Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
24-11-2024 09:12
Behavioral task
behavioral1
Sample
73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72.exe
Resource
win7-20240903-en (note: this task header names the win7 image and task "behavioral1", yet every memory/yara hit and process listed below is tagged behavioral2 on the win10v2004-20241007-en image given in the Analysis header above; the header appears to describe a different task from the evidence shown)
7 signatures
150 seconds
General
-
Target
73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72.exe
-
Size
87KB
-
MD5
4b7f3720bb32bfbb1914aafd7419cdf0
-
SHA1
c0f28c08f8201d51e2ef53c04586785589249a79
-
SHA256
73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72
-
SHA512
01bfe54325acad87ed8a78f1ab2d1bd62adbc4c38d1ceb179be9e060f1e057b474068ae0d101f9c85b8e0d12fd58fdaad8db7b9257c137bcf24b321e4429f1eb
-
SSDEEP
1536:xvQBeOGtrYS3srx93UBWfwC6Ggnouy82F13w1rCJtzGeKuO+mqizpPubYDEzfY:xhOmTsF93UYfwC6GIout03LzuuOlzpPf
Malware Config (no extracted configuration is shown for this sample)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 64 IoCs (the IoC list appears capped at 64 entries; the process tree below contains more processes than are listed here, all hit in the same 0x400000–0x427000 image range)
resource yara_rule behavioral2/memory/1572-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2176-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3644-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4996-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1544-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1492-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3916-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/844-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2628-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/652-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/320-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2288-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1624-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2088-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4148-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2748-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2460-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1652-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3460-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2584-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4444-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2248-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1032-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4396-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2608-202-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1040-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2368-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1588-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2736-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4240-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4604-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2828-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4216-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1936-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4032-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2316-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2576-389-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4084-417-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4112-421-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5020-437-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-450-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1320-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-465-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-562-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2016-620-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2736-621-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-655-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2188-674-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4356-726-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1768-763-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1820-806-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3404-1026-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4628-1063-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4864-1374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (list appears capped at 64; per the process tree below, every dropped binary is launched from the root of c:\ under a short random-looking name and each one spawns the next)
pid Process 2176 xlxfrfr.exe 3644 7bhbbb.exe 4996 jdddd.exe 1544 rrrlffr.exe 1492 ntbhnn.exe 3916 thhhhh.exe 844 5lrllxx.exe 2628 tbnhhh.exe 652 vvvdj.exe 320 3rrxrrr.exe 2552 tnhbnb.exe 2208 jddvv.exe 116 xxxlffr.exe 2288 xllfxxr.exe 5040 nhnnhn.exe 1624 jpvvp.exe 2088 7xxfxlf.exe 4148 pvdvv.exe 2748 5btnnn.exe 2460 bnnhbn.exe 4704 fxflfrr.exe 1652 rrlfxrl.exe 3636 httnhh.exe 2464 dpddj.exe 3460 1djjv.exe 1760 rlrrflf.exe 3384 nhttnn.exe 2584 jjpdd.exe 4444 ffrlxfr.exe 2004 bttbbh.exe 4548 1djdd.exe 1404 7frrrrf.exe 2248 nhbhtn.exe 1032 3ppjp.exe 4396 llfrrxx.exe 3376 tnhttb.exe 2608 jdpjp.exe 1040 jdjjd.exe 4904 xrrllll.exe 4760 bbnhbh.exe 4112 jjdpj.exe 4768 frlrlll.exe 2368 nntttn.exe 2520 1jvdv.exe 3612 xxrxxrx.exe 1588 5thbnn.exe 1464 vpdvp.exe 2440 xfxxrxx.exe 4776 hbbnnh.exe 4900 vjvpd.exe 2736 xxxxrrl.exe 3400 thntnt.exe 4200 lffxrrr.exe 2068 ntbnhh.exe 2020 jdjpv.exe 816 nbtbnb.exe 4124 pjjjd.exe 3920 xrxrlrl.exe 3016 rxxlxrr.exe 4800 nhbbnn.exe 1316 hnbtbt.exe 4828 pvppj.exe 4240 xrffflf.exe 220 hnnnnn.exe -
resource yara_rule behavioral2/memory/1572-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b46-3.dat upx behavioral2/memory/1572-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023ba1-9.dat upx behavioral2/memory/2176-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bbe-12.dat upx behavioral2/memory/3644-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bbf-19.dat upx behavioral2/memory/4996-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bc0-25.dat upx behavioral2/memory/1544-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bc4-31.dat upx behavioral2/memory/1492-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bc9-36.dat upx behavioral2/memory/3916-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bca-42.dat upx behavioral2/memory/844-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2628-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bcb-48.dat upx behavioral2/files/0x0008000000023bcc-54.dat upx behavioral2/memory/652-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bfb-60.dat upx behavioral2/memory/320-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bfc-66.dat upx behavioral2/files/0x0008000000023bfd-71.dat upx behavioral2/files/0x0008000000023bfe-76.dat upx behavioral2/memory/116-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2288-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bff-81.dat upx behavioral2/files/0x0008000000023c00-87.dat upx behavioral2/memory/1624-94-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0008000000023c05-95.dat upx behavioral2/memory/1624-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c06-101.dat upx behavioral2/memory/2088-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c07-107.dat upx behavioral2/memory/4148-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c19-111.dat upx behavioral2/memory/2748-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2460-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023ba9-117.dat upx behavioral2/files/0x0008000000023c1f-124.dat upx behavioral2/memory/1652-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c20-130.dat upx behavioral2/memory/3636-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c21-134.dat upx behavioral2/files/0x0008000000023c22-141.dat upx behavioral2/memory/3460-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c23-145.dat upx behavioral2/files/0x000b000000023c39-152.dat upx behavioral2/files/0x0016000000023c3a-157.dat upx behavioral2/files/0x0008000000023c40-161.dat upx behavioral2/memory/2584-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4444-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c44-170.dat upx behavioral2/files/0x0008000000023c50-174.dat upx behavioral2/files/0x0008000000023c51-179.dat upx behavioral2/memory/2248-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1032-191-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4396-195-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2608-202-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1040-206-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4904-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2368-223-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). In this run the value read is HKLM\SYSTEM\ControlSet001\Control\NLS\Language; entries attributed to "Process not Found" are reads the sandbox could not tie to a still-running process, so the per-process attribution below is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (list appears capped at 64; each entry shows a parent writing into the memory of the child it spawned, starting with PID 1572 → 2176 xlxfrfr.exe and continuing down the linear chain shown in the process tree)
description pid Process procid_target PID 1572 wrote to memory of 2176 1572 73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72.exe 83 PID 1572 wrote to memory of 2176 1572 73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72.exe 83 PID 1572 wrote to memory of 2176 1572 73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72.exe 83 PID 2176 wrote to memory of 3644 2176 xlxfrfr.exe 84 PID 2176 wrote to memory of 3644 2176 xlxfrfr.exe 84 PID 2176 wrote to memory of 3644 2176 xlxfrfr.exe 84 PID 3644 wrote to memory of 4996 3644 7bhbbb.exe 85 PID 3644 wrote to memory of 4996 3644 7bhbbb.exe 85 PID 3644 wrote to memory of 4996 3644 7bhbbb.exe 85 PID 4996 wrote to memory of 1544 4996 jdddd.exe 86 PID 4996 wrote to memory of 1544 4996 jdddd.exe 86 PID 4996 wrote to memory of 1544 4996 jdddd.exe 86 PID 1544 wrote to memory of 1492 1544 rrrlffr.exe 87 PID 1544 wrote to memory of 1492 1544 rrrlffr.exe 87 PID 1544 wrote to memory of 1492 1544 rrrlffr.exe 87 PID 1492 wrote to memory of 3916 1492 ntbhnn.exe 88 PID 1492 wrote to memory of 3916 1492 ntbhnn.exe 88 PID 1492 wrote to memory of 3916 1492 ntbhnn.exe 88 PID 3916 wrote to memory of 844 3916 thhhhh.exe 89 PID 3916 wrote to memory of 844 3916 thhhhh.exe 89 PID 3916 wrote to memory of 844 3916 thhhhh.exe 89 PID 844 wrote to memory of 2628 844 5lrllxx.exe 90 PID 844 wrote to memory of 2628 844 5lrllxx.exe 90 PID 844 wrote to memory of 2628 844 5lrllxx.exe 90 PID 2628 wrote to memory of 652 2628 tbnhhh.exe 91 PID 2628 wrote to memory of 652 2628 tbnhhh.exe 91 PID 2628 wrote to memory of 652 2628 tbnhhh.exe 91 PID 652 wrote to memory of 320 652 vvvdj.exe 92 PID 652 wrote to memory of 320 652 vvvdj.exe 92 PID 652 wrote to memory of 320 652 vvvdj.exe 92 PID 320 wrote to memory of 2552 320 3rrxrrr.exe 93 PID 320 wrote to memory of 2552 320 3rrxrrr.exe 93 PID 320 wrote to memory of 2552 320 3rrxrrr.exe 93 PID 2552 wrote to memory of 2208 2552 tnhbnb.exe 94 PID 2552 wrote to memory of 2208 2552 
tnhbnb.exe 94 PID 2552 wrote to memory of 2208 2552 tnhbnb.exe 94 PID 2208 wrote to memory of 116 2208 jddvv.exe 95 PID 2208 wrote to memory of 116 2208 jddvv.exe 95 PID 2208 wrote to memory of 116 2208 jddvv.exe 95 PID 116 wrote to memory of 2288 116 xxxlffr.exe 96 PID 116 wrote to memory of 2288 116 xxxlffr.exe 96 PID 116 wrote to memory of 2288 116 xxxlffr.exe 96 PID 2288 wrote to memory of 5040 2288 xllfxxr.exe 97 PID 2288 wrote to memory of 5040 2288 xllfxxr.exe 97 PID 2288 wrote to memory of 5040 2288 xllfxxr.exe 97 PID 5040 wrote to memory of 1624 5040 nhnnhn.exe 98 PID 5040 wrote to memory of 1624 5040 nhnnhn.exe 98 PID 5040 wrote to memory of 1624 5040 nhnnhn.exe 98 PID 1624 wrote to memory of 2088 1624 jpvvp.exe 99 PID 1624 wrote to memory of 2088 1624 jpvvp.exe 99 PID 1624 wrote to memory of 2088 1624 jpvvp.exe 99 PID 2088 wrote to memory of 4148 2088 7xxfxlf.exe 100 PID 2088 wrote to memory of 4148 2088 7xxfxlf.exe 100 PID 2088 wrote to memory of 4148 2088 7xxfxlf.exe 100 PID 4148 wrote to memory of 2748 4148 pvdvv.exe 101 PID 4148 wrote to memory of 2748 4148 pvdvv.exe 101 PID 4148 wrote to memory of 2748 4148 pvdvv.exe 101 PID 2748 wrote to memory of 2460 2748 5btnnn.exe 102 PID 2748 wrote to memory of 2460 2748 5btnnn.exe 102 PID 2748 wrote to memory of 2460 2748 5btnnn.exe 102 PID 2460 wrote to memory of 4704 2460 bnnhbn.exe 103 PID 2460 wrote to memory of 4704 2460 bnnhbn.exe 103 PID 2460 wrote to memory of 4704 2460 bnnhbn.exe 103 PID 4704 wrote to memory of 1652 4704 fxflfrr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72.exe"C:\Users\Admin\AppData\Local\Temp\73c4963606d4e9d3dcff1cd55d0e7aa19582a623dfe47edb403493ace7250e72.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\xlxfrfr.exec:\xlxfrfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\7bhbbb.exec:\7bhbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\jdddd.exec:\jdddd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\rrrlffr.exec:\rrrlffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\ntbhnn.exec:\ntbhnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\thhhhh.exec:\thhhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\5lrllxx.exec:\5lrllxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\tbnhhh.exec:\tbnhhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\vvvdj.exec:\vvvdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
\??\c:\3rrxrrr.exec:\3rrxrrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\tnhbnb.exec:\tnhbnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\jddvv.exec:\jddvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\xxxlffr.exec:\xxxlffr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\xllfxxr.exec:\xllfxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\nhnnhn.exec:\nhnnhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\jpvvp.exec:\jpvvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\7xxfxlf.exec:\7xxfxlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\pvdvv.exec:\pvdvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\5btnnn.exec:\5btnnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\bnnhbn.exec:\bnnhbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\fxflfrr.exec:\fxflfrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\rrlfxrl.exec:\rrlfxrl.exe23⤵
- Executes dropped EXE
PID:1652 -
\??\c:\httnhh.exec:\httnhh.exe24⤵
- Executes dropped EXE
PID:3636 -
\??\c:\dpddj.exec:\dpddj.exe25⤵
- Executes dropped EXE
PID:2464 -
\??\c:\1djjv.exec:\1djjv.exe26⤵
- Executes dropped EXE
PID:3460 -
\??\c:\rlrrflf.exec:\rlrrflf.exe27⤵
- Executes dropped EXE
PID:1760 -
\??\c:\nhttnn.exec:\nhttnn.exe28⤵
- Executes dropped EXE
PID:3384 -
\??\c:\jjpdd.exec:\jjpdd.exe29⤵
- Executes dropped EXE
PID:2584 -
\??\c:\ffrlxfr.exec:\ffrlxfr.exe30⤵
- Executes dropped EXE
PID:4444 -
\??\c:\bttbbh.exec:\bttbbh.exe31⤵
- Executes dropped EXE
PID:2004 -
\??\c:\1djdd.exec:\1djdd.exe32⤵
- Executes dropped EXE
PID:4548 -
\??\c:\7frrrrf.exec:\7frrrrf.exe33⤵
- Executes dropped EXE
PID:1404 -
\??\c:\nhbhtn.exec:\nhbhtn.exe34⤵
- Executes dropped EXE
PID:2248 -
\??\c:\3ppjp.exec:\3ppjp.exe35⤵
- Executes dropped EXE
PID:1032 -
\??\c:\llfrrxx.exec:\llfrrxx.exe36⤵
- Executes dropped EXE
PID:4396 -
\??\c:\tnhttb.exec:\tnhttb.exe37⤵
- Executes dropped EXE
PID:3376 -
\??\c:\jdpjp.exec:\jdpjp.exe38⤵
- Executes dropped EXE
PID:2608 -
\??\c:\jdjjd.exec:\jdjjd.exe39⤵
- Executes dropped EXE
PID:1040 -
\??\c:\xrrllll.exec:\xrrllll.exe40⤵
- Executes dropped EXE
PID:4904 -
\??\c:\bbnhbh.exec:\bbnhbh.exe41⤵
- Executes dropped EXE
PID:4760 -
\??\c:\jjdpj.exec:\jjdpj.exe42⤵
- Executes dropped EXE
PID:4112 -
\??\c:\frlrlll.exec:\frlrlll.exe43⤵
- Executes dropped EXE
PID:4768 -
\??\c:\nntttn.exec:\nntttn.exe44⤵
- Executes dropped EXE
PID:2368 -
\??\c:\1jvdv.exec:\1jvdv.exe45⤵
- Executes dropped EXE
PID:2520 -
\??\c:\xxrxxrx.exec:\xxrxxrx.exe46⤵
- Executes dropped EXE
PID:3612 -
\??\c:\5thbnn.exec:\5thbnn.exe47⤵
- Executes dropped EXE
PID:1588 -
\??\c:\vpdvp.exec:\vpdvp.exe48⤵
- Executes dropped EXE
PID:1464 -
\??\c:\xfxxrxx.exec:\xfxxrxx.exe49⤵
- Executes dropped EXE
PID:2440 -
\??\c:\hbbnnh.exec:\hbbnnh.exe50⤵
- Executes dropped EXE
PID:4776 -
\??\c:\vjvpd.exec:\vjvpd.exe51⤵
- Executes dropped EXE
PID:4900 -
\??\c:\ffrrffr.exec:\ffrrffr.exe52⤵PID:4448
-
\??\c:\xxxxrrl.exec:\xxxxrrl.exe53⤵
- Executes dropped EXE
PID:2736 -
\??\c:\thntnt.exec:\thntnt.exe54⤵
- Executes dropped EXE
PID:3400 -
\??\c:\lffxrrr.exec:\lffxrrr.exe55⤵
- Executes dropped EXE
PID:4200 -
\??\c:\ntbnhh.exec:\ntbnhh.exe56⤵
- Executes dropped EXE
PID:2068 -
\??\c:\jdjpv.exec:\jdjpv.exe57⤵
- Executes dropped EXE
PID:2020 -
\??\c:\nbtbnb.exec:\nbtbnb.exe58⤵
- Executes dropped EXE
PID:816 -
\??\c:\pjjjd.exec:\pjjjd.exe59⤵
- Executes dropped EXE
PID:4124 -
\??\c:\xrxrlrl.exec:\xrxrlrl.exe60⤵
- Executes dropped EXE
PID:3920 -
\??\c:\rxxlxrr.exec:\rxxlxrr.exe61⤵
- Executes dropped EXE
PID:3016 -
\??\c:\nhbbnn.exec:\nhbbnn.exe62⤵
- Executes dropped EXE
PID:4800 -
\??\c:\hnbtbt.exec:\hnbtbt.exe63⤵
- Executes dropped EXE
PID:1316 -
\??\c:\pvppj.exec:\pvppj.exe64⤵
- Executes dropped EXE
PID:4828 -
\??\c:\xrffflf.exec:\xrffflf.exe65⤵
- Executes dropped EXE
PID:4240 -
\??\c:\hnnnnn.exec:\hnnnnn.exe66⤵
- Executes dropped EXE
PID:220 -
\??\c:\7vjpv.exec:\7vjpv.exe67⤵PID:184
-
\??\c:\rlxxrxf.exec:\rlxxrxf.exe68⤵PID:216
-
\??\c:\llrxrfl.exec:\llrxrfl.exe69⤵PID:2208
-
\??\c:\nhtnhh.exec:\nhtnhh.exe70⤵PID:116
-
\??\c:\djjdd.exec:\djjdd.exe71⤵PID:3260
-
\??\c:\xfllfxx.exec:\xfllfxx.exe72⤵PID:4536
-
\??\c:\ttthbb.exec:\ttthbb.exe73⤵PID:4604
-
\??\c:\dpdvp.exec:\dpdvp.exe74⤵PID:5040
-
\??\c:\ppvvj.exec:\ppvvj.exe75⤵PID:4316
-
\??\c:\llffllf.exec:\llffllf.exe76⤵PID:3372
-
\??\c:\3bhnnt.exec:\3bhnnt.exe77⤵PID:1688
-
\??\c:\tbnnnb.exec:\tbnnnb.exe78⤵PID:2828
-
\??\c:\vvppd.exec:\vvppd.exe79⤵PID:1920
-
\??\c:\lrffxfl.exec:\lrffxfl.exe80⤵PID:4216
-
\??\c:\frxxxxx.exec:\frxxxxx.exe81⤵PID:1936
-
\??\c:\1tbbnt.exec:\1tbbnt.exe82⤵PID:1984
-
\??\c:\djdvd.exec:\djdvd.exe83⤵PID:3580
-
\??\c:\5rflfrr.exec:\5rflfrr.exe84⤵PID:2512
-
\??\c:\bbtnbb.exec:\bbtnbb.exe85⤵PID:4460
-
\??\c:\ttttnb.exec:\ttttnb.exe86⤵PID:3040
-
\??\c:\ppdjv.exec:\ppdjv.exe87⤵PID:564
-
\??\c:\rxrrffx.exec:\rxrrffx.exe88⤵PID:4032
-
\??\c:\httbtn.exec:\httbtn.exe89⤵PID:4784
-
\??\c:\jjjdj.exec:\jjjdj.exe90⤵PID:4808
-
\??\c:\xflxfrr.exec:\xflxfrr.exe91⤵PID:2316
-
\??\c:\hhbhbh.exec:\hhbhbh.exe92⤵PID:3256
-
\??\c:\nhhnnt.exec:\nhhnnt.exe93⤵PID:948
-
\??\c:\hhnnbh.exec:\hhnnbh.exe94⤵PID:2576
-
\??\c:\3frrrxx.exec:\3frrrxx.exe95⤵PID:1716
-
\??\c:\bbbhhh.exec:\bbbhhh.exe96⤵PID:1792
-
\??\c:\tnbttb.exec:\tnbttb.exe97⤵PID:4880
-
\??\c:\jjpvv.exec:\jjpvv.exe98⤵PID:1940
-
\??\c:\jppvv.exec:\jppvv.exe99⤵PID:1608
-
\??\c:\7xxrrrl.exec:\7xxrrrl.exe100⤵PID:3408
-
\??\c:\htnhbb.exec:\htnhbb.exe101⤵PID:3948
-
\??\c:\ttthbh.exec:\ttthbh.exe102⤵PID:2024
-
\??\c:\djjdp.exec:\djjdp.exe103⤵PID:4084
-
\??\c:\lrxrxxx.exec:\lrxrxxx.exe104⤵PID:4112
-
\??\c:\xrlfxlx.exec:\xrlfxlx.exe105⤵PID:3392
-
\??\c:\nnnnhb.exec:\nnnnhb.exe106⤵PID:3128
-
\??\c:\jjpdd.exec:\jjpdd.exe107⤵PID:4528
-
\??\c:\9lrrrfx.exec:\9lrrrfx.exe108⤵PID:368
-
\??\c:\xlrrfrl.exec:\xlrrfrl.exe109⤵PID:5020
-
\??\c:\ttbhhn.exec:\ttbhhn.exe110⤵PID:4588
-
\??\c:\thtttt.exec:\thtttt.exe111⤵PID:2016
-
\??\c:\ddpjp.exec:\ddpjp.exe112⤵PID:4448
-
\??\c:\3lrrfrl.exec:\3lrrfrl.exe113⤵PID:3400
-
\??\c:\xflxfrf.exec:\xflxfrf.exe114⤵PID:1320
-
\??\c:\httnnn.exec:\httnnn.exe115⤵PID:4976
-
\??\c:\7jppd.exec:\7jppd.exe116⤵PID:1820
-
\??\c:\pvddv.exec:\pvddv.exe117⤵PID:3616
-
\??\c:\rllllll.exec:\rllllll.exe118⤵PID:4312
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe119⤵PID:2196
-
\??\c:\bbbhhn.exec:\bbbhhn.exe120⤵PID:3716
-
\??\c:\tthhhh.exec:\tthhhh.exe121⤵PID:2912
-
\??\c:\9jvvp.exec:\9jvvp.exe122⤵PID:2836