Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a6eee5f2844e329a1b748e702878e0d299d3d937c8d0f21b03eb44fc4d510fb7.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a6eee5f2844e329a1b748e702878e0d299d3d937c8d0f21b03eb44fc4d510fb7.exe
-
Size
454KB
-
MD5
e7f11f354315ee18674ae1bb40428ad7
-
SHA1
ba2da60abf013f7bb13fe527aae0523b9fb06913
-
SHA256
a6eee5f2844e329a1b748e702878e0d299d3d937c8d0f21b03eb44fc4d510fb7
-
SHA512
ed71c344ee7af130bad68058bd7bc31371155bb9673ec1f12f34f7efa62a1b871d5a333cb15b9ae81e711232b0c6438fc579ad8438b547f5edf2fd355b0ebec3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeC:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1968-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4852-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1356-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2440-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-926-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-984-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-1027-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-1145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-1705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1664 rrlffxr.exe 2124 ttttnn.exe 760 lrlrfrr.exe 220 bhhbbt.exe 2432 rrrllff.exe 3188 pjdjd.exe 2996 nnhhtt.exe 2892 lxfxfff.exe 2452 htbtnn.exe 1712 fxxxxxl.exe 4996 jvvpp.exe 3420 fxxxrll.exe 1632 djvvd.exe 2308 tbthbt.exe 4056 jdvjd.exe 4264 pdjjv.exe 3876 lxrlxxr.exe 2204 bnhbtn.exe 4400 rfxrllf.exe 1540 7tnbtt.exe 2040 jvdpd.exe 4276 lrrlxrr.exe 5080 bbtnbt.exe 4572 1nbnhn.exe 3076 lrlfrlf.exe 1580 bnhbnh.exe 4948 jjjvj.exe 4852 ttnhtb.exe 1356 lflfrfr.exe 3672 9nhbtb.exe 4076 fxrlffx.exe 1308 thhbbh.exe 4216 9ttnnt.exe 4376 5jjdp.exe 4396 7xrfrlx.exe 5084 9hbbtb.exe 4372 dvpvp.exe 2860 xlrlxrl.exe 3156 7hhhbb.exe 840 tnhtbt.exe 4440 pdddv.exe 2176 llrfxxx.exe 2224 ttbthb.exe 4844 1hhhbh.exe 1968 ffrllff.exe 3128 rrrlffr.exe 2640 hhbbhh.exe 2800 pddvj.exe 2528 jpjvp.exe 3152 xrrlfff.exe 4856 nhbtnn.exe 2984 jdjdv.exe 3700 fxrfrrf.exe 2996 rrxfxff.exe 3936 9hhtnn.exe 2344 jppjj.exe 2792 9xrlxxx.exe 3180 xrxxffl.exe 872 htttnn.exe 2488 7vpjv.exe 4432 7rrlrrl.exe 2976 rflrfxl.exe 1128 btttnn.exe 3388 pdjdp.exe -
resource yara_rule behavioral2/memory/1968-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1356-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4216-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-466-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3420-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-926-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-984-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1968 wrote to memory of 1664 1968 a6eee5f2844e329a1b748e702878e0d299d3d937c8d0f21b03eb44fc4d510fb7.exe 82 PID 1968 wrote to memory of 1664 1968 a6eee5f2844e329a1b748e702878e0d299d3d937c8d0f21b03eb44fc4d510fb7.exe 82 PID 1968 wrote to memory of 1664 1968 a6eee5f2844e329a1b748e702878e0d299d3d937c8d0f21b03eb44fc4d510fb7.exe 82 PID 1664 wrote to memory of 2124 1664 rrlffxr.exe 83 PID 1664 wrote to memory of 2124 1664 rrlffxr.exe 83 PID 1664 wrote to memory of 2124 1664 rrlffxr.exe 83 PID 2124 wrote to memory of 760 2124 ttttnn.exe 84 PID 2124 wrote to memory of 760 2124 ttttnn.exe 84 PID 2124 wrote to memory of 760 2124 ttttnn.exe 84 PID 760 wrote to memory of 220 760 lrlrfrr.exe 85 PID 760 wrote to memory of 220 760 lrlrfrr.exe 85 PID 760 wrote to memory of 220 760 lrlrfrr.exe 85 PID 220 wrote to memory of 2432 220 bhhbbt.exe 86 PID 220 wrote to memory of 2432 220 bhhbbt.exe 86 PID 220 wrote to memory of 2432 220 bhhbbt.exe 86 PID 2432 wrote to memory of 3188 2432 rrrllff.exe 87 PID 2432 wrote to memory of 3188 2432 rrrllff.exe 87 PID 2432 wrote to memory of 3188 2432 rrrllff.exe 87 PID 3188 wrote to memory of 2996 3188 pjdjd.exe 88 PID 3188 wrote to memory of 2996 3188 pjdjd.exe 88 PID 3188 wrote to memory of 2996 3188 pjdjd.exe 88 PID 2996 wrote to memory of 2892 2996 nnhhtt.exe 89 PID 2996 wrote to memory of 2892 2996 nnhhtt.exe 89 PID 2996 wrote to memory of 2892 2996 nnhhtt.exe 89 PID 2892 wrote to memory of 2452 2892 lxfxfff.exe 90 PID 2892 wrote to memory of 2452 2892 lxfxfff.exe 90 PID 2892 wrote to memory of 2452 2892 lxfxfff.exe 90 PID 2452 wrote to memory of 1712 2452 htbtnn.exe 91 PID 2452 wrote to memory of 1712 2452 htbtnn.exe 91 PID 2452 wrote to memory of 1712 2452 htbtnn.exe 91 PID 1712 wrote to memory of 4996 1712 fxxxxxl.exe 92 PID 1712 wrote to memory of 4996 1712 fxxxxxl.exe 92 PID 1712 wrote to memory of 4996 1712 fxxxxxl.exe 92 PID 4996 wrote to memory of 3420 4996 jvvpp.exe 93 PID 4996 wrote to memory 
of 3420 4996 jvvpp.exe 93 PID 4996 wrote to memory of 3420 4996 jvvpp.exe 93 PID 3420 wrote to memory of 1632 3420 fxxxrll.exe 94 PID 3420 wrote to memory of 1632 3420 fxxxrll.exe 94 PID 3420 wrote to memory of 1632 3420 fxxxrll.exe 94 PID 1632 wrote to memory of 2308 1632 djvvd.exe 95 PID 1632 wrote to memory of 2308 1632 djvvd.exe 95 PID 1632 wrote to memory of 2308 1632 djvvd.exe 95 PID 2308 wrote to memory of 4056 2308 tbthbt.exe 96 PID 2308 wrote to memory of 4056 2308 tbthbt.exe 96 PID 2308 wrote to memory of 4056 2308 tbthbt.exe 96 PID 4056 wrote to memory of 4264 4056 jdvjd.exe 97 PID 4056 wrote to memory of 4264 4056 jdvjd.exe 97 PID 4056 wrote to memory of 4264 4056 jdvjd.exe 97 PID 4264 wrote to memory of 3876 4264 pdjjv.exe 98 PID 4264 wrote to memory of 3876 4264 pdjjv.exe 98 PID 4264 wrote to memory of 3876 4264 pdjjv.exe 98 PID 3876 wrote to memory of 2204 3876 lxrlxxr.exe 99 PID 3876 wrote to memory of 2204 3876 lxrlxxr.exe 99 PID 3876 wrote to memory of 2204 3876 lxrlxxr.exe 99 PID 2204 wrote to memory of 4400 2204 bnhbtn.exe 100 PID 2204 wrote to memory of 4400 2204 bnhbtn.exe 100 PID 2204 wrote to memory of 4400 2204 bnhbtn.exe 100 PID 4400 wrote to memory of 1540 4400 rfxrllf.exe 101 PID 4400 wrote to memory of 1540 4400 rfxrllf.exe 101 PID 4400 wrote to memory of 1540 4400 rfxrllf.exe 101 PID 1540 wrote to memory of 2040 1540 7tnbtt.exe 102 PID 1540 wrote to memory of 2040 1540 7tnbtt.exe 102 PID 1540 wrote to memory of 2040 1540 7tnbtt.exe 102 PID 2040 wrote to memory of 4276 2040 jvdpd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6eee5f2844e329a1b748e702878e0d299d3d937c8d0f21b03eb44fc4d510fb7.exe"C:\Users\Admin\AppData\Local\Temp\a6eee5f2844e329a1b748e702878e0d299d3d937c8d0f21b03eb44fc4d510fb7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\rrlffxr.exec:\rrlffxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\ttttnn.exec:\ttttnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\lrlrfrr.exec:\lrlrfrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\bhhbbt.exec:\bhhbbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\rrrllff.exec:\rrrllff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\pjdjd.exec:\pjdjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\nnhhtt.exec:\nnhhtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\lxfxfff.exec:\lxfxfff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\htbtnn.exec:\htbtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\fxxxxxl.exec:\fxxxxxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\jvvpp.exec:\jvvpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\fxxxrll.exec:\fxxxrll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\djvvd.exec:\djvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\tbthbt.exec:\tbthbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\jdvjd.exec:\jdvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\pdjjv.exec:\pdjjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\lxrlxxr.exec:\lxrlxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\bnhbtn.exec:\bnhbtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\rfxrllf.exec:\rfxrllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\7tnbtt.exec:\7tnbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\jvdpd.exec:\jvdpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\lrrlxrr.exec:\lrrlxrr.exe23⤵
- Executes dropped EXE
PID:4276 -
\??\c:\bbtnbt.exec:\bbtnbt.exe24⤵
- Executes dropped EXE
PID:5080 -
\??\c:\1nbnhn.exec:\1nbnhn.exe25⤵
- Executes dropped EXE
PID:4572 -
\??\c:\lrlfrlf.exec:\lrlfrlf.exe26⤵
- Executes dropped EXE
PID:3076 -
\??\c:\bnhbnh.exec:\bnhbnh.exe27⤵
- Executes dropped EXE
PID:1580 -
\??\c:\jjjvj.exec:\jjjvj.exe28⤵
- Executes dropped EXE
PID:4948 -
\??\c:\ttnhtb.exec:\ttnhtb.exe29⤵
- Executes dropped EXE
PID:4852 -
\??\c:\lflfrfr.exec:\lflfrfr.exe30⤵
- Executes dropped EXE
PID:1356 -
\??\c:\9nhbtb.exec:\9nhbtb.exe31⤵
- Executes dropped EXE
PID:3672 -
\??\c:\fxrlffx.exec:\fxrlffx.exe32⤵
- Executes dropped EXE
PID:4076 -
\??\c:\thhbbh.exec:\thhbbh.exe33⤵
- Executes dropped EXE
PID:1308 -
\??\c:\9ttnnt.exec:\9ttnnt.exe34⤵
- Executes dropped EXE
PID:4216 -
\??\c:\5jjdp.exec:\5jjdp.exe35⤵
- Executes dropped EXE
PID:4376 -
\??\c:\7xrfrlx.exec:\7xrfrlx.exe36⤵
- Executes dropped EXE
PID:4396 -
\??\c:\9hbbtb.exec:\9hbbtb.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5084 -
\??\c:\dvpvp.exec:\dvpvp.exe38⤵
- Executes dropped EXE
PID:4372 -
\??\c:\xlrlxrl.exec:\xlrlxrl.exe39⤵
- Executes dropped EXE
PID:2860 -
\??\c:\7hhhbb.exec:\7hhhbb.exe40⤵
- Executes dropped EXE
PID:3156 -
\??\c:\tnhtbt.exec:\tnhtbt.exe41⤵
- Executes dropped EXE
PID:840 -
\??\c:\pdddv.exec:\pdddv.exe42⤵
- Executes dropped EXE
PID:4440 -
\??\c:\llrfxxx.exec:\llrfxxx.exe43⤵
- Executes dropped EXE
PID:2176 -
\??\c:\ttbthb.exec:\ttbthb.exe44⤵
- Executes dropped EXE
PID:2224 -
\??\c:\1hhhbh.exec:\1hhhbh.exe45⤵
- Executes dropped EXE
PID:4844 -
\??\c:\ffrllff.exec:\ffrllff.exe46⤵
- Executes dropped EXE
PID:1968 -
\??\c:\rrrlffr.exec:\rrrlffr.exe47⤵
- Executes dropped EXE
PID:3128 -
\??\c:\hhbbhh.exec:\hhbbhh.exe48⤵
- Executes dropped EXE
PID:2640 -
\??\c:\pddvj.exec:\pddvj.exe49⤵
- Executes dropped EXE
PID:2800 -
\??\c:\jpjvp.exec:\jpjvp.exe50⤵
- Executes dropped EXE
PID:2528 -
\??\c:\xrrlfff.exec:\xrrlfff.exe51⤵
- Executes dropped EXE
PID:3152 -
\??\c:\nhbtnn.exec:\nhbtnn.exe52⤵
- Executes dropped EXE
PID:4856 -
\??\c:\jdjdv.exec:\jdjdv.exe53⤵
- Executes dropped EXE
PID:2984 -
\??\c:\fxrfrrf.exec:\fxrfrrf.exe54⤵
- Executes dropped EXE
PID:3700 -
\??\c:\rrxfxff.exec:\rrxfxff.exe55⤵
- Executes dropped EXE
PID:2996 -
\??\c:\9hhtnn.exec:\9hhtnn.exe56⤵
- Executes dropped EXE
PID:3936 -
\??\c:\jppjj.exec:\jppjj.exe57⤵
- Executes dropped EXE
PID:2344 -
\??\c:\9xrlxxx.exec:\9xrlxxx.exe58⤵
- Executes dropped EXE
PID:2792 -
\??\c:\xrxxffl.exec:\xrxxffl.exe59⤵
- Executes dropped EXE
PID:3180 -
\??\c:\htttnn.exec:\htttnn.exe60⤵
- Executes dropped EXE
PID:872 -
\??\c:\7vpjv.exec:\7vpjv.exe61⤵
- Executes dropped EXE
PID:2488 -
\??\c:\7rrlrrl.exec:\7rrlrrl.exe62⤵
- Executes dropped EXE
PID:4432 -
\??\c:\rflrfxl.exec:\rflrfxl.exe63⤵
- Executes dropped EXE
PID:2976 -
\??\c:\btttnn.exec:\btttnn.exe64⤵
- Executes dropped EXE
PID:1128 -
\??\c:\pdjdp.exec:\pdjdp.exe65⤵
- Executes dropped EXE
PID:3388 -
\??\c:\dvdvv.exec:\dvdvv.exe66⤵PID:1652
-
\??\c:\rxflfxr.exec:\rxflfxr.exe67⤵PID:1840
-
\??\c:\nhhtnh.exec:\nhhtnh.exe68⤵PID:864
-
\??\c:\dvppd.exec:\dvppd.exe69⤵PID:4732
-
\??\c:\xflxfxr.exec:\xflxfxr.exe70⤵PID:3816
-
\??\c:\thbbtn.exec:\thbbtn.exe71⤵PID:3456
-
\??\c:\7ntntt.exec:\7ntntt.exe72⤵PID:4848
-
\??\c:\7pjdp.exec:\7pjdp.exe73⤵PID:3952
-
\??\c:\llfxlff.exec:\llfxlff.exe74⤵PID:4568
-
\??\c:\thnnhb.exec:\thnnhb.exe75⤵PID:3248
-
\??\c:\jvpjv.exec:\jvpjv.exe76⤵PID:3308
-
\??\c:\dvppj.exec:\dvppj.exe77⤵PID:2248
-
\??\c:\lflffxr.exec:\lflffxr.exe78⤵PID:1536
-
\??\c:\btbntn.exec:\btbntn.exe79⤵PID:2440
-
\??\c:\vpjjd.exec:\vpjjd.exe80⤵PID:232
-
\??\c:\rxxlxrl.exec:\rxxlxrl.exe81⤵PID:1580
-
\??\c:\thhbtn.exec:\thhbtn.exe82⤵PID:3532
-
\??\c:\hbtnbt.exec:\hbtnbt.exe83⤵PID:3600
-
\??\c:\ppvjd.exec:\ppvjd.exe84⤵
- System Location Discovery: System Language Discovery
PID:4852 -
\??\c:\xflfrlx.exec:\xflfrlx.exe85⤵PID:4976
-
\??\c:\rfxrrxx.exec:\rfxrrxx.exe86⤵PID:4248
-
\??\c:\hntnhh.exec:\hntnhh.exe87⤵PID:3920
-
\??\c:\tnbttn.exec:\tnbttn.exe88⤵PID:1132
-
\??\c:\jddvp.exec:\jddvp.exe89⤵PID:3084
-
\??\c:\xrxfffl.exec:\xrxfffl.exe90⤵PID:3232
-
\??\c:\fxrfrlf.exec:\fxrfrlf.exe91⤵PID:2240
-
\??\c:\tnhhnb.exec:\tnhhnb.exe92⤵PID:5008
-
\??\c:\jjjdj.exec:\jjjdj.exe93⤵PID:4036
-
\??\c:\xfffflx.exec:\xfffflx.exe94⤵PID:5084
-
\??\c:\3nbbth.exec:\3nbbth.exe95⤵PID:1984
-
\??\c:\hthhhb.exec:\hthhhb.exe96⤵PID:2860
-
\??\c:\jdpjd.exec:\jdpjd.exe97⤵PID:3156
-
\??\c:\rrxrffx.exec:\rrxrffx.exe98⤵PID:3864
-
\??\c:\httnhh.exec:\httnhh.exe99⤵PID:1576
-
\??\c:\jpdvv.exec:\jpdvv.exe100⤵PID:228
-
\??\c:\dvpjj.exec:\dvpjj.exe101⤵PID:3720
-
\??\c:\xllxlfx.exec:\xllxlfx.exe102⤵PID:1428
-
\??\c:\nttnhh.exec:\nttnhh.exe103⤵PID:4836
-
\??\c:\nbhbtt.exec:\nbhbtt.exe104⤵PID:2876
-
\??\c:\lflflfr.exec:\lflflfr.exe105⤵PID:1416
-
\??\c:\xflxxrf.exec:\xflxxrf.exe106⤵PID:3652
-
\??\c:\9tbnbt.exec:\9tbnbt.exe107⤵PID:2476
-
\??\c:\jpdvp.exec:\jpdvp.exe108⤵PID:4656
-
\??\c:\9lfxllf.exec:\9lfxllf.exe109⤵PID:3152
-
\??\c:\btbttt.exec:\btbttt.exe110⤵PID:4048
-
\??\c:\dppjd.exec:\dppjd.exe111⤵PID:1868
-
\??\c:\9xrxrlf.exec:\9xrxrlf.exe112⤵PID:3656
-
\??\c:\fllxrlf.exec:\fllxrlf.exe113⤵PID:3784
-
\??\c:\nhnhbb.exec:\nhnhbb.exe114⤵PID:4232
-
\??\c:\jddpj.exec:\jddpj.exe115⤵PID:1152
-
\??\c:\jjdvd.exec:\jjdvd.exe116⤵PID:2008
-
\??\c:\xrrrxrl.exec:\xrrrxrl.exe117⤵PID:3492
-
\??\c:\hbhbnn.exec:\hbhbnn.exe118⤵PID:2508
-
\??\c:\jjjdp.exec:\jjjdp.exe119⤵
- System Location Discovery: System Language Discovery
PID:1032 -
\??\c:\jppdp.exec:\jppdp.exe120⤵PID:1800
-
\??\c:\rrxxrxr.exec:\rrxxrxr.exe121⤵PID:3420
-
\??\c:\thnbnb.exec:\thnbnb.exe122⤵PID:4108