Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 09:04
Behavioral task
behavioral1
Sample
c6c4c9e56c0e4c526e57e9229474e1a231b4037971cebb38440a0e286dd75379.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
c6c4c9e56c0e4c526e57e9229474e1a231b4037971cebb38440a0e286dd75379.exe
-
Size
91KB
-
MD5
f66665e8915c3d3682adc114cd97f658
-
SHA1
790d90a518b13d1abd9356b21b34d84257ff9b30
-
SHA256
c6c4c9e56c0e4c526e57e9229474e1a231b4037971cebb38440a0e286dd75379
-
SHA512
433dff41a794073667047e34048dd625f0f2cab5757f43d17e98b65a5b188ce83cd1e94e11deaa2210c08f0187e1c9b96bb23b8f28bfedadf3d57a7b4cbbf90b
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8yaVskCzYBbKd+XsWgADUOj2YUW+S436CS:9hOmTsF93UYfwC6GIoutyaVszyKd+XYM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1760-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3544-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2340-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3500-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1640-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4196-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4476-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/68-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4472-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1180-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1792-74-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2940-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2980-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1480-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1880-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1908-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3432-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4284-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4572-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2764-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3540-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4156-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1332-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1492-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3164-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1320-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1980-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2756-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4132-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2932-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4888-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4788-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3480-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2992-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3996-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4392-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2620-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1148-402-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-423-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3140-436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4984-452-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3892-588-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4112-601-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-626-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2304-657-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4136-679-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1288-722-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-774-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1200-823-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-1302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3544 rfxxrfx.exe 2340 hnttbn.exe 3500 pdjjd.exe 2544 lxlfxrr.exe 1640 lrrrlll.exe 4196 ntbttt.exe 4476 dpjvj.exe 68 flrlrfr.exe 4472 ttbbbb.exe 1180 bbhhbb.exe 1368 jjjjv.exe 1792 fflxxff.exe 2940 fxxxxxx.exe 2980 3jpvv.exe 1480 rflfrxx.exe 1880 htbbtt.exe 1908 7rrlffx.exe 3208 nnntht.exe 3680 jddvj.exe 3432 5ddvj.exe 4024 nnhhtt.exe 1540 bnbtbt.exe 4284 vvdpj.exe 4572 rllrrrx.exe 548 nhbtnn.exe 640 hbtnhh.exe 2764 5vddv.exe 4532 rxrrffx.exe 3568 thnnnn.exe 4144 vjjjv.exe 1992 dvjvd.exe 3540 lxlfxxx.exe 3324 7bnhbh.exe 4156 btbbbh.exe 1332 3pjpj.exe 4588 fxlfllr.exe 464 rlffllx.exe 1740 9tbbtt.exe 3716 3pvvv.exe 4408 pvdvp.exe 3452 3xfrlrx.exe 1492 5frlxxf.exe 3164 hnhbtt.exe 3184 nhbbtt.exe 3440 jjvjj.exe 4356 rxfllxf.exe 1320 3bhbhh.exe 4940 3thhtn.exe 1840 djvpd.exe 1980 3rrrllf.exe 2756 bnnhbt.exe 888 tntthn.exe 4132 jpjdv.exe 2932 rlffrrr.exe 4760 7xlfxxr.exe 4888 htbttt.exe 4788 nbnhtt.exe 2400 vpdvj.exe 2952 rllfxxx.exe 2768 1nnhtt.exe 4040 tnhnbb.exe 2588 ddjjv.exe 3808 vdvdp.exe 1848 fflfrlf.exe -
resource yara_rule behavioral2/memory/1760-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1760-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b7a-5.dat upx behavioral2/files/0x0008000000023c5c-9.dat upx behavioral2/memory/3544-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c5d-11.dat upx behavioral2/memory/2340-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c5e-19.dat upx behavioral2/memory/3500-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c5f-25.dat upx behavioral2/memory/1640-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2544-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c60-33.dat upx behavioral2/files/0x0008000000023c61-37.dat upx behavioral2/memory/4196-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c62-45.dat upx behavioral2/memory/4476-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c63-49.dat upx behavioral2/memory/68-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c64-54.dat upx behavioral2/memory/4472-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6d-61.dat upx behavioral2/memory/1180-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6e-67.dat upx behavioral2/memory/1792-74-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c6f-72.dat upx behavioral2/files/0x0007000000023c70-78.dat upx behavioral2/memory/2940-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c71-84.dat upx behavioral2/memory/2980-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c72-90.dat upx 
behavioral2/memory/1480-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c73-96.dat upx behavioral2/memory/1880-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c74-102.dat upx behavioral2/memory/1908-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c75-109.dat upx behavioral2/files/0x0007000000023c76-113.dat upx behavioral2/files/0x0007000000023c77-118.dat upx behavioral2/memory/3432-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c78-124.dat upx behavioral2/files/0x0007000000023c79-129.dat upx behavioral2/memory/4284-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1540-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7a-137.dat upx behavioral2/memory/4572-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c4e-142.dat upx behavioral2/memory/4572-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7b-149.dat upx behavioral2/files/0x0007000000023c7c-153.dat upx behavioral2/files/0x0007000000023c7d-158.dat upx behavioral2/memory/2764-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7e-164.dat upx behavioral2/memory/4532-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7f-170.dat upx behavioral2/files/0x0007000000023c80-175.dat upx behavioral2/memory/4144-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c81-182.dat upx behavioral2/memory/3540-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4156-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1332-198-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/464-205-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1492-221-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3164-225-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xllffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1760 wrote to memory of 3544 1760 c6c4c9e56c0e4c526e57e9229474e1a231b4037971cebb38440a0e286dd75379.exe 82 PID 1760 wrote to memory of 3544 1760 c6c4c9e56c0e4c526e57e9229474e1a231b4037971cebb38440a0e286dd75379.exe 82 PID 1760 wrote to memory of 3544 1760 c6c4c9e56c0e4c526e57e9229474e1a231b4037971cebb38440a0e286dd75379.exe 82 PID 3544 wrote to memory of 2340 3544 rfxxrfx.exe 83 PID 3544 wrote to memory of 2340 3544 rfxxrfx.exe 83 PID 3544 wrote to memory of 2340 3544 rfxxrfx.exe 83 PID 2340 wrote to memory of 3500 2340 hnttbn.exe 84 PID 2340 wrote to memory of 3500 2340 hnttbn.exe 84 PID 2340 wrote to memory of 3500 2340 hnttbn.exe 84 PID 3500 wrote to memory of 2544 3500 pdjjd.exe 85 PID 3500 wrote to memory of 2544 3500 pdjjd.exe 85 PID 3500 wrote to memory of 2544 3500 pdjjd.exe 85 PID 2544 wrote to memory of 1640 2544 lxlfxrr.exe 86 PID 2544 wrote to memory of 1640 2544 lxlfxrr.exe 86 PID 2544 wrote to memory of 1640 2544 lxlfxrr.exe 86 PID 1640 wrote to memory of 4196 1640 lrrrlll.exe 87 PID 1640 wrote to memory of 4196 1640 lrrrlll.exe 87 PID 1640 wrote to memory of 4196 1640 lrrrlll.exe 87 PID 4196 wrote to memory of 4476 4196 ntbttt.exe 88 PID 4196 wrote to memory of 4476 4196 ntbttt.exe 88 PID 4196 wrote to memory of 4476 4196 ntbttt.exe 88 PID 4476 wrote to memory of 68 4476 dpjvj.exe 89 PID 4476 wrote to memory of 68 4476 dpjvj.exe 89 PID 4476 wrote to memory of 68 4476 dpjvj.exe 89 PID 68 wrote to memory of 4472 68 flrlrfr.exe 90 PID 68 wrote to memory of 4472 68 flrlrfr.exe 90 PID 68 wrote to memory of 4472 68 flrlrfr.exe 90 PID 4472 wrote to memory of 1180 4472 ttbbbb.exe 91 PID 4472 wrote to memory of 1180 4472 ttbbbb.exe 91 PID 4472 wrote to memory of 1180 4472 ttbbbb.exe 91 PID 1180 wrote to memory of 1368 1180 bbhhbb.exe 92 PID 1180 wrote to memory of 1368 1180 bbhhbb.exe 92 PID 1180 wrote to memory of 1368 1180 bbhhbb.exe 92 PID 1368 wrote to memory of 1792 1368 jjjjv.exe 93 PID 1368 wrote to memory of 1792 
1368 jjjjv.exe 93 PID 1368 wrote to memory of 1792 1368 jjjjv.exe 93 PID 1792 wrote to memory of 2940 1792 fflxxff.exe 94 PID 1792 wrote to memory of 2940 1792 fflxxff.exe 94 PID 1792 wrote to memory of 2940 1792 fflxxff.exe 94 PID 2940 wrote to memory of 2980 2940 fxxxxxx.exe 95 PID 2940 wrote to memory of 2980 2940 fxxxxxx.exe 95 PID 2940 wrote to memory of 2980 2940 fxxxxxx.exe 95 PID 2980 wrote to memory of 1480 2980 3jpvv.exe 96 PID 2980 wrote to memory of 1480 2980 3jpvv.exe 96 PID 2980 wrote to memory of 1480 2980 3jpvv.exe 96 PID 1480 wrote to memory of 1880 1480 rflfrxx.exe 97 PID 1480 wrote to memory of 1880 1480 rflfrxx.exe 97 PID 1480 wrote to memory of 1880 1480 rflfrxx.exe 97 PID 1880 wrote to memory of 1908 1880 htbbtt.exe 98 PID 1880 wrote to memory of 1908 1880 htbbtt.exe 98 PID 1880 wrote to memory of 1908 1880 htbbtt.exe 98 PID 1908 wrote to memory of 3208 1908 7rrlffx.exe 99 PID 1908 wrote to memory of 3208 1908 7rrlffx.exe 99 PID 1908 wrote to memory of 3208 1908 7rrlffx.exe 99 PID 3208 wrote to memory of 3680 3208 nnntht.exe 100 PID 3208 wrote to memory of 3680 3208 nnntht.exe 100 PID 3208 wrote to memory of 3680 3208 nnntht.exe 100 PID 3680 wrote to memory of 3432 3680 jddvj.exe 101 PID 3680 wrote to memory of 3432 3680 jddvj.exe 101 PID 3680 wrote to memory of 3432 3680 jddvj.exe 101 PID 3432 wrote to memory of 4024 3432 5ddvj.exe 102 PID 3432 wrote to memory of 4024 3432 5ddvj.exe 102 PID 3432 wrote to memory of 4024 3432 5ddvj.exe 102 PID 4024 wrote to memory of 1540 4024 nnhhtt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6c4c9e56c0e4c526e57e9229474e1a231b4037971cebb38440a0e286dd75379.exe"C:\Users\Admin\AppData\Local\Temp\c6c4c9e56c0e4c526e57e9229474e1a231b4037971cebb38440a0e286dd75379.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\rfxxrfx.exec:\rfxxrfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\hnttbn.exec:\hnttbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\pdjjd.exec:\pdjjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\lxlfxrr.exec:\lxlfxrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\lrrrlll.exec:\lrrrlll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\ntbttt.exec:\ntbttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\dpjvj.exec:\dpjvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\flrlrfr.exec:\flrlrfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:68 -
\??\c:\ttbbbb.exec:\ttbbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\bbhhbb.exec:\bbhhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\jjjjv.exec:\jjjjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\fflxxff.exec:\fflxxff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\fxxxxxx.exec:\fxxxxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\3jpvv.exec:\3jpvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\rflfrxx.exec:\rflfrxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\htbbtt.exec:\htbbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\7rrlffx.exec:\7rrlffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\nnntht.exec:\nnntht.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\jddvj.exec:\jddvj.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\5ddvj.exec:\5ddvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\nnhhtt.exec:\nnhhtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\bnbtbt.exec:\bnbtbt.exe23⤵
- Executes dropped EXE
PID:1540 -
\??\c:\vvdpj.exec:\vvdpj.exe24⤵
- Executes dropped EXE
PID:4284 -
\??\c:\rllrrrx.exec:\rllrrrx.exe25⤵
- Executes dropped EXE
PID:4572 -
\??\c:\nhbtnn.exec:\nhbtnn.exe26⤵
- Executes dropped EXE
PID:548 -
\??\c:\hbtnhh.exec:\hbtnhh.exe27⤵
- Executes dropped EXE
PID:640 -
\??\c:\5vddv.exec:\5vddv.exe28⤵
- Executes dropped EXE
PID:2764 -
\??\c:\rxrrffx.exec:\rxrrffx.exe29⤵
- Executes dropped EXE
PID:4532 -
\??\c:\thnnnn.exec:\thnnnn.exe30⤵
- Executes dropped EXE
PID:3568 -
\??\c:\vjjjv.exec:\vjjjv.exe31⤵
- Executes dropped EXE
PID:4144 -
\??\c:\dvjvd.exec:\dvjvd.exe32⤵
- Executes dropped EXE
PID:1992 -
\??\c:\lxlfxxx.exec:\lxlfxxx.exe33⤵
- Executes dropped EXE
PID:3540 -
\??\c:\7bnhbh.exec:\7bnhbh.exe34⤵
- Executes dropped EXE
PID:3324 -
\??\c:\btbbbh.exec:\btbbbh.exe35⤵
- Executes dropped EXE
PID:4156 -
\??\c:\3pjpj.exec:\3pjpj.exe36⤵
- Executes dropped EXE
PID:1332 -
\??\c:\fxlfllr.exec:\fxlfllr.exe37⤵
- Executes dropped EXE
PID:4588 -
\??\c:\rlffllx.exec:\rlffllx.exe38⤵
- Executes dropped EXE
PID:464 -
\??\c:\9tbbtt.exec:\9tbbtt.exe39⤵
- Executes dropped EXE
PID:1740 -
\??\c:\3pvvv.exec:\3pvvv.exe40⤵
- Executes dropped EXE
PID:3716 -
\??\c:\pvdvp.exec:\pvdvp.exe41⤵
- Executes dropped EXE
PID:4408 -
\??\c:\3xfrlrx.exec:\3xfrlrx.exe42⤵
- Executes dropped EXE
PID:3452 -
\??\c:\5frlxxf.exec:\5frlxxf.exe43⤵
- Executes dropped EXE
PID:1492 -
\??\c:\hnhbtt.exec:\hnhbtt.exe44⤵
- Executes dropped EXE
PID:3164 -
\??\c:\nhbbtt.exec:\nhbbtt.exe45⤵
- Executes dropped EXE
PID:3184 -
\??\c:\jjvjj.exec:\jjvjj.exe46⤵
- Executes dropped EXE
PID:3440 -
\??\c:\rxfllxf.exec:\rxfllxf.exe47⤵
- Executes dropped EXE
PID:4356 -
\??\c:\3bhbhh.exec:\3bhbhh.exe48⤵
- Executes dropped EXE
PID:1320 -
\??\c:\3thhtn.exec:\3thhtn.exe49⤵
- Executes dropped EXE
PID:4940 -
\??\c:\djvpd.exec:\djvpd.exe50⤵
- Executes dropped EXE
PID:1840 -
\??\c:\3rrrllf.exec:\3rrrllf.exe51⤵
- Executes dropped EXE
PID:1980 -
\??\c:\bnnhbt.exec:\bnnhbt.exe52⤵
- Executes dropped EXE
PID:2756 -
\??\c:\tntthn.exec:\tntthn.exe53⤵
- Executes dropped EXE
PID:888 -
\??\c:\jpjdv.exec:\jpjdv.exe54⤵
- Executes dropped EXE
PID:4132 -
\??\c:\rlffrrr.exec:\rlffrrr.exe55⤵
- Executes dropped EXE
PID:2932 -
\??\c:\7xlfxxr.exec:\7xlfxxr.exe56⤵
- Executes dropped EXE
PID:4760 -
\??\c:\htbttt.exec:\htbttt.exe57⤵
- Executes dropped EXE
PID:4888 -
\??\c:\nbnhtt.exec:\nbnhtt.exe58⤵
- Executes dropped EXE
PID:4788 -
\??\c:\vpdvj.exec:\vpdvj.exe59⤵
- Executes dropped EXE
PID:2400 -
\??\c:\rllfxxx.exec:\rllfxxx.exe60⤵
- Executes dropped EXE
PID:2952 -
\??\c:\1nnhtt.exec:\1nnhtt.exe61⤵
- Executes dropped EXE
PID:2768 -
\??\c:\tnhnbb.exec:\tnhnbb.exe62⤵
- Executes dropped EXE
PID:4040 -
\??\c:\ddjjv.exec:\ddjjv.exe63⤵
- Executes dropped EXE
PID:2588 -
\??\c:\vdvdp.exec:\vdvdp.exe64⤵
- Executes dropped EXE
PID:3808 -
\??\c:\fflfrlf.exec:\fflfrlf.exe65⤵
- Executes dropped EXE
PID:1848 -
\??\c:\thhbtt.exec:\thhbtt.exe66⤵PID:3456
-
\??\c:\nbbhtn.exec:\nbbhtn.exe67⤵PID:2088
-
\??\c:\pdvdp.exec:\pdvdp.exe68⤵PID:4020
-
\??\c:\lrlfrlf.exec:\lrlfrlf.exe69⤵PID:4204
-
\??\c:\lxflxrl.exec:\lxflxrl.exe70⤵PID:4348
-
\??\c:\7bbnbt.exec:\7bbnbt.exe71⤵PID:4380
-
\??\c:\bbbnhb.exec:\bbbnhb.exe72⤵PID:4828
-
\??\c:\vjjdv.exec:\vjjdv.exe73⤵PID:456
-
\??\c:\lllfxrl.exec:\lllfxrl.exe74⤵PID:3480
-
\??\c:\tnhhtn.exec:\tnhhtn.exe75⤵PID:2992
-
\??\c:\ppdjp.exec:\ppdjp.exe76⤵PID:5064
-
\??\c:\7rrrxrl.exec:\7rrrxrl.exe77⤵PID:1536
-
\??\c:\rrlfxrl.exec:\rrlfxrl.exe78⤵PID:3996
-
\??\c:\nbthbt.exec:\nbthbt.exe79⤵PID:4452
-
\??\c:\pjddv.exec:\pjddv.exe80⤵PID:4392
-
\??\c:\ppppd.exec:\ppppd.exe81⤵PID:2072
-
\??\c:\3lrrlll.exec:\3lrrlll.exe82⤵PID:2620
-
\??\c:\httnnh.exec:\httnnh.exe83⤵PID:4572
-
\??\c:\7hnhbn.exec:\7hnhbn.exe84⤵PID:2732
-
\??\c:\bntnnn.exec:\bntnnn.exe85⤵PID:3264
-
\??\c:\djjpd.exec:\djjpd.exe86⤵PID:4116
-
\??\c:\dpdvv.exec:\dpdvv.exe87⤵PID:4976
-
\??\c:\rrlfllx.exec:\rrlfllx.exe88⤵PID:2080
-
\??\c:\htnnhn.exec:\htnnhn.exe89⤵PID:3636
-
\??\c:\ddddv.exec:\ddddv.exe90⤵PID:2736
-
\??\c:\rffrxxr.exec:\rffrxxr.exe91⤵PID:4532
-
\??\c:\xfxxrlf.exec:\xfxxrlf.exe92⤵PID:4720
-
\??\c:\nnbttt.exec:\nnbttt.exe93⤵PID:4072
-
\??\c:\bntnhh.exec:\bntnhh.exe94⤵PID:4708
-
\??\c:\dvvvp.exec:\dvvvp.exe95⤵PID:1996
-
\??\c:\lffxxrr.exec:\lffxxrr.exe96⤵PID:1148
-
\??\c:\bnhbbb.exec:\bnhbbb.exe97⤵PID:3324
-
\??\c:\nthbnn.exec:\nthbnn.exe98⤵PID:4156
-
\??\c:\tnbbtt.exec:\tnbbtt.exe99⤵PID:3232
-
\??\c:\ppppd.exec:\ppppd.exe100⤵PID:1476
-
\??\c:\5pvpj.exec:\5pvpj.exe101⤵PID:4768
-
\??\c:\5xllxxx.exec:\5xllxxx.exe102⤵PID:1736
-
\??\c:\nhhbtt.exec:\nhhbtt.exe103⤵PID:5056
-
\??\c:\1pvvp.exec:\1pvvp.exe104⤵PID:3716
-
\??\c:\3hbbnn.exec:\3hbbnn.exe105⤵PID:2836
-
\??\c:\hnnbbh.exec:\hnnbbh.exe106⤵PID:436
-
\??\c:\vdddv.exec:\vdddv.exe107⤵PID:3140
-
\??\c:\djvvp.exec:\djvvp.exe108⤵PID:4964
-
\??\c:\lrrlrrl.exec:\lrrlrrl.exe109⤵PID:264
-
\??\c:\fffxxxr.exec:\fffxxxr.exe110⤵PID:4440
-
\??\c:\thhttb.exec:\thhttb.exe111⤵PID:3268
-
\??\c:\hthhbb.exec:\hthhbb.exe112⤵PID:4984
-
\??\c:\dppvp.exec:\dppvp.exe113⤵PID:2812
-
\??\c:\lxlrlll.exec:\lxlrlll.exe114⤵PID:4272
-
\??\c:\nhbtnn.exec:\nhbtnn.exe115⤵PID:4980
-
\??\c:\9btnbb.exec:\9btnbb.exe116⤵PID:1436
-
\??\c:\pjppd.exec:\pjppd.exe117⤵PID:4944
-
\??\c:\jdvdv.exec:\jdvdv.exe118⤵PID:1412
-
\??\c:\rffflrl.exec:\rffflrl.exe119⤵PID:2976
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe120⤵PID:3152
-
\??\c:\bbttbb.exec:\bbttbb.exe121⤵PID:2844
-
\??\c:\hbhbnn.exec:\hbhbnn.exe122⤵PID:3972