Analysis
-
max time kernel
126s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 03:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c1d95313e96cdb4aff831f8aa125591a3c674ee450f3f45bd7b874f3bec0640a.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
c1d95313e96cdb4aff831f8aa125591a3c674ee450f3f45bd7b874f3bec0640a.exe
-
Size
454KB
-
MD5
c802d90048e2fb3f6ac2509681184c80
-
SHA1
6366b4a95f845a9508331b4406ff684bf7cb0848
-
SHA256
c1d95313e96cdb4aff831f8aa125591a3c674ee450f3f45bd7b874f3bec0640a
-
SHA512
b76f1802f84a95720619c35aad85ebf6b4b7b36adb04db655269f9d443eec36adbf1dc65933043b23d5806313eb6f806bce42f0896de9a1ee4190505c383966e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeD:q7Tc2NYHUrAwfMp3CDD
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload (memory YARA rule `family_blackmoon`) — 63 IoCs
resource yara_rule behavioral2/memory/4400-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4672-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3520-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-625-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-914-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-954-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-1012-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3156 rffrlfx.exe 2984 9nnbtt.exe 216 tntbbt.exe 3296 vjjvj.exe 4704 dvpdd.exe 4048 5fllflf.exe 4140 ttnttb.exe 4488 jjppp.exe 1392 jjjjd.exe 3408 tttbnt.exe 1228 5nttnn.exe 3292 vpvvp.exe 944 llfxrlf.exe 2360 5hnhbb.exe 2956 1jppp.exe 1288 rffrxxf.exe 336 tttntb.exe 2284 rlfxrrl.exe 1316 7bbthb.exe 4848 djvjv.exe 3612 7jppd.exe 4992 lxfxxlf.exe 4572 bhbtbt.exe 4780 jjjdd.exe 4228 xrrlxxx.exe 4708 bthbtt.exe 2116 jvdjd.exe 2472 hbtbhn.exe 2876 3pvvp.exe 3344 lrxxffl.exe 3196 bntnnb.exe 3616 pdjdv.exe 2440 djjjj.exe 1128 9xrrlff.exe 4272 bntnhh.exe 3380 tnttnn.exe 1808 llrrffx.exe 4180 nbntbt.exe 1980 frrlxxr.exe 2396 1frffxx.exe 3632 ntbhbt.exe 4656 dpjvj.exe 4620 jjjdd.exe 3628 frrxrll.exe 968 hnnnhn.exe 4808 jvppp.exe 4712 9pdvv.exe 1456 5xffflr.exe 4956 bttbtt.exe 5092 tbthbt.exe 4188 djjjp.exe 4672 llrrffx.exe 3024 rllffxx.exe 3156 btthtn.exe 3324 1dddv.exe 3332 1dpjd.exe 876 1fxrlfx.exe 2004 7tbhbh.exe 3624 bnthbb.exe 4048 pdpdp.exe 2532 1lrlrrx.exe 4192 1fllrlr.exe 4116 7bnhhn.exe 3520 dvdvp.exe -
resource yara_rule behavioral2/memory/4400-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-257-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1456-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-319-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2772-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-625-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-632-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the `HKLM\SYSTEM\ControlSet001\Control\NLS\Language` registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpdd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4400 wrote to memory of 3156 4400 c1d95313e96cdb4aff831f8aa125591a3c674ee450f3f45bd7b874f3bec0640a.exe 82 PID 4400 wrote to memory of 3156 4400 c1d95313e96cdb4aff831f8aa125591a3c674ee450f3f45bd7b874f3bec0640a.exe 82 PID 4400 wrote to memory of 3156 4400 c1d95313e96cdb4aff831f8aa125591a3c674ee450f3f45bd7b874f3bec0640a.exe 82 PID 3156 wrote to memory of 2984 3156 rffrlfx.exe 83 PID 3156 wrote to memory of 2984 3156 rffrlfx.exe 83 PID 3156 wrote to memory of 2984 3156 rffrlfx.exe 83 PID 2984 wrote to memory of 216 2984 9nnbtt.exe 84 PID 2984 wrote to memory of 216 2984 9nnbtt.exe 84 PID 2984 wrote to memory of 216 2984 9nnbtt.exe 84 PID 216 wrote to memory of 3296 216 tntbbt.exe 85 PID 216 wrote to memory of 3296 216 tntbbt.exe 85 PID 216 wrote to memory of 3296 216 tntbbt.exe 85 PID 3296 wrote to memory of 4704 3296 vjjvj.exe 86 PID 3296 wrote to memory of 4704 3296 vjjvj.exe 86 PID 3296 wrote to memory of 4704 3296 vjjvj.exe 86 PID 4704 wrote to memory of 4048 4704 dvpdd.exe 87 PID 4704 wrote to memory of 4048 4704 dvpdd.exe 87 PID 4704 wrote to memory of 4048 4704 dvpdd.exe 87 PID 4048 wrote to memory of 4140 4048 5fllflf.exe 88 PID 4048 wrote to memory of 4140 4048 5fllflf.exe 88 PID 4048 wrote to memory of 4140 4048 5fllflf.exe 88 PID 4140 wrote to memory of 4488 4140 ttnttb.exe 89 PID 4140 wrote to memory of 4488 4140 ttnttb.exe 89 PID 4140 wrote to memory of 4488 4140 ttnttb.exe 89 PID 4488 wrote to memory of 1392 4488 jjppp.exe 90 PID 4488 wrote to memory of 1392 4488 jjppp.exe 90 PID 4488 wrote to memory of 1392 4488 jjppp.exe 90 PID 1392 wrote to memory of 3408 1392 jjjjd.exe 91 PID 1392 wrote to memory of 3408 1392 jjjjd.exe 91 PID 1392 wrote to memory of 3408 1392 jjjjd.exe 91 PID 3408 wrote to memory of 1228 3408 tttbnt.exe 92 PID 3408 wrote to memory of 1228 3408 tttbnt.exe 92 PID 3408 wrote to memory of 1228 3408 tttbnt.exe 92 PID 1228 wrote to memory of 3292 1228 5nttnn.exe 93 PID 1228 wrote to memory of 3292 
1228 5nttnn.exe 93 PID 1228 wrote to memory of 3292 1228 5nttnn.exe 93 PID 3292 wrote to memory of 944 3292 vpvvp.exe 94 PID 3292 wrote to memory of 944 3292 vpvvp.exe 94 PID 3292 wrote to memory of 944 3292 vpvvp.exe 94 PID 944 wrote to memory of 2360 944 llfxrlf.exe 95 PID 944 wrote to memory of 2360 944 llfxrlf.exe 95 PID 944 wrote to memory of 2360 944 llfxrlf.exe 95 PID 2360 wrote to memory of 2956 2360 5hnhbb.exe 96 PID 2360 wrote to memory of 2956 2360 5hnhbb.exe 96 PID 2360 wrote to memory of 2956 2360 5hnhbb.exe 96 PID 2956 wrote to memory of 1288 2956 1jppp.exe 97 PID 2956 wrote to memory of 1288 2956 1jppp.exe 97 PID 2956 wrote to memory of 1288 2956 1jppp.exe 97 PID 1288 wrote to memory of 336 1288 rffrxxf.exe 98 PID 1288 wrote to memory of 336 1288 rffrxxf.exe 98 PID 1288 wrote to memory of 336 1288 rffrxxf.exe 98 PID 336 wrote to memory of 2284 336 tttntb.exe 99 PID 336 wrote to memory of 2284 336 tttntb.exe 99 PID 336 wrote to memory of 2284 336 tttntb.exe 99 PID 2284 wrote to memory of 1316 2284 rlfxrrl.exe 100 PID 2284 wrote to memory of 1316 2284 rlfxrrl.exe 100 PID 2284 wrote to memory of 1316 2284 rlfxrrl.exe 100 PID 1316 wrote to memory of 4848 1316 7bbthb.exe 101 PID 1316 wrote to memory of 4848 1316 7bbthb.exe 101 PID 1316 wrote to memory of 4848 1316 7bbthb.exe 101 PID 4848 wrote to memory of 3612 4848 djvjv.exe 102 PID 4848 wrote to memory of 3612 4848 djvjv.exe 102 PID 4848 wrote to memory of 3612 4848 djvjv.exe 102 PID 3612 wrote to memory of 4992 3612 7jppd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1d95313e96cdb4aff831f8aa125591a3c674ee450f3f45bd7b874f3bec0640a.exe"C:\Users\Admin\AppData\Local\Temp\c1d95313e96cdb4aff831f8aa125591a3c674ee450f3f45bd7b874f3bec0640a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\rffrlfx.exec:\rffrlfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\9nnbtt.exec:\9nnbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\tntbbt.exec:\tntbbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\vjjvj.exec:\vjjvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\dvpdd.exec:\dvpdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\5fllflf.exec:\5fllflf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\ttnttb.exec:\ttnttb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\jjppp.exec:\jjppp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\jjjjd.exec:\jjjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\tttbnt.exec:\tttbnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\5nttnn.exec:\5nttnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\vpvvp.exec:\vpvvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\llfxrlf.exec:\llfxrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\5hnhbb.exec:\5hnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\1jppp.exec:\1jppp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\rffrxxf.exec:\rffrxxf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\tttntb.exec:\tttntb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\7bbthb.exec:\7bbthb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316 -
\??\c:\djvjv.exec:\djvjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\7jppd.exec:\7jppd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\lxfxxlf.exec:\lxfxxlf.exe23⤵
- Executes dropped EXE
PID:4992 -
\??\c:\bhbtbt.exec:\bhbtbt.exe24⤵
- Executes dropped EXE
PID:4572 -
\??\c:\jjjdd.exec:\jjjdd.exe25⤵
- Executes dropped EXE
PID:4780 -
\??\c:\xrrlxxx.exec:\xrrlxxx.exe26⤵
- Executes dropped EXE
PID:4228 -
\??\c:\bthbtt.exec:\bthbtt.exe27⤵
- Executes dropped EXE
PID:4708 -
\??\c:\jvdjd.exec:\jvdjd.exe28⤵
- Executes dropped EXE
PID:2116 -
\??\c:\hbtbhn.exec:\hbtbhn.exe29⤵
- Executes dropped EXE
PID:2472 -
\??\c:\3pvvp.exec:\3pvvp.exe30⤵
- Executes dropped EXE
PID:2876 -
\??\c:\lrxxffl.exec:\lrxxffl.exe31⤵
- Executes dropped EXE
PID:3344 -
\??\c:\bntnnb.exec:\bntnnb.exe32⤵
- Executes dropped EXE
PID:3196 -
\??\c:\pdjdv.exec:\pdjdv.exe33⤵
- Executes dropped EXE
PID:3616 -
\??\c:\djjjj.exec:\djjjj.exe34⤵
- Executes dropped EXE
PID:2440 -
\??\c:\9xrrlff.exec:\9xrrlff.exe35⤵
- Executes dropped EXE
PID:1128 -
\??\c:\bntnhh.exec:\bntnhh.exe36⤵
- Executes dropped EXE
PID:4272 -
\??\c:\tnttnn.exec:\tnttnn.exe37⤵
- Executes dropped EXE
PID:3380 -
\??\c:\llrrffx.exec:\llrrffx.exe38⤵
- Executes dropped EXE
PID:1808 -
\??\c:\nbntbt.exec:\nbntbt.exe39⤵
- Executes dropped EXE
PID:4180 -
\??\c:\frrlxxr.exec:\frrlxxr.exe40⤵
- Executes dropped EXE
PID:1980 -
\??\c:\1frffxx.exec:\1frffxx.exe41⤵
- Executes dropped EXE
PID:2396 -
\??\c:\ntbhbt.exec:\ntbhbt.exe42⤵
- Executes dropped EXE
PID:3632 -
\??\c:\dpjvj.exec:\dpjvj.exe43⤵
- Executes dropped EXE
PID:4656 -
\??\c:\jjjdd.exec:\jjjdd.exe44⤵
- Executes dropped EXE
PID:4620 -
\??\c:\frrxrll.exec:\frrxrll.exe45⤵
- Executes dropped EXE
PID:3628 -
\??\c:\hnnnhn.exec:\hnnnhn.exe46⤵
- Executes dropped EXE
PID:968 -
\??\c:\jvppp.exec:\jvppp.exe47⤵
- Executes dropped EXE
PID:4808 -
\??\c:\9pdvv.exec:\9pdvv.exe48⤵
- Executes dropped EXE
PID:4712 -
\??\c:\5xffflr.exec:\5xffflr.exe49⤵
- Executes dropped EXE
PID:1456 -
\??\c:\bttbtt.exec:\bttbtt.exe50⤵
- Executes dropped EXE
PID:4956 -
\??\c:\tbthbt.exec:\tbthbt.exe51⤵
- Executes dropped EXE
PID:5092 -
\??\c:\djjjp.exec:\djjjp.exe52⤵
- Executes dropped EXE
PID:4188 -
\??\c:\llrrffx.exec:\llrrffx.exe53⤵
- Executes dropped EXE
PID:4672 -
\??\c:\rllffxx.exec:\rllffxx.exe54⤵
- Executes dropped EXE
PID:3024 -
\??\c:\btthtn.exec:\btthtn.exe55⤵
- Executes dropped EXE
PID:3156 -
\??\c:\1dddv.exec:\1dddv.exe56⤵
- Executes dropped EXE
PID:3324 -
\??\c:\1dpjd.exec:\1dpjd.exe57⤵
- Executes dropped EXE
PID:3332 -
\??\c:\1fxrlfx.exec:\1fxrlfx.exe58⤵
- Executes dropped EXE
PID:876 -
\??\c:\7tbhbh.exec:\7tbhbh.exe59⤵
- Executes dropped EXE
PID:2004 -
\??\c:\bnthbb.exec:\bnthbb.exe60⤵
- Executes dropped EXE
PID:3624 -
\??\c:\pdpdp.exec:\pdpdp.exe61⤵
- Executes dropped EXE
PID:4048 -
\??\c:\1lrlrrx.exec:\1lrlrrx.exe62⤵
- Executes dropped EXE
PID:2532 -
\??\c:\1fllrlr.exec:\1fllrlr.exe63⤵
- Executes dropped EXE
PID:4192 -
\??\c:\7bnhhn.exec:\7bnhhn.exe64⤵
- Executes dropped EXE
PID:4116 -
\??\c:\dvdvp.exec:\dvdvp.exe65⤵
- Executes dropped EXE
PID:3520 -
\??\c:\lflfxxx.exec:\lflfxxx.exe66⤵PID:2640
-
\??\c:\ntbhtt.exec:\ntbhtt.exe67⤵PID:4976
-
\??\c:\ppppj.exec:\ppppj.exe68⤵
- System Location Discovery: System Language Discovery
PID:5064 -
\??\c:\frrllfr.exec:\frrllfr.exe69⤵PID:3200
-
\??\c:\vdpdv.exec:\vdpdv.exe70⤵PID:1000
-
\??\c:\7llfrrr.exec:\7llfrrr.exe71⤵PID:4940
-
\??\c:\nbtnhb.exec:\nbtnhb.exe72⤵PID:1484
-
\??\c:\llxxfxf.exec:\llxxfxf.exe73⤵PID:2772
-
\??\c:\lxrllff.exec:\lxrllff.exe74⤵PID:5008
-
\??\c:\7jdvd.exec:\7jdvd.exe75⤵PID:1596
-
\??\c:\7tbbnb.exec:\7tbbnb.exe76⤵PID:4044
-
\??\c:\vvppd.exec:\vvppd.exe77⤵PID:336
-
\??\c:\rlllffx.exec:\rlllffx.exe78⤵PID:1096
-
\??\c:\5ttnbb.exec:\5ttnbb.exe79⤵PID:4448
-
\??\c:\vvppp.exec:\vvppp.exe80⤵PID:3052
-
\??\c:\rrrlffx.exec:\rrrlffx.exe81⤵PID:4104
-
\??\c:\nnnbnn.exec:\nnnbnn.exe82⤵PID:3612
-
\??\c:\xlxllfx.exec:\xlxllfx.exe83⤵PID:4644
-
\??\c:\djpvp.exec:\djpvp.exe84⤵PID:3396
-
\??\c:\rrrlfff.exec:\rrrlfff.exe85⤵PID:3288
-
\??\c:\hbnhtt.exec:\hbnhtt.exe86⤵PID:3492
-
\??\c:\pvddd.exec:\pvddd.exe87⤵PID:2252
-
\??\c:\9flfxxr.exec:\9flfxxr.exe88⤵PID:1628
-
\??\c:\bhhnhn.exec:\bhhnhn.exe89⤵PID:804
-
\??\c:\ddpjj.exec:\ddpjj.exe90⤵PID:4896
-
\??\c:\lxflfxl.exec:\lxflfxl.exe91⤵PID:1468
-
\??\c:\hnbtnh.exec:\hnbtnh.exe92⤵PID:2076
-
\??\c:\nhhbhh.exec:\nhhbhh.exe93⤵PID:1740
-
\??\c:\rlxxxxr.exec:\rlxxxxr.exe94⤵PID:4736
-
\??\c:\vjpjp.exec:\vjpjp.exe95⤵PID:4912
-
\??\c:\llllffr.exec:\llllffr.exe96⤵PID:1832
-
\??\c:\btbnnh.exec:\btbnnh.exe97⤵PID:1336
-
\??\c:\bbthhh.exec:\bbthhh.exe98⤵PID:2440
-
\??\c:\1ddvp.exec:\1ddvp.exe99⤵PID:1128
-
\??\c:\rllfxrl.exec:\rllfxrl.exe100⤵PID:2988
-
\??\c:\tbnthb.exec:\tbnthb.exe101⤵PID:4936
-
\??\c:\9pjjv.exec:\9pjjv.exe102⤵PID:2888
-
\??\c:\pdjpd.exec:\pdjpd.exe103⤵PID:1412
-
\??\c:\flxrlff.exec:\flxrlff.exe104⤵PID:448
-
\??\c:\1hnhbb.exec:\1hnhbb.exe105⤵PID:1132
-
\??\c:\jjddp.exec:\jjddp.exe106⤵PID:1768
-
\??\c:\lffrlfx.exec:\lffrlfx.exe107⤵
- System Location Discovery: System Language Discovery
PID:4196 -
\??\c:\ttthbt.exec:\ttthbt.exe108⤵PID:2620
-
\??\c:\pjddj.exec:\pjddj.exe109⤵PID:3064
-
\??\c:\vvjjj.exec:\vvjjj.exe110⤵PID:4036
-
\??\c:\7xfxrrl.exec:\7xfxrrl.exe111⤵PID:2720
-
\??\c:\5ntthb.exec:\5ntthb.exe112⤵PID:968
-
\??\c:\dppdj.exec:\dppdj.exe113⤵PID:440
-
\??\c:\lffxlrl.exec:\lffxlrl.exe114⤵PID:4388
-
\??\c:\lffffff.exec:\lffffff.exe115⤵PID:1112
-
\??\c:\ttbnhh.exec:\ttbnhh.exe116⤵PID:1232
-
\??\c:\1dpdv.exec:\1dpdv.exe117⤵
- System Location Discovery: System Language Discovery
PID:2976 -
\??\c:\lllllll.exec:\lllllll.exe118⤵PID:708
-
\??\c:\ntttnb.exec:\ntttnb.exe119⤵PID:2340
-
\??\c:\dpjvj.exec:\dpjvj.exe120⤵PID:1924
-
\??\c:\3rxrlrl.exec:\3rxrlrl.exe121⤵PID:4692
-
\??\c:\bbbttn.exec:\bbbttn.exe122⤵PID:228