Analysis

max time kernel: 150s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 28/12/2024, 23:20

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: 572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7.exe
Resource: win7-20240729-en
7 signatures, 150 seconds
General

Target: 572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7.exe
Size: 454KB
MD5: 8121c684319025d3728af38e3aaa09a3
SHA1: cc6ddb40e04ffb17eab73b95086d0a3879d8bc82
SHA256: 572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7
SHA512: c3d2b676c8577688533b2efede847a92d167e0ea564975788a059b05c46d6c2160937b99e76f837b83bb7be9efee483a5cf0bbe4b9e2ad4374f4168f7f6811ac
SSDEEP: 6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAber:q7Tc2NYHUrAwfMp3CDr
Malware Config
Signatures

Blackmoon family

Detect Blackmoon payload (47 IoCs)

Every matched region is 0x2A000 bytes (168 KB). Most sit at the default 32-bit image base 0x400000; the rest are the same-size image at a relocated base (0x220000, 0x230000, 0x270000, 0x3A0000, 0x3C0000, 0x3D0000, 0x430000, 0x1C50000). PIDs are reused during the run: 2844, for example, belongs to two different processes in the tree below (3vpvp.exe at depth 5 and 9vpvp.exe at depth 42), so match a dump on the full pid-sequence pair in its name, never on the PID alone.

resource  yara_rule
behavioral1/memory/2312-7-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1704-17-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2188-28-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2848-36-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2844-46-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3024-64-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2860-72-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2256-85-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2708-82-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1832-100-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2192-109-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2060-118-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1976-126-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1996-135-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2084-168-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1224-192-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1052-219-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1556-234-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2656-243-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2624-270-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/884-285-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2952-330-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1092-336-0x00000000003A0000-0x00000000003CA000-memory.dmp  family_blackmoon
behavioral1/memory/2844-338-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2864-353-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/956-379-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2908-416-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/3032-429-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1860-454-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1720-487-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1628-486-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/952-494-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/732-520-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2068-522-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1804-547-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/2848-615-0x00000000003A0000-0x00000000003CA000-memory.dmp  family_blackmoon
behavioral1/memory/2724-627-0x00000000003C0000-0x00000000003EA000-memory.dmp  family_blackmoon
behavioral1/memory/3012-709-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/1744-737-0x0000000000400000-0x000000000042A000-memory.dmp  family_blackmoon
behavioral1/memory/1744-736-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2360-764-0x00000000003D0000-0x00000000003FA000-memory.dmp  family_blackmoon
behavioral1/memory/1076-778-0x0000000000270000-0x000000000029A000-memory.dmp  family_blackmoon
behavioral1/memory/1612-954-0x0000000000230000-0x000000000025A000-memory.dmp  family_blackmoon
behavioral1/memory/1068-969-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
behavioral1/memory/2288-982-0x0000000001C50000-0x0000000001C7A000-memory.dmp  family_blackmoon
behavioral1/memory/2556-1094-0x0000000000430000-0x000000000045A000-memory.dmp  family_blackmoon
behavioral1/memory/2608-1140-0x0000000000220000-0x000000000024A000-memory.dmp  family_blackmoon
Executes dropped EXE (64 IoCs)

pid process
1704 pvpvj.exe, 2188 vvdvd.exe, 2848 xrflrfl.exe, 2844 3vpvp.exe, 408 hnbhth.exe, 3024 vdppj.exe, 2860 xfxrrxl.exe, 2708 9jdjj.exe,
2256 7xxfxlx.exe, 1832 bnbhtb.exe, 2192 lrfflrx.exe, 2060 9vvdj.exe, 1976 xxxlxfx.exe, 1996 nnthht.exe, 1868 llxlxfr.exe, 2780 ddjpd.exe,
592 frffxrx.exe, 2084 ntntbh.exe, 2124 tbntnn.exe, 2220 ffrxflx.exe, 1224 dvvjp.exe, 2400 flflfll.exe, 1192 nnbbnt.exe, 832 jjvdj.exe,
1052 7flxxfl.exe, 1556 hhntbb.exe, 2656 rrxflrf.exe, 2208 1nhntn.exe, 800 fxlrllx.exe, 1920 hnbthn.exe, 2624 vvpvj.exe, 1156 ffrrxlx.exe,
884 5jvvj.exe, 2308 ppjvj.exe, 1604 9xxfxfx.exe, 2904 ntbhnb.exe, 1092 bbhnnb.exe, 2840 vvjpd.exe, 2952 lrllrlr.exe, 2824 9htbnt.exe,
2844 9vpvp.exe, 3008 lrfllrf.exe, 2864 3lffrxf.exe, 2700 hbttht.exe, 2768 1pddj.exe, 1456 rxxrxxf.exe, 956 5fffrxl.exe, 2728 hntttb.exe,
2104 vvjjp.exe, 2192 rfxfrxf.exe, 1520 rrffflr.exe, 2908 nhtbhn.exe, 1108 vpvdp.exe, 3028 flrxlxf.exe, 3032 3lllxlx.exe, 1740 5bnnbn.exe,
1744 jjvdv.exe, 1860 jjvdd.exe, 2412 lrlllxr.exe, 1720 htbnbt.exe, 2020 1jpjv.exe, 2216 xxllxfl.exe, 1628 3fxxllx.exe, 952 nhnbbn.exe
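The 64 names above share one shape: 4 to 7 letters drawn from the set {b,d,f,h,j,l,n,p,r,t,v,x}, optionally prefixed by a single digit, always launched from the root of c:\. The following is an added example, not code from the report or from any vendor signature; the regular expression is a hunting heuristic inferred from this sample alone and should be treated as an assumption to validate against your own process-creation telemetry before deployment. The sample lines are constructed for the example.

```python
import re
from typing import Iterable, List, Tuple

# Hunting heuristic inferred from the 64 names in the table above. This is an
# assumption made for this example (not a vendor signature): each dropped
# binary is named with 4-7 letters drawn from {b,d,f,h,j,l,n,p,r,t,v,x},
# optionally prefixed by a single digit, and runs from the root of c:\.
NAME_RE = re.compile(r"^[0-9]?[bdfhjlnprtvx]{4,7}\.exe$", re.IGNORECASE)
# A path is "root-of-drive" in either the Win32 form (c:\x.exe) or the NT
# object-manager form the report prints (\??\c:\x.exe).
ROOT_RE = re.compile(r"^(?:\\\?\?\\)?[a-z]:\\[^\\]+$", re.IGNORECASE)


def is_suspect_name(name: str) -> bool:
    """True when a bare file name matches the observed naming scheme."""
    return NAME_RE.match(name) is not None


def is_suspect_path(path: str) -> bool:
    """True when the image sits in a drive root AND its name matches the scheme.
    Requiring both keeps odd-but-legitimate names in real directories out."""
    if not ROOT_RE.match(path):
        return False
    return is_suspect_name(path.rsplit("\\", 1)[-1])


def scan_process_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Parse 'pid image-path' lines (the shape of the process list in this
    report) and return the (pid, path) pairs that hit the heuristic."""
    hits: List[Tuple[int, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        pid_str, image = line.split(None, 1)
        if is_suspect_path(image):
            hits.append((int(pid_str), image))
    return hits


# Constructed sample: four entries copied from this report plus three benign
# lines that must not match (a system binary, a root-of-drive installer whose
# name uses letters outside the alphabet, and a scheme-like name that lives in
# a subdirectory rather than the drive root).
SAMPLE_LINES = """
1704 \\??\\c:\\pvpvj.exe
2188 \\??\\c:\\vvdvd.exe
408 c:\\hnbhth.exe
2256 \\??\\c:\\7xxfxlx.exe
1000 C:\\Windows\\System32\\svchost.exe
1001 c:\\setup.exe
1002 c:\\tools\\pvpvj.exe
"""

if __name__ == "__main__":
    for pid, path in scan_process_lines(SAMPLE_LINES.splitlines()):
        print(f"{pid:>5}  {path}")
```

The root-of-drive condition does most of the false-positive suppression: the letter alphabet alone would also match a handful of legitimate short names, but legitimate software almost never executes from c:\ directly.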
UPX (yara rule "upx") 44 IoCs

resource  yara_rule
behavioral1/memory/1704-10-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2312-7-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1704-17-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2188-28-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2848-36-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2844-46-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3024-64-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2860-72-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2256-85-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2708-82-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1832-100-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2192-109-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2060-118-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1976-126-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1996-135-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2084-168-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1224-192-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1052-219-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1556-234-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2656-243-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2624-270-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/884-285-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1092-310-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2952-330-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2844-338-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2864-353-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/956-379-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2908-416-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/3032-429-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1860-454-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1628-486-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/952-494-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/732-520-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2068-522-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1804-547-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2732-642-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2444-681-0x0000000000220000-0x000000000024A000-memory.dmp  upx
behavioral1/memory/1744-737-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1648-866-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1616-942-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/920-1038-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/1580-1081-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2660-1107-0x0000000000400000-0x000000000042A000-memory.dmp  upx
behavioral1/memory/2608-1140-0x0000000000220000-0x000000000024A000-memory.dmp  upx
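The two yara tables above are worth parsing rather than eyeballing: the region size tells you whether every hit is the same image, the base address tells you which hits are relocations of it, and the pid-sequence pair is the only safe identity for a dump once PIDs start being reused. The following is an added example, not code from the report or the sandbox; it only reads the string shape `<task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` shown on this page, and the nine sample names are copied from the family_blackmoon table.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Resource names in the tables above have the shape
#   <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
# where <seq> is the report's running event number. Nothing here depends on
# the sandbox itself; the parser only reads that string shape.
DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DEFAULT_IMAGE_BASE = 0x400000  # usual link-time base of a 32-bit PE


def parse_dump(resource: str) -> Tuple[int, int, int, int]:
    """Return (pid, seq, start, end) for one resource name."""
    m = DUMP_RE.match(resource.strip())
    if m is None:
        raise ValueError(f"not a memory-dump resource: {resource!r}")
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def region_size(resource: str) -> int:
    """Size in bytes of the dumped region."""
    _, _, start, end = parse_dump(resource)
    return end - start


def summarize(resources: List[str]) -> Dict[str, object]:
    """Group dump names by region size and base address, keep the (pid, seq)
    identity of each dump, and list PIDs that have more than one dump so they
    can be checked against the process tree for PID reuse."""
    sizes: Counter = Counter()
    bases: Counter = Counter()
    keys: Set[Tuple[int, int]] = set()
    seqs_by_pid: Dict[int, Set[int]] = defaultdict(set)
    for r in resources:
        pid, seq, start, end = parse_dump(r)
        sizes[end - start] += 1
        bases[start] += 1
        keys.add((pid, seq))
        seqs_by_pid[pid].add(seq)
    return {
        "sizes": dict(sizes),
        "bases": dict(bases),
        "keys": keys,
        "multi_dump_pids": sorted(p for p, s in seqs_by_pid.items() if len(s) > 1),
    }


def relocated(resources: List[str]) -> List[str]:
    """Dump names whose region does not start at the default image base."""
    return [r for r in resources if parse_dump(r)[2] != DEFAULT_IMAGE_BASE]


# Constructed sample: nine names copied from the family_blackmoon table above.
SAMPLE_DUMPS = [
    "behavioral1/memory/2312-7-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/1704-17-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/2844-46-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/2844-338-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/1092-336-0x00000000003A0000-0x00000000003CA000-memory.dmp",
    "behavioral1/memory/1720-487-0x0000000000220000-0x000000000024A000-memory.dmp",
    "behavioral1/memory/1744-736-0x0000000000220000-0x000000000024A000-memory.dmp",
    "behavioral1/memory/1744-737-0x0000000000400000-0x000000000042A000-memory.dmp",
    "behavioral1/memory/2288-982-0x0000000001C50000-0x0000000001C7A000-memory.dmp",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_DUMPS)
    print("region sizes:", {hex(k): v for k, v in s["sizes"].items()})
    print("bases:", {hex(k): v for k, v in s["bases"].items()})
    print("pids with several dumps:", s["multi_dump_pids"])
    print("relocated dumps:", len(relocated(SAMPLE_DUMPS)))
```

On the sample, every region is 0x2A000 bytes and two PIDs carry more than one dump. They are not the same situation: 1744 has two regions (0x220000 and 0x400000) in one process, while 2844 is two different processes in the tree (3vpvp.exe, then 9vpvp.exe), which is why `keys` is built from (pid, seq) rather than pid.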
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (all 64 events)
Process (16 attributed): 5htbtb.exe, 9djvv.exe, tnbhnn.exe, ffllxxl.exe, rrlrfrf.exe, pvjjp.exe, jpppv.exe, hhnhtt.exe, bnbhth.exe, 7rlxffl.exe, 1vjjv.exe, hthhth.exe, 1dpvd.exe, rrffrrx.exe, ddjpd.exe, fxxrrfr.exe
Process not Found: the remaining 48 events, which the sandbox could not attribute to a process it was still tracking.

Of the 16 attributed names only ddjpd.exe also appears in the process list below; the rest are not in the portion of the chain that list shows. The table is capped at 64 IoCs, so the count understates how many members of the chain read this key.
Suspicious use of WriteProcessMemory (64 IoCs)

Each parent wrote to its child four times, so the 64 records collapse to the 16 parent/child pairs below. pid and Process identify the writer; procid_target is the report's sequential index of the target process.

pid   Process                                                               wrote to  procid_target  writes
2312  572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7.exe  1704      30             4
1704  pvpvj.exe                                                             2188      31             4
2188  vvdvd.exe                                                             2848      32             4
2848  xrflrfl.exe                                                           2844      33             4
2844  3vpvp.exe                                                             408       34             4
408   hnbhth.exe                                                            3024      35             4
3024  vdppj.exe                                                             2860      36             4
2860  xfxrrxl.exe                                                           2708      37             4
2708  9jdjj.exe                                                             2256      38             4
2256  7xxfxlx.exe                                                           1832      39             4
1832  bnbhtb.exe                                                            2192      40             4
2192  lrfflrx.exe                                                           2060      41             4
2060  9vvdj.exe                                                             1976      42             4
1976  xxxlxfx.exe                                                           1996      43             4
1996  nnthht.exe                                                            1868      44             4
1868  llxlxfr.exe                                                           2780      45             4
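The raw records above are the easiest place to recover the spawn chain mechanically: deduplicate the repeated writes, find the PID that writes but is never written to, and walk writer-to-target edges from it. The following is an added example, not code from the report; it parses the record shape exactly as printed here ("PID src wrote to memory of dst pid Process procid_target"), and the sample input is constructed from the first four pairs of the table. It also stops on a repeated PID, which matters on this page because PIDs are reused during the run.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# One record of the table above, in the column order the report prints it:
#   "PID <src> wrote to memory of <dst> <pid> <Process> <procid_target>"
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<target>\d+)$"
)

Edge = Tuple[int, int]
ROOT_NAME = "572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7.exe"


def parse_writes(lines: Iterable[str]) -> Dict[Edge, Tuple[str, int]]:
    """Collapse repeated records into {(src, dst): (writer image, write count)}.
    The report logs every WriteProcessMemory call separately, so the same
    parent/child pair shows up several times."""
    edges: Dict[Edge, Tuple[str, int]] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = WRITE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        if m["src"] != m["pid"]:
            raise ValueError(f"writer pid mismatch in {line!r}")
        key = (int(m["src"]), int(m["dst"]))
        image, n = edges.get(key, (m["image"], 0))
        edges[key] = (image, n + 1)
    return edges


def roots(edges: Dict[Edge, Tuple[str, int]]) -> List[int]:
    """PIDs that write to others but are never written to: chain starts."""
    writers = {src for src, _ in edges}
    targets = {dst for _, dst in edges}
    return sorted(writers - targets)


def build_chain(edges: Dict[Edge, Tuple[str, int]], root: int) -> List[int]:
    """Follow writer -> target edges from root. Stops when the tree branches
    (this sample never does) or when a PID repeats, which would otherwise
    loop because PIDs are reused within the run."""
    children: Dict[int, List[int]] = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chain, seen, cur = [root], {root}, root
    while len(children.get(cur, [])) == 1:
        nxt = children[cur][0]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain


def writer_images(edges: Dict[Edge, Tuple[str, int]]) -> Dict[int, str]:
    """pid -> image for every process that acted as a writer."""
    return {src: image for (src, _), (image, _) in edges.items()}


# Constructed sample: the first four parent/child pairs of the table above,
# each with its four repeated records, in the order the report lists them.
SAMPLE_RECORDS = "\n".join(
    [f"PID 2312 wrote to memory of 1704 2312 {ROOT_NAME} 30"] * 4
    + ["PID 1704 wrote to memory of 2188 1704 pvpvj.exe 31"] * 4
    + ["PID 2188 wrote to memory of 2848 2188 vvdvd.exe 32"] * 4
    + ["PID 2848 wrote to memory of 2844 2848 xrflrfl.exe 33"] * 4
)

if __name__ == "__main__":
    edges = parse_writes(SAMPLE_RECORDS.splitlines())
    names = writer_images(edges)
    for r in roots(edges):
        chain = build_chain(edges, r)
        print(f"chain from {r}, depth {len(chain)}:")
        for pid in chain:
            print(f"  {pid:>5}  {names.get(pid, '(no write recorded)')}")
```

The last PID in a chain has no image name in this table because it never acted as a writer; join against the "Executes dropped EXE" table or the process list to name it. A chain depth threshold on `build_chain` output (a handful of levels is already unusual for legitimate software) is a cheap first filter for this spawn-and-write pattern.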
Processes

The report's tree is a single chain: each entry is the child of the one above it, and the first column is its depth. Every dropped EXE runs from the root of c:\ and its command line is its image path without the \??\ prefix (for example \??\c:\pvpvj.exe is launched as c:\pvpvj.exe). PIDs are reused during the 150-second run (2312 appears three times, at depths 1, 78 and 121; 2844, 2848, 2192, 1868, 832, 1744, 1720, 1556, 800, 1056 and 2208 twice each), so the IoC tables above must be matched on more than the PID. Tags: D = Executes dropped EXE, W = Suspicious use of WriteProcessMemory, L = System Location Discovery: System Language Discovery.

depth  PID   image  tags
1      2312  C:\Users\Admin\AppData\Local\Temp\572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7.exe (command line "C:\Users\Admin\AppData\Local\Temp\572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7.exe")  W
2      1704  \??\c:\pvpvj.exe  D W
3      2188  \??\c:\vvdvd.exe  D W
4      2848  \??\c:\xrflrfl.exe  D W
5      2844  \??\c:\3vpvp.exe  D W
6      408   \??\c:\hnbhth.exe  D W
7      3024  \??\c:\vdppj.exe  D W
8      2860  \??\c:\xfxrrxl.exe  D W
9      2708  \??\c:\9jdjj.exe  D W
10     2256  \??\c:\7xxfxlx.exe  D W
11     1832  \??\c:\bnbhtb.exe  D W
12     2192  \??\c:\lrfflrx.exe  D W
13     2060  \??\c:\9vvdj.exe  D W
14     1976  \??\c:\xxxlxfx.exe  D W
15     1996  \??\c:\nnthht.exe  D W
16     1868  \??\c:\llxlxfr.exe  D W
17     2780  \??\c:\ddjpd.exe  D L
18     592   \??\c:\frffxrx.exe  D
19     2084  \??\c:\ntntbh.exe  D
20     2124  \??\c:\tbntnn.exe  D
21     2220  \??\c:\ffrxflx.exe  D
22     1224  \??\c:\dvvjp.exe  D
23     2400  \??\c:\flflfll.exe  D
24     1192  \??\c:\nnbbnt.exe  D
25     832   \??\c:\jjvdj.exe  D
26     1052  \??\c:\7flxxfl.exe  D
27     1556  \??\c:\hhntbb.exe  D
28     2656  \??\c:\rrxflrf.exe  D
29     2208  \??\c:\1nhntn.exe  D
30     800   \??\c:\fxlrllx.exe  D
31     1920  \??\c:\hnbthn.exe  D
32     2624  \??\c:\vvpvj.exe  D
33     1156  \??\c:\ffrrxlx.exe  D
34     884   \??\c:\5jvvj.exe  D
35     2308  \??\c:\ppjvj.exe  D
36     1604  \??\c:\9xxfxfx.exe  D
37     2904  \??\c:\ntbhnb.exe  D
38     1092  \??\c:\bbhnnb.exe  D
39     2840  \??\c:\vvjpd.exe  D
40     2952  \??\c:\lrllrlr.exe  D
41     2824  \??\c:\9htbnt.exe  D
42     2844  \??\c:\9vpvp.exe  D
43     3008  \??\c:\lrfllrf.exe  D
44     2864  \??\c:\3lffrxf.exe  D
45     2700  \??\c:\hbttht.exe  D
46     2768  \??\c:\1pddj.exe  D
47     1456  \??\c:\rxxrxxf.exe  D
48     956   \??\c:\5fffrxl.exe  D
49     2728  \??\c:\hntttb.exe  D
50     2104  \??\c:\vvjjp.exe  D
51     2192  \??\c:\rfxfrxf.exe  D
52     1520  \??\c:\rrffflr.exe  D
53     2908  \??\c:\nhtbhn.exe  D
54     1108  \??\c:\vpvdp.exe  D
55     3028  \??\c:\flrxlxf.exe  D
56     3032  \??\c:\3lllxlx.exe  D
57     1740  \??\c:\5bnnbn.exe  D
58     1744  \??\c:\jjvdv.exe  D
59     1860  \??\c:\jjvdd.exe  D
60     2412  \??\c:\lrlllxr.exe  D
61     1720  \??\c:\htbnbt.exe  D
62     2020  \??\c:\1jpjv.exe  D
63     2216  \??\c:\xxllxfl.exe  D
64     1628  \??\c:\3fxxllx.exe  D
65     952   \??\c:\nhnbbn.exe  D
66     2512  \??\c:\jjdjp.exe
67     832   \??\c:\lrlrflx.exe
68     1356  \??\c:\rrxfrfr.exe
69     732   \??\c:\1ttbhh.exe
70     2068  \??\c:\jpddj.exe
71     1660  \??\c:\pvjdd.exe
72     2208  \??\c:\3llrxxl.exe
73     1804  \??\c:\tbhhtb.exe
74     1516  \??\c:\vdvdp.exe
75     3052  \??\c:\vvvvd.exe
76     1056  \??\c:\ffrxlrf.exe
77     2608  \??\c:\hhbbth.exe
78     2312  \??\c:\nhntnh.exe
79     1600  \??\c:\jvpdj.exe
80     2044  \??\c:\xflxlxl.exe
81     612   \??\c:\3flfxfr.exe
82     2892  \??\c:\hbthnb.exe
83     2848  \??\c:\9vjpj.exe
84     2928  \??\c:\7fxxxfl.exe
85     2724  \??\c:\xrlrxlx.exe
86     3020  \??\c:\ttnnbb.exe
87     2804  \??\c:\1vdvp.exe
88     2732  \??\c:\7lffllf.exe
89     2720  \??\c:\lrfflfr.exe
90     1452  \??\c:\7btbtt.exe
91     1612  \??\c:\hnntnt.exe
92     2176  \??\c:\pvpdp.exe
93     2444  \??\c:\lxfrfxr.exe
94     2284  \??\c:\7bnbnb.exe
95     2032  \??\c:\bbthth.exe
96     1144  \??\c:\pvjpv.exe
97     3012  \??\c:\pvjpj.exe
98     1868  \??\c:\3fxlflr.exe
99     2052  \??\c:\thbhbn.exe
100    1584  \??\c:\jjpvd.exe
101    1744  \??\c:\dpddp.exe
102    836   \??\c:\xlxflfl.exe
103    2636  \??\c:\hhbhnt.exe
104    1720  \??\c:\ddjpd.exe
105    2360  \??\c:\ddjjv.exe
106    916   \??\c:\3xrxlrf.exe
107    1076  \??\c:\1bttbh.exe
108    2016  \??\c:\htnntb.exe
109    2008  \??\c:\djdpv.exe
110    1588  \??\c:\xxflrfl.exe
111    1556  \??\c:\9xlrlxf.exe
112    2556  \??\c:\bhttnn.exe
113    1652  \??\c:\jvdjv.exe
114    800   \??\c:\jpdpv.exe
115    2660  \??\c:\rrxfrfr.exe
116    2640  \??\c:\nnntnn.exe
117    344   \??\c:\nhhnbn.exe
118    1532  \??\c:\jpvvd.exe
119    1056  \??\c:\lrxflrx.exe
120    1764  \??\c:\3rrrxfr.exe
121    2312  \??\c:\thntnb.exe
122    1648  \??\c:\ppdjd.exe