Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe
Resource
win7-20240708-en
0 signatures
150 seconds
General
-
Target
15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe
-
Size
456KB
-
MD5
627aa7a5f1f15e7a6322745971081fe4
-
SHA1
5378db3a53eb41924351ccc8d221da1e0086da50
-
SHA256
15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978
-
SHA512
178493b59d9e5ee30bcfd3e14470882e1989dd3b659f2e7e5112fdb2f9f8809b7ea08391b4a5ce25314e46e43ef7eeaf2293a128fa28bb7ea511375900155afd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRF:q7Tc2NYHUrAwfMp3CDRF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3352-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1040-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4192-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/424-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-766-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-874-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-905-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-1090-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-1104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-1204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2372-1356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1800 lrfrlfr.exe 1564 thtnnh.exe 212 vddvj.exe 208 lxfxrrx.exe 4864 flrlfxr.exe 2076 fffffrr.exe 2100 bbhhhn.exe 4748 xxlfxrr.exe 4140 pvdvp.exe 4452 rlrllff.exe 3204 xxxrffx.exe 1184 bnbtnh.exe 4972 djppj.exe 4992 fxfxrrr.exe 640 pjdvj.exe 2912 hhhnhb.exe 2016 djdvv.exe 3484 rllrffx.exe 3504 bhnhbb.exe 1044 jjvpp.exe 3708 rrxlfff.exe 1008 pvpdp.exe 1040 ddpvj.exe 3176 xflfrfx.exe 1708 rxxfrlf.exe 2228 xrrlffx.exe 4796 rrfrfrl.exe 4996 7llfxrl.exe 2060 frrlrrl.exe 4376 ntthbt.exe 5040 jdppj.exe 4868 vvvpj.exe 3508 frfxrrr.exe 1744 jdpjj.exe 3944 xlxflff.exe 1852 dvvpj.exe 4124 1fxrxrx.exe 2608 frllllf.exe 4552 hbbnhn.exe 1360 pjvpp.exe 1096 xrrrrll.exe 1716 bbnhhh.exe 1116 jvvpv.exe 2216 rrxrfff.exe 4508 ddppp.exe 1544 frfxlll.exe 4340 7tbttt.exe 2072 vvjjp.exe 1204 jjvpp.exe 1076 xlrrflf.exe 2908 bntnhh.exe 3900 dvdvp.exe 1172 1ppjv.exe 208 5rrrllf.exe 3044 tnbtbb.exe 3492 thnhnh.exe 1764 ppjvv.exe 1440 xrxxffx.exe 1776 xrfflrf.exe 840 nbnttt.exe 408 5jdvv.exe 4748 xrfxlrl.exe 4140 rlrrlxx.exe 2952 9nnhtt.exe -
resource yara_rule behavioral2/memory/3352-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3176-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/424-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-419-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1360-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-766-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-779-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-905-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-987-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-1090-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3352 wrote to memory of 1800 3352 15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe 83 PID 3352 wrote to memory of 1800 3352 15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe 83 PID 3352 wrote to memory of 1800 3352 15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe 83 PID 1800 wrote to memory of 1564 1800 lrfrlfr.exe 84 PID 1800 wrote to memory of 1564 1800 lrfrlfr.exe 84 PID 1800 wrote to memory of 1564 1800 lrfrlfr.exe 84 PID 1564 wrote to memory of 212 1564 thtnnh.exe 85 PID 1564 wrote to memory of 212 1564 thtnnh.exe 85 PID 1564 wrote to memory of 212 1564 thtnnh.exe 85 PID 212 wrote to memory of 208 212 vddvj.exe 86 PID 212 wrote to memory of 208 212 vddvj.exe 86 PID 212 wrote to memory of 208 212 vddvj.exe 86 PID 208 wrote to memory of 4864 208 lxfxrrx.exe 87 PID 208 wrote to memory of 4864 208 lxfxrrx.exe 87 PID 208 wrote to memory of 4864 208 lxfxrrx.exe 87 PID 4864 wrote to memory of 2076 4864 flrlfxr.exe 88 PID 4864 wrote to memory of 2076 4864 flrlfxr.exe 88 PID 4864 wrote to memory of 2076 4864 flrlfxr.exe 88 PID 2076 wrote to memory of 2100 2076 fffffrr.exe 89 PID 2076 wrote to memory of 2100 2076 fffffrr.exe 89 PID 2076 wrote to memory of 2100 2076 fffffrr.exe 89 PID 2100 wrote to memory of 4748 2100 bbhhhn.exe 90 PID 2100 wrote to memory of 4748 2100 bbhhhn.exe 90 PID 2100 wrote to memory of 4748 2100 bbhhhn.exe 90 PID 4748 wrote to memory of 4140 4748 xxlfxrr.exe 91 PID 4748 wrote to memory of 4140 4748 xxlfxrr.exe 91 PID 4748 wrote to memory of 4140 4748 xxlfxrr.exe 91 PID 4140 wrote to memory of 4452 4140 pvdvp.exe 92 PID 4140 wrote to memory of 4452 4140 pvdvp.exe 92 PID 4140 wrote to memory of 4452 4140 pvdvp.exe 92 PID 4452 wrote to memory of 3204 4452 rlrllff.exe 93 PID 4452 wrote to memory of 3204 4452 rlrllff.exe 93 PID 4452 wrote to memory of 3204 4452 rlrllff.exe 93 PID 3204 wrote to memory of 1184 3204 xxxrffx.exe 94 PID 3204 wrote to memory 
of 1184 3204 xxxrffx.exe 94 PID 3204 wrote to memory of 1184 3204 xxxrffx.exe 94 PID 1184 wrote to memory of 4972 1184 bnbtnh.exe 95 PID 1184 wrote to memory of 4972 1184 bnbtnh.exe 95 PID 1184 wrote to memory of 4972 1184 bnbtnh.exe 95 PID 4972 wrote to memory of 4992 4972 djppj.exe 96 PID 4972 wrote to memory of 4992 4972 djppj.exe 96 PID 4972 wrote to memory of 4992 4972 djppj.exe 96 PID 4992 wrote to memory of 640 4992 fxfxrrr.exe 97 PID 4992 wrote to memory of 640 4992 fxfxrrr.exe 97 PID 4992 wrote to memory of 640 4992 fxfxrrr.exe 97 PID 640 wrote to memory of 2912 640 pjdvj.exe 98 PID 640 wrote to memory of 2912 640 pjdvj.exe 98 PID 640 wrote to memory of 2912 640 pjdvj.exe 98 PID 2912 wrote to memory of 2016 2912 hhhnhb.exe 99 PID 2912 wrote to memory of 2016 2912 hhhnhb.exe 99 PID 2912 wrote to memory of 2016 2912 hhhnhb.exe 99 PID 2016 wrote to memory of 3484 2016 djdvv.exe 100 PID 2016 wrote to memory of 3484 2016 djdvv.exe 100 PID 2016 wrote to memory of 3484 2016 djdvv.exe 100 PID 3484 wrote to memory of 3504 3484 rllrffx.exe 101 PID 3484 wrote to memory of 3504 3484 rllrffx.exe 101 PID 3484 wrote to memory of 3504 3484 rllrffx.exe 101 PID 3504 wrote to memory of 1044 3504 bhnhbb.exe 102 PID 3504 wrote to memory of 1044 3504 bhnhbb.exe 102 PID 3504 wrote to memory of 1044 3504 bhnhbb.exe 102 PID 1044 wrote to memory of 3708 1044 jjvpp.exe 103 PID 1044 wrote to memory of 3708 1044 jjvpp.exe 103 PID 1044 wrote to memory of 3708 1044 jjvpp.exe 103 PID 3708 wrote to memory of 1008 3708 rrxlfff.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe"C:\Users\Admin\AppData\Local\Temp\15bf6a2aea91152e7628d02c2cb60344c355894232f4073c70beb3440d36c978.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\lrfrlfr.exec:\lrfrlfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\thtnnh.exec:\thtnnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\vddvj.exec:\vddvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\lxfxrrx.exec:\lxfxrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\flrlfxr.exec:\flrlfxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\fffffrr.exec:\fffffrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\bbhhhn.exec:\bbhhhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\xxlfxrr.exec:\xxlfxrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\pvdvp.exec:\pvdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\rlrllff.exec:\rlrllff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\xxxrffx.exec:\xxxrffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\bnbtnh.exec:\bnbtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\djppj.exec:\djppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\fxfxrrr.exec:\fxfxrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\pjdvj.exec:\pjdvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\hhhnhb.exec:\hhhnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\djdvv.exec:\djdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\rllrffx.exec:\rllrffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\bhnhbb.exec:\bhnhbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\jjvpp.exec:\jjvpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\rrxlfff.exec:\rrxlfff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\pvpdp.exec:\pvpdp.exe23⤵
- Executes dropped EXE
PID:1008 -
\??\c:\ddpvj.exec:\ddpvj.exe24⤵
- Executes dropped EXE
PID:1040 -
\??\c:\xflfrfx.exec:\xflfrfx.exe25⤵
- Executes dropped EXE
PID:3176 -
\??\c:\rxxfrlf.exec:\rxxfrlf.exe26⤵
- Executes dropped EXE
PID:1708 -
\??\c:\xrrlffx.exec:\xrrlffx.exe27⤵
- Executes dropped EXE
PID:2228 -
\??\c:\rrfrfrl.exec:\rrfrfrl.exe28⤵
- Executes dropped EXE
PID:4796 -
\??\c:\7llfxrl.exec:\7llfxrl.exe29⤵
- Executes dropped EXE
PID:4996 -
\??\c:\frrlrrl.exec:\frrlrrl.exe30⤵
- Executes dropped EXE
PID:2060 -
\??\c:\ntthbt.exec:\ntthbt.exe31⤵
- Executes dropped EXE
PID:4376 -
\??\c:\jdppj.exec:\jdppj.exe32⤵
- Executes dropped EXE
PID:5040 -
\??\c:\vvvpj.exec:\vvvpj.exe33⤵
- Executes dropped EXE
PID:4868 -
\??\c:\frfxrrr.exec:\frfxrrr.exe34⤵
- Executes dropped EXE
PID:3508 -
\??\c:\jdpjj.exec:\jdpjj.exe35⤵
- Executes dropped EXE
PID:1744 -
\??\c:\xlxflff.exec:\xlxflff.exe36⤵
- Executes dropped EXE
PID:3944 -
\??\c:\dvvpj.exec:\dvvpj.exe37⤵
- Executes dropped EXE
PID:1852 -
\??\c:\1fxrxrx.exec:\1fxrxrx.exe38⤵
- Executes dropped EXE
PID:4124 -
\??\c:\frllllf.exec:\frllllf.exe39⤵
- Executes dropped EXE
PID:2608 -
\??\c:\hbbnhn.exec:\hbbnhn.exe40⤵
- Executes dropped EXE
PID:4552 -
\??\c:\pjvpp.exec:\pjvpp.exe41⤵
- Executes dropped EXE
PID:1360 -
\??\c:\xrrrrll.exec:\xrrrrll.exe42⤵
- Executes dropped EXE
PID:1096 -
\??\c:\bbnhhh.exec:\bbnhhh.exe43⤵
- Executes dropped EXE
PID:1716 -
\??\c:\jvvpv.exec:\jvvpv.exe44⤵
- Executes dropped EXE
PID:1116 -
\??\c:\rrxrfff.exec:\rrxrfff.exe45⤵
- Executes dropped EXE
PID:2216 -
\??\c:\ddppp.exec:\ddppp.exe46⤵
- Executes dropped EXE
PID:4508 -
\??\c:\frfxlll.exec:\frfxlll.exe47⤵
- Executes dropped EXE
PID:1544 -
\??\c:\7tbttt.exec:\7tbttt.exe48⤵
- Executes dropped EXE
PID:4340 -
\??\c:\vvjjp.exec:\vvjjp.exe49⤵
- Executes dropped EXE
PID:2072 -
\??\c:\jjvpp.exec:\jjvpp.exe50⤵
- Executes dropped EXE
PID:1204 -
\??\c:\xlrrflf.exec:\xlrrflf.exe51⤵
- Executes dropped EXE
PID:1076 -
\??\c:\bntnhh.exec:\bntnhh.exe52⤵
- Executes dropped EXE
PID:2908 -
\??\c:\dvdvp.exec:\dvdvp.exe53⤵
- Executes dropped EXE
PID:3900 -
\??\c:\1ppjv.exec:\1ppjv.exe54⤵
- Executes dropped EXE
PID:1172 -
\??\c:\5rrrllf.exec:\5rrrllf.exe55⤵
- Executes dropped EXE
PID:208 -
\??\c:\tnbtbb.exec:\tnbtbb.exe56⤵
- Executes dropped EXE
PID:3044 -
\??\c:\thnhnh.exec:\thnhnh.exe57⤵
- Executes dropped EXE
PID:3492 -
\??\c:\ppjvv.exec:\ppjvv.exe58⤵
- Executes dropped EXE
PID:1764 -
\??\c:\xrxxffx.exec:\xrxxffx.exe59⤵
- Executes dropped EXE
PID:1440 -
\??\c:\xrfflrf.exec:\xrfflrf.exe60⤵
- Executes dropped EXE
PID:1776 -
\??\c:\nbnttt.exec:\nbnttt.exe61⤵
- Executes dropped EXE
PID:840 -
\??\c:\5jdvv.exec:\5jdvv.exe62⤵
- Executes dropped EXE
PID:408 -
\??\c:\xrfxlrl.exec:\xrfxlrl.exe63⤵
- Executes dropped EXE
PID:4748 -
\??\c:\rlrrlxx.exec:\rlrrlxx.exe64⤵
- Executes dropped EXE
PID:4140 -
\??\c:\9nnhtt.exec:\9nnhtt.exe65⤵
- Executes dropped EXE
PID:2952 -
\??\c:\1pvpv.exec:\1pvpv.exe66⤵PID:976
-
\??\c:\xffxrlf.exec:\xffxrlf.exe67⤵PID:3640
-
\??\c:\fxxxllf.exec:\fxxxllf.exe68⤵PID:2384
-
\??\c:\bbtnnt.exec:\bbtnnt.exe69⤵PID:2292
-
\??\c:\dvddv.exec:\dvddv.exe70⤵PID:232
-
\??\c:\xfrfxrl.exec:\xfrfxrl.exe71⤵PID:3704
-
\??\c:\btbtnh.exec:\btbtnh.exe72⤵PID:4744
-
\??\c:\jvdvv.exec:\jvdvv.exe73⤵PID:4756
-
\??\c:\5rxfxxx.exec:\5rxfxxx.exe74⤵PID:2080
-
\??\c:\xrrrllf.exec:\xrrrllf.exe75⤵PID:1572
-
\??\c:\bthhbt.exec:\bthhbt.exe76⤵PID:4192
-
\??\c:\jvdvj.exec:\jvdvj.exe77⤵PID:1352
-
\??\c:\rfllxxx.exec:\rfllxxx.exe78⤵PID:564
-
\??\c:\hhhhbh.exec:\hhhhbh.exe79⤵PID:4380
-
\??\c:\nnthbh.exec:\nnthbh.exe80⤵PID:1864
-
\??\c:\jvpjv.exec:\jvpjv.exe81⤵PID:2548
-
\??\c:\lxlxllf.exec:\lxlxllf.exe82⤵PID:1040
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe83⤵PID:2764
-
\??\c:\hhtbbh.exec:\hhtbbh.exe84⤵PID:424
-
\??\c:\jjpjd.exec:\jjpjd.exe85⤵PID:1708
-
\??\c:\xxlfllx.exec:\xxlfllx.exe86⤵PID:4516
-
\??\c:\bthnbb.exec:\bthnbb.exe87⤵PID:2160
-
\??\c:\httnhb.exec:\httnhb.exe88⤵PID:4956
-
\??\c:\djpjd.exec:\djpjd.exe89⤵PID:4672
-
\??\c:\5rrrllf.exec:\5rrrllf.exe90⤵PID:2184
-
\??\c:\5nnhhb.exec:\5nnhhb.exe91⤵PID:4832
-
\??\c:\pvvjd.exec:\pvvjd.exe92⤵PID:64
-
\??\c:\3lrlxxf.exec:\3lrlxxf.exe93⤵PID:2004
-
\??\c:\xlrlfxf.exec:\xlrlfxf.exe94⤵PID:2936
-
\??\c:\tnhbbb.exec:\tnhbbb.exe95⤵PID:3400
-
\??\c:\ddjdv.exec:\ddjdv.exe96⤵PID:2584
-
\??\c:\ppdpj.exec:\ppdpj.exe97⤵PID:4716
-
\??\c:\fxxrffx.exec:\fxxrffx.exe98⤵PID:3608
-
\??\c:\tthhbb.exec:\tthhbb.exe99⤵PID:4408
-
\??\c:\pvjvv.exec:\pvjvv.exe100⤵PID:3140
-
\??\c:\pjjpd.exec:\pjjpd.exe101⤵PID:2556
-
\??\c:\rxflxxr.exec:\rxflxxr.exe102⤵PID:4256
-
\??\c:\nnbbhh.exec:\nnbbhh.exe103⤵PID:1360
-
\??\c:\vvddp.exec:\vvddp.exe104⤵PID:756
-
\??\c:\pvvpj.exec:\pvvpj.exe105⤵
- System Location Discovery: System Language Discovery
PID:1716 -
\??\c:\9ffxxxr.exec:\9ffxxxr.exe106⤵PID:1920
-
\??\c:\7nnhhb.exec:\7nnhhb.exe107⤵PID:2216
-
\??\c:\dvjdv.exec:\dvjdv.exe108⤵PID:4508
-
\??\c:\rlrlfff.exec:\rlrlfff.exe109⤵PID:1544
-
\??\c:\5lllxxx.exec:\5lllxxx.exe110⤵PID:2008
-
\??\c:\bntnhh.exec:\bntnhh.exe111⤵PID:1800
-
\??\c:\jjppd.exec:\jjppd.exe112⤵PID:1564
-
\??\c:\flxrlll.exec:\flxrlll.exe113⤵PID:1724
-
\??\c:\fxfffrr.exec:\fxfffrr.exe114⤵PID:2908
-
\??\c:\hbnhnn.exec:\hbnhnn.exe115⤵PID:3900
-
\??\c:\dvppv.exec:\dvppv.exe116⤵PID:1172
-
\??\c:\frfrllf.exec:\frfrllf.exe117⤵PID:208
-
\??\c:\lxlrrrx.exec:\lxlrrrx.exe118⤵PID:3044
-
\??\c:\thttnn.exec:\thttnn.exe119⤵PID:3492
-
\??\c:\dvdvp.exec:\dvdvp.exe120⤵PID:1764
-
\??\c:\ddpdv.exec:\ddpdv.exe121⤵PID:2100
-
\??\c:\rffrlff.exec:\rffrlff.exe122⤵PID:5056