXE
PID:4064 -
\??\c:\tbnhbb.exec:\tbnhbb.exe24⤵
- Executes dropped EXE
PID:4476 -
\??\c:\bnhbbn.exec:\bnhbbn.exe25⤵
- Executes dropped EXE
PID:3088 -
\??\c:\vpdjd.exec:\vpdjd.exe26⤵
- Executes dropped EXE
PID:316 -
\??\c:\jdjpj.exec:\jdjpj.exe27⤵
- Executes dropped EXE
PID:3428 -
\??\c:\rfrxxxx.exec:\rfrxxxx.exe28⤵
- Executes dropped EXE
PID:2884 -
\??\c:\bhnnhh.exec:\bhnnhh.exe29⤵
- Executes dropped EXE
PID:724 -
\??\c:\hthhbn.exec:\hthhbn.exe30⤵
- Executes dropped EXE
PID:2652 -
\??\c:\jjddv.exec:\jjddv.exe31⤵
- Executes dropped EXE
PID:2036 -
\??\c:\lflrlxl.exec:\lflrlxl.exe32⤵
- Executes dropped EXE
PID:3832 -
\??\c:\rfrfxff.exec:\rfrfxff.exe33⤵
- Executes dropped EXE
PID:3520 -
\??\c:\3nbhhh.exec:\3nbhhh.exe34⤵
- Executes dropped EXE
PID:3392 -
\??\c:\pjjpd.exec:\pjjpd.exe35⤵
- Executes dropped EXE
PID:1140 -
\??\c:\5jvpp.exec:\5jvpp.exe36⤵
- Executes dropped EXE
PID:368 -
\??\c:\9lrllrr.exec:\9lrllrr.exe37⤵
- Executes dropped EXE
PID:3644 -
\??\c:\hhhbhh.exec:\hhhbhh.exe38⤵
- Executes dropped EXE
PID:2004 -
\??\c:\dpdvj.exec:\dpdvj.exe39⤵
- Executes dropped EXE
PID:748 -
\??\c:\tbbnbn.exec:\tbbnbn.exe40⤵
- Executes dropped EXE
PID:3196 -
\??\c:\9nnnhn.exec:\9nnnhn.exe41⤵
- Executes dropped EXE
PID:2040 -
\??\c:\dvjdd.exec:\dvjdd.exe42⤵
- Executes dropped EXE
PID:1220 -
\??\c:\jpdjj.exec:\jpdjj.exe43⤵
- Executes dropped EXE
PID:3112 -
\??\c:\fxxxxff.exec:\fxxxxff.exe44⤵
- Executes dropped EXE
PID:1812 -
\??\c:\hhtttb.exec:\hhtttb.exe45⤵
- Executes dropped EXE
PID:852 -
\??\c:\nttttt.exec:\nttttt.exe46⤵
- Executes dropped EXE
PID:3852 -
\??\c:\jddpj.exec:\jddpj.exe47⤵
- Executes dropped EXE
PID:5012 -
\??\c:\jpjdv.exec:\jpjdv.exe48⤵
- Executes dropped EXE
PID:1408 -
\??\c:\5llxrlf.exec:\5llxrlf.exe49⤵
- Executes dropped EXE
PID:3840 -
\??\c:\1rffllr.exec:\1rffllr.exe50⤵
- Executes dropped EXE
PID:3376 -
\??\c:\btnnnn.exec:\btnnnn.exe51⤵
- Executes dropped EXE
PID:3448 -
\??\c:\pdpdd.exec:\pdpdd.exe52⤵
- Executes dropped EXE
PID:5096 -
\??\c:\fxlllrr.exec:\fxlllrr.exe53⤵
- Executes dropped EXE
PID:2704 -
\??\c:\fflfxff.exec:\fflfxff.exe54⤵
- Executes dropped EXE
PID:5116 -
\??\c:\btnnbt.exec:\btnnbt.exe55⤵
- Executes dropped EXE
PID:1464 -
\??\c:\pjvvd.exec:\pjvvd.exe56⤵
- Executes dropped EXE
PID:396 -
\??\c:\fxxfxll.exec:\fxxfxll.exe57⤵
- Executes dropped EXE
PID:2840 -
\??\c:\pvvvv.exec:\pvvvv.exe58⤵
- Executes dropped EXE
PID:4344 -
\??\c:\jpvpd.exec:\jpvpd.exe59⤵
- Executes dropped EXE
PID:2764 -
\??\c:\rrllxxf.exec:\rrllxxf.exe60⤵
- Executes dropped EXE
PID:3596 -
\??\c:\ntnnnh.exec:\ntnnnh.exe61⤵
- Executes dropped EXE
PID:4564 -
\??\c:\pjvvp.exec:\pjvvp.exe62⤵
- Executes dropped EXE
PID:4312 -
\??\c:\7xfxrll.exec:\7xfxrll.exe63⤵
- Executes dropped EXE
PID:688 -
\??\c:\9lrlfxf.exec:\9lrlfxf.exe64⤵
- Executes dropped EXE
PID:2644 -
\??\c:\nbhhtt.exec:\nbhhtt.exe65⤵
- Executes dropped EXE
PID:1624 -
\??\c:\jddvp.exec:\jddvp.exe66⤵PID:3512
-
\??\c:\fxllfxf.exec:\fxllfxf.exe67⤵PID:4744
-
\??\c:\7hnhtt.exec:\7hnhtt.exe68⤵
- System Location Discovery: System Language Discovery
PID:772 -
\??\c:\bbhbbb.exec:\bbhbbb.exe69⤵PID:4796
-
\??\c:\5lxxflf.exec:\5lxxflf.exe70⤵PID:444
-
\??\c:\hhttbh.exec:\hhttbh.exe71⤵PID:4328
-
\??\c:\9dppd.exec:\9dppd.exe72⤵PID:2808
-
\??\c:\hbthtb.exec:\hbthtb.exe73⤵PID:1940
-
\??\c:\jdpvp.exec:\jdpvp.exe74⤵PID:1628
-
\??\c:\rlrrllf.exec:\rlrrllf.exe75⤵PID:468
-
\??\c:\btbbtb.exec:\btbbtb.exe76⤵PID:4764
-
\??\c:\xffllff.exec:\xffllff.exe77⤵PID:2848
-
\??\c:\9hnnht.exec:\9hnnht.exe78⤵PID:1344
-
\??\c:\lfrlflf.exec:\lfrlflf.exe79⤵PID:3080
-
\??\c:\7hnhhn.exec:\7hnhhn.exe80⤵PID:2928
-
\??\c:\1pdvj.exec:\1pdvj.exe81⤵PID:2916
-
\??\c:\rrxxxfx.exec:\rrxxxfx.exe82⤵PID:1664
-
\??\c:\dpjjd.exec:\dpjjd.exe83⤵PID:896
-
\??\c:\5lrfxxx.exec:\5lrfxxx.exe84⤵PID:3132
-
\??\c:\htttnb.exec:\htttnb.exe85⤵PID:3300
-
\??\c:\9ntttb.exec:\9ntttb.exe86⤵PID:4904
-
\??\c:\dpdvd.exec:\dpdvd.exe87⤵PID:116
-
\??\c:\ffrfxrr.exec:\ffrfxrr.exe88⤵PID:4936
-
\??\c:\bttnnn.exec:\bttnnn.exe89⤵PID:324
-
\??\c:\jpddd.exec:\jpddd.exe90⤵PID:5020
-
\??\c:\dvpjv.exec:\dvpjv.exe91⤵PID:4628
-
\??\c:\1llfxxx.exec:\1llfxxx.exe92⤵PID:4508
-
\??\c:\tbtttt.exec:\tbtttt.exe93⤵PID:3492
-
\??\c:\hnbttb.exec:\hnbttb.exe94⤵PID:4736
-
\??\c:\djvvj.exec:\djvvj.exe95⤵PID:1380
-
\??\c:\3pppj.exec:\3pppj.exe96⤵PID:1696
-
\??\c:\fxllllr.exec:\fxllllr.exe97⤵PID:2476
-
\??\c:\tntttb.exec:\tntttb.exe98⤵PID:2496
-
\??\c:\jjddv.exec:\jjddv.exe99⤵PID:520
-
\??\c:\1pjpj.exec:\1pjpj.exe100⤵PID:724
-
\??\c:\9lxxrfx.exec:\9lxxrfx.exe101⤵PID:3020
-
\??\c:\hnbbtt.exec:\hnbbtt.exe102⤵PID:5100
-
\??\c:\bhtnbb.exec:\bhtnbb.exe103⤵PID:2036
-
\??\c:\jvdvv.exec:\jvdvv.exe104⤵PID:3692
-
\??\c:\rrllffx.exec:\rrllffx.exe105⤵PID:1508
-
\??\c:\hhnnnt.exec:\hhnnnt.exe106⤵PID:440
-
\??\c:\1bhhbh.exec:\1bhhbh.exe107⤵PID:1740
-
\??\c:\vppdd.exec:\vppdd.exe108⤵PID:1848
-
\??\c:\lflllll.exec:\lflllll.exe109⤵PID:1420
-
\??\c:\ntnttt.exec:\ntnttt.exe110⤵PID:1124
-
\??\c:\hbntnb.exec:\hbntnb.exe111⤵PID:1616
-
\??\c:\9dvpj.exec:\9dvpj.exe112⤵PID:4136
-
\??\c:\fllxrlr.exec:\fllxrlr.exe113⤵PID:2228
-
\??\c:\tnbhhh.exec:\tnbhhh.exe114⤵PID:824
-
\??\c:\9btnhb.exec:\9btnhb.exe115⤵PID:1200
-
\??\c:\dvpvj.exec:\dvpvj.exe116⤵PID:760
-
\??\c:\rxfflxx.exec:\rxfflxx.exe117⤵PID:1672
-
\??\c:\ttnnnb.exec:\ttnnnb.exe118⤵PID:4660
-
\??\c:\hhhtnh.exec:\hhhtnh.exe119⤵PID:1892
-
\??\c:\vvvpj.exec:\vvvpj.exe120⤵PID:1712
-
\??\c:\xflxrxr.exec:\xflxrxr.exe121⤵PID:2760
-
\??\c:\xrfxrff.exec:\xrfxrff.exe122⤵PID:5012