Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 00:26
Static task
static1
Behavioral task
behavioral1
Sample
642b6c52b29a090b4acef85c8c9f287394ccbe718411c3d801a0f6238c8f8d61.exe
Resource
win7-20241010-en
General
-
Target
642b6c52b29a090b4acef85c8c9f287394ccbe718411c3d801a0f6238c8f8d61.exe
-
Size
453KB
-
MD5
43329281f879a335bbbfb81dae3dcc5f
-
SHA1
67ea86f7a992c3c7754e850ee448c66d57ad4d1f
-
SHA256
642b6c52b29a090b4acef85c8c9f287394ccbe718411c3d801a0f6238c8f8d61
-
SHA512
4fe6cd4b4a93fcba6581035773876557a4d9818845809fd0b8c77d22859fccc92e487e7656c017efc04f2396f7a0f47211a31cf38e3b76d6ab43c9e91f02491f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Processes:
resource yara_rule behavioral2/memory/3292-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2420-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4440-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-963-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-1027-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/8-1043-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
fxxrffx.exettttnn.exejjjvj.exe846004.exe9hbttb.exefrxrllx.exepdvdv.exetttbtn.exevpdvp.exe1fxrlfx.exepjjdp.exe8464826.exe8228406.exepdjpd.exexfxfxfx.exee46022.exexlrxllf.exe0886082.exebhthth.exe6626002.exepppdp.exebtnhbn.exe648248.exeppjvj.exea2248.exe204482.exe8840608.exe9dvpd.exehnthbt.exe208666.exetbhthn.exe8282044.exe482648.exe0882044.exebbhnbb.exehtthtn.exew66088.exe288882.exe4248824.exerffrlfx.exevvvpj.exennthbt.exelxxlfxl.exe840408.exe64044.exehbnnbt.exe0880482.exetthnnn.exe8488260.exe268266.exenhtthb.exejpvpj.exepdjjp.exe68422.exem2824.exedvdvd.exeflfrxff.exevvvpj.exe08048.exe28482.exe022448.exe860848.exerffxrlf.exevppjd.exepid Process 2248 fxxrffx.exe 3964 ttttnn.exe 2624 jjjvj.exe 3436 846004.exe 2060 9hbttb.exe 4140 frxrllx.exe 1468 pdvdv.exe 4828 tttbtn.exe 2316 vpdvp.exe 2040 1fxrlfx.exe 1540 pjjdp.exe 2136 8464826.exe 1648 8228406.exe 1376 pdjpd.exe 5100 xfxfxfx.exe 4780 e46022.exe 4620 xlrxllf.exe 4324 0886082.exe 3936 bhthth.exe 3716 6626002.exe 3104 pppdp.exe 3424 btnhbn.exe 4972 648248.exe 2420 ppjvj.exe 3828 a2248.exe 1736 204482.exe 1256 8840608.exe 1492 9dvpd.exe 2600 hnthbt.exe 3640 208666.exe 3712 tbhthn.exe 452 8282044.exe 1684 482648.exe 4000 0882044.exe 3288 bbhnbb.exe 632 htthtn.exe 4284 w66088.exe 3056 288882.exe 2076 4248824.exe 4020 rffrlfx.exe 4416 vvvpj.exe 4236 nnthbt.exe 2412 lxxlfxl.exe 1844 840408.exe 1292 64044.exe 2180 hbnnbt.exe 3396 0880482.exe 4672 tthnnn.exe 4344 8488260.exe 4540 268266.exe 4040 nhtthb.exe 1468 jpvpj.exe 4868 pdjjp.exe 4912 68422.exe 2400 m2824.exe 3468 dvdvd.exe 1888 flfrxff.exe 4180 vvvpj.exe 5100 08048.exe 448 28482.exe 3284 022448.exe 924 860848.exe 2528 rffxrlf.exe 4468 vppjd.exe -
Processes:
resource yara_rule behavioral2/memory/3292-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2420-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-349-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1812-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-614-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
846466.exetbntnn.exe48000.exe1jvpd.exe4264264.exe06082.exe2082842.exe5xrxrrl.exerxrfxrl.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846466.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4264264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2082842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrfxrl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
642b6c52b29a090b4acef85c8c9f287394ccbe718411c3d801a0f6238c8f8d61.exefxxrffx.exettttnn.exejjjvj.exe846004.exe9hbttb.exefrxrllx.exepdvdv.exetttbtn.exevpdvp.exe1fxrlfx.exepjjdp.exe8464826.exe8228406.exepdjpd.exexfxfxfx.exee46022.exexlrxllf.exe0886082.exebhthth.exe6626002.exepppdp.exedescription pid Process procid_target PID 3292 wrote to memory of 2248 3292 642b6c52b29a090b4acef85c8c9f287394ccbe718411c3d801a0f6238c8f8d61.exe 83 PID 3292 wrote to memory of 2248 3292 642b6c52b29a090b4acef85c8c9f287394ccbe718411c3d801a0f6238c8f8d61.exe 83 PID 3292 wrote to memory of 2248 3292 642b6c52b29a090b4acef85c8c9f287394ccbe718411c3d801a0f6238c8f8d61.exe 83 PID 2248 wrote to memory of 3964 2248 fxxrffx.exe 84 PID 2248 wrote to memory of 3964 2248 fxxrffx.exe 84 PID 2248 wrote to memory of 3964 2248 fxxrffx.exe 84 PID 3964 wrote to memory of 2624 3964 ttttnn.exe 85 PID 3964 wrote to memory of 2624 3964 ttttnn.exe 85 PID 3964 wrote to memory of 2624 3964 ttttnn.exe 85 PID 2624 wrote to memory of 3436 2624 jjjvj.exe 86 PID 2624 wrote to memory of 3436 2624 jjjvj.exe 86 PID 2624 wrote to memory of 3436 2624 jjjvj.exe 86 PID 3436 wrote to memory of 2060 3436 846004.exe 87 PID 3436 wrote to memory of 2060 3436 846004.exe 87 PID 3436 wrote to memory of 2060 3436 846004.exe 87 PID 2060 wrote to memory of 4140 2060 9hbttb.exe 88 PID 2060 wrote to memory of 4140 2060 9hbttb.exe 88 PID 2060 wrote to memory of 4140 2060 9hbttb.exe 88 PID 4140 wrote to memory of 1468 4140 frxrllx.exe 89 PID 4140 wrote to memory of 1468 4140 frxrllx.exe 89 PID 4140 wrote to memory of 1468 4140 frxrllx.exe 89 PID 1468 wrote to memory of 4828 1468 pdvdv.exe 90 PID 1468 wrote to memory of 4828 1468 pdvdv.exe 90 PID 1468 wrote to memory of 4828 1468 pdvdv.exe 90 PID 4828 wrote to memory of 2316 4828 tttbtn.exe 91 PID 4828 wrote to memory of 2316 4828 tttbtn.exe 91 PID 4828 wrote to memory of 2316 4828 tttbtn.exe 91 PID 2316 wrote to memory of 2040 2316 vpdvp.exe 92 PID 2316 wrote to memory of 2040 2316 vpdvp.exe 92 
PID 2316 wrote to memory of 2040 2316 vpdvp.exe 92 PID 2040 wrote to memory of 1540 2040 1fxrlfx.exe 93 PID 2040 wrote to memory of 1540 2040 1fxrlfx.exe 93 PID 2040 wrote to memory of 1540 2040 1fxrlfx.exe 93 PID 1540 wrote to memory of 2136 1540 pjjdp.exe 94 PID 1540 wrote to memory of 2136 1540 pjjdp.exe 94 PID 1540 wrote to memory of 2136 1540 pjjdp.exe 94 PID 2136 wrote to memory of 1648 2136 8464826.exe 95 PID 2136 wrote to memory of 1648 2136 8464826.exe 95 PID 2136 wrote to memory of 1648 2136 8464826.exe 95 PID 1648 wrote to memory of 1376 1648 8228406.exe 96 PID 1648 wrote to memory of 1376 1648 8228406.exe 96 PID 1648 wrote to memory of 1376 1648 8228406.exe 96 PID 1376 wrote to memory of 5100 1376 pdjpd.exe 97 PID 1376 wrote to memory of 5100 1376 pdjpd.exe 97 PID 1376 wrote to memory of 5100 1376 pdjpd.exe 97 PID 5100 wrote to memory of 4780 5100 xfxfxfx.exe 98 PID 5100 wrote to memory of 4780 5100 xfxfxfx.exe 98 PID 5100 wrote to memory of 4780 5100 xfxfxfx.exe 98 PID 4780 wrote to memory of 4620 4780 e46022.exe 99 PID 4780 wrote to memory of 4620 4780 e46022.exe 99 PID 4780 wrote to memory of 4620 4780 e46022.exe 99 PID 4620 wrote to memory of 4324 4620 xlrxllf.exe 100 PID 4620 wrote to memory of 4324 4620 xlrxllf.exe 100 PID 4620 wrote to memory of 4324 4620 xlrxllf.exe 100 PID 4324 wrote to memory of 3936 4324 0886082.exe 101 PID 4324 wrote to memory of 3936 4324 0886082.exe 101 PID 4324 wrote to memory of 3936 4324 0886082.exe 101 PID 3936 wrote to memory of 3716 3936 bhthth.exe 102 PID 3936 wrote to memory of 3716 3936 bhthth.exe 102 PID 3936 wrote to memory of 3716 3936 bhthth.exe 102 PID 3716 wrote to memory of 3104 3716 6626002.exe 103 PID 3716 wrote to memory of 3104 3716 6626002.exe 103 PID 3716 wrote to memory of 3104 3716 6626002.exe 103 PID 3104 wrote to memory of 3424 3104 pppdp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\642b6c52b29a090b4acef85c8c9f287394ccbe718411c3d801a0f6238c8f8d61.exe"C:\Users\Admin\AppData\Local\Temp\642b6c52b29a090b4acef85c8c9f287394ccbe718411c3d801a0f6238c8f8d61.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\fxxrffx.exec:\fxxrffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\ttttnn.exec:\ttttnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\jjjvj.exec:\jjjvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\846004.exec:\846004.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\9hbttb.exec:\9hbttb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\frxrllx.exec:\frxrllx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\pdvdv.exec:\pdvdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\tttbtn.exec:\tttbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\vpdvp.exec:\vpdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\1fxrlfx.exec:\1fxrlfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\pjjdp.exec:\pjjdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\8464826.exec:\8464826.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\8228406.exec:\8228406.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\pdjpd.exec:\pdjpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\xfxfxfx.exec:\xfxfxfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\e46022.exec:\e46022.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\xlrxllf.exec:\xlrxllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\0886082.exec:\0886082.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\bhthth.exec:\bhthth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\6626002.exec:\6626002.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\pppdp.exec:\pppdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\btnhbn.exec:\btnhbn.exe23⤵
- Executes dropped EXE
PID:3424 -
\??\c:\648248.exec:\648248.exe24⤵
- Executes dropped EXE
PID:4972 -
\??\c:\ppjvj.exec:\ppjvj.exe25⤵
- Executes dropped EXE
PID:2420 -
\??\c:\a2248.exec:\a2248.exe26⤵
- Executes dropped EXE
PID:3828 -
\??\c:\204482.exec:\204482.exe27⤵
- Executes dropped EXE
PID:1736 -
\??\c:\8840608.exec:\8840608.exe28⤵
- Executes dropped EXE
PID:1256 -
\??\c:\9dvpd.exec:\9dvpd.exe29⤵
- Executes dropped EXE
PID:1492 -
\??\c:\hnthbt.exec:\hnthbt.exe30⤵
- Executes dropped EXE
PID:2600 -
\??\c:\208666.exec:\208666.exe31⤵
- Executes dropped EXE
PID:3640 -
\??\c:\tbhthn.exec:\tbhthn.exe32⤵
- Executes dropped EXE
PID:3712 -
\??\c:\8282044.exec:\8282044.exe33⤵
- Executes dropped EXE
PID:452 -
\??\c:\482648.exec:\482648.exe34⤵
- Executes dropped EXE
PID:1684 -
\??\c:\0882044.exec:\0882044.exe35⤵
- Executes dropped EXE
PID:4000 -
\??\c:\bbhnbb.exec:\bbhnbb.exe36⤵
- Executes dropped EXE
PID:3288 -
\??\c:\htthtn.exec:\htthtn.exe37⤵
- Executes dropped EXE
PID:632 -
\??\c:\w66088.exec:\w66088.exe38⤵
- Executes dropped EXE
PID:4284 -
\??\c:\288882.exec:\288882.exe39⤵
- Executes dropped EXE
PID:3056 -
\??\c:\4248824.exec:\4248824.exe40⤵
- Executes dropped EXE
PID:2076 -
\??\c:\rffrlfx.exec:\rffrlfx.exe41⤵
- Executes dropped EXE
PID:4020 -
\??\c:\vvvpj.exec:\vvvpj.exe42⤵
- Executes dropped EXE
PID:4416 -
\??\c:\nnthbt.exec:\nnthbt.exe43⤵
- Executes dropped EXE
PID:4236 -
\??\c:\lxxlfxl.exec:\lxxlfxl.exe44⤵
- Executes dropped EXE
PID:2412 -
\??\c:\840408.exec:\840408.exe45⤵
- Executes dropped EXE
PID:1844 -
\??\c:\64044.exec:\64044.exe46⤵
- Executes dropped EXE
PID:1292 -
\??\c:\hbnnbt.exec:\hbnnbt.exe47⤵
- Executes dropped EXE
PID:2180 -
\??\c:\0880482.exec:\0880482.exe48⤵
- Executes dropped EXE
PID:3396 -
\??\c:\tthnnn.exec:\tthnnn.exe49⤵
- Executes dropped EXE
PID:4672 -
\??\c:\8488260.exec:\8488260.exe50⤵
- Executes dropped EXE
PID:4344 -
\??\c:\268266.exec:\268266.exe51⤵
- Executes dropped EXE
PID:4540 -
\??\c:\nhtthb.exec:\nhtthb.exe52⤵
- Executes dropped EXE
PID:4040 -
\??\c:\jpvpj.exec:\jpvpj.exe53⤵
- Executes dropped EXE
PID:1468 -
\??\c:\pdjjp.exec:\pdjjp.exe54⤵
- Executes dropped EXE
PID:4868 -
\??\c:\68422.exec:\68422.exe55⤵
- Executes dropped EXE
PID:4912 -
\??\c:\m2824.exec:\m2824.exe56⤵
- Executes dropped EXE
PID:2400 -
\??\c:\dvdvd.exec:\dvdvd.exe57⤵
- Executes dropped EXE
PID:3468 -
\??\c:\flfrxff.exec:\flfrxff.exe58⤵
- Executes dropped EXE
PID:1888 -
\??\c:\vvvpj.exec:\vvvpj.exe59⤵
- Executes dropped EXE
PID:4180 -
\??\c:\08048.exec:\08048.exe60⤵
- Executes dropped EXE
PID:5100 -
\??\c:\28482.exec:\28482.exe61⤵
- Executes dropped EXE
PID:448 -
\??\c:\022448.exec:\022448.exe62⤵
- Executes dropped EXE
PID:3284 -
\??\c:\860848.exec:\860848.exe63⤵
- Executes dropped EXE
PID:924 -
\??\c:\rffxrlf.exec:\rffxrlf.exe64⤵
- Executes dropped EXE
PID:2528 -
\??\c:\vppjd.exec:\vppjd.exe65⤵
- Executes dropped EXE
PID:4468 -
\??\c:\nnhbtt.exec:\nnhbtt.exe66⤵PID:4716
-
\??\c:\jvpjj.exec:\jvpjj.exe67⤵PID:2788
-
\??\c:\440044.exec:\440044.exe68⤵PID:3376
-
\??\c:\xlxxxll.exec:\xlxxxll.exe69⤵PID:1624
-
\??\c:\jpvpj.exec:\jpvpj.exe70⤵PID:928
-
\??\c:\c800228.exec:\c800228.exe71⤵PID:1056
-
\??\c:\frllffx.exec:\frllffx.exe72⤵PID:3608
-
\??\c:\k42084.exec:\k42084.exe73⤵PID:4276
-
\??\c:\1bbnbb.exec:\1bbnbb.exe74⤵PID:3772
-
\??\c:\dvjdp.exec:\dvjdp.exe75⤵PID:4440
-
\??\c:\rxrfxrl.exec:\rxrfxrl.exe76⤵
- System Location Discovery: System Language Discovery
PID:1256 -
\??\c:\228266.exec:\228266.exe77⤵PID:4316
-
\??\c:\6648822.exec:\6648822.exe78⤵PID:2452
-
\??\c:\4420664.exec:\4420664.exe79⤵PID:4380
-
\??\c:\vpjjd.exec:\vpjjd.exe80⤵PID:2324
-
\??\c:\20626.exec:\20626.exe81⤵PID:3392
-
\??\c:\9hbthh.exec:\9hbthh.exe82⤵PID:1812
-
\??\c:\840422.exec:\840422.exe83⤵PID:1180
-
\??\c:\3tnthh.exec:\3tnthh.exe84⤵PID:920
-
\??\c:\xxfxxxl.exec:\xxfxxxl.exe85⤵PID:3012
-
\??\c:\008260.exec:\008260.exe86⤵PID:3528
-
\??\c:\642644.exec:\642644.exe87⤵PID:1464
-
\??\c:\208208.exec:\208208.exe88⤵PID:4396
-
\??\c:\22826.exec:\22826.exe89⤵PID:3420
-
\??\c:\228204.exec:\228204.exe90⤵PID:1936
-
\??\c:\884260.exec:\884260.exe91⤵PID:5080
-
\??\c:\464828.exec:\464828.exe92⤵PID:4236
-
\??\c:\88048.exec:\88048.exe93⤵PID:3516
-
\??\c:\6442048.exec:\6442048.exe94⤵PID:1328
-
\??\c:\3jjvp.exec:\3jjvp.exe95⤵PID:1560
-
\??\c:\c602624.exec:\c602624.exe96⤵PID:2568
-
\??\c:\20820.exec:\20820.exe97⤵PID:3396
-
\??\c:\vppdp.exec:\vppdp.exe98⤵PID:4672
-
\??\c:\6286482.exec:\6286482.exe99⤵PID:4344
-
\??\c:\btnhnn.exec:\btnhnn.exe100⤵PID:1500
-
\??\c:\3xlrlfl.exec:\3xlrlfl.exe101⤵PID:1100
-
\??\c:\nbthhh.exec:\nbthhh.exe102⤵PID:2092
-
\??\c:\8626602.exec:\8626602.exe103⤵PID:456
-
\??\c:\44042.exec:\44042.exe104⤵PID:2212
-
\??\c:\o880848.exec:\o880848.exe105⤵PID:4956
-
\??\c:\8622268.exec:\8622268.exe106⤵PID:4628
-
\??\c:\vjvpv.exec:\vjvpv.exe107⤵PID:4632
-
\??\c:\8448046.exec:\8448046.exe108⤵PID:5104
-
\??\c:\s6422.exec:\s6422.exe109⤵PID:724
-
\??\c:\1nbhbt.exec:\1nbhbt.exe110⤵PID:1524
-
\??\c:\frrlrlf.exec:\frrlrlf.exe111⤵PID:4620
-
\??\c:\0844248.exec:\0844248.exe112⤵PID:3844
-
\??\c:\lxlflfr.exec:\lxlflfr.exe113⤵PID:2920
-
\??\c:\7xlflll.exec:\7xlflll.exe114⤵PID:4360
-
\??\c:\7dvpd.exec:\7dvpd.exe115⤵PID:5068
-
\??\c:\08842.exec:\08842.exe116⤵PID:4296
-
\??\c:\824860.exec:\824860.exe117⤵PID:532
-
\??\c:\288266.exec:\288266.exe118⤵PID:2788
-
\??\c:\5dvpv.exec:\5dvpv.exe119⤵PID:1640
-
\??\c:\vdddj.exec:\vdddj.exe120⤵PID:1624
-
\??\c:\2882604.exec:\2882604.exe121⤵PID:1852
-
\??\c:\w06848.exec:\w06848.exe122⤵PID:5000