Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 22:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
50482ce2f76b3320f3b6110ba5648246e2ac4ae05f262698493a07aeb9eb2393.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
50482ce2f76b3320f3b6110ba5648246e2ac4ae05f262698493a07aeb9eb2393.exe
-
Size
454KB
-
MD5
f0ab189a2b8e4b5e1167a4067197abd6
-
SHA1
a456bb2556840390172b6f2008b1495a1917fea1
-
SHA256
50482ce2f76b3320f3b6110ba5648246e2ac4ae05f262698493a07aeb9eb2393
-
SHA512
ee0600d6e85652e318680a454fa72821de7cf2bddf6d971b5a4316d1e7d5259e58a5dd2b0720f29fd5f96a8f9987014f0ef75096fb53c07a3e09b99175d33f29
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2372-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3184-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4020-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-854-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-957-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-1059-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-1112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-1458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1536-1674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1508 00482.exe 2956 7pvpp.exe 5060 q46044.exe 4224 6484882.exe 1332 66260.exe 3580 pjvdj.exe 1528 7bhbtn.exe 4080 bthbbn.exe 2028 3xlfxfx.exe 4552 hnhtnb.exe 1020 fllfffx.exe 4244 6060826.exe 4460 ntbtnn.exe 1732 2888266.exe 548 bnhthb.exe 4780 frxrffx.exe 216 lrlxrfx.exe 840 40048.exe 1752 6044822.exe 1552 thnnhh.exe 4404 pddjd.exe 2032 68488.exe 4332 bnthnh.exe 1292 dpjpv.exe 4416 bbbttt.exe 408 m4026.exe 3284 vpdvp.exe 3184 88264.exe 4392 40086.exe 904 hnhnnh.exe 1952 ttbnnh.exe 4384 880426.exe 4880 840400.exe 4440 1dvpd.exe 1772 7dvpj.exe 1496 262288.exe 3936 nnnhhb.exe 3404 rfrlxxx.exe 2044 vpppj.exe 1760 nhnnnh.exe 448 602088.exe 2000 dpvpv.exe 4648 1flrlrl.exe 1092 nhhbth.exe 1120 06060.exe 2104 2820886.exe 4872 86660.exe 2020 840044.exe 636 040088.exe 4360 flrfrrl.exe 1212 rrrlfrl.exe 908 64044.exe 640 rrxrlrx.exe 2872 7pdjd.exe 4900 0264264.exe 5024 ddddv.exe 1080 llrlxxr.exe 3744 bnntnn.exe 1536 08826.exe 2740 246644.exe 3980 frxxllf.exe 3264 4046464.exe 2464 i668228.exe 2456 5jjjd.exe -
resource yara_rule behavioral2/memory/2372-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3184-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-327-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3724-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-854-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-957-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-1059-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 244204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 680482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6660826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 864800.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i842840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 406688.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2372 wrote to memory of 1508 2372 50482ce2f76b3320f3b6110ba5648246e2ac4ae05f262698493a07aeb9eb2393.exe 83 PID 2372 wrote to memory of 1508 2372 50482ce2f76b3320f3b6110ba5648246e2ac4ae05f262698493a07aeb9eb2393.exe 83 PID 2372 wrote to memory of 1508 2372 50482ce2f76b3320f3b6110ba5648246e2ac4ae05f262698493a07aeb9eb2393.exe 83 PID 1508 wrote to memory of 2956 1508 00482.exe 84 PID 1508 wrote to memory of 2956 1508 00482.exe 84 PID 1508 wrote to memory of 2956 1508 00482.exe 84 PID 2956 wrote to memory of 5060 2956 7pvpp.exe 85 PID 2956 wrote to memory of 5060 2956 7pvpp.exe 85 PID 2956 wrote to memory of 5060 2956 7pvpp.exe 85 PID 5060 wrote to memory of 4224 5060 q46044.exe 86 PID 5060 wrote to memory of 4224 5060 q46044.exe 86 PID 5060 wrote to memory of 4224 5060 q46044.exe 86 PID 4224 wrote to memory of 1332 4224 6484882.exe 87 PID 4224 wrote to memory of 1332 4224 6484882.exe 87 PID 4224 wrote to memory of 1332 4224 6484882.exe 87 PID 1332 wrote to memory of 3580 1332 66260.exe 88 PID 1332 wrote to memory of 3580 1332 66260.exe 88 PID 1332 wrote to memory of 3580 1332 66260.exe 88 PID 3580 wrote to memory of 1528 3580 pjvdj.exe 89 PID 3580 wrote to memory of 1528 3580 pjvdj.exe 89 PID 3580 wrote to memory of 1528 3580 pjvdj.exe 89 PID 1528 wrote to memory of 4080 1528 7bhbtn.exe 90 PID 1528 wrote to memory of 4080 1528 7bhbtn.exe 90 PID 1528 wrote to memory of 4080 1528 7bhbtn.exe 90 PID 4080 wrote to memory of 2028 4080 bthbbn.exe 91 PID 4080 wrote to memory of 2028 4080 bthbbn.exe 91 PID 4080 wrote to memory of 2028 4080 bthbbn.exe 91 PID 2028 wrote to memory of 4552 2028 3xlfxfx.exe 92 PID 2028 wrote to memory of 4552 2028 3xlfxfx.exe 92 PID 2028 wrote to memory of 4552 2028 3xlfxfx.exe 92 PID 4552 wrote to memory of 1020 4552 hnhtnb.exe 93 PID 4552 wrote to memory of 1020 4552 hnhtnb.exe 93 PID 4552 wrote to memory of 1020 4552 hnhtnb.exe 93 PID 1020 wrote to memory of 4244 1020 fllfffx.exe 94 PID 1020 wrote to memory 
of 4244 1020 fllfffx.exe 94 PID 1020 wrote to memory of 4244 1020 fllfffx.exe 94 PID 4244 wrote to memory of 4460 4244 6060826.exe 95 PID 4244 wrote to memory of 4460 4244 6060826.exe 95 PID 4244 wrote to memory of 4460 4244 6060826.exe 95 PID 4460 wrote to memory of 1732 4460 ntbtnn.exe 96 PID 4460 wrote to memory of 1732 4460 ntbtnn.exe 96 PID 4460 wrote to memory of 1732 4460 ntbtnn.exe 96 PID 1732 wrote to memory of 548 1732 2888266.exe 97 PID 1732 wrote to memory of 548 1732 2888266.exe 97 PID 1732 wrote to memory of 548 1732 2888266.exe 97 PID 548 wrote to memory of 4780 548 bnhthb.exe 98 PID 548 wrote to memory of 4780 548 bnhthb.exe 98 PID 548 wrote to memory of 4780 548 bnhthb.exe 98 PID 4780 wrote to memory of 216 4780 frxrffx.exe 99 PID 4780 wrote to memory of 216 4780 frxrffx.exe 99 PID 4780 wrote to memory of 216 4780 frxrffx.exe 99 PID 216 wrote to memory of 840 216 lrlxrfx.exe 100 PID 216 wrote to memory of 840 216 lrlxrfx.exe 100 PID 216 wrote to memory of 840 216 lrlxrfx.exe 100 PID 840 wrote to memory of 1752 840 40048.exe 101 PID 840 wrote to memory of 1752 840 40048.exe 101 PID 840 wrote to memory of 1752 840 40048.exe 101 PID 1752 wrote to memory of 1552 1752 6044822.exe 102 PID 1752 wrote to memory of 1552 1752 6044822.exe 102 PID 1752 wrote to memory of 1552 1752 6044822.exe 102 PID 1552 wrote to memory of 4404 1552 thnnhh.exe 103 PID 1552 wrote to memory of 4404 1552 thnnhh.exe 103 PID 1552 wrote to memory of 4404 1552 thnnhh.exe 103 PID 4404 wrote to memory of 2032 4404 pddjd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\50482ce2f76b3320f3b6110ba5648246e2ac4ae05f262698493a07aeb9eb2393.exe"C:\Users\Admin\AppData\Local\Temp\50482ce2f76b3320f3b6110ba5648246e2ac4ae05f262698493a07aeb9eb2393.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\00482.exec:\00482.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\7pvpp.exec:\7pvpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\q46044.exec:\q46044.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\6484882.exec:\6484882.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\66260.exec:\66260.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\pjvdj.exec:\pjvdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\7bhbtn.exec:\7bhbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\bthbbn.exec:\bthbbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\3xlfxfx.exec:\3xlfxfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\hnhtnb.exec:\hnhtnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\fllfffx.exec:\fllfffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\6060826.exec:\6060826.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\ntbtnn.exec:\ntbtnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\2888266.exec:\2888266.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\bnhthb.exec:\bnhthb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\frxrffx.exec:\frxrffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\lrlxrfx.exec:\lrlxrfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\40048.exec:\40048.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\6044822.exec:\6044822.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\thnnhh.exec:\thnnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\pddjd.exec:\pddjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\68488.exec:\68488.exe23⤵
- Executes dropped EXE
PID:2032 -
\??\c:\bnthnh.exec:\bnthnh.exe24⤵
- Executes dropped EXE
PID:4332 -
\??\c:\dpjpv.exec:\dpjpv.exe25⤵
- Executes dropped EXE
PID:1292 -
\??\c:\bbbttt.exec:\bbbttt.exe26⤵
- Executes dropped EXE
PID:4416 -
\??\c:\m4026.exec:\m4026.exe27⤵
- Executes dropped EXE
PID:408 -
\??\c:\vpdvp.exec:\vpdvp.exe28⤵
- Executes dropped EXE
PID:3284 -
\??\c:\88264.exec:\88264.exe29⤵
- Executes dropped EXE
PID:3184 -
\??\c:\40086.exec:\40086.exe30⤵
- Executes dropped EXE
PID:4392 -
\??\c:\hnhnnh.exec:\hnhnnh.exe31⤵
- Executes dropped EXE
PID:904 -
\??\c:\ttbnnh.exec:\ttbnnh.exe32⤵
- Executes dropped EXE
PID:1952 -
\??\c:\880426.exec:\880426.exe33⤵
- Executes dropped EXE
PID:4384 -
\??\c:\840400.exec:\840400.exe34⤵
- Executes dropped EXE
PID:4880 -
\??\c:\1dvpd.exec:\1dvpd.exe35⤵
- Executes dropped EXE
PID:4440 -
\??\c:\7dvpj.exec:\7dvpj.exe36⤵
- Executes dropped EXE
PID:1772 -
\??\c:\262288.exec:\262288.exe37⤵
- Executes dropped EXE
PID:1496 -
\??\c:\nnnhhb.exec:\nnnhhb.exe38⤵
- Executes dropped EXE
PID:3936 -
\??\c:\rfrlxxx.exec:\rfrlxxx.exe39⤵
- Executes dropped EXE
PID:3404 -
\??\c:\vpppj.exec:\vpppj.exe40⤵
- Executes dropped EXE
PID:2044 -
\??\c:\nhnnnh.exec:\nhnnnh.exe41⤵
- Executes dropped EXE
PID:1760 -
\??\c:\602088.exec:\602088.exe42⤵
- Executes dropped EXE
PID:448 -
\??\c:\dpvpv.exec:\dpvpv.exe43⤵
- Executes dropped EXE
PID:2000 -
\??\c:\1flrlrl.exec:\1flrlrl.exe44⤵
- Executes dropped EXE
PID:4648 -
\??\c:\nhhbth.exec:\nhhbth.exe45⤵
- Executes dropped EXE
PID:1092 -
\??\c:\06060.exec:\06060.exe46⤵
- Executes dropped EXE
PID:1120 -
\??\c:\2820886.exec:\2820886.exe47⤵
- Executes dropped EXE
PID:2104 -
\??\c:\86660.exec:\86660.exe48⤵
- Executes dropped EXE
PID:4872 -
\??\c:\840044.exec:\840044.exe49⤵
- Executes dropped EXE
PID:2020 -
\??\c:\040088.exec:\040088.exe50⤵
- Executes dropped EXE
PID:636 -
\??\c:\flrfrrl.exec:\flrfrrl.exe51⤵
- Executes dropped EXE
PID:4360 -
\??\c:\rrrlfrl.exec:\rrrlfrl.exe52⤵
- Executes dropped EXE
PID:1212 -
\??\c:\64044.exec:\64044.exe53⤵
- Executes dropped EXE
PID:908 -
\??\c:\rrxrlrx.exec:\rrxrlrx.exe54⤵
- Executes dropped EXE
PID:640 -
\??\c:\7pdjd.exec:\7pdjd.exe55⤵
- Executes dropped EXE
PID:2872 -
\??\c:\0264264.exec:\0264264.exe56⤵
- Executes dropped EXE
PID:4900 -
\??\c:\ddddv.exec:\ddddv.exe57⤵
- Executes dropped EXE
PID:5024 -
\??\c:\llrlxxr.exec:\llrlxxr.exe58⤵
- Executes dropped EXE
PID:1080 -
\??\c:\bnntnn.exec:\bnntnn.exe59⤵
- Executes dropped EXE
PID:3744 -
\??\c:\08826.exec:\08826.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1536 -
\??\c:\246644.exec:\246644.exe61⤵
- Executes dropped EXE
PID:2740 -
\??\c:\frxxllf.exec:\frxxllf.exe62⤵
- Executes dropped EXE
PID:3980 -
\??\c:\4046464.exec:\4046464.exe63⤵
- Executes dropped EXE
PID:3264 -
\??\c:\i668228.exec:\i668228.exe64⤵
- Executes dropped EXE
PID:2464 -
\??\c:\5jjjd.exec:\5jjjd.exe65⤵
- Executes dropped EXE
PID:2456 -
\??\c:\jvpvd.exec:\jvpvd.exe66⤵PID:2600
-
\??\c:\nhtntb.exec:\nhtntb.exe67⤵PID:1020
-
\??\c:\2848404.exec:\2848404.exe68⤵PID:372
-
\??\c:\jvdvp.exec:\jvdvp.exe69⤵PID:4020
-
\??\c:\02426.exec:\02426.exe70⤵PID:4952
-
\??\c:\008200.exec:\008200.exe71⤵PID:4532
-
\??\c:\btnhhh.exec:\btnhhh.exe72⤵PID:3540
-
\??\c:\000448.exec:\000448.exe73⤵PID:3724
-
\??\c:\02820.exec:\02820.exe74⤵PID:2928
-
\??\c:\1dddv.exec:\1dddv.exe75⤵PID:1488
-
\??\c:\o248226.exec:\o248226.exe76⤵PID:2212
-
\??\c:\jvddv.exec:\jvddv.exe77⤵PID:4616
-
\??\c:\02226.exec:\02226.exe78⤵PID:2604
-
\??\c:\0882688.exec:\0882688.exe79⤵PID:3616
-
\??\c:\428486.exec:\428486.exe80⤵PID:2276
-
\??\c:\26842.exec:\26842.exe81⤵PID:4620
-
\??\c:\jjjdp.exec:\jjjdp.exe82⤵PID:1968
-
\??\c:\pddvj.exec:\pddvj.exe83⤵PID:5096
-
\??\c:\vppdv.exec:\vppdv.exe84⤵PID:3564
-
\??\c:\htttnn.exec:\htttnn.exe85⤵PID:4824
-
\??\c:\bnnhbb.exec:\bnnhbb.exe86⤵PID:2684
-
\??\c:\pvvpd.exec:\pvvpd.exe87⤵PID:2360
-
\??\c:\262600.exec:\262600.exe88⤵PID:4776
-
\??\c:\7xxrffl.exec:\7xxrffl.exe89⤵PID:3028
-
\??\c:\20044.exec:\20044.exe90⤵PID:3576
-
\??\c:\rlffxll.exec:\rlffxll.exe91⤵PID:1012
-
\??\c:\3llfxxr.exec:\3llfxxr.exe92⤵
- System Location Discovery: System Language Discovery
PID:4968 -
\??\c:\8266000.exec:\8266000.exe93⤵PID:4680
-
\??\c:\u804888.exec:\u804888.exe94⤵PID:4700
-
\??\c:\m2826.exec:\m2826.exe95⤵PID:1652
-
\??\c:\08882.exec:\08882.exe96⤵PID:4880
-
\??\c:\c844882.exec:\c844882.exe97⤵PID:4104
-
\??\c:\q22002.exec:\q22002.exe98⤵PID:2992
-
\??\c:\884882.exec:\884882.exe99⤵PID:1008
-
\??\c:\640088.exec:\640088.exe100⤵PID:800
-
\??\c:\dvjdv.exec:\dvjdv.exe101⤵PID:3404
-
\??\c:\xxxrrlf.exec:\xxxrrlf.exe102⤵PID:3368
-
\??\c:\vdpvj.exec:\vdpvj.exe103⤵PID:1760
-
\??\c:\ppvpp.exec:\ppvpp.exe104⤵PID:3112
-
\??\c:\xxlllfl.exec:\xxlllfl.exe105⤵PID:1076
-
\??\c:\jvvpp.exec:\jvvpp.exe106⤵PID:4660
-
\??\c:\vjjpd.exec:\vjjpd.exe107⤵PID:4648
-
\??\c:\rllffrr.exec:\rllffrr.exe108⤵PID:1092
-
\??\c:\pdjjd.exec:\pdjjd.exe109⤵PID:2004
-
\??\c:\vppjj.exec:\vppjj.exe110⤵PID:3964
-
\??\c:\s4648.exec:\s4648.exe111⤵PID:4768
-
\??\c:\3ddvp.exec:\3ddvp.exe112⤵PID:2020
-
\??\c:\bttnhh.exec:\bttnhh.exe113⤵PID:1616
-
\??\c:\6226048.exec:\6226048.exe114⤵PID:1588
-
\??\c:\608480.exec:\608480.exe115⤵PID:4360
-
\??\c:\q68222.exec:\q68222.exe116⤵PID:1384
-
\??\c:\q40882.exec:\q40882.exe117⤵PID:116
-
\??\c:\vpvpv.exec:\vpvpv.exe118⤵PID:760
-
\??\c:\c800448.exec:\c800448.exe119⤵PID:5060
-
\??\c:\22086.exec:\22086.exe120⤵PID:2892
-
\??\c:\22624.exec:\22624.exe121⤵PID:1304
-
\??\c:\66680.exec:\66680.exe122⤵PID:1028