Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a16eaaee2e90d83d834fab53d41f6ce367490f19a836a3cf56b9e5abee7c6c76.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a16eaaee2e90d83d834fab53d41f6ce367490f19a836a3cf56b9e5abee7c6c76.exe
-
Size
455KB
-
MD5
6f62429486a44c80f2ac1f1f0d8b3bab
-
SHA1
7e173d76566840845b7ad7e2fdfdceba9fe3c46f
-
SHA256
a16eaaee2e90d83d834fab53d41f6ce367490f19a836a3cf56b9e5abee7c6c76
-
SHA512
790440f8310409102f16a2335b6fb89348014d0f9b6239c5208d97079d973dad68dea16c3802a76ed399a677ed84d7b002936f02f90f889e97af8159dd8ff70d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3220-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4564-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4116-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-757-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-912-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-931-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-1025-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-1078-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-1076-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-1095-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3732 dddvp.exe 228 lllffrr.exe 2532 9lxfrrf.exe 4088 hbhhhh.exe 1188 pdpdv.exe 2360 lrfxxff.exe 4212 bhhhbb.exe 4904 tbhbtn.exe 2100 jpvpv.exe 4000 rflrlfl.exe 4408 9tbbbn.exe 1540 vpvpp.exe 2884 lrxfrrf.exe 4356 llrxxxr.exe 4412 bbbbbb.exe 4908 vdjjj.exe 5108 lrxffll.exe 2016 7lfxrrf.exe 3024 tbbthh.exe 4620 jjdjv.exe 1840 7xffrxl.exe 2436 lflllll.exe 5072 tbnnbh.exe 1004 ddjjp.exe 1784 7rlrlll.exe 2988 hnbbtt.exe 3640 bthnht.exe 4564 ddvvj.exe 4080 lfflfff.exe 3016 nnhhbb.exe 2224 ddjpp.exe 3568 rfxrllf.exe 2768 xxxrlfx.exe 2828 5hhhbb.exe 3204 vvvpj.exe 1824 rxlxffl.exe 2600 nttnhh.exe 868 djvpj.exe 4024 9vdvd.exe 4432 xfxlfxr.exe 4064 ttnhhb.exe 4076 hbbbtt.exe 4548 vdjdj.exe 540 rfrlfxf.exe 1120 5bbtnh.exe 2176 pvvpj.exe 5028 5dppj.exe 2300 xrlfxxr.exe 3592 pjjdd.exe 3220 ddpjd.exe 2556 7lffrrl.exe 3292 tnnbbn.exe 1444 pvdvd.exe 4092 flfxrrl.exe 4232 hhbttn.exe 2104 3dvpj.exe 4212 rxxxxxx.exe 952 lxfxrxl.exe 5064 tbnhth.exe 1856 ppjvp.exe 3920 rlllfff.exe 532 bhnntt.exe 3760 dvdvd.exe 2884 lrfxxxx.exe -
resource yara_rule behavioral2/memory/3220-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1784-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-413-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1420-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-848-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-912-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-931-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-1025-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-1078-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-1076-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3220 wrote to memory of 3732 3220 a16eaaee2e90d83d834fab53d41f6ce367490f19a836a3cf56b9e5abee7c6c76.exe 83 PID 3220 wrote to memory of 3732 3220 a16eaaee2e90d83d834fab53d41f6ce367490f19a836a3cf56b9e5abee7c6c76.exe 83 PID 3220 wrote to memory of 3732 3220 a16eaaee2e90d83d834fab53d41f6ce367490f19a836a3cf56b9e5abee7c6c76.exe 83 PID 3732 wrote to memory of 228 3732 dddvp.exe 84 PID 3732 wrote to memory of 228 3732 dddvp.exe 84 PID 3732 wrote to memory of 228 3732 dddvp.exe 84 PID 228 wrote to memory of 2532 228 lllffrr.exe 85 PID 228 wrote to memory of 2532 228 lllffrr.exe 85 PID 228 wrote to memory of 2532 228 lllffrr.exe 85 PID 2532 wrote to memory of 4088 2532 9lxfrrf.exe 86 PID 2532 wrote to memory of 4088 2532 9lxfrrf.exe 86 PID 2532 wrote to memory of 4088 2532 9lxfrrf.exe 86 PID 4088 wrote to memory of 1188 4088 hbhhhh.exe 87 PID 4088 wrote to memory of 1188 4088 hbhhhh.exe 87 PID 4088 wrote to memory of 1188 4088 hbhhhh.exe 87 PID 1188 wrote to memory of 2360 1188 pdpdv.exe 88 PID 1188 wrote to memory of 2360 1188 pdpdv.exe 88 PID 1188 wrote to memory of 2360 1188 pdpdv.exe 88 PID 2360 wrote to memory of 4212 2360 lrfxxff.exe 89 PID 2360 wrote to memory of 4212 2360 lrfxxff.exe 89 PID 2360 wrote to memory of 4212 2360 lrfxxff.exe 89 PID 4212 wrote to memory of 4904 4212 bhhhbb.exe 90 PID 4212 wrote to memory of 4904 4212 bhhhbb.exe 90 PID 4212 wrote to memory of 4904 4212 bhhhbb.exe 90 PID 4904 wrote to memory of 2100 4904 tbhbtn.exe 91 PID 4904 wrote to memory of 2100 4904 tbhbtn.exe 91 PID 4904 wrote to memory of 2100 4904 tbhbtn.exe 91 PID 2100 wrote to memory of 4000 2100 jpvpv.exe 92 PID 2100 wrote to memory of 4000 2100 jpvpv.exe 92 PID 2100 wrote to memory of 4000 2100 jpvpv.exe 92 PID 4000 wrote to memory of 4408 4000 rflrlfl.exe 93 PID 4000 wrote to memory of 4408 4000 rflrlfl.exe 93 PID 4000 wrote to memory of 4408 4000 rflrlfl.exe 93 PID 4408 wrote to memory of 1540 4408 9tbbbn.exe 94 PID 4408 wrote to memory 
of 1540 4408 9tbbbn.exe 94 PID 4408 wrote to memory of 1540 4408 9tbbbn.exe 94 PID 1540 wrote to memory of 2884 1540 vpvpp.exe 95 PID 1540 wrote to memory of 2884 1540 vpvpp.exe 95 PID 1540 wrote to memory of 2884 1540 vpvpp.exe 95 PID 2884 wrote to memory of 4356 2884 lrxfrrf.exe 96 PID 2884 wrote to memory of 4356 2884 lrxfrrf.exe 96 PID 2884 wrote to memory of 4356 2884 lrxfrrf.exe 96 PID 4356 wrote to memory of 4412 4356 llrxxxr.exe 97 PID 4356 wrote to memory of 4412 4356 llrxxxr.exe 97 PID 4356 wrote to memory of 4412 4356 llrxxxr.exe 97 PID 4412 wrote to memory of 4908 4412 bbbbbb.exe 98 PID 4412 wrote to memory of 4908 4412 bbbbbb.exe 98 PID 4412 wrote to memory of 4908 4412 bbbbbb.exe 98 PID 4908 wrote to memory of 5108 4908 vdjjj.exe 99 PID 4908 wrote to memory of 5108 4908 vdjjj.exe 99 PID 4908 wrote to memory of 5108 4908 vdjjj.exe 99 PID 5108 wrote to memory of 2016 5108 lrxffll.exe 100 PID 5108 wrote to memory of 2016 5108 lrxffll.exe 100 PID 5108 wrote to memory of 2016 5108 lrxffll.exe 100 PID 2016 wrote to memory of 3024 2016 7lfxrrf.exe 101 PID 2016 wrote to memory of 3024 2016 7lfxrrf.exe 101 PID 2016 wrote to memory of 3024 2016 7lfxrrf.exe 101 PID 3024 wrote to memory of 4620 3024 tbbthh.exe 102 PID 3024 wrote to memory of 4620 3024 tbbthh.exe 102 PID 3024 wrote to memory of 4620 3024 tbbthh.exe 102 PID 4620 wrote to memory of 1840 4620 jjdjv.exe 103 PID 4620 wrote to memory of 1840 4620 jjdjv.exe 103 PID 4620 wrote to memory of 1840 4620 jjdjv.exe 103 PID 1840 wrote to memory of 2436 1840 7xffrxl.exe 154
Processes
-
C:\Users\Admin\AppData\Local\Temp\a16eaaee2e90d83d834fab53d41f6ce367490f19a836a3cf56b9e5abee7c6c76.exe"C:\Users\Admin\AppData\Local\Temp\a16eaaee2e90d83d834fab53d41f6ce367490f19a836a3cf56b9e5abee7c6c76.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\dddvp.exec:\dddvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\lllffrr.exec:\lllffrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\9lxfrrf.exec:\9lxfrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\hbhhhh.exec:\hbhhhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\pdpdv.exec:\pdpdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\lrfxxff.exec:\lrfxxff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\bhhhbb.exec:\bhhhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\tbhbtn.exec:\tbhbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\jpvpv.exec:\jpvpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\rflrlfl.exec:\rflrlfl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\9tbbbn.exec:\9tbbbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\vpvpp.exec:\vpvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\lrxfrrf.exec:\lrxfrrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\llrxxxr.exec:\llrxxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\bbbbbb.exec:\bbbbbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\vdjjj.exec:\vdjjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\lrxffll.exec:\lrxffll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\7lfxrrf.exec:\7lfxrrf.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\tbbthh.exec:\tbbthh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\jjdjv.exec:\jjdjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\7xffrxl.exec:\7xffrxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\lflllll.exec:\lflllll.exe23⤵
- Executes dropped EXE
PID:2436 -
\??\c:\tbnnbh.exec:\tbnnbh.exe24⤵
- Executes dropped EXE
PID:5072 -
\??\c:\ddjjp.exec:\ddjjp.exe25⤵
- Executes dropped EXE
PID:1004 -
\??\c:\7rlrlll.exec:\7rlrlll.exe26⤵
- Executes dropped EXE
PID:1784 -
\??\c:\hnbbtt.exec:\hnbbtt.exe27⤵
- Executes dropped EXE
PID:2988 -
\??\c:\bthnht.exec:\bthnht.exe28⤵
- Executes dropped EXE
PID:3640 -
\??\c:\ddvvj.exec:\ddvvj.exe29⤵
- Executes dropped EXE
PID:4564 -
\??\c:\lfflfff.exec:\lfflfff.exe30⤵
- Executes dropped EXE
PID:4080 -
\??\c:\nnhhbb.exec:\nnhhbb.exe31⤵
- Executes dropped EXE
PID:3016 -
\??\c:\ddjpp.exec:\ddjpp.exe32⤵
- Executes dropped EXE
PID:2224 -
\??\c:\rfxrllf.exec:\rfxrllf.exe33⤵
- Executes dropped EXE
PID:3568 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe34⤵
- Executes dropped EXE
PID:2768 -
\??\c:\5hhhbb.exec:\5hhhbb.exe35⤵
- Executes dropped EXE
PID:2828 -
\??\c:\vvvpj.exec:\vvvpj.exe36⤵
- Executes dropped EXE
PID:3204 -
\??\c:\rxlxffl.exec:\rxlxffl.exe37⤵
- Executes dropped EXE
PID:1824 -
\??\c:\nttnhh.exec:\nttnhh.exe38⤵
- Executes dropped EXE
PID:2600 -
\??\c:\djvpj.exec:\djvpj.exe39⤵
- Executes dropped EXE
PID:868 -
\??\c:\9vdvd.exec:\9vdvd.exe40⤵
- Executes dropped EXE
PID:4024 -
\??\c:\xfxlfxr.exec:\xfxlfxr.exe41⤵
- Executes dropped EXE
PID:4432 -
\??\c:\ttnhhb.exec:\ttnhhb.exe42⤵
- Executes dropped EXE
PID:4064 -
\??\c:\hbbbtt.exec:\hbbbtt.exe43⤵
- Executes dropped EXE
PID:4076 -
\??\c:\vdjdj.exec:\vdjdj.exe44⤵
- Executes dropped EXE
PID:4548 -
\??\c:\rfrlfxf.exec:\rfrlfxf.exe45⤵
- Executes dropped EXE
PID:540 -
\??\c:\5bbtnh.exec:\5bbtnh.exe46⤵
- Executes dropped EXE
PID:1120 -
\??\c:\pvvpj.exec:\pvvpj.exe47⤵
- Executes dropped EXE
PID:2176 -
\??\c:\5dppj.exec:\5dppj.exe48⤵
- Executes dropped EXE
PID:5028 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe49⤵
- Executes dropped EXE
PID:2300 -
\??\c:\pjjdd.exec:\pjjdd.exe50⤵
- Executes dropped EXE
PID:3592 -
\??\c:\ddpjd.exec:\ddpjd.exe51⤵
- Executes dropped EXE
PID:3220 -
\??\c:\7lffrrl.exec:\7lffrrl.exe52⤵
- Executes dropped EXE
PID:2556 -
\??\c:\tnnbbn.exec:\tnnbbn.exe53⤵
- Executes dropped EXE
PID:3292 -
\??\c:\pvdvd.exec:\pvdvd.exe54⤵
- Executes dropped EXE
PID:1444 -
\??\c:\flfxrrl.exec:\flfxrrl.exe55⤵
- Executes dropped EXE
PID:4092 -
\??\c:\hhbttn.exec:\hhbttn.exe56⤵
- Executes dropped EXE
PID:4232 -
\??\c:\3dvpj.exec:\3dvpj.exe57⤵
- Executes dropped EXE
PID:2104 -
\??\c:\rxxxxxx.exec:\rxxxxxx.exe58⤵
- Executes dropped EXE
PID:4212 -
\??\c:\lxfxrxl.exec:\lxfxrxl.exe59⤵
- Executes dropped EXE
PID:952 -
\??\c:\tbnhth.exec:\tbnhth.exe60⤵
- Executes dropped EXE
PID:5064 -
\??\c:\ppjvp.exec:\ppjvp.exe61⤵
- Executes dropped EXE
PID:1856 -
\??\c:\rlllfff.exec:\rlllfff.exe62⤵
- Executes dropped EXE
PID:3920 -
\??\c:\bhnntt.exec:\bhnntt.exe63⤵
- Executes dropped EXE
PID:532 -
\??\c:\dvdvd.exec:\dvdvd.exe64⤵
- Executes dropped EXE
PID:3760 -
\??\c:\lrfxxxx.exec:\lrfxxxx.exe65⤵
- Executes dropped EXE
PID:2884 -
\??\c:\tbbbtt.exec:\tbbbtt.exe66⤵PID:4732
-
\??\c:\pjvpj.exec:\pjvpj.exe67⤵PID:4684
-
\??\c:\xfxxrrr.exec:\xfxxrrr.exe68⤵PID:3312
-
\??\c:\nnbbnn.exec:\nnbbnn.exe69⤵PID:636
-
\??\c:\ppvpp.exec:\ppvpp.exe70⤵PID:3916
-
\??\c:\7rrlffx.exec:\7rrlffx.exe71⤵PID:5104
-
\??\c:\bthbnn.exec:\bthbnn.exe72⤵PID:2356
-
\??\c:\5jddd.exec:\5jddd.exe73⤵PID:2436
-
\??\c:\5xxrlfx.exec:\5xxrlfx.exe74⤵PID:3628
-
\??\c:\ntnhbh.exec:\ntnhbh.exe75⤵PID:2320
-
\??\c:\nbhhhn.exec:\nbhhhn.exe76⤵PID:4104
-
\??\c:\ddddp.exec:\ddddp.exe77⤵PID:2988
-
\??\c:\rrrlfrl.exec:\rrrlfrl.exe78⤵PID:2216
-
\??\c:\nnnnhh.exec:\nnnnhh.exe79⤵PID:1632
-
\??\c:\ddjjd.exec:\ddjjd.exe80⤵PID:3692
-
\??\c:\7vvdv.exec:\7vvdv.exe81⤵PID:3452
-
\??\c:\ppvvd.exec:\ppvvd.exe82⤵PID:4980
-
\??\c:\5vpjd.exec:\5vpjd.exe83⤵PID:624
-
\??\c:\xlllffx.exec:\xlllffx.exe84⤵PID:3960
-
\??\c:\hnhbtt.exec:\hnhbtt.exe85⤵PID:4116
-
\??\c:\3vppj.exec:\3vppj.exe86⤵PID:2676
-
\??\c:\fxrlrrl.exec:\fxrlrrl.exe87⤵PID:2908
-
\??\c:\9bbbbn.exec:\9bbbbn.exe88⤵PID:4432
-
\??\c:\djjpv.exec:\djjpv.exe89⤵PID:5080
-
\??\c:\rrrllll.exec:\rrrllll.exe90⤵PID:3388
-
\??\c:\hbhbtt.exec:\hbhbtt.exe91⤵PID:2528
-
\??\c:\lrfxffr.exec:\lrfxffr.exe92⤵PID:2412
-
\??\c:\btbtnn.exec:\btbtnn.exe93⤵PID:1948
-
\??\c:\vvvdv.exec:\vvvdv.exe94⤵PID:3712
-
\??\c:\3xrllff.exec:\3xrllff.exe95⤵PID:1484
-
\??\c:\nnbttt.exec:\nnbttt.exe96⤵PID:3400
-
\??\c:\1rxxrrl.exec:\1rxxrrl.exe97⤵PID:4920
-
\??\c:\hhttnn.exec:\hhttnn.exe98⤵PID:2332
-
\??\c:\pvvdd.exec:\pvvdd.exe99⤵PID:4844
-
\??\c:\xffxrrr.exec:\xffxrrr.exe100⤵PID:2520
-
\??\c:\btbtnn.exec:\btbtnn.exe101⤵PID:1444
-
\??\c:\djjjj.exec:\djjjj.exe102⤵PID:3028
-
\??\c:\llrllxx.exec:\llrllxx.exe103⤵PID:4092
-
\??\c:\ntnnhn.exec:\ntnnhn.exe104⤵PID:4232
-
\??\c:\vvppj.exec:\vvppj.exe105⤵PID:2236
-
\??\c:\lrxfrrl.exec:\lrxfrrl.exe106⤵PID:404
-
\??\c:\1nnhbb.exec:\1nnhbb.exe107⤵PID:4796
-
\??\c:\vdddd.exec:\vdddd.exe108⤵PID:1136
-
\??\c:\rrxxxxx.exec:\rrxxxxx.exe109⤵PID:392
-
\??\c:\pvdjp.exec:\pvdjp.exe110⤵PID:4508
-
\??\c:\rrffxxr.exec:\rrffxxr.exe111⤵PID:3448
-
\??\c:\vvjjd.exec:\vvjjd.exe112⤵PID:2568
-
\??\c:\rlrlfff.exec:\rlrlfff.exe113⤵PID:1420
-
\??\c:\5htnnb.exec:\5htnnb.exe114⤵PID:1540
-
\??\c:\jpjdv.exec:\jpjdv.exe115⤵PID:4952
-
\??\c:\djddv.exec:\djddv.exe116⤵PID:1360
-
\??\c:\hnttbb.exec:\hnttbb.exe117⤵PID:1848
-
\??\c:\vvjdp.exec:\vvjdp.exe118⤵PID:3772
-
\??\c:\hbhnhb.exec:\hbhnhb.exe119⤵PID:3952
-
\??\c:\jjjjd.exec:\jjjjd.exe120⤵PID:4808
-
\??\c:\7rxrflf.exec:\7rxrflf.exe121⤵PID:4908
-
\??\c:\1vdvp.exec:\1vdvp.exe122⤵PID:5108