Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 11:59
Behavioral task
behavioral1
Sample
16da551252f83c0bac41d7d5d73922887aeab2ee66d7bc2d95455ebbfadee50bN.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
16da551252f83c0bac41d7d5d73922887aeab2ee66d7bc2d95455ebbfadee50bN.exe
-
Size
378KB
-
MD5
5a74e894a52cc46b599e3002cf757970
-
SHA1
3da6cfbe06ad0c76be774683b7fd3b480fd22d5c
-
SHA256
16da551252f83c0bac41d7d5d73922887aeab2ee66d7bc2d95455ebbfadee50b
-
SHA512
db5d5a7efa2e31e2ca7288420d51d8b0ea449838ad9a7d3f34f72b06d61c8ac93a6cb354f631412ad2d36e1ea8ab2b664e76d640821f62c640099343e0f75db0
-
SSDEEP
6144:0cm4FmowdHoSHWVs+QEoD/dL/4oSlCIqbKRs4EkfRDaPRrnVkWHQrvr:C4wFHoS2Vs+IdMoSzqkR5RWVVWrT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4596-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4852-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1228-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3276-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3352-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2504-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1468-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2884-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2276-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2912-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-81-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1296-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2068-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3964-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1096-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1848-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1112-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3800-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/860-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/872-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1656-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4232-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3884-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3324-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2576-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2888-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3432-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4760-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/456-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1264-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4272-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1100-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2696-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4772-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1724-424-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2316-437-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1132-486-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-562-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/944-587-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1756-654-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4124-703-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-722-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4640-789-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4896-1021-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2880-1139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5104-1715-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4852 42666.exe 1228 lxxxrxr.exe 2252 2800880.exe 4564 6040000.exe 3276 48404.exe 3352 xxlfrrr.exe 2504 hnbtbh.exe 1468 bbbbhh.exe 2884 vvddd.exe 2912 68448.exe 2276 288240.exe 4000 42662.exe 4272 7btnnn.exe 3304 vvddd.exe 1296 hhtttt.exe 3964 a6282.exe 2068 pdpvd.exe 464 rrrlxll.exe 1848 xrxrxrf.exe 4548 486266.exe 1612 68482.exe 3244 djpjd.exe 1096 3lfxrlr.exe 1116 k46004.exe 1112 1bbttt.exe 4196 nbbhhb.exe 3800 fxffxxr.exe 860 xrrlllf.exe 1740 fffffrr.exe 4188 666082.exe 872 08820.exe 5004 httnht.exe 1656 5frrxxr.exe 4232 thhbbh.exe 2932 dvvvp.exe 3152 flrxrrr.exe 5112 hnhnhn.exe 3884 dvdpj.exe 3324 5nbttb.exe 2488 4286822.exe 2940 48684.exe 3264 828686.exe 2576 nnthtn.exe 1924 a8820.exe 4508 o428862.exe 728 86664.exe 952 426666.exe 232 xrrlfrr.exe 4660 tbbtnn.exe 4644 2604226.exe 3596 i282482.exe 2888 nbhhtt.exe 3432 9hhhbt.exe 4760 nbbnbt.exe 4756 7rxrlrl.exe 456 4060442.exe 1264 thnhhb.exe 2264 066486.exe 4900 vjjjd.exe 1588 pvddv.exe 1696 82884.exe 2884 268260.exe 2652 9lrrlrl.exe 736 pvdvv.exe -
resource yara_rule behavioral2/memory/4596-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cad-3.dat upx behavioral2/memory/4596-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4852-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-9.dat upx behavioral2/files/0x0007000000023cb2-13.dat upx behavioral2/memory/1228-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-21.dat upx behavioral2/memory/4564-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2252-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb4-29.dat upx behavioral2/memory/3276-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-34.dat upx behavioral2/files/0x0007000000023cb6-39.dat upx behavioral2/memory/3352-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-45.dat upx behavioral2/memory/2504-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-54.dat upx behavioral2/memory/1468-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-57.dat upx behavioral2/memory/2884-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cba-64.dat upx behavioral2/memory/2276-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2912-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-71.dat upx behavioral2/files/0x0007000000023cbc-75.dat upx behavioral2/memory/4000-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4272-81-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-80.dat upx behavioral2/files/0x0007000000023cbd-86.dat upx behavioral2/files/0x0007000000023cbe-92.dat upx 
behavioral2/memory/3964-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1296-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2068-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-105.dat upx behavioral2/memory/3964-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-109.dat upx behavioral2/files/0x0007000000023cc2-116.dat upx behavioral2/files/0x0007000000023cc3-122.dat upx behavioral2/memory/1612-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-127.dat upx behavioral2/memory/1096-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-140.dat upx behavioral2/memory/3244-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc5-133.dat upx behavioral2/memory/4548-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1848-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-98.dat upx behavioral2/files/0x0007000000023cc7-144.dat upx behavioral2/files/0x0007000000023cc8-151.dat upx behavioral2/memory/1112-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc9-156.dat upx behavioral2/memory/3800-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-162.dat upx behavioral2/files/0x0007000000023ccb-166.dat upx behavioral2/memory/860-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-172.dat upx behavioral2/memory/4188-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccd-179.dat upx behavioral2/files/0x0007000000023cce-183.dat upx behavioral2/memory/872-186-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5004-190-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1656-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4232-198-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a2044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 888480.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 626044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 228600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 448024.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 600406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 664488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s0804.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4226442.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6886000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6448404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
1frrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 488822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4596 wrote to memory of 4852 4596 16da551252f83c0bac41d7d5d73922887aeab2ee66d7bc2d95455ebbfadee50bN.exe 83 PID 4596 wrote to memory of 4852 4596 16da551252f83c0bac41d7d5d73922887aeab2ee66d7bc2d95455ebbfadee50bN.exe 83 PID 4596 wrote to memory of 4852 4596 16da551252f83c0bac41d7d5d73922887aeab2ee66d7bc2d95455ebbfadee50bN.exe 83 PID 4852 wrote to memory of 1228 4852 42666.exe 84 PID 4852 wrote to memory of 1228 4852 42666.exe 84 PID 4852 wrote to memory of 1228 4852 42666.exe 84 PID 1228 wrote to memory of 2252 1228 lxxxrxr.exe 85 PID 1228 wrote to memory of 2252 1228 lxxxrxr.exe 85 PID 1228 wrote to memory of 2252 1228 lxxxrxr.exe 85 PID 2252 wrote to memory of 4564 2252 2800880.exe 86 PID 2252 wrote to memory of 4564 2252 2800880.exe 86 PID 2252 wrote to memory of 4564 2252 2800880.exe 86 PID 4564 wrote to memory of 3276 4564 6040000.exe 87 PID 4564 wrote to memory of 3276 4564 6040000.exe 87 PID 4564 wrote to memory of 3276 4564 6040000.exe 87 PID 3276 wrote to memory of 3352 3276 48404.exe 88 PID 3276 wrote to memory of 3352 3276 48404.exe 88 PID 3276 wrote to memory of 3352 3276 48404.exe 88 PID 3352 wrote to memory of 2504 3352 xxlfrrr.exe 89 PID 3352 wrote to memory of 2504 3352 xxlfrrr.exe 89 PID 3352 wrote to memory of 2504 3352 xxlfrrr.exe 89 PID 2504 wrote to memory of 1468 2504 hnbtbh.exe 90 PID 2504 wrote to memory of 1468 2504 hnbtbh.exe 90 PID 2504 wrote to memory of 1468 2504 hnbtbh.exe 90 PID 1468 wrote to memory of 2884 1468 bbbbhh.exe 91 PID 1468 wrote to memory of 2884 1468 bbbbhh.exe 91 PID 1468 wrote to memory of 2884 1468 bbbbhh.exe 91 PID 2884 wrote to memory of 2912 2884 vvddd.exe 92 PID 2884 wrote to memory of 2912 2884 vvddd.exe 92 PID 2884 wrote to memory of 2912 2884 vvddd.exe 92 PID 2912 wrote to memory of 2276 2912 68448.exe 93 PID 2912 wrote to memory of 2276 2912 68448.exe 93 PID 2912 wrote to memory of 2276 2912 68448.exe 93 PID 2276 wrote to memory of 4000 2276 288240.exe 94 PID 2276 wrote 
to memory of 4000 2276 288240.exe 94 PID 2276 wrote to memory of 4000 2276 288240.exe 94 PID 4000 wrote to memory of 4272 4000 42662.exe 95 PID 4000 wrote to memory of 4272 4000 42662.exe 95 PID 4000 wrote to memory of 4272 4000 42662.exe 95 PID 4272 wrote to memory of 3304 4272 7btnnn.exe 96 PID 4272 wrote to memory of 3304 4272 7btnnn.exe 96 PID 4272 wrote to memory of 3304 4272 7btnnn.exe 96 PID 3304 wrote to memory of 1296 3304 vvddd.exe 97 PID 3304 wrote to memory of 1296 3304 vvddd.exe 97 PID 3304 wrote to memory of 1296 3304 vvddd.exe 97 PID 1296 wrote to memory of 3964 1296 hhtttt.exe 98 PID 1296 wrote to memory of 3964 1296 hhtttt.exe 98 PID 1296 wrote to memory of 3964 1296 hhtttt.exe 98 PID 3964 wrote to memory of 2068 3964 a6282.exe 99 PID 3964 wrote to memory of 2068 3964 a6282.exe 99 PID 3964 wrote to memory of 2068 3964 a6282.exe 99 PID 2068 wrote to memory of 464 2068 pdpvd.exe 100 PID 2068 wrote to memory of 464 2068 pdpvd.exe 100 PID 2068 wrote to memory of 464 2068 pdpvd.exe 100 PID 464 wrote to memory of 1848 464 rrrlxll.exe 101 PID 464 wrote to memory of 1848 464 rrrlxll.exe 101 PID 464 wrote to memory of 1848 464 rrrlxll.exe 101 PID 1848 wrote to memory of 4548 1848 xrxrxrf.exe 102 PID 1848 wrote to memory of 4548 1848 xrxrxrf.exe 102 PID 1848 wrote to memory of 4548 1848 xrxrxrf.exe 102 PID 4548 wrote to memory of 1612 4548 486266.exe 103 PID 4548 wrote to memory of 1612 4548 486266.exe 103 PID 4548 wrote to memory of 1612 4548 486266.exe 103 PID 1612 wrote to memory of 3244 1612 68482.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\16da551252f83c0bac41d7d5d73922887aeab2ee66d7bc2d95455ebbfadee50bN.exe"C:\Users\Admin\AppData\Local\Temp\16da551252f83c0bac41d7d5d73922887aeab2ee66d7bc2d95455ebbfadee50bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\42666.exec:\42666.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\lxxxrxr.exec:\lxxxrxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\2800880.exec:\2800880.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\6040000.exec:\6040000.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\48404.exec:\48404.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\xxlfrrr.exec:\xxlfrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\hnbtbh.exec:\hnbtbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\bbbbhh.exec:\bbbbhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\vvddd.exec:\vvddd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\68448.exec:\68448.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\288240.exec:\288240.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\42662.exec:\42662.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\7btnnn.exec:\7btnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\vvddd.exec:\vvddd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\hhtttt.exec:\hhtttt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\a6282.exec:\a6282.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\pdpvd.exec:\pdpvd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\rrrlxll.exec:\rrrlxll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\xrxrxrf.exec:\xrxrxrf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848 -
\??\c:\486266.exec:\486266.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\68482.exec:\68482.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\djpjd.exec:\djpjd.exe23⤵
- Executes dropped EXE
PID:3244 -
\??\c:\3lfxrlr.exec:\3lfxrlr.exe24⤵
- Executes dropped EXE
PID:1096 -
\??\c:\k46004.exec:\k46004.exe25⤵
- Executes dropped EXE
PID:1116 -
\??\c:\1bbttt.exec:\1bbttt.exe26⤵
- Executes dropped EXE
PID:1112 -
\??\c:\nbbhhb.exec:\nbbhhb.exe27⤵
- Executes dropped EXE
PID:4196 -
\??\c:\fxffxxr.exec:\fxffxxr.exe28⤵
- Executes dropped EXE
PID:3800 -
\??\c:\xrrlllf.exec:\xrrlllf.exe29⤵
- Executes dropped EXE
PID:860 -
\??\c:\fffffrr.exec:\fffffrr.exe30⤵
- Executes dropped EXE
PID:1740 -
\??\c:\666082.exec:\666082.exe31⤵
- Executes dropped EXE
PID:4188 -
\??\c:\08820.exec:\08820.exe32⤵
- Executes dropped EXE
PID:872 -
\??\c:\httnht.exec:\httnht.exe33⤵
- Executes dropped EXE
PID:5004 -
\??\c:\5frrxxr.exec:\5frrxxr.exe34⤵
- Executes dropped EXE
PID:1656 -
\??\c:\thhbbh.exec:\thhbbh.exe35⤵
- Executes dropped EXE
PID:4232 -
\??\c:\dvvvp.exec:\dvvvp.exe36⤵
- Executes dropped EXE
PID:2932 -
\??\c:\flrxrrr.exec:\flrxrrr.exe37⤵
- Executes dropped EXE
PID:3152 -
\??\c:\hnhnhn.exec:\hnhnhn.exe38⤵
- Executes dropped EXE
PID:5112 -
\??\c:\dvdpj.exec:\dvdpj.exe39⤵
- Executes dropped EXE
PID:3884 -
\??\c:\5nbttb.exec:\5nbttb.exe40⤵
- Executes dropped EXE
PID:3324 -
\??\c:\4286822.exec:\4286822.exe41⤵
- Executes dropped EXE
PID:2488 -
\??\c:\48684.exec:\48684.exe42⤵
- Executes dropped EXE
PID:2940 -
\??\c:\828686.exec:\828686.exe43⤵
- Executes dropped EXE
PID:3264 -
\??\c:\nnthtn.exec:\nnthtn.exe44⤵
- Executes dropped EXE
PID:2576 -
\??\c:\a8820.exec:\a8820.exe45⤵
- Executes dropped EXE
PID:1924 -
\??\c:\o428862.exec:\o428862.exe46⤵
- Executes dropped EXE
PID:4508 -
\??\c:\86664.exec:\86664.exe47⤵
- Executes dropped EXE
PID:728 -
\??\c:\426666.exec:\426666.exe48⤵
- Executes dropped EXE
PID:952 -
\??\c:\xrrlfrr.exec:\xrrlfrr.exe49⤵
- Executes dropped EXE
PID:232 -
\??\c:\rrxrlfx.exec:\rrxrlfx.exe50⤵PID:4968
-
\??\c:\tbbtnn.exec:\tbbtnn.exe51⤵
- Executes dropped EXE
PID:4660 -
\??\c:\2604226.exec:\2604226.exe52⤵
- Executes dropped EXE
PID:4644 -
\??\c:\i282482.exec:\i282482.exe53⤵
- Executes dropped EXE
PID:3596 -
\??\c:\nbhhtt.exec:\nbhhtt.exe54⤵
- Executes dropped EXE
PID:2888 -
\??\c:\9hhhbt.exec:\9hhhbt.exe55⤵
- Executes dropped EXE
PID:3432 -
\??\c:\nbbnbt.exec:\nbbnbt.exe56⤵
- Executes dropped EXE
PID:4760 -
\??\c:\7rxrlrl.exec:\7rxrlrl.exe57⤵
- Executes dropped EXE
PID:4756 -
\??\c:\4060442.exec:\4060442.exe58⤵
- Executes dropped EXE
PID:456 -
\??\c:\thnhhb.exec:\thnhhb.exe59⤵
- Executes dropped EXE
PID:1264 -
\??\c:\066486.exec:\066486.exe60⤵
- Executes dropped EXE
PID:2264 -
\??\c:\vjjjd.exec:\vjjjd.exe61⤵
- Executes dropped EXE
PID:4900 -
\??\c:\pvddv.exec:\pvddv.exe62⤵
- Executes dropped EXE
PID:1588 -
\??\c:\82884.exec:\82884.exe63⤵
- Executes dropped EXE
PID:1696 -
\??\c:\268260.exec:\268260.exe64⤵
- Executes dropped EXE
PID:2884 -
\??\c:\9lrrlrl.exec:\9lrrlrl.exe65⤵
- Executes dropped EXE
PID:2652 -
\??\c:\pvdvv.exec:\pvdvv.exe66⤵
- Executes dropped EXE
PID:736 -
\??\c:\008820.exec:\008820.exe67⤵PID:4116
-
\??\c:\8044220.exec:\8044220.exe68⤵PID:3616
-
\??\c:\xlxxxxr.exec:\xlxxxxr.exe69⤵PID:2780
-
\??\c:\20604.exec:\20604.exe70⤵PID:4272
-
\??\c:\k04844.exec:\k04844.exe71⤵PID:5060
-
\??\c:\dvvvv.exec:\dvvvv.exe72⤵PID:1296
-
\??\c:\xfllflr.exec:\xfllflr.exe73⤵PID:1408
-
\??\c:\2682048.exec:\2682048.exe74⤵PID:4924
-
\??\c:\80004.exec:\80004.exe75⤵PID:388
-
\??\c:\40666.exec:\40666.exe76⤵PID:1088
-
\??\c:\048624.exec:\048624.exe77⤵PID:2796
-
\??\c:\66286.exec:\66286.exe78⤵PID:4560
-
\??\c:\k24868.exec:\k24868.exe79⤵PID:180
-
\??\c:\s6044.exec:\s6044.exe80⤵PID:1792
-
\??\c:\xrxrxfx.exec:\xrxrxfx.exe81⤵PID:536
-
\??\c:\hhhhhh.exec:\hhhhhh.exe82⤵PID:4052
-
\??\c:\9vddv.exec:\9vddv.exe83⤵PID:3124
-
\??\c:\880048.exec:\880048.exe84⤵PID:2852
-
\??\c:\200400.exec:\200400.exe85⤵PID:1476
-
\??\c:\btnhbt.exec:\btnhbt.exe86⤵PID:4948
-
\??\c:\fllrfxl.exec:\fllrfxl.exe87⤵PID:5024
-
\??\c:\8042266.exec:\8042266.exe88⤵PID:4064
-
\??\c:\628884.exec:\628884.exe89⤵PID:2628
-
\??\c:\hhhhbb.exec:\hhhhbb.exe90⤵PID:3836
-
\??\c:\jvvjd.exec:\jvvjd.exe91⤵PID:4452
-
\??\c:\frrllff.exec:\frrllff.exe92⤵PID:1384
-
\??\c:\040808.exec:\040808.exe93⤵PID:928
-
\??\c:\04006.exec:\04006.exe94⤵PID:2428
-
\??\c:\24622.exec:\24622.exe95⤵PID:3828
-
\??\c:\262648.exec:\262648.exe96⤵PID:4088
-
\??\c:\s4668.exec:\s4668.exe97⤵PID:1020
-
\??\c:\9fxfffx.exec:\9fxfffx.exe98⤵PID:1888
-
\??\c:\828822.exec:\828822.exe99⤵PID:3196
-
\??\c:\o242602.exec:\o242602.exe100⤵PID:1100
-
\??\c:\lrxxrrr.exec:\lrxxrrr.exe101⤵PID:2696
-
\??\c:\886684.exec:\886684.exe102⤵PID:4772
-
\??\c:\424288.exec:\424288.exe103⤵PID:964
-
\??\c:\tbhbnb.exec:\tbhbnb.exe104⤵PID:4620
-
\??\c:\8448282.exec:\8448282.exe105⤵PID:1724
-
\??\c:\84826.exec:\84826.exe106⤵PID:2332
-
\??\c:\5pjdd.exec:\5pjdd.exe107⤵PID:696
-
\??\c:\9lrfffx.exec:\9lrfffx.exe108⤵PID:3060
-
\??\c:\8226004.exec:\8226004.exe109⤵PID:2316
-
\??\c:\4060482.exec:\4060482.exe110⤵PID:3856
-
\??\c:\664206.exec:\664206.exe111⤵PID:4880
-
\??\c:\84428.exec:\84428.exe112⤵PID:4392
-
\??\c:\xrrfrrl.exec:\xrrfrrl.exe113⤵PID:4888
-
\??\c:\9ppjj.exec:\9ppjj.exe114⤵PID:1736
-
\??\c:\hbnnhh.exec:\hbnnhh.exe115⤵PID:2164
-
\??\c:\jddvv.exec:\jddvv.exe116⤵PID:2908
-
\??\c:\82222.exec:\82222.exe117⤵PID:2580
-
\??\c:\bbbnnn.exec:\bbbnnn.exe118⤵PID:544
-
\??\c:\28600.exec:\28600.exe119⤵PID:1324
-
\??\c:\jjddv.exec:\jjddv.exe120⤵PID:4932
-
\??\c:\084204.exec:\084204.exe121⤵PID:4756
-
\??\c:\0660482.exec:\0660482.exe122⤵PID:392