Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 23:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe
-
Size
453KB
-
MD5
1e3bb767d7287c1473fb2d9b9529736f
-
SHA1
86f3675f465380c75eebcbe98eeb10128bef3e40
-
SHA256
8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47
-
SHA512
4f91bf2aacb4174b6794ba2c186fb522ff31789e45ab6ebc407c60fa1418811b14a4243823b9679acb5f6c75ff40448b8c93e0d07e18798f7cdd8e3831ceec90
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3844-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2264-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2588-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4984-1185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3928 7pjdp.exe 2252 tbthtn.exe 4896 1dvjv.exe 4520 jppjj.exe 1820 5rrlffx.exe 2452 xxxfxfr.exe 4428 ddjpv.exe 652 hhbnbt.exe 3096 vpjdp.exe 4424 ttnhbt.exe 4072 tntnbt.exe 4956 nbntbb.exe 2744 9vdpj.exe 1172 jjdpd.exe 4620 5tthbn.exe 4496 5ddvp.exe 868 1jvpd.exe 3944 pjjvp.exe 1488 jjjvd.exe 3436 flrfrxx.exe 1624 flxrxrx.exe 3684 bnhhbb.exe 1196 dvdpj.exe 1040 1rrlfxl.exe 712 9tbnhn.exe 4792 rflfxrr.exe 2264 hhbnbb.exe 4700 vpddv.exe 4884 pvvjj.exe 3868 xxlfxff.exe 4616 lflxxll.exe 2628 tnhbnb.exe 3384 1xxlfxr.exe 1560 thhbtb.exe 3180 ppdvj.exe 2864 9xllffx.exe 4468 nhhbth.exe 3472 1flxfxf.exe 780 bbnbtn.exe 2276 1vvpj.exe 4920 fffxrlf.exe 996 hhnhtt.exe 4524 5vpjd.exe 2844 lfrrrrr.exe 2708 hhhhbb.exe 4432 vpvpd.exe 3988 7dddd.exe 4412 pvvpj.exe 3108 fflfffx.exe 2408 htbbtb.exe 224 7dpjd.exe 4928 3pvjp.exe 4292 rfxxrll.exe 880 nnnbtn.exe 4520 vvvpp.exe 4320 frxfrfx.exe 1720 btbbbb.exe 4692 vvdvp.exe 4428 fxrllll.exe 2216 3btnhh.exe 4452 djvvp.exe 2688 xlfxxfr.exe 3992 tnbnnn.exe 2588 1vjdp.exe -
resource yara_rule behavioral2/memory/3844-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-177-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4884-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-351-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2340-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-783-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-811-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lffffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3844 wrote to memory of 3928 3844 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 83 PID 3844 wrote to memory of 3928 3844 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 83 PID 3844 wrote to memory of 3928 3844 8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe 83 PID 3928 wrote to memory of 2252 3928 7pjdp.exe 84 PID 3928 wrote to memory of 2252 3928 7pjdp.exe 84 PID 3928 wrote to memory of 2252 3928 7pjdp.exe 84 PID 2252 wrote to memory of 4896 2252 tbthtn.exe 85 PID 2252 wrote to memory of 4896 2252 tbthtn.exe 85 PID 2252 wrote to memory of 4896 2252 tbthtn.exe 85 PID 4896 wrote to memory of 4520 4896 1dvjv.exe 86 PID 4896 wrote to memory of 4520 4896 1dvjv.exe 86 PID 4896 wrote to memory of 4520 4896 1dvjv.exe 86 PID 4520 wrote to memory of 1820 4520 jppjj.exe 87 PID 4520 wrote to memory of 1820 4520 jppjj.exe 87 PID 4520 wrote to memory of 1820 4520 jppjj.exe 87 PID 1820 wrote to memory of 2452 1820 5rrlffx.exe 88 PID 1820 wrote to memory of 2452 1820 5rrlffx.exe 88 PID 1820 wrote to memory of 2452 1820 5rrlffx.exe 88 PID 2452 wrote to memory of 4428 2452 xxxfxfr.exe 89 PID 2452 wrote to memory of 4428 2452 xxxfxfr.exe 89 PID 2452 wrote to memory of 4428 2452 xxxfxfr.exe 89 PID 4428 wrote to memory of 652 4428 ddjpv.exe 90 PID 4428 wrote to memory of 652 4428 ddjpv.exe 90 PID 4428 wrote to memory of 652 4428 ddjpv.exe 90 PID 652 wrote to memory of 3096 652 hhbnbt.exe 91 PID 652 wrote to memory of 3096 652 hhbnbt.exe 91 PID 652 wrote to memory of 3096 652 hhbnbt.exe 91 PID 3096 wrote to memory of 4424 3096 vpjdp.exe 92 PID 3096 wrote to memory of 4424 3096 vpjdp.exe 92 PID 3096 wrote to memory of 4424 3096 vpjdp.exe 92 PID 4424 wrote to memory of 4072 4424 ttnhbt.exe 93 PID 4424 wrote to memory of 4072 4424 ttnhbt.exe 93 PID 4424 wrote to memory of 4072 4424 ttnhbt.exe 93 PID 4072 wrote to memory of 4956 4072 tntnbt.exe 94 PID 4072 wrote to memory of 4956 4072 
tntnbt.exe 94 PID 4072 wrote to memory of 4956 4072 tntnbt.exe 94 PID 4956 wrote to memory of 2744 4956 nbntbb.exe 95 PID 4956 wrote to memory of 2744 4956 nbntbb.exe 95 PID 4956 wrote to memory of 2744 4956 nbntbb.exe 95 PID 2744 wrote to memory of 1172 2744 9vdpj.exe 96 PID 2744 wrote to memory of 1172 2744 9vdpj.exe 96 PID 2744 wrote to memory of 1172 2744 9vdpj.exe 96 PID 1172 wrote to memory of 4620 1172 jjdpd.exe 97 PID 1172 wrote to memory of 4620 1172 jjdpd.exe 97 PID 1172 wrote to memory of 4620 1172 jjdpd.exe 97 PID 4620 wrote to memory of 4496 4620 5tthbn.exe 98 PID 4620 wrote to memory of 4496 4620 5tthbn.exe 98 PID 4620 wrote to memory of 4496 4620 5tthbn.exe 98 PID 4496 wrote to memory of 868 4496 5ddvp.exe 99 PID 4496 wrote to memory of 868 4496 5ddvp.exe 99 PID 4496 wrote to memory of 868 4496 5ddvp.exe 99 PID 868 wrote to memory of 3944 868 1jvpd.exe 100 PID 868 wrote to memory of 3944 868 1jvpd.exe 100 PID 868 wrote to memory of 3944 868 1jvpd.exe 100 PID 3944 wrote to memory of 1488 3944 pjjvp.exe 101 PID 3944 wrote to memory of 1488 3944 pjjvp.exe 101 PID 3944 wrote to memory of 1488 3944 pjjvp.exe 101 PID 1488 wrote to memory of 3436 1488 jjjvd.exe 102 PID 1488 wrote to memory of 3436 1488 jjjvd.exe 102 PID 1488 wrote to memory of 3436 1488 jjjvd.exe 102 PID 3436 wrote to memory of 1624 3436 flrfrxx.exe 103 PID 3436 wrote to memory of 1624 3436 flrfrxx.exe 103 PID 3436 wrote to memory of 1624 3436 flrfrxx.exe 103 PID 1624 wrote to memory of 3684 1624 flxrxrx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe"C:\Users\Admin\AppData\Local\Temp\8ecb8a49b5cf742f42e5c4c786d5b72c22c857a2944cf4af7ea69a76c0454c47.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\7pjdp.exec:\7pjdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\tbthtn.exec:\tbthtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\1dvjv.exec:\1dvjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\jppjj.exec:\jppjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\5rrlffx.exec:\5rrlffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\xxxfxfr.exec:\xxxfxfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\ddjpv.exec:\ddjpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\hhbnbt.exec:\hhbnbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\vpjdp.exec:\vpjdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\ttnhbt.exec:\ttnhbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\tntnbt.exec:\tntnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\nbntbb.exec:\nbntbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\9vdpj.exec:\9vdpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\jjdpd.exec:\jjdpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\5tthbn.exec:\5tthbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\5ddvp.exec:\5ddvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\1jvpd.exec:\1jvpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\pjjvp.exec:\pjjvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\jjjvd.exec:\jjjvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\flrfrxx.exec:\flrfrxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\flxrxrx.exec:\flxrxrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\bnhhbb.exec:\bnhhbb.exe23⤵
- Executes dropped EXE
PID:3684 -
\??\c:\dvdpj.exec:\dvdpj.exe24⤵
- Executes dropped EXE
PID:1196 -
\??\c:\1rrlfxl.exec:\1rrlfxl.exe25⤵
- Executes dropped EXE
PID:1040 -
\??\c:\9tbnhn.exec:\9tbnhn.exe26⤵
- Executes dropped EXE
PID:712 -
\??\c:\rflfxrr.exec:\rflfxrr.exe27⤵
- Executes dropped EXE
PID:4792 -
\??\c:\hhbnbb.exec:\hhbnbb.exe28⤵
- Executes dropped EXE
PID:2264 -
\??\c:\vpddv.exec:\vpddv.exe29⤵
- Executes dropped EXE
PID:4700 -
\??\c:\pvvjj.exec:\pvvjj.exe30⤵
- Executes dropped EXE
PID:4884 -
\??\c:\xxlfxff.exec:\xxlfxff.exe31⤵
- Executes dropped EXE
PID:3868 -
\??\c:\lflxxll.exec:\lflxxll.exe32⤵
- Executes dropped EXE
PID:4616 -
\??\c:\tnhbnb.exec:\tnhbnb.exe33⤵
- Executes dropped EXE
PID:2628 -
\??\c:\1xxlfxr.exec:\1xxlfxr.exe34⤵
- Executes dropped EXE
PID:3384 -
\??\c:\thhbtb.exec:\thhbtb.exe35⤵
- Executes dropped EXE
PID:1560 -
\??\c:\ppdvj.exec:\ppdvj.exe36⤵
- Executes dropped EXE
PID:3180 -
\??\c:\9xllffx.exec:\9xllffx.exe37⤵
- Executes dropped EXE
PID:2864 -
\??\c:\nhhbth.exec:\nhhbth.exe38⤵
- Executes dropped EXE
PID:4468 -
\??\c:\1flxfxf.exec:\1flxfxf.exe39⤵
- Executes dropped EXE
PID:3472 -
\??\c:\bbnbtn.exec:\bbnbtn.exe40⤵
- Executes dropped EXE
PID:780 -
\??\c:\1vvpj.exec:\1vvpj.exe41⤵
- Executes dropped EXE
PID:2276 -
\??\c:\fffxrlf.exec:\fffxrlf.exe42⤵
- Executes dropped EXE
PID:4920 -
\??\c:\hhnhtt.exec:\hhnhtt.exe43⤵
- Executes dropped EXE
PID:996 -
\??\c:\5vpjd.exec:\5vpjd.exe44⤵
- Executes dropped EXE
PID:4524 -
\??\c:\lfrrrrr.exec:\lfrrrrr.exe45⤵
- Executes dropped EXE
PID:2844 -
\??\c:\hhhhbb.exec:\hhhhbb.exe46⤵
- Executes dropped EXE
PID:2708 -
\??\c:\vpvpd.exec:\vpvpd.exe47⤵
- Executes dropped EXE
PID:4432 -
\??\c:\7dddd.exec:\7dddd.exe48⤵
- Executes dropped EXE
PID:3988 -
\??\c:\pvvpj.exec:\pvvpj.exe49⤵
- Executes dropped EXE
PID:4412 -
\??\c:\fflfffx.exec:\fflfffx.exe50⤵
- Executes dropped EXE
PID:3108 -
\??\c:\htbbtb.exec:\htbbtb.exe51⤵
- Executes dropped EXE
PID:2408 -
\??\c:\7dpjd.exec:\7dpjd.exe52⤵
- Executes dropped EXE
PID:224 -
\??\c:\3pvjp.exec:\3pvjp.exe53⤵
- Executes dropped EXE
PID:4928 -
\??\c:\rfxxrll.exec:\rfxxrll.exe54⤵
- Executes dropped EXE
PID:4292 -
\??\c:\nnnbtn.exec:\nnnbtn.exe55⤵
- Executes dropped EXE
PID:880 -
\??\c:\vvvpp.exec:\vvvpp.exe56⤵
- Executes dropped EXE
PID:4520 -
\??\c:\frxfrfx.exec:\frxfrfx.exe57⤵
- Executes dropped EXE
PID:4320 -
\??\c:\btbbbb.exec:\btbbbb.exe58⤵
- Executes dropped EXE
PID:1720 -
\??\c:\vvdvp.exec:\vvdvp.exe59⤵
- Executes dropped EXE
PID:4692 -
\??\c:\fxrllll.exec:\fxrllll.exe60⤵
- Executes dropped EXE
PID:4428 -
\??\c:\3btnhh.exec:\3btnhh.exe61⤵
- Executes dropped EXE
PID:2216 -
\??\c:\djvvp.exec:\djvvp.exe62⤵
- Executes dropped EXE
PID:4452 -
\??\c:\xlfxxfr.exec:\xlfxxfr.exe63⤵
- Executes dropped EXE
PID:2688 -
\??\c:\tnbnnn.exec:\tnbnnn.exe64⤵
- Executes dropped EXE
PID:3992 -
\??\c:\1vjdp.exec:\1vjdp.exe65⤵
- Executes dropped EXE
PID:2588 -
\??\c:\jddpj.exec:\jddpj.exe66⤵PID:4972
-
\??\c:\lfxxxxr.exec:\lfxxxxr.exe67⤵PID:2912
-
\??\c:\nhhhbb.exec:\nhhhbb.exe68⤵PID:3020
-
\??\c:\jvpjv.exec:\jvpjv.exe69⤵PID:1172
-
\??\c:\lrlfrrl.exec:\lrlfrrl.exe70⤵PID:4620
-
\??\c:\tnnnnb.exec:\tnnnnb.exe71⤵PID:4444
-
\??\c:\tnnhbt.exec:\tnnhbt.exe72⤵PID:2496
-
\??\c:\jpjdv.exec:\jpjdv.exe73⤵PID:528
-
\??\c:\5xrfxrl.exec:\5xrfxrl.exe74⤵PID:2172
-
\??\c:\nhnntt.exec:\nhnntt.exe75⤵PID:744
-
\??\c:\5vppj.exec:\5vppj.exe76⤵PID:2160
-
\??\c:\rflfxxx.exec:\rflfxxx.exe77⤵PID:1584
-
\??\c:\xlfrxll.exec:\xlfrxll.exe78⤵PID:1600
-
\??\c:\btthbt.exec:\btthbt.exe79⤵PID:3684
-
\??\c:\jvvpd.exec:\jvvpd.exe80⤵PID:3984
-
\??\c:\llrlffx.exec:\llrlffx.exe81⤵PID:2088
-
\??\c:\hntnhb.exec:\hntnhb.exe82⤵PID:3232
-
\??\c:\nhbnbt.exec:\nhbnbt.exe83⤵PID:2340
-
\??\c:\jpjjd.exec:\jpjjd.exe84⤵PID:4960
-
\??\c:\xfllfxx.exec:\xfllfxx.exe85⤵PID:4588
-
\??\c:\hnhntb.exec:\hnhntb.exe86⤵PID:4360
-
\??\c:\vdpvj.exec:\vdpvj.exe87⤵PID:4744
-
\??\c:\rxfrlll.exec:\rxfrlll.exe88⤵PID:1300
-
\??\c:\9tbtnh.exec:\9tbtnh.exe89⤵PID:4224
-
\??\c:\vvpjv.exec:\vvpjv.exe90⤵PID:4612
-
\??\c:\djpjp.exec:\djpjp.exe91⤵PID:468
-
\??\c:\frfrfxl.exec:\frfrfxl.exe92⤵PID:4844
-
\??\c:\tbbthh.exec:\tbbthh.exe93⤵PID:2932
-
\??\c:\jdvpd.exec:\jdvpd.exe94⤵PID:1124
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe95⤵PID:1648
-
\??\c:\lfxrffx.exec:\lfxrffx.exe96⤵PID:1284
-
\??\c:\5vpvp.exec:\5vpvp.exe97⤵PID:1516
-
\??\c:\ppjjd.exec:\ppjjd.exe98⤵PID:1816
-
\??\c:\frrlfrl.exec:\frrlfrl.exe99⤵PID:3920
-
\??\c:\hbbbbn.exec:\hbbbbn.exe100⤵PID:920
-
\??\c:\ppppj.exec:\ppppj.exe101⤵PID:1952
-
\??\c:\jpdpd.exec:\jpdpd.exe102⤵PID:3080
-
\??\c:\3rrlxrl.exec:\3rrlxrl.exe103⤵PID:1504
-
\??\c:\hbtnbb.exec:\hbtnbb.exe104⤵PID:3964
-
\??\c:\jjpvp.exec:\jjpvp.exe105⤵PID:2636
-
\??\c:\llfxrlx.exec:\llfxrlx.exe106⤵
- System Location Discovery: System Language Discovery
PID:5096 -
\??\c:\thbbtt.exec:\thbbtt.exe107⤵PID:4340
-
\??\c:\hhttnh.exec:\hhttnh.exe108⤵PID:3988
-
\??\c:\3jvpj.exec:\3jvpj.exe109⤵PID:2024
-
\??\c:\rlffxll.exec:\rlffxll.exe110⤵PID:4208
-
\??\c:\1btnth.exec:\1btnth.exe111⤵PID:4448
-
\??\c:\jjpvj.exec:\jjpvj.exe112⤵PID:3660
-
\??\c:\3xrfxrf.exec:\3xrfxrf.exe113⤵PID:3420
-
\??\c:\1bhbbb.exec:\1bhbbb.exe114⤵PID:4952
-
\??\c:\5ttbnh.exec:\5ttbnh.exe115⤵
- System Location Discovery: System Language Discovery
PID:2044 -
\??\c:\dpppj.exec:\dpppj.exe116⤵PID:2364
-
\??\c:\lffxxrl.exec:\lffxxrl.exe117⤵PID:4472
-
\??\c:\hntnbb.exec:\hntnbb.exe118⤵PID:1840
-
\??\c:\bnthbt.exec:\bnthbt.exe119⤵PID:536
-
\??\c:\jvpjv.exec:\jvpjv.exe120⤵PID:1104
-
\??\c:\rxxlxxl.exec:\rxxlxxl.exe121⤵PID:4352
-
\??\c:\bntnhh.exec:\bntnhh.exe122⤵PID:2760