Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
28/12/2024, 23:20
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7.exe
Resource
win7-20240729-en
7 signatures
150 seconds
(Note: the task listed here ran on the Windows 7 resource, but every IoC below is labelled behavioral2 and the platform header above says windows10-2004_x64 / win10v2004-20241007-en. Treat the evidence below as coming from the Windows 10 run; this page does not show what the Windows 7 run produced.)
General
-
Target
572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7.exe
-
Size
454KB
-
MD5
8121c684319025d3728af38e3aaa09a3
-
SHA1
cc6ddb40e04ffb17eab73b95086d0a3879d8bc82
-
SHA256
572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7
-
SHA512
c3d2b676c8577688533b2efede847a92d167e0ea564975788a059b05c46d6c2160937b99e76f837b83bb7be9efee483a5cf0bbe4b9e2ad4374f4168f7f6811ac
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAber:q7Tc2NYHUrAwfMp3CDr
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload (63 IoCs). Every hit below is the 0x00400000–0x0042A000 image region of a different process in the chain, and the same regions also match the upx rule further down; this is consistent with each dropped executable being the same UPX-packed payload re-dropped under a new random name rather than 63 distinct payloads.
resource yara_rule behavioral2/memory/5068-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1728-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4368-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-855-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-1051-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-1133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-1246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-1645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE (64 IoCs). Note that several PIDs appear more than once in this list (for example 2440 is listed for both xrrrxxf.exe and 424482.exe), which indicates PID reuse after an earlier stage had exited; correlate by process name and parent rather than by PID alone.
pid Process 2440 xrrrxxf.exe 3660 28440.exe 2644 thbhnh.exe 2724 446004.exe 2036 446680.exe 2908 btnhhh.exe 3228 0622666.exe 2612 fxxxrrr.exe 3460 66486.exe 944 e84824.exe 2864 246448.exe 2308 rlrrllf.exe 2604 228440.exe 3980 bbthbt.exe 5064 dpppv.exe 2556 802486.exe 648 pvvjd.exe 2636 000000.exe 4416 224822.exe 4320 lfxflrx.exe 2980 44860.exe 4480 6422826.exe 948 84080.exe 3896 4862224.exe 2500 pdpdp.exe 2236 86266.exe 924 jjdjv.exe 1728 0080628.exe 4192 6822886.exe 3144 9ttnhb.exe 3476 dpvjd.exe 1264 i026004.exe 3984 bththh.exe 1944 lfrlrrr.exe 4940 8866660.exe 1564 ntbtnb.exe 3708 88248.exe 3016 2226048.exe 2408 4626004.exe 4516 600448.exe 1444 jvppp.exe 3852 4888444.exe 3012 0666602.exe 2928 ntnnhh.exe 2812 frfrlxx.exe 2912 024040.exe 4508 088648.exe 4420 rrxxlfr.exe 4660 thhthb.exe 1360 6286004.exe 2440 424482.exe 416 42822.exe 1812 884028.exe 3056 64860.exe 4376 lflffff.exe 4352 thhbnh.exe 2852 1vjdp.exe 3168 6248822.exe 2656 q64620.exe 3128 i404248.exe 2752 ppjdv.exe 1544 66600.exe 4344 7nhhbh.exe 2956 1tttnn.exe -
resource yara_rule behavioral2/memory/5068-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-178-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3144-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-383-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1836-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-855-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-1051-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The evidence below is only that the HKLM\SYSTEM\ControlSet001\Control\NLS\Language key was opened; the sandbox did not record what the sample does with the value, so whether this acts as a locale-based kill-switch cannot be concluded from this report. Entries attributed to "Process not Found" are most likely short-lived stages that had already exited before the event could be attributed to a process name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88686.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 844882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
0842204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 684820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language m0200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2048608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06464.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62602.exe -
Suspicious use of WriteProcessMemory (64 IoCs). Every write is from a parent into the child it has just spawned, in a straight parent→child chain starting at PID 5068, with three writes per pair; this is consistent with ordinary process-creation writes into a freshly started child, and the report shows no write into an unrelated or pre-existing process.
description pid Process procid_target PID 5068 wrote to memory of 2440 5068 572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7.exe 84 PID 5068 wrote to memory of 2440 5068 572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7.exe 84 PID 5068 wrote to memory of 2440 5068 572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7.exe 84 PID 2440 wrote to memory of 3660 2440 xrrrxxf.exe 85 PID 2440 wrote to memory of 3660 2440 xrrrxxf.exe 85 PID 2440 wrote to memory of 3660 2440 xrrrxxf.exe 85 PID 3660 wrote to memory of 2644 3660 28440.exe 86 PID 3660 wrote to memory of 2644 3660 28440.exe 86 PID 3660 wrote to memory of 2644 3660 28440.exe 86 PID 2644 wrote to memory of 2724 2644 thbhnh.exe 87 PID 2644 wrote to memory of 2724 2644 thbhnh.exe 87 PID 2644 wrote to memory of 2724 2644 thbhnh.exe 87 PID 2724 wrote to memory of 2036 2724 446004.exe 88 PID 2724 wrote to memory of 2036 2724 446004.exe 88 PID 2724 wrote to memory of 2036 2724 446004.exe 88 PID 2036 wrote to memory of 2908 2036 446680.exe 89 PID 2036 wrote to memory of 2908 2036 446680.exe 89 PID 2036 wrote to memory of 2908 2036 446680.exe 89 PID 2908 wrote to memory of 3228 2908 btnhhh.exe 90 PID 2908 wrote to memory of 3228 2908 btnhhh.exe 90 PID 2908 wrote to memory of 3228 2908 btnhhh.exe 90 PID 3228 wrote to memory of 2612 3228 0622666.exe 91 PID 3228 wrote to memory of 2612 3228 0622666.exe 91 PID 3228 wrote to memory of 2612 3228 0622666.exe 91 PID 2612 wrote to memory of 3460 2612 fxxxrrr.exe 92 PID 2612 wrote to memory of 3460 2612 fxxxrrr.exe 92 PID 2612 wrote to memory of 3460 2612 fxxxrrr.exe 92 PID 3460 wrote to memory of 944 3460 66486.exe 93 PID 3460 wrote to memory of 944 3460 66486.exe 93 PID 3460 wrote to memory of 944 3460 66486.exe 93 PID 944 wrote to memory of 2864 944 e84824.exe 94 PID 944 wrote to memory of 2864 944 e84824.exe 94 PID 944 wrote to memory of 2864 944 e84824.exe 94 PID 2864 wrote to memory of 2308 2864 246448.exe 95 PID 2864 wrote to memory 
of 2308 2864 246448.exe 95 PID 2864 wrote to memory of 2308 2864 246448.exe 95 PID 2308 wrote to memory of 2604 2308 rlrrllf.exe 96 PID 2308 wrote to memory of 2604 2308 rlrrllf.exe 96 PID 2308 wrote to memory of 2604 2308 rlrrllf.exe 96 PID 2604 wrote to memory of 3980 2604 228440.exe 97 PID 2604 wrote to memory of 3980 2604 228440.exe 97 PID 2604 wrote to memory of 3980 2604 228440.exe 97 PID 3980 wrote to memory of 5064 3980 bbthbt.exe 98 PID 3980 wrote to memory of 5064 3980 bbthbt.exe 98 PID 3980 wrote to memory of 5064 3980 bbthbt.exe 98 PID 5064 wrote to memory of 2556 5064 dpppv.exe 99 PID 5064 wrote to memory of 2556 5064 dpppv.exe 99 PID 5064 wrote to memory of 2556 5064 dpppv.exe 99 PID 2556 wrote to memory of 648 2556 802486.exe 100 PID 2556 wrote to memory of 648 2556 802486.exe 100 PID 2556 wrote to memory of 648 2556 802486.exe 100 PID 648 wrote to memory of 2636 648 pvvjd.exe 101 PID 648 wrote to memory of 2636 648 pvvjd.exe 101 PID 648 wrote to memory of 2636 648 pvvjd.exe 101 PID 2636 wrote to memory of 4416 2636 000000.exe 102 PID 2636 wrote to memory of 4416 2636 000000.exe 102 PID 2636 wrote to memory of 4416 2636 000000.exe 102 PID 4416 wrote to memory of 4320 4416 224822.exe 103 PID 4416 wrote to memory of 4320 4416 224822.exe 103 PID 4416 wrote to memory of 4320 4416 224822.exe 103 PID 4320 wrote to memory of 2980 4320 lfxflrx.exe 104 PID 4320 wrote to memory of 2980 4320 lfxflrx.exe 104 PID 4320 wrote to memory of 2980 4320 lfxflrx.exe 104 PID 2980 wrote to memory of 4480 2980 44860.exe 105
Processes
Each stage drops the next executable into the root of C:\ under a random-looking name (for example c:\xrrrxxf.exe) and launches it, producing a chain 122 levels deep within the 150-second run. Execution of freshly written binaries from the drive root is a useful hunting pivot that does not depend on the file hashes.
-
C:\Users\Admin\AppData\Local\Temp\572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7.exe  "C:\Users\Admin\AppData\Local\Temp\572af50973ce98c4e1f420212dbfdd8aa62e82a03afd3bcddac912b07b027fc7.exe"  1⤵
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\xrrrxxf.exe  c:\xrrrxxf.exe  2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\28440.exe  c:\28440.exe  3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\thbhnh.exe  c:\thbhnh.exe  4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\446004.exe  c:\446004.exe  5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\446680.exe  c:\446680.exe  6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\btnhhh.exe  c:\btnhhh.exe  7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\0622666.exe  c:\0622666.exe  8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\fxxxrrr.exe  c:\fxxxrrr.exe  9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\66486.exe  c:\66486.exe  10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\e84824.exe  c:\e84824.exe  11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\246448.exe  c:\246448.exe  12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\rlrrllf.exe  c:\rlrrllf.exe  13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\228440.exe  c:\228440.exe  14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\bbthbt.exe  c:\bbthbt.exe  15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\dpppv.exe  c:\dpppv.exe  16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\802486.exe  c:\802486.exe  17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\pvvjd.exe  c:\pvvjd.exe  18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\000000.exe  c:\000000.exe  19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\224822.exe  c:\224822.exe  20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\lfxflrx.exe  c:\lfxflrx.exe  21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\44860.exe  c:\44860.exe  22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\6422826.exe  c:\6422826.exe  23⤵
- Executes dropped EXE
PID:4480 -
\??\c:\84080.exe  c:\84080.exe  24⤵
- Executes dropped EXE
PID:948 -
\??\c:\4862224.exe  c:\4862224.exe  25⤵
- Executes dropped EXE
PID:3896 -
\??\c:\pdpdp.exe  c:\pdpdp.exe  26⤵
- Executes dropped EXE
PID:2500 -
\??\c:\86266.exe  c:\86266.exe  27⤵
- Executes dropped EXE
PID:2236 -
\??\c:\jjdjv.exe  c:\jjdjv.exe  28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:924 -
\??\c:\0080628.exe  c:\0080628.exe  29⤵
- Executes dropped EXE
PID:1728 -
\??\c:\6822886.exe  c:\6822886.exe  30⤵
- Executes dropped EXE
PID:4192 -
\??\c:\9ttnhb.exe  c:\9ttnhb.exe  31⤵
- Executes dropped EXE
PID:3144 -
\??\c:\dpvjd.exe  c:\dpvjd.exe  32⤵
- Executes dropped EXE
PID:3476 -
\??\c:\i026004.exe  c:\i026004.exe  33⤵
- Executes dropped EXE
PID:1264 -
\??\c:\bththh.exe  c:\bththh.exe  34⤵
- Executes dropped EXE
PID:3984 -
\??\c:\lfrlrrr.exe  c:\lfrlrrr.exe  35⤵
- Executes dropped EXE
PID:1944 -
\??\c:\8866660.exe  c:\8866660.exe  36⤵
- Executes dropped EXE
PID:4940 -
\??\c:\ntbtnb.exe  c:\ntbtnb.exe  37⤵
- Executes dropped EXE
PID:1564 -
\??\c:\88248.exe  c:\88248.exe  38⤵
- Executes dropped EXE
PID:3708 -
\??\c:\2226048.exe  c:\2226048.exe  39⤵
- Executes dropped EXE
PID:3016 -
\??\c:\4626004.exe  c:\4626004.exe  40⤵
- Executes dropped EXE
PID:2408 -
\??\c:\600448.exe  c:\600448.exe  41⤵
- Executes dropped EXE
PID:4516 -
\??\c:\jvppp.exe  c:\jvppp.exe  42⤵
- Executes dropped EXE
PID:1444 -
\??\c:\4888444.exe  c:\4888444.exe  43⤵
- Executes dropped EXE
PID:3852 -
\??\c:\0666602.exe  c:\0666602.exe  44⤵
- Executes dropped EXE
PID:3012 -
\??\c:\ntnnhh.exe  c:\ntnnhh.exe  45⤵
- Executes dropped EXE
PID:2928 -
\??\c:\frfrlxx.exe  c:\frfrlxx.exe  46⤵
- Executes dropped EXE
PID:2812 -
\??\c:\024040.exe  c:\024040.exe  47⤵
- Executes dropped EXE
PID:2912 -
\??\c:\088648.exe  c:\088648.exe  48⤵
- Executes dropped EXE
PID:4508 -
\??\c:\rrxxlfr.exe  c:\rrxxlfr.exe  49⤵
- Executes dropped EXE
PID:4420 -
\??\c:\thhthb.exe  c:\thhthb.exe  50⤵
- Executes dropped EXE
PID:4660 -
\??\c:\6286004.exe  c:\6286004.exe  51⤵
- Executes dropped EXE
PID:1360 -
\??\c:\424482.exe  c:\424482.exe  52⤵
- Executes dropped EXE
PID:2440 -
\??\c:\42822.exe  c:\42822.exe  53⤵
- Executes dropped EXE
PID:416 -
\??\c:\884028.exe  c:\884028.exe  54⤵
- Executes dropped EXE
PID:1812 -
\??\c:\64860.exe  c:\64860.exe  55⤵
- Executes dropped EXE
PID:3056 -
\??\c:\lflffff.exe  c:\lflffff.exe  56⤵
- Executes dropped EXE
PID:4376 -
\??\c:\thhbnh.exe  c:\thhbnh.exe  57⤵
- Executes dropped EXE
PID:4352 -
\??\c:\1vjdp.exe  c:\1vjdp.exe  58⤵
- Executes dropped EXE
PID:2852 -
\??\c:\6248822.exe  c:\6248822.exe  59⤵
- Executes dropped EXE
PID:3168 -
\??\c:\q64620.exe  c:\q64620.exe  60⤵
- Executes dropped EXE
PID:2656 -
\??\c:\i404248.exe  c:\i404248.exe  61⤵
- Executes dropped EXE
PID:3128 -
\??\c:\ppjdv.exe  c:\ppjdv.exe  62⤵
- Executes dropped EXE
PID:2752 -
\??\c:\66600.exe  c:\66600.exe  63⤵
- Executes dropped EXE
PID:1544 -
\??\c:\7nhhbh.exe  c:\7nhhbh.exe  64⤵
- Executes dropped EXE
PID:4344 -
\??\c:\1tttnn.exe  c:\1tttnn.exe  65⤵
- Executes dropped EXE
PID:2956 -
\??\c:\bbnhbt.exe  c:\bbnhbt.exe  66⤵  PID:4284
-
\??\c:\8262688.exe  c:\8262688.exe  67⤵  PID:2988
-
\??\c:\6888226.exe  c:\6888226.exe  68⤵  PID:5024
-
\??\c:\tnnhbb.exe  c:\tnnhbb.exe  69⤵  PID:1448
-
\??\c:\nhhbtn.exe  c:\nhhbtn.exe  70⤵  PID:4292
-
\??\c:\vdpjj.exe  c:\vdpjj.exe  71⤵  PID:3148
-
\??\c:\xflxlfl.exe  c:\xflxlfl.exe  72⤵  PID:4120
-
\??\c:\bbhtht.exe  c:\bbhtht.exe  73⤵  PID:2636
-
\??\c:\rllrfff.exe  c:\rllrfff.exe  74⤵  PID:4548
-
\??\c:\ttbnbt.exe  c:\ttbnbt.exe  75⤵  PID:4856
-
\??\c:\vpdjv.exe  c:\vpdjv.exe  76⤵  PID:3456
-
\??\c:\hhhbbt.exe  c:\hhhbbt.exe  77⤵  PID:2664
-
\??\c:\6060488.exe  c:\6060488.exe  78⤵  PID:876
-
\??\c:\m0200.exe  c:\m0200.exe  79⤵
- System Location Discovery: System Language Discovery
PID:1588 -
\??\c:\3rflflf.exe  c:\3rflflf.exe  80⤵  PID:1540
-
\??\c:\llrlrfr.exe  c:\llrlrfr.exe  81⤵  PID:948
-
\??\c:\vvjvv.exe  c:\vvjvv.exe  82⤵  PID:3480
-
\??\c:\btnhtt.exe  c:\btnhtt.exe  83⤵  PID:3244
-
\??\c:\pjvpd.exe  c:\pjvpd.exe  84⤵  PID:3956
-
\??\c:\lxlllff.exe  c:\lxlllff.exe  85⤵  PID:2996
-
\??\c:\thntnh.exe  c:\thntnh.exe  86⤵  PID:4452
-
\??\c:\8444048.exe  c:\8444048.exe  87⤵  PID:4368
-
\??\c:\g4082.exe  c:\g4082.exe  88⤵  PID:4080
-
\??\c:\dvdvv.exe  c:\dvdvv.exe  89⤵  PID:4888
-
\??\c:\046826.exe  c:\046826.exe  90⤵  PID:4488
-
\??\c:\xrrflfx.exe  c:\xrrflfx.exe  91⤵  PID:432
-
\??\c:\vjppp.exe  c:\vjppp.exe  92⤵  PID:4040
-
\??\c:\8800826.exe  c:\8800826.exe  93⤵  PID:1264
-
\??\c:\62882.exe  c:\62882.exe  94⤵  PID:2320
-
\??\c:\7lfxfxl.exe  c:\7lfxfxl.exe  95⤵  PID:2432
-
\??\c:\608682.exe  c:\608682.exe  96⤵  PID:1836
-
\??\c:\28046.exe  c:\28046.exe  97⤵  PID:1060
-
\??\c:\e80088.exe  c:\e80088.exe  98⤵  PID:2648
-
\??\c:\4066266.exe  c:\4066266.exe  99⤵  PID:4316
-
\??\c:\446048.exe  c:\446048.exe  100⤵  PID:2164
-
\??\c:\880488.exe  c:\880488.exe  101⤵  PID:1880
-
\??\c:\5jjjd.exe  c:\5jjjd.exe  102⤵  PID:956
-
\??\c:\86060.exe  c:\86060.exe  103⤵  PID:4640
-
\??\c:\m4648.exe  c:\m4648.exe  104⤵  PID:3676
-
\??\c:\00864.exe  c:\00864.exe  105⤵  PID:3012
-
\??\c:\hbtbnn.exe  c:\hbtbnn.exe  106⤵  PID:3432
-
\??\c:\8626262.exe  c:\8626262.exe  107⤵  PID:816
-
\??\c:\86080.exe  c:\86080.exe  108⤵  PID:3380
-
\??\c:\vjjdv.exe  c:\vjjdv.exe  109⤵  PID:4428
-
\??\c:\ppvdd.exe  c:\ppvdd.exe  110⤵  PID:4388
-
\??\c:\pvdvj.exe  c:\pvdvj.exe  111⤵  PID:4036
-
\??\c:\640886.exe  c:\640886.exe  112⤵  PID:4864
-
\??\c:\40600.exe  c:\40600.exe  113⤵  PID:4552
-
\??\c:\fxlfrrl.exe  c:\fxlfrrl.exe  114⤵  PID:3952
-
\??\c:\1dvdj.exe  c:\1dvdj.exe  115⤵  PID:4380
-
\??\c:\644448.exe  c:\644448.exe  116⤵  PID:3924
-
\??\c:\bbbtnn.exe  c:\bbbtnn.exe  117⤵  PID:2644
-
\??\c:\4482008.exe  c:\4482008.exe  118⤵  PID:2420
-
\??\c:\nntttb.exe  c:\nntttb.exe  119⤵  PID:2304
-
\??\c:\40848.exe  c:\40848.exe  120⤵  PID:4532
-
\??\c:\bbbhbn.exe  c:\bbbhbn.exe  121⤵  PID:3168
-
\??\c:\ffrxrlf.exe  c:\ffrxrlf.exe  122⤵  PID:3360