Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
21-12-2024 23:06
Behavioral task
behavioral1
Sample
c71eef7ed30793a6e179deabd3124e8701144799f0d905584416f2ab6a03062b.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c71eef7ed30793a6e179deabd3124e8701144799f0d905584416f2ab6a03062b.exe
-
Size
85KB
-
MD5
dac22bff5fbbd188307e6a02e3ba7def
-
SHA1
ace66429bf85d99eda6f333500165bf2c3a2104c
-
SHA256
c71eef7ed30793a6e179deabd3124e8701144799f0d905584416f2ab6a03062b
-
SHA512
17b4b4ce7959b12632209bbfbf00102f60dc625708e15b7390b6d04aef113e76aea5b6ae0a0540992adf781c8551dd215f2fd8a7a29c0bf0da9c5582b01f6e63
-
SSDEEP
1536:cvQBeOGtrYS3srx93UBWfwC6Ggnouy8HglW8wk8miJd1Rtt8Nqz1xw+a:chOmTsF93UYfwC6GIout3tk8mItt8N5F
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2780-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2700-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3768-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1780-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4892-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2544-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3772-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3088-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1048-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1548-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5108-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2412-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2336-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1928-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4740-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3032-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2928-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3536-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/796-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1712-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2984-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2316-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3940-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4372-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3600-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3724-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2120-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-351-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1644-415-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5052-422-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2712-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2136-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/468-464-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/116-468-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1052-490-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2208-600-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-631-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4848-653-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-663-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-667-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3188-737-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2224-756-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1812-968-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-1211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4836-1278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-1414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4544-1501-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4816 9nbtnn.exe 5040 vdddd.exe 2700 lxxlfxr.exe 3768 lfllrxx.exe 1780 thbtbb.exe 4872 1jpjv.exe 4116 jdjpj.exe 2736 ffxxrrr.exe 228 ffrllll.exe 2008 nhhbbb.exe 4892 1pjjd.exe 3892 5fxxxxx.exe 2544 tntnhh.exe 4792 vpvjp.exe 4580 5dppp.exe 1476 rfrfxrr.exe 1364 fxffrff.exe 2288 pdvdd.exe 3772 jvddv.exe 3088 5tbbhn.exe 4768 5bbthb.exe 1048 jvvpp.exe 1548 xrllflx.exe 4512 nbhbbh.exe 5108 nbbtnn.exe 2412 pddvj.exe 3456 7pvdd.exe 2336 xffrfxl.exe 1928 bnbhbb.exe 4740 hbhbtt.exe 3032 vpddj.exe 2568 1flrflf.exe 2552 htnnhh.exe 2928 tbbthh.exe 2144 dvjdp.exe 2468 rfffxxr.exe 1280 thbtnh.exe 3536 lrflflf.exe 2148 bnbnbn.exe 4976 bnnbnb.exe 4844 3jvpp.exe 796 rfxlxfr.exe 3012 flfrfrl.exe 1008 tbbnbt.exe 3420 bbthtn.exe 4244 pppdp.exe 4428 vjdpj.exe 1712 rfxrfxf.exe 2984 1rxfxlf.exe 4800 7hbtht.exe 5040 5ppdp.exe 2700 jvppv.exe 3432 rllffff.exe 2316 xxrlxrf.exe 1172 httnbn.exe 3024 bttthh.exe 2936 7dppd.exe 3940 lrrlrrf.exe 3372 lxxrlfr.exe 4372 btnhbt.exe 1932 hhhtnh.exe 2084 9pdvd.exe 4952 9ppjv.exe 3976 fxlfrrl.exe -
resource yara_rule behavioral2/memory/2780-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2780-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c56-3.dat upx behavioral2/files/0x0008000000023cbc-9.dat upx behavioral2/memory/4816-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-13.dat upx behavioral2/memory/2700-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5040-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3768-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-23.dat upx behavioral2/memory/3768-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc0-31.dat upx behavioral2/memory/1780-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-34.dat upx behavioral2/files/0x0007000000023cc2-40.dat upx behavioral2/memory/4872-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4872-37-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-46.dat upx behavioral2/memory/4116-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc4-52.dat upx behavioral2/files/0x0007000000023cc5-58.dat upx behavioral2/memory/228-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc6-63.dat upx behavioral2/memory/2008-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4892-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-69.dat upx behavioral2/files/0x0007000000023cc8-74.dat upx behavioral2/files/0x0007000000023cc9-78.dat upx behavioral2/memory/2544-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cca-83.dat upx behavioral2/files/0x0007000000023ccb-88.dat upx 
behavioral2/memory/4580-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccc-94.dat upx behavioral2/memory/1476-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccd-100.dat upx behavioral2/files/0x0007000000023cce-105.dat upx behavioral2/memory/3772-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ccf-112.dat upx behavioral2/files/0x0007000000023cd0-118.dat upx behavioral2/memory/3088-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd1-122.dat upx behavioral2/memory/4768-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd2-128.dat upx behavioral2/memory/1048-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd3-134.dat upx behavioral2/memory/1548-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd4-139.dat upx behavioral2/memory/4512-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5108-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd6-147.dat upx behavioral2/files/0x0007000000023cd7-152.dat upx behavioral2/memory/2412-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3456-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd9-166.dat upx behavioral2/memory/2336-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cd8-159.dat upx behavioral2/files/0x0007000000023cda-173.dat upx behavioral2/memory/1928-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4740-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cba-178.dat upx behavioral2/files/0x0007000000023cdb-183.dat upx behavioral2/memory/3032-184-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2552-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2928-196-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2780 wrote to memory of 4816 2780 c71eef7ed30793a6e179deabd3124e8701144799f0d905584416f2ab6a03062b.exe 84 PID 2780 wrote to memory of 4816 2780 c71eef7ed30793a6e179deabd3124e8701144799f0d905584416f2ab6a03062b.exe 84 PID 2780 wrote to memory of 4816 2780 c71eef7ed30793a6e179deabd3124e8701144799f0d905584416f2ab6a03062b.exe 84 PID 4816 wrote to memory of 5040 4816 9nbtnn.exe 85 PID 4816 wrote to memory of 5040 4816 9nbtnn.exe 85 PID 4816 wrote to memory of 5040 4816 9nbtnn.exe 85 PID 5040 wrote to memory of 2700 5040 vdddd.exe 86 PID 5040 wrote to memory of 2700 5040 vdddd.exe 86 PID 5040 wrote to memory of 2700 5040 vdddd.exe 86 PID 2700 wrote to memory of 3768 2700 lxxlfxr.exe 87 PID 2700 wrote to memory of 3768 2700 lxxlfxr.exe 87 PID 2700 wrote to memory of 3768 2700 lxxlfxr.exe 87 PID 3768 wrote to memory of 1780 3768 lfllrxx.exe 88 PID 3768 wrote to memory of 1780 3768 lfllrxx.exe 88 PID 3768 wrote to memory of 1780 3768 lfllrxx.exe 88 PID 1780 wrote to memory of 4872 1780 thbtbb.exe 89 PID 1780 wrote to memory of 4872 1780 thbtbb.exe 89 PID 1780 wrote to memory of 4872 1780 thbtbb.exe 89 PID 4872 wrote to memory of 4116 4872 1jpjv.exe 90 PID 4872 wrote to memory of 4116 4872 1jpjv.exe 90 PID 4872 wrote to memory of 4116 4872 1jpjv.exe 90 PID 4116 wrote to memory of 2736 4116 jdjpj.exe 91 PID 4116 wrote to memory of 2736 4116 jdjpj.exe 91 PID 4116 wrote to memory of 2736 4116 jdjpj.exe 91 PID 2736 wrote to memory of 228 2736 ffxxrrr.exe 92 PID 2736 wrote to memory of 228 2736 ffxxrrr.exe 92 PID 2736 wrote to memory of 228 2736 ffxxrrr.exe 92 PID 228 wrote to memory of 2008 228 ffrllll.exe 93 PID 228 wrote to memory of 2008 228 ffrllll.exe 93 PID 228 wrote to memory of 2008 228 ffrllll.exe 93 PID 2008 wrote to memory of 4892 2008 nhhbbb.exe 94 PID 2008 wrote to memory of 4892 2008 nhhbbb.exe 94 PID 2008 wrote to memory of 4892 2008 nhhbbb.exe 94 PID 4892 wrote to memory of 3892 4892 1pjjd.exe 95 PID 4892 wrote to memory 
of 3892 4892 1pjjd.exe 95 PID 4892 wrote to memory of 3892 4892 1pjjd.exe 95 PID 3892 wrote to memory of 2544 3892 5fxxxxx.exe 96 PID 3892 wrote to memory of 2544 3892 5fxxxxx.exe 96 PID 3892 wrote to memory of 2544 3892 5fxxxxx.exe 96 PID 2544 wrote to memory of 4792 2544 tntnhh.exe 97 PID 2544 wrote to memory of 4792 2544 tntnhh.exe 97 PID 2544 wrote to memory of 4792 2544 tntnhh.exe 97 PID 4792 wrote to memory of 4580 4792 vpvjp.exe 98 PID 4792 wrote to memory of 4580 4792 vpvjp.exe 98 PID 4792 wrote to memory of 4580 4792 vpvjp.exe 98 PID 4580 wrote to memory of 1476 4580 5dppp.exe 99 PID 4580 wrote to memory of 1476 4580 5dppp.exe 99 PID 4580 wrote to memory of 1476 4580 5dppp.exe 99 PID 1476 wrote to memory of 1364 1476 rfrfxrr.exe 100 PID 1476 wrote to memory of 1364 1476 rfrfxrr.exe 100 PID 1476 wrote to memory of 1364 1476 rfrfxrr.exe 100 PID 1364 wrote to memory of 2288 1364 fxffrff.exe 101 PID 1364 wrote to memory of 2288 1364 fxffrff.exe 101 PID 1364 wrote to memory of 2288 1364 fxffrff.exe 101 PID 2288 wrote to memory of 3772 2288 pdvdd.exe 102 PID 2288 wrote to memory of 3772 2288 pdvdd.exe 102 PID 2288 wrote to memory of 3772 2288 pdvdd.exe 102 PID 3772 wrote to memory of 3088 3772 jvddv.exe 103 PID 3772 wrote to memory of 3088 3772 jvddv.exe 103 PID 3772 wrote to memory of 3088 3772 jvddv.exe 103 PID 3088 wrote to memory of 4768 3088 5tbbhn.exe 104 PID 3088 wrote to memory of 4768 3088 5tbbhn.exe 104 PID 3088 wrote to memory of 4768 3088 5tbbhn.exe 104 PID 4768 wrote to memory of 1048 4768 5bbthb.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\c71eef7ed30793a6e179deabd3124e8701144799f0d905584416f2ab6a03062b.exe"C:\Users\Admin\AppData\Local\Temp\c71eef7ed30793a6e179deabd3124e8701144799f0d905584416f2ab6a03062b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\9nbtnn.exec:\9nbtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\vdddd.exec:\vdddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\lfllrxx.exec:\lfllrxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\thbtbb.exec:\thbtbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\1jpjv.exec:\1jpjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\jdjpj.exec:\jdjpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\ffxxrrr.exec:\ffxxrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\ffrllll.exec:\ffrllll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\nhhbbb.exec:\nhhbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\1pjjd.exec:\1pjjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\5fxxxxx.exec:\5fxxxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\tntnhh.exec:\tntnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\vpvjp.exec:\vpvjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\5dppp.exec:\5dppp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\rfrfxrr.exec:\rfrfxrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\fxffrff.exec:\fxffrff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\pdvdd.exec:\pdvdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\jvddv.exec:\jvddv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\5tbbhn.exec:\5tbbhn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\5bbthb.exec:\5bbthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\jvvpp.exec:\jvvpp.exe23⤵
- Executes dropped EXE
PID:1048 -
\??\c:\xrllflx.exec:\xrllflx.exe24⤵
- Executes dropped EXE
PID:1548 -
\??\c:\nbhbbh.exec:\nbhbbh.exe25⤵
- Executes dropped EXE
PID:4512 -
\??\c:\nbbtnn.exec:\nbbtnn.exe26⤵
- Executes dropped EXE
PID:5108 -
\??\c:\pddvj.exec:\pddvj.exe27⤵
- Executes dropped EXE
PID:2412 -
\??\c:\7pvdd.exec:\7pvdd.exe28⤵
- Executes dropped EXE
PID:3456 -
\??\c:\xffrfxl.exec:\xffrfxl.exe29⤵
- Executes dropped EXE
PID:2336 -
\??\c:\bnbhbb.exec:\bnbhbb.exe30⤵
- Executes dropped EXE
PID:1928 -
\??\c:\hbhbtt.exec:\hbhbtt.exe31⤵
- Executes dropped EXE
PID:4740 -
\??\c:\vpddj.exec:\vpddj.exe32⤵
- Executes dropped EXE
PID:3032 -
\??\c:\1flrflf.exec:\1flrflf.exe33⤵
- Executes dropped EXE
PID:2568 -
\??\c:\htnnhh.exec:\htnnhh.exe34⤵
- Executes dropped EXE
PID:2552 -
\??\c:\tbbthh.exec:\tbbthh.exe35⤵
- Executes dropped EXE
PID:2928 -
\??\c:\dvjdp.exec:\dvjdp.exe36⤵
- Executes dropped EXE
PID:2144 -
\??\c:\rfffxxr.exec:\rfffxxr.exe37⤵
- Executes dropped EXE
PID:2468 -
\??\c:\thbtnh.exec:\thbtnh.exe38⤵
- Executes dropped EXE
PID:1280 -
\??\c:\lrflflf.exec:\lrflflf.exe39⤵
- Executes dropped EXE
PID:3536 -
\??\c:\bnbnbn.exec:\bnbnbn.exe40⤵
- Executes dropped EXE
PID:2148 -
\??\c:\bnnbnb.exec:\bnnbnb.exe41⤵
- Executes dropped EXE
PID:4976 -
\??\c:\3jvpp.exec:\3jvpp.exe42⤵
- Executes dropped EXE
PID:4844 -
\??\c:\rfxlxfr.exec:\rfxlxfr.exe43⤵
- Executes dropped EXE
PID:796 -
\??\c:\flfrfrl.exec:\flfrfrl.exe44⤵
- Executes dropped EXE
PID:3012 -
\??\c:\tbbnbt.exec:\tbbnbt.exe45⤵
- Executes dropped EXE
PID:1008 -
\??\c:\bbthtn.exec:\bbthtn.exe46⤵
- Executes dropped EXE
PID:3420 -
\??\c:\pppdp.exec:\pppdp.exe47⤵
- Executes dropped EXE
PID:4244 -
\??\c:\vjdpj.exec:\vjdpj.exe48⤵
- Executes dropped EXE
PID:4428 -
\??\c:\rfxrfxf.exec:\rfxrfxf.exe49⤵
- Executes dropped EXE
PID:1712 -
\??\c:\1rxfxlf.exec:\1rxfxlf.exe50⤵
- Executes dropped EXE
PID:2984 -
\??\c:\7hbtht.exec:\7hbtht.exe51⤵
- Executes dropped EXE
PID:4800 -
\??\c:\5ppdp.exec:\5ppdp.exe52⤵
- Executes dropped EXE
PID:5040 -
\??\c:\jvppv.exec:\jvppv.exe53⤵
- Executes dropped EXE
PID:2700 -
\??\c:\rllffff.exec:\rllffff.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3432 -
\??\c:\xxrlxrf.exec:\xxrlxrf.exe55⤵
- Executes dropped EXE
PID:2316 -
\??\c:\httnbn.exec:\httnbn.exe56⤵
- Executes dropped EXE
PID:1172 -
\??\c:\bttthh.exec:\bttthh.exe57⤵
- Executes dropped EXE
PID:3024 -
\??\c:\7dppd.exec:\7dppd.exe58⤵
- Executes dropped EXE
PID:2936 -
\??\c:\lrrlrrf.exec:\lrrlrrf.exe59⤵
- Executes dropped EXE
PID:3940 -
\??\c:\lxxrlfr.exec:\lxxrlfr.exe60⤵
- Executes dropped EXE
PID:3372 -
\??\c:\btnhbt.exec:\btnhbt.exe61⤵
- Executes dropped EXE
PID:4372 -
\??\c:\hhhtnh.exec:\hhhtnh.exe62⤵
- Executes dropped EXE
PID:1932 -
\??\c:\9pdvd.exec:\9pdvd.exe63⤵
- Executes dropped EXE
PID:2084 -
\??\c:\9ppjv.exec:\9ppjv.exe64⤵
- Executes dropped EXE
PID:4952 -
\??\c:\fxlfrrl.exec:\fxlfrrl.exe65⤵
- Executes dropped EXE
PID:3976 -
\??\c:\3htnnh.exec:\3htnnh.exe66⤵PID:216
-
\??\c:\hnhbnh.exec:\hnhbnh.exe67⤵PID:3600
-
\??\c:\9pvjd.exec:\9pvjd.exe68⤵PID:3724
-
\??\c:\vdjvd.exec:\vdjvd.exe69⤵PID:2120
-
\??\c:\fxfrfrl.exec:\fxfrfrl.exe70⤵PID:4792
-
\??\c:\fxrlxxl.exec:\fxrlxxl.exe71⤵PID:2124
-
\??\c:\1btnhn.exec:\1btnhn.exe72⤵PID:1476
-
\??\c:\nhhbnh.exec:\nhhbnh.exe73⤵PID:3640
-
\??\c:\ppdvd.exec:\ppdvd.exe74⤵PID:3660
-
\??\c:\jdvjv.exec:\jdvjv.exe75⤵PID:3672
-
\??\c:\9xxlfxx.exec:\9xxlfxx.exe76⤵PID:944
-
\??\c:\xffrlff.exec:\xffrlff.exe77⤵PID:2356
-
\??\c:\ntnnhb.exec:\ntnnhb.exe78⤵PID:1748
-
\??\c:\hbthbt.exec:\hbthbt.exe79⤵PID:4216
-
\??\c:\jpjpv.exec:\jpjpv.exe80⤵PID:1384
-
\??\c:\vdppj.exec:\vdppj.exe81⤵PID:448
-
\??\c:\fxllrrf.exec:\fxllrrf.exe82⤵PID:4532
-
\??\c:\rrrfxrf.exec:\rrrfxrf.exe83⤵PID:3520
-
\??\c:\ttbthh.exec:\ttbthh.exe84⤵PID:2236
-
\??\c:\nbthtn.exec:\nbthtn.exe85⤵
- System Location Discovery: System Language Discovery
PID:4944 -
\??\c:\vdvpv.exec:\vdvpv.exe86⤵PID:392
-
\??\c:\pdjvv.exec:\pdjvv.exe87⤵PID:2516
-
\??\c:\lrfxrlx.exec:\lrfxrlx.exe88⤵PID:4628
-
\??\c:\xffxlfr.exec:\xffxlfr.exe89⤵PID:2496
-
\??\c:\nbnbth.exec:\nbnbth.exe90⤵PID:1928
-
\??\c:\thnnbn.exec:\thnnbn.exe91⤵PID:1344
-
\??\c:\dddvp.exec:\dddvp.exe92⤵PID:4680
-
\??\c:\xrrrxxl.exec:\xrrrxxl.exe93⤵PID:4780
-
\??\c:\frlfxxx.exec:\frlfxxx.exe94⤵PID:4432
-
\??\c:\tnbhnn.exec:\tnbhnn.exe95⤵PID:1520
-
\??\c:\nntnhh.exec:\nntnhh.exe96⤵PID:1188
-
\??\c:\vdpdj.exec:\vdpdj.exe97⤵PID:1612
-
\??\c:\vvjjj.exec:\vvjjj.exe98⤵PID:4308
-
\??\c:\llrlxxr.exec:\llrlxxr.exe99⤵PID:3908
-
\??\c:\bntnhh.exec:\bntnhh.exe100⤵PID:1484
-
\??\c:\ttnhhn.exec:\ttnhhn.exe101⤵PID:5044
-
\??\c:\pjvjd.exec:\pjvjd.exe102⤵PID:3536
-
\??\c:\rfxrffx.exec:\rfxrffx.exe103⤵PID:1644
-
\??\c:\hbhbtt.exec:\hbhbtt.exe104⤵PID:1396
-
\??\c:\nbbbnh.exec:\nbbbnh.exe105⤵PID:5052
-
\??\c:\dppjj.exec:\dppjj.exe106⤵PID:2712
-
\??\c:\7fxrflf.exec:\7fxrflf.exe107⤵PID:3012
-
\??\c:\fxrrlrl.exec:\fxrrlrl.exe108⤵PID:1008
-
\??\c:\hbtttt.exec:\hbtttt.exe109⤵PID:852
-
\??\c:\7hnhbb.exec:\7hnhbb.exe110⤵PID:4492
-
\??\c:\vvpjd.exec:\vvpjd.exe111⤵PID:2136
-
\??\c:\lffxrrx.exec:\lffxrrx.exe112⤵PID:1712
-
\??\c:\xrllfff.exec:\xrllfff.exe113⤵PID:3056
-
\??\c:\1bhbtt.exec:\1bhbtt.exe114⤵
- System Location Discovery: System Language Discovery
PID:3928 -
\??\c:\7pddv.exec:\7pddv.exe115⤵PID:972
-
\??\c:\ddjpp.exec:\ddjpp.exe116⤵PID:3960
-
\??\c:\rlfllrl.exec:\rlfllrl.exe117⤵PID:3260
-
\??\c:\bbnbnn.exec:\bbnbnn.exe118⤵PID:468
-
\??\c:\ppvvv.exec:\ppvvv.exe119⤵PID:116
-
\??\c:\ddvpp.exec:\ddvpp.exe120⤵PID:3152
-
\??\c:\lfrrrlx.exec:\lfrrrlx.exe121⤵PID:2800
-
\??\c:\rllrlxx.exec:\rllrlxx.exe122⤵PID:1616