Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-12-2024 18:45
Static task
static1
1 signatures
Behavioral task
behavioral1 (note: the signature hits and memory dumps listed below are all tagged behavioral2, which appears to be the win10v2004 x64 run described under Analysis; behavioral1 appears to be the Windows 7 run listed next under Sample)
Sample
c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe
-
Size
455KB
-
MD5
9857eaa42568b103d9f86b1554071cf8
-
SHA1
dd899c3b8e798fe17ad1d38cb81bdde486829503
-
SHA256
c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc
-
SHA512
d7ee82c6d64a2f4fb531e87c419f68ae90fc3942ae640b807f30df6677b5ddb96ebf481bde64c863920d408d0bb8ca19a1a8429f555fb0c8283b2a8434b57969
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR4:q7Tc2NYHUrAwfMp3CDR4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 64 IoCs (the listing is capped at 64 entries; the process tree below runs to depth 122). Every hit is an in-memory YARA match on the same 0x00400000–0x0042A000 image region of a dropped child process, so these are memory-dump IoCs rather than on-disk file hashes. The UPX signature further down matches the identical regions, so the dropped files are presumably UPX-packed and only the unpacked in-memory image carries the family pattern.
resource yara_rule behavioral2/memory/3116-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3104-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2776-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-761-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-1229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-1233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/536-1541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (capped at 64; the process tree below continues to depth 122). The dropped executables are written to the root of C:\ with short random-looking names and each one spawns the next, forming a single linear chain. PIDs are reused during the 120 s run (e.g. 1264 is tnbthh.exe, nbbtbt.exe and nnhthb.exe; 3164 is thnhhb.exe and tthhhh.exe; 5088 is nbtnbt.exe and 1vjvp.exe), so correlate entries by PID together with image name, never by PID alone.
pid Process 3116 1tbnnb.exe 1868 vvvjv.exe 4456 ddjdp.exe 2208 7fxlxxl.exe 1264 tnbthh.exe 764 1jppd.exe 932 1dpvv.exe 5088 nbtnbt.exe 3628 vvvjd.exe 4808 fxrlfxx.exe 2092 tnttnt.exe 3088 3xrlffx.exe 3548 bbhbtn.exe 3744 hbtnhb.exe 2788 dpppp.exe 2080 xffrfxl.exe 3164 thnhhb.exe 1936 5jvjj.exe 2280 ppjpd.exe 4576 3ffxllx.exe 3236 bnnbnh.exe 4416 vppdj.exe 512 xfxxfxx.exe 2264 nhbnht.exe 3484 vdvjv.exe 1772 llfxxrr.exe 2600 9pjvp.exe 4956 fxfxxrf.exe 2776 btthtn.exe 2880 pjjjd.exe 4908 rlxrfrf.exe 4516 hhnbtn.exe 3720 thnbhb.exe 3140 jvdpp.exe 760 xrxrxrl.exe 972 nnnhbt.exe 1800 vpvjp.exe 620 jjpdv.exe 3032 bntnnn.exe 3752 1hnhtt.exe 3064 pdvpj.exe 4860 xlxrlfr.exe 4856 1llfffl.exe 2632 1hhthh.exe 3640 nbthbb.exe 4392 jpvpp.exe 1068 fffxrlf.exe 3856 fflxlfx.exe 3024 5tthtb.exe 4736 hhnhtn.exe 232 dppjv.exe 2836 xlrlrlf.exe 4780 7ttbbt.exe 1264 nbbtbt.exe 2772 djvjv.exe 3964 dpvjv.exe 4092 3xxxffr.exe 4700 bnhntn.exe 3620 hhhtnn.exe 3876 1pjdp.exe 2276 fxfrlxx.exe 3564 nbtnbt.exe 2780 jpjvv.exe 1440 xxlxxlf.exe -
resource yara_rule behavioral2/memory/3116-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-350-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3896-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-134-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3236-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-761-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-1229-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs (capped)
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). Each IoC is an open of the registry key HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Entries attributed to "Process not Found" are opens the sandbox could not map back to a process by the time the report was generated, presumably because the dropped executables exit quickly; in an otherwise idle sandbox image they most likely belong to this sample's process chain.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
frrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvv.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (capped). Every entry is a parent writing to the child it has just spawned, three times per child, walking down the same linear chain as the process tree (1948 → 3116 → 1868 → 4456 → …). No write targets a pre-existing system process, so this pattern is more consistent with ordinary child-process startup than with injection into another process; treat it as corroboration of the chain rather than as an injection indicator by itself.
description pid Process procid_target PID 1948 wrote to memory of 3116 1948 c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe 82 PID 1948 wrote to memory of 3116 1948 c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe 82 PID 1948 wrote to memory of 3116 1948 c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe 82 PID 3116 wrote to memory of 1868 3116 1tbnnb.exe 83 PID 3116 wrote to memory of 1868 3116 1tbnnb.exe 83 PID 3116 wrote to memory of 1868 3116 1tbnnb.exe 83 PID 1868 wrote to memory of 4456 1868 vvvjv.exe 84 PID 1868 wrote to memory of 4456 1868 vvvjv.exe 84 PID 1868 wrote to memory of 4456 1868 vvvjv.exe 84 PID 4456 wrote to memory of 2208 4456 ddjdp.exe 85 PID 4456 wrote to memory of 2208 4456 ddjdp.exe 85 PID 4456 wrote to memory of 2208 4456 ddjdp.exe 85 PID 2208 wrote to memory of 1264 2208 7fxlxxl.exe 86 PID 2208 wrote to memory of 1264 2208 7fxlxxl.exe 86 PID 2208 wrote to memory of 1264 2208 7fxlxxl.exe 86 PID 1264 wrote to memory of 764 1264 tnbthh.exe 87 PID 1264 wrote to memory of 764 1264 tnbthh.exe 87 PID 1264 wrote to memory of 764 1264 tnbthh.exe 87 PID 764 wrote to memory of 932 764 1jppd.exe 88 PID 764 wrote to memory of 932 764 1jppd.exe 88 PID 764 wrote to memory of 932 764 1jppd.exe 88 PID 932 wrote to memory of 5088 932 1dpvv.exe 89 PID 932 wrote to memory of 5088 932 1dpvv.exe 89 PID 932 wrote to memory of 5088 932 1dpvv.exe 89 PID 5088 wrote to memory of 3628 5088 nbtnbt.exe 90 PID 5088 wrote to memory of 3628 5088 nbtnbt.exe 90 PID 5088 wrote to memory of 3628 5088 nbtnbt.exe 90 PID 3628 wrote to memory of 4808 3628 vvvjd.exe 91 PID 3628 wrote to memory of 4808 3628 vvvjd.exe 91 PID 3628 wrote to memory of 4808 3628 vvvjd.exe 91 PID 4808 wrote to memory of 2092 4808 fxrlfxx.exe 92 PID 4808 wrote to memory of 2092 4808 fxrlfxx.exe 92 PID 4808 wrote to memory of 2092 4808 fxrlfxx.exe 92 PID 2092 wrote to memory of 3088 2092 tnttnt.exe 93 PID 2092 wrote to memory of 3088 2092 
tnttnt.exe 93 PID 2092 wrote to memory of 3088 2092 tnttnt.exe 93 PID 3088 wrote to memory of 3548 3088 3xrlffx.exe 94 PID 3088 wrote to memory of 3548 3088 3xrlffx.exe 94 PID 3088 wrote to memory of 3548 3088 3xrlffx.exe 94 PID 3548 wrote to memory of 3744 3548 bbhbtn.exe 95 PID 3548 wrote to memory of 3744 3548 bbhbtn.exe 95 PID 3548 wrote to memory of 3744 3548 bbhbtn.exe 95 PID 3744 wrote to memory of 2788 3744 hbtnhb.exe 96 PID 3744 wrote to memory of 2788 3744 hbtnhb.exe 96 PID 3744 wrote to memory of 2788 3744 hbtnhb.exe 96 PID 2788 wrote to memory of 2080 2788 dpppp.exe 97 PID 2788 wrote to memory of 2080 2788 dpppp.exe 97 PID 2788 wrote to memory of 2080 2788 dpppp.exe 97 PID 2080 wrote to memory of 3164 2080 xffrfxl.exe 98 PID 2080 wrote to memory of 3164 2080 xffrfxl.exe 98 PID 2080 wrote to memory of 3164 2080 xffrfxl.exe 98 PID 3164 wrote to memory of 1936 3164 thnhhb.exe 99 PID 3164 wrote to memory of 1936 3164 thnhhb.exe 99 PID 3164 wrote to memory of 1936 3164 thnhhb.exe 99 PID 1936 wrote to memory of 2280 1936 5jvjj.exe 100 PID 1936 wrote to memory of 2280 1936 5jvjj.exe 100 PID 1936 wrote to memory of 2280 1936 5jvjj.exe 100 PID 2280 wrote to memory of 4576 2280 ppjpd.exe 101 PID 2280 wrote to memory of 4576 2280 ppjpd.exe 101 PID 2280 wrote to memory of 4576 2280 ppjpd.exe 101 PID 4576 wrote to memory of 3236 4576 3ffxllx.exe 102 PID 4576 wrote to memory of 3236 4576 3ffxllx.exe 102 PID 4576 wrote to memory of 3236 4576 3ffxllx.exe 102 PID 3236 wrote to memory of 4416 3236 bnnbnh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe"C:\Users\Admin\AppData\Local\Temp\c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\1tbnnb.exec:\1tbnnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\vvvjv.exec:\vvvjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\ddjdp.exec:\ddjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\7fxlxxl.exec:\7fxlxxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\tnbthh.exec:\tnbthh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\1jppd.exec:\1jppd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\1dpvv.exec:\1dpvv.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\nbtnbt.exec:\nbtnbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\vvvjd.exec:\vvvjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\fxrlfxx.exec:\fxrlfxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\tnttnt.exec:\tnttnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\3xrlffx.exec:\3xrlffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\bbhbtn.exec:\bbhbtn.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\hbtnhb.exec:\hbtnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\dpppp.exec:\dpppp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\xffrfxl.exec:\xffrfxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\thnhhb.exec:\thnhhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\5jvjj.exec:\5jvjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\ppjpd.exec:\ppjpd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\3ffxllx.exec:\3ffxllx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\bnnbnh.exec:\bnnbnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\vppdj.exec:\vppdj.exe23⤵
- Executes dropped EXE
PID:4416 -
\??\c:\xfxxfxx.exec:\xfxxfxx.exe24⤵
- Executes dropped EXE
PID:512 -
\??\c:\nhbnht.exec:\nhbnht.exe25⤵
- Executes dropped EXE
PID:2264 -
\??\c:\vdvjv.exec:\vdvjv.exe26⤵
- Executes dropped EXE
PID:3484 -
\??\c:\llfxxrr.exec:\llfxxrr.exe27⤵
- Executes dropped EXE
PID:1772 -
\??\c:\9pjvp.exec:\9pjvp.exe28⤵
- Executes dropped EXE
PID:2600 -
\??\c:\fxfxxrf.exec:\fxfxxrf.exe29⤵
- Executes dropped EXE
PID:4956 -
\??\c:\btthtn.exec:\btthtn.exe30⤵
- Executes dropped EXE
PID:2776 -
\??\c:\pjjjd.exec:\pjjjd.exe31⤵
- Executes dropped EXE
PID:2880 -
\??\c:\rlxrfrf.exec:\rlxrfrf.exe32⤵
- Executes dropped EXE
PID:4908 -
\??\c:\hhnbtn.exec:\hhnbtn.exe33⤵
- Executes dropped EXE
PID:4516 -
\??\c:\thnbhb.exec:\thnbhb.exe34⤵
- Executes dropped EXE
PID:3720 -
\??\c:\jvdpp.exec:\jvdpp.exe35⤵
- Executes dropped EXE
PID:3140 -
\??\c:\xrxrxrl.exec:\xrxrxrl.exe36⤵
- Executes dropped EXE
PID:760 -
\??\c:\nnnhbt.exec:\nnnhbt.exe37⤵
- Executes dropped EXE
PID:972 -
\??\c:\vpvjp.exec:\vpvjp.exe38⤵
- Executes dropped EXE
PID:1800 -
\??\c:\jjpdv.exec:\jjpdv.exe39⤵
- Executes dropped EXE
PID:620 -
\??\c:\bntnnn.exec:\bntnnn.exe40⤵
- Executes dropped EXE
PID:3032 -
\??\c:\1hnhtt.exec:\1hnhtt.exe41⤵
- Executes dropped EXE
PID:3752 -
\??\c:\pdvpj.exec:\pdvpj.exe42⤵
- Executes dropped EXE
PID:3064 -
\??\c:\xlxrlfr.exec:\xlxrlfr.exe43⤵
- Executes dropped EXE
PID:4860 -
\??\c:\1llfffl.exec:\1llfffl.exe44⤵
- Executes dropped EXE
PID:4856 -
\??\c:\1hhthh.exec:\1hhthh.exe45⤵
- Executes dropped EXE
PID:2632 -
\??\c:\nbthbb.exec:\nbthbb.exe46⤵
- Executes dropped EXE
PID:3640 -
\??\c:\jpvpp.exec:\jpvpp.exe47⤵
- Executes dropped EXE
PID:4392 -
\??\c:\fffxrlf.exec:\fffxrlf.exe48⤵
- Executes dropped EXE
PID:1068 -
\??\c:\fflxlfx.exec:\fflxlfx.exe49⤵
- Executes dropped EXE
PID:3856 -
\??\c:\5tthtb.exec:\5tthtb.exe50⤵
- Executes dropped EXE
PID:3024 -
\??\c:\hhnhtn.exec:\hhnhtn.exe51⤵
- Executes dropped EXE
PID:4736 -
\??\c:\dppjv.exec:\dppjv.exe52⤵
- Executes dropped EXE
PID:232 -
\??\c:\xlrlrlf.exec:\xlrlrlf.exe53⤵
- Executes dropped EXE
PID:2836 -
\??\c:\7ttbbt.exec:\7ttbbt.exe54⤵
- Executes dropped EXE
PID:4780 -
\??\c:\nbbtbt.exec:\nbbtbt.exe55⤵
- Executes dropped EXE
PID:1264 -
\??\c:\djvjv.exec:\djvjv.exe56⤵
- Executes dropped EXE
PID:2772 -
\??\c:\dpvjv.exec:\dpvjv.exe57⤵
- Executes dropped EXE
PID:3964 -
\??\c:\3xxxffr.exec:\3xxxffr.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4092 -
\??\c:\bnhntn.exec:\bnhntn.exe59⤵
- Executes dropped EXE
PID:4700 -
\??\c:\hhhtnn.exec:\hhhtnn.exe60⤵
- Executes dropped EXE
PID:3620 -
\??\c:\1pjdp.exec:\1pjdp.exe61⤵
- Executes dropped EXE
PID:3876 -
\??\c:\fxfrlxx.exec:\fxfrlxx.exe62⤵
- Executes dropped EXE
PID:2276 -
\??\c:\nbtnbt.exec:\nbtnbt.exe63⤵
- Executes dropped EXE
PID:3564 -
\??\c:\jpjvv.exec:\jpjvv.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2780 -
\??\c:\xxlxxlf.exec:\xxlxxlf.exe65⤵
- Executes dropped EXE
PID:1440 -
\??\c:\frxlxfr.exec:\frxlxfr.exe66⤵PID:2408
-
\??\c:\nnhnhb.exec:\nnhnhb.exe67⤵PID:2284
-
\??\c:\jjvjd.exec:\jjvjd.exe68⤵PID:2788
-
\??\c:\dpdpp.exec:\dpdpp.exe69⤵PID:4304
-
\??\c:\xllxlfx.exec:\xllxlfx.exe70⤵PID:1928
-
\??\c:\tthhhh.exec:\tthhhh.exe71⤵PID:3164
-
\??\c:\1hhtnh.exec:\1hhtnh.exe72⤵PID:820
-
\??\c:\dpppd.exec:\dpppd.exe73⤵PID:3960
-
\??\c:\fxxfrfr.exec:\fxxfrfr.exe74⤵PID:1828
-
\??\c:\rfxlfxl.exec:\rfxlfxl.exe75⤵PID:4208
-
\??\c:\9bbnbt.exec:\9bbnbt.exe76⤵PID:3332
-
\??\c:\nhtnbh.exec:\nhtnbh.exe77⤵PID:2184
-
\??\c:\pjdpj.exec:\pjdpj.exe78⤵PID:4612
-
\??\c:\rlflxrf.exec:\rlflxrf.exe79⤵PID:532
-
\??\c:\7fxlxxr.exec:\7fxlxxr.exe80⤵PID:3104
-
\??\c:\btthhb.exec:\btthhb.exe81⤵PID:4220
-
\??\c:\5tnhhh.exec:\5tnhhh.exe82⤵PID:4284
-
\??\c:\jvvjv.exec:\jvvjv.exe83⤵PID:1972
-
\??\c:\7ffrfrl.exec:\7ffrfrl.exe84⤵PID:4204
-
\??\c:\rlxfxll.exec:\rlxfxll.exe85⤵PID:2840
-
\??\c:\btbtbt.exec:\btbtbt.exe86⤵PID:3580
-
\??\c:\hbttnh.exec:\hbttnh.exe87⤵PID:412
-
\??\c:\jppdp.exec:\jppdp.exe88⤵PID:2164
-
\??\c:\rrfxxrf.exec:\rrfxxrf.exe89⤵PID:1244
-
\??\c:\frrlfxx.exec:\frrlfxx.exe90⤵PID:3840
-
\??\c:\thhtnh.exec:\thhtnh.exe91⤵PID:4868
-
\??\c:\nbbnbt.exec:\nbbnbt.exe92⤵PID:2696
-
\??\c:\dvdjj.exec:\dvdjj.exe93⤵PID:1652
-
\??\c:\lxxlxxx.exec:\lxxlxxx.exe94⤵PID:392
-
\??\c:\3fxlfxl.exec:\3fxlfxl.exe95⤵PID:3308
-
\??\c:\hbthtn.exec:\hbthtn.exe96⤵PID:2044
-
\??\c:\pvpvj.exec:\pvpvj.exe97⤵PID:1048
-
\??\c:\jvjdv.exec:\jvjdv.exe98⤵PID:1232
-
\??\c:\frrfrfr.exec:\frrfrfr.exe99⤵PID:628
-
\??\c:\3llxrrl.exec:\3llxrrl.exe100⤵PID:3808
-
\??\c:\bbhbnb.exec:\bbhbnb.exe101⤵PID:3692
-
\??\c:\dppjv.exec:\dppjv.exe102⤵PID:2784
-
\??\c:\vjpjp.exec:\vjpjp.exe103⤵PID:2288
-
\??\c:\lxlfxrf.exec:\lxlfxrf.exe104⤵PID:4376
-
\??\c:\fxlxlxf.exec:\fxlxlxf.exe105⤵PID:3640
-
\??\c:\htnhbt.exec:\htnhbt.exe106⤵PID:448
-
\??\c:\dppvp.exec:\dppvp.exe107⤵PID:4608
-
\??\c:\pvpdv.exec:\pvpdv.exe108⤵PID:1016
-
\??\c:\xrxrxxl.exec:\xrxrxxl.exe109⤵PID:588
-
\??\c:\5nbnbt.exec:\5nbnbt.exe110⤵PID:432
-
\??\c:\bnnhnh.exec:\bnnhnh.exe111⤵PID:4312
-
\??\c:\pdvjd.exec:\pdvjd.exe112⤵PID:4000
-
\??\c:\vvvjp.exec:\vvvjp.exe113⤵PID:4816
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe114⤵PID:3896
-
\??\c:\nnhthb.exec:\nnhthb.exe115⤵PID:1264
-
\??\c:\bnnbnh.exec:\bnnbnh.exe116⤵PID:4216
-
\??\c:\jvjvp.exec:\jvjvp.exe117⤵PID:2652
-
\??\c:\1vjvp.exec:\1vjvp.exe118⤵PID:5088
-
\??\c:\ffxrfxl.exec:\ffxrfxl.exe119⤵PID:4040
-
\??\c:\1bnbnh.exec:\1bnbnh.exe120⤵PID:3988
-
\??\c:\bbbnhb.exec:\bbbnhb.exe121⤵PID:2324
-
\??\c:\vddjj.exec:\vddjj.exe122⤵PID:2360