Analysis
-
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-01-2025 09:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a16f6057e5fc9de4fc5b98570bcb3c4be2f88f9257ab72d872fca3c562efa32b.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a16f6057e5fc9de4fc5b98570bcb3c4be2f88f9257ab72d872fca3c562efa32b.exe
-
Size
455KB
-
MD5
ac145e3d02d8e34ffad4efc21c41a4c6
-
SHA1
8929086b0248db5625e9cb9055eafaa64666c52e
-
SHA256
a16f6057e5fc9de4fc5b98570bcb3c4be2f88f9257ab72d872fca3c562efa32b
-
SHA512
a758146784ee102a06d8ddd6fbc8dd7a0088a4e4c3bfbc6518a342f81e81cfd9fcf8f5dc4ee793b3e7fd29baa69d8edc2dcac3d4938f4438a77cf9f0c2ede085
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTV6:q7Tc2NYHUrAwfMp3CDx6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3532-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3992-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2324-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-1045-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-1410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-1436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-1598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-1786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1804 dppjd.exe 1692 vpjjj.exe 4524 26440.exe 2064 6448844.exe 1392 82844.exe 2100 rllxlfx.exe 2276 m0604.exe 4648 u220048.exe 452 462428.exe 2324 xrrlffx.exe 460 3nhbbt.exe 4824 frxrlff.exe 2524 3ffxxxx.exe 3292 nnnbtt.exe 1284 2842806.exe 2632 9bhbbn.exe 4316 pjjjp.exe 1424 k28266.exe 1400 nhnhbn.exe 3892 lllrlxr.exe 2032 jvvpp.exe 4380 dppjv.exe 3500 tnthnh.exe 2200 a4048.exe 2664 nthhtt.exe 4360 668284.exe 4092 fxxxrrr.exe 2056 82484.exe 1292 jvdvp.exe 4028 tnhnbh.exe 2272 48044.exe 3736 84660.exe 5016 dpvpj.exe 4780 600044.exe 3304 66828.exe 4884 xxlfxfl.exe 5000 0402004.exe 3144 jddvj.exe 3612 28482.exe 3992 1hhbtt.exe 1360 thttbt.exe 2824 e64484.exe 5028 7jpjj.exe 4468 tnbbnb.exe 4332 1tthtt.exe 4352 000200.exe 1804 u666004.exe 2228 6282226.exe 1692 6426044.exe 3028 xrfxfxx.exe 3284 1bbnhh.exe 4692 3vvpd.exe 4420 bntnnn.exe 3020 208484.exe 3232 60664.exe 4664 2404882.exe 2636 66260.exe 1436 vjpjj.exe 3288 1flfrrl.exe 3708 9ffxxxr.exe 3756 xllrffx.exe 2104 httnhh.exe 1284 tnnnbb.exe 2268 hntnbt.exe -
resource yara_rule behavioral2/memory/3532-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-332-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3144-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-403-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3308-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-1045-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-1358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-1410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-1436-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 668284.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284080.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6288260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
0800660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0482082.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8404280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 48482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0206662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhbt.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o682226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language u808882.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0466068.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g0666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3532 wrote to memory of 1804 3532 a16f6057e5fc9de4fc5b98570bcb3c4be2f88f9257ab72d872fca3c562efa32b.exe 85 PID 3532 wrote to memory of 1804 3532 a16f6057e5fc9de4fc5b98570bcb3c4be2f88f9257ab72d872fca3c562efa32b.exe 85 PID 3532 wrote to memory of 1804 3532 a16f6057e5fc9de4fc5b98570bcb3c4be2f88f9257ab72d872fca3c562efa32b.exe 85 PID 1804 wrote to memory of 1692 1804 dppjd.exe 86 PID 1804 wrote to memory of 1692 1804 dppjd.exe 86 PID 1804 wrote to memory of 1692 1804 dppjd.exe 86 PID 1692 wrote to memory of 4524 1692 vpjjj.exe 87 PID 1692 wrote to memory of 4524 1692 vpjjj.exe 87 PID 1692 wrote to memory of 4524 1692 vpjjj.exe 87 PID 4524 wrote to memory of 2064 4524 26440.exe 88 PID 4524 wrote to memory of 2064 4524 26440.exe 88 PID 4524 wrote to memory of 2064 4524 26440.exe 88 PID 2064 wrote to memory of 1392 2064 6448844.exe 89 PID 2064 wrote to memory of 1392 2064 6448844.exe 89 PID 2064 wrote to memory of 1392 2064 6448844.exe 89 PID 1392 wrote to memory of 2100 1392 82844.exe 90 PID 1392 wrote to memory of 2100 1392 82844.exe 90 PID 1392 wrote to memory of 2100 1392 82844.exe 90 PID 2100 wrote to memory of 2276 2100 rllxlfx.exe 91 PID 2100 wrote to memory of 2276 2100 rllxlfx.exe 91 PID 2100 wrote to memory of 2276 2100 rllxlfx.exe 91 PID 2276 wrote to memory of 4648 2276 m0604.exe 92 PID 2276 wrote to memory of 4648 2276 m0604.exe 92 PID 2276 wrote to memory of 4648 2276 m0604.exe 92 PID 4648 wrote to memory of 452 4648 u220048.exe 93 PID 4648 wrote to memory of 452 4648 u220048.exe 93 PID 4648 wrote to memory of 452 4648 u220048.exe 93 PID 452 wrote to memory of 2324 452 462428.exe 94 PID 452 wrote to memory of 2324 452 462428.exe 94 PID 452 wrote to memory of 2324 452 462428.exe 94 PID 2324 wrote to memory of 460 2324 xrrlffx.exe 95 PID 2324 wrote to memory of 460 2324 xrrlffx.exe 95 PID 2324 wrote to memory of 460 2324 xrrlffx.exe 95 PID 460 wrote to memory of 4824 460 3nhbbt.exe 96 PID 460 wrote to memory of 4824 460 
3nhbbt.exe 96 PID 460 wrote to memory of 4824 460 3nhbbt.exe 96 PID 4824 wrote to memory of 2524 4824 frxrlff.exe 97 PID 4824 wrote to memory of 2524 4824 frxrlff.exe 97 PID 4824 wrote to memory of 2524 4824 frxrlff.exe 97 PID 2524 wrote to memory of 3292 2524 3ffxxxx.exe 98 PID 2524 wrote to memory of 3292 2524 3ffxxxx.exe 98 PID 2524 wrote to memory of 3292 2524 3ffxxxx.exe 98 PID 3292 wrote to memory of 1284 3292 nnnbtt.exe 99 PID 3292 wrote to memory of 1284 3292 nnnbtt.exe 99 PID 3292 wrote to memory of 1284 3292 nnnbtt.exe 99 PID 1284 wrote to memory of 2632 1284 2842806.exe 100 PID 1284 wrote to memory of 2632 1284 2842806.exe 100 PID 1284 wrote to memory of 2632 1284 2842806.exe 100 PID 2632 wrote to memory of 4316 2632 9bhbbn.exe 101 PID 2632 wrote to memory of 4316 2632 9bhbbn.exe 101 PID 2632 wrote to memory of 4316 2632 9bhbbn.exe 101 PID 4316 wrote to memory of 1424 4316 pjjjp.exe 102 PID 4316 wrote to memory of 1424 4316 pjjjp.exe 102 PID 4316 wrote to memory of 1424 4316 pjjjp.exe 102 PID 1424 wrote to memory of 1400 1424 k28266.exe 151 PID 1424 wrote to memory of 1400 1424 k28266.exe 151 PID 1424 wrote to memory of 1400 1424 k28266.exe 151 PID 1400 wrote to memory of 3892 1400 nhnhbn.exe 104 PID 1400 wrote to memory of 3892 1400 nhnhbn.exe 104 PID 1400 wrote to memory of 3892 1400 nhnhbn.exe 104 PID 3892 wrote to memory of 2032 3892 lllrlxr.exe 105 PID 3892 wrote to memory of 2032 3892 lllrlxr.exe 105 PID 3892 wrote to memory of 2032 3892 lllrlxr.exe 105 PID 2032 wrote to memory of 4380 2032 jvvpp.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\a16f6057e5fc9de4fc5b98570bcb3c4be2f88f9257ab72d872fca3c562efa32b.exe"C:\Users\Admin\AppData\Local\Temp\a16f6057e5fc9de4fc5b98570bcb3c4be2f88f9257ab72d872fca3c562efa32b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\dppjd.exec:\dppjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\vpjjj.exec:\vpjjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\26440.exec:\26440.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\6448844.exec:\6448844.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\82844.exec:\82844.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\rllxlfx.exec:\rllxlfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\m0604.exec:\m0604.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\u220048.exec:\u220048.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\462428.exec:\462428.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\xrrlffx.exec:\xrrlffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\3nhbbt.exec:\3nhbbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
\??\c:\frxrlff.exec:\frxrlff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\3ffxxxx.exec:\3ffxxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\nnnbtt.exec:\nnnbtt.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\2842806.exec:\2842806.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\9bhbbn.exec:\9bhbbn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\pjjjp.exec:\pjjjp.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\k28266.exec:\k28266.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\nhnhbn.exec:\nhnhbn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\lllrlxr.exec:\lllrlxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\jvvpp.exec:\jvvpp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\dppjv.exec:\dppjv.exe23⤵
- Executes dropped EXE
PID:4380 -
\??\c:\tnthnh.exec:\tnthnh.exe24⤵
- Executes dropped EXE
PID:3500 -
\??\c:\a4048.exec:\a4048.exe25⤵
- Executes dropped EXE
PID:2200 -
\??\c:\nthhtt.exec:\nthhtt.exe26⤵
- Executes dropped EXE
PID:2664 -
\??\c:\668284.exec:\668284.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4360 -
\??\c:\fxxxrrr.exec:\fxxxrrr.exe28⤵
- Executes dropped EXE
PID:4092 -
\??\c:\82484.exec:\82484.exe29⤵
- Executes dropped EXE
PID:2056 -
\??\c:\jvdvp.exec:\jvdvp.exe30⤵
- Executes dropped EXE
PID:1292 -
\??\c:\tnhnbh.exec:\tnhnbh.exe31⤵
- Executes dropped EXE
PID:4028 -
\??\c:\48044.exec:\48044.exe32⤵
- Executes dropped EXE
PID:2272 -
\??\c:\84660.exec:\84660.exe33⤵
- Executes dropped EXE
PID:3736 -
\??\c:\dpvpj.exec:\dpvpj.exe34⤵
- Executes dropped EXE
PID:5016 -
\??\c:\600044.exec:\600044.exe35⤵
- Executes dropped EXE
PID:4780 -
\??\c:\66828.exec:\66828.exe36⤵
- Executes dropped EXE
PID:3304 -
\??\c:\xxlfxfl.exec:\xxlfxfl.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4884 -
\??\c:\0402004.exec:\0402004.exe38⤵
- Executes dropped EXE
PID:5000 -
\??\c:\jddvj.exec:\jddvj.exe39⤵
- Executes dropped EXE
PID:3144 -
\??\c:\28482.exec:\28482.exe40⤵
- Executes dropped EXE
PID:3612 -
\??\c:\1hhbtt.exec:\1hhbtt.exe41⤵
- Executes dropped EXE
PID:3992 -
\??\c:\thttbt.exec:\thttbt.exe42⤵
- Executes dropped EXE
PID:1360 -
\??\c:\e64484.exec:\e64484.exe43⤵
- Executes dropped EXE
PID:2824 -
\??\c:\7jpjj.exec:\7jpjj.exe44⤵
- Executes dropped EXE
PID:5028 -
\??\c:\tnbbnb.exec:\tnbbnb.exe45⤵
- Executes dropped EXE
PID:4468 -
\??\c:\1tthtt.exec:\1tthtt.exe46⤵
- Executes dropped EXE
PID:4332 -
\??\c:\000200.exec:\000200.exe47⤵
- Executes dropped EXE
PID:4352 -
\??\c:\u666004.exec:\u666004.exe48⤵
- Executes dropped EXE
PID:1804 -
\??\c:\6282226.exec:\6282226.exe49⤵
- Executes dropped EXE
PID:2228 -
\??\c:\6426044.exec:\6426044.exe50⤵
- Executes dropped EXE
PID:1692 -
\??\c:\xrfxfxx.exec:\xrfxfxx.exe51⤵
- Executes dropped EXE
PID:3028 -
\??\c:\1bbnhh.exec:\1bbnhh.exe52⤵
- Executes dropped EXE
PID:3284 -
\??\c:\3vvpd.exec:\3vvpd.exe53⤵
- Executes dropped EXE
PID:4692 -
\??\c:\bntnnn.exec:\bntnnn.exe54⤵
- Executes dropped EXE
PID:4420 -
\??\c:\208484.exec:\208484.exe55⤵
- Executes dropped EXE
PID:3020 -
\??\c:\60664.exec:\60664.exe56⤵
- Executes dropped EXE
PID:3232 -
\??\c:\2404882.exec:\2404882.exe57⤵
- Executes dropped EXE
PID:4664 -
\??\c:\66260.exec:\66260.exe58⤵
- Executes dropped EXE
PID:2636 -
\??\c:\vjpjj.exec:\vjpjj.exe59⤵
- Executes dropped EXE
PID:1436 -
\??\c:\1flfrrl.exec:\1flfrrl.exe60⤵
- Executes dropped EXE
PID:3288 -
\??\c:\9ffxxxr.exec:\9ffxxxr.exe61⤵
- Executes dropped EXE
PID:3708 -
\??\c:\xllrffx.exec:\xllrffx.exe62⤵
- Executes dropped EXE
PID:3756 -
\??\c:\httnhh.exec:\httnhh.exe63⤵
- Executes dropped EXE
PID:2104 -
\??\c:\tnnnbb.exec:\tnnnbb.exe64⤵
- Executes dropped EXE
PID:1284 -
\??\c:\hntnbt.exec:\hntnbt.exe65⤵
- Executes dropped EXE
PID:2268 -
\??\c:\lfxrlll.exec:\lfxrlll.exe66⤵PID:4316
-
\??\c:\htntbn.exec:\htntbn.exe67⤵PID:4564
-
\??\c:\44604.exec:\44604.exe68⤵PID:1400
-
\??\c:\006666.exec:\006666.exe69⤵PID:4104
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe70⤵PID:636
-
\??\c:\e40448.exec:\e40448.exe71⤵PID:3668
-
\??\c:\lxfxxrr.exec:\lxfxxrr.exe72⤵PID:3632
-
\??\c:\q24606.exec:\q24606.exe73⤵PID:2200
-
\??\c:\ppjjd.exec:\ppjjd.exe74⤵PID:4504
-
\??\c:\424608.exec:\424608.exe75⤵PID:2364
-
\??\c:\0828624.exec:\0828624.exe76⤵PID:468
-
\??\c:\268660.exec:\268660.exe77⤵PID:4244
-
\??\c:\44248.exec:\44248.exe78⤵PID:4028
-
\??\c:\frxlfxr.exec:\frxlfxr.exe79⤵PID:2272
-
\??\c:\6840044.exec:\6840044.exe80⤵PID:4240
-
\??\c:\pvvjd.exec:\pvvjd.exe81⤵PID:5016
-
\??\c:\8204488.exec:\8204488.exe82⤵PID:3540
-
\??\c:\9xlfxrl.exec:\9xlfxrl.exe83⤵PID:1776
-
\??\c:\8404820.exec:\8404820.exe84⤵PID:1456
-
\??\c:\4220420.exec:\4220420.exe85⤵PID:4344
-
\??\c:\k06048.exec:\k06048.exe86⤵PID:3652
-
\??\c:\ppdvj.exec:\ppdvj.exe87⤵PID:3612
-
\??\c:\rrxxllf.exec:\rrxxllf.exe88⤵PID:3992
-
\??\c:\btbttt.exec:\btbttt.exe89⤵PID:596
-
\??\c:\nttnnb.exec:\nttnnb.exe90⤵PID:732
-
\??\c:\bntbtt.exec:\bntbtt.exe91⤵PID:5028
-
\??\c:\600422.exec:\600422.exe92⤵PID:3592
-
\??\c:\0448248.exec:\0448248.exe93⤵PID:4352
-
\??\c:\vpdjj.exec:\vpdjj.exe94⤵PID:5060
-
\??\c:\00604.exec:\00604.exe95⤵PID:3488
-
\??\c:\08886.exec:\08886.exe96⤵PID:1664
-
\??\c:\tnhbnn.exec:\tnhbnn.exe97⤵PID:716
-
\??\c:\1vpdp.exec:\1vpdp.exe98⤵PID:4016
-
\??\c:\844882.exec:\844882.exe99⤵PID:1984
-
\??\c:\7jjvd.exec:\7jjvd.exe100⤵PID:3308
-
\??\c:\btnbnb.exec:\btnbnb.exe101⤵PID:2532
-
\??\c:\pvdpd.exec:\pvdpd.exe102⤵PID:1516
-
\??\c:\vdjvj.exec:\vdjvj.exe103⤵PID:1376
-
\??\c:\8606488.exec:\8606488.exe104⤵PID:772
-
\??\c:\1ttntt.exec:\1ttntt.exe105⤵PID:5104
-
\??\c:\6660822.exec:\6660822.exe106⤵PID:4880
-
\??\c:\frfxrlf.exec:\frfxrlf.exe107⤵PID:1672
-
\??\c:\dpdpv.exec:\dpdpv.exe108⤵PID:3924
-
\??\c:\jpvpj.exec:\jpvpj.exe109⤵PID:700
-
\??\c:\hbbbnt.exec:\hbbbnt.exe110⤵PID:2380
-
\??\c:\bhhthh.exec:\bhhthh.exe111⤵PID:1284
-
\??\c:\w22860.exec:\w22860.exe112⤵PID:1520
-
\??\c:\222048.exec:\222048.exe113⤵PID:1424
-
\??\c:\fxfffxx.exec:\fxfffxx.exe114⤵PID:228
-
\??\c:\866046.exec:\866046.exe115⤵PID:756
-
\??\c:\lxxlfrl.exec:\lxxlfrl.exe116⤵PID:1400
-
\??\c:\26200.exec:\26200.exe117⤵PID:792
-
\??\c:\hbhtbh.exec:\hbhtbh.exe118⤵PID:3536
-
\??\c:\22208.exec:\22208.exe119⤵PID:388
-
\??\c:\9nnhbh.exec:\9nnhbh.exe120⤵
- System Location Discovery: System Language Discovery
PID:2440 -
\??\c:\thhtnh.exec:\thhtnh.exe121⤵PID:4404
-
\??\c:\bhhbnn.exec:\bhhbnn.exe122⤵PID:4268
-