Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe
-
Size
455KB
-
MD5
9857eaa42568b103d9f86b1554071cf8
-
SHA1
dd899c3b8e798fe17ad1d38cb81bdde486829503
-
SHA256
c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc
-
SHA512
d7ee82c6d64a2f4fb531e87c419f68ae90fc3942ae640b807f30df6677b5ddb96ebf481bde64c863920d408d0bb8ca19a1a8429f555fb0c8283b2a8434b57969
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR4:q7Tc2NYHUrAwfMp3CDR4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4400-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1788-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1388-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-932-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-975-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1196-1353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4856 1rxrlfr.exe 4420 ffllffx.exe 3568 tnthbt.exe 3516 frrlxxx.exe 3268 nbbtnb.exe 4984 1hnbtn.exe 2276 pjpdd.exe 4564 hbhbbb.exe 2660 nbbnbt.exe 380 vddpj.exe 5024 bthtnh.exe 1096 frrfrrx.exe 3940 hbtnbt.exe 4824 rffxlff.exe 1420 jppdj.exe 2748 1hnhhh.exe 4900 rxfxrrl.exe 3192 3hhbbb.exe 4304 dpvpp.exe 4296 3rrlrrr.exe 4164 xfrrllx.exe 1788 ppdvd.exe 2648 jdppj.exe 2956 7tbttt.exe 2328 3ddvp.exe 4524 llxrxlf.exe 2820 rrrllfr.exe 3696 jjvvv.exe 4516 7nhbtn.exe 3668 jvdvv.exe 4380 hhttnt.exe 4068 5pvpp.exe 3748 bbnhnh.exe 928 7hhhhh.exe 4504 pjpdd.exe 3312 rrllrrf.exe 2064 htbtnb.exe 2536 vdjjd.exe 3772 xlfxxxr.exe 2560 tnthth.exe 3188 1djdp.exe 4544 dpvpj.exe 652 flrllff.exe 5092 btbbbt.exe 1740 ddvjp.exe 4712 rrrrlff.exe 3880 bnnbnb.exe 3956 7djdv.exe 4060 5djjj.exe 3804 lxxrllr.exe 4176 5hhhhh.exe 1948 1vdvp.exe 5052 flffxrr.exe 4288 hnbbht.exe 2460 hbbtnh.exe 376 vdjdv.exe 2324 ffflffl.exe 380 bbnhbb.exe 3484 1vvpp.exe 4800 9jvjd.exe 4336 rlrfrlx.exe 3656 1tttnt.exe 1388 9vpjv.exe 3172 lxrrfxr.exe -
resource yara_rule behavioral2/memory/4400-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-137-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2648-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-350-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3332-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-740-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvv.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4400 wrote to memory of 4856 4400 c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe 83 PID 4400 wrote to memory of 4856 4400 c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe 83 PID 4400 wrote to memory of 4856 4400 c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe 83 PID 4856 wrote to memory of 4420 4856 1rxrlfr.exe 84 PID 4856 wrote to memory of 4420 4856 1rxrlfr.exe 84 PID 4856 wrote to memory of 4420 4856 1rxrlfr.exe 84 PID 4420 wrote to memory of 3568 4420 ffllffx.exe 85 PID 4420 wrote to memory of 3568 4420 ffllffx.exe 85 PID 4420 wrote to memory of 3568 4420 ffllffx.exe 85 PID 3568 wrote to memory of 3516 3568 tnthbt.exe 86 PID 3568 wrote to memory of 3516 3568 tnthbt.exe 86 PID 3568 wrote to memory of 3516 3568 tnthbt.exe 86 PID 3516 wrote to memory of 3268 3516 frrlxxx.exe 87 PID 3516 wrote to memory of 3268 3516 frrlxxx.exe 87 PID 3516 wrote to memory of 3268 3516 frrlxxx.exe 87 PID 3268 wrote to memory of 4984 3268 nbbtnb.exe 88 PID 3268 wrote to memory of 4984 3268 nbbtnb.exe 88 PID 3268 wrote to memory of 4984 3268 nbbtnb.exe 88 PID 4984 wrote to memory of 2276 4984 1hnbtn.exe 89 PID 4984 wrote to memory of 2276 4984 1hnbtn.exe 89 PID 4984 wrote to memory of 2276 4984 1hnbtn.exe 89 PID 2276 wrote to memory of 4564 2276 pjpdd.exe 90 PID 2276 wrote to memory of 4564 2276 pjpdd.exe 90 PID 2276 wrote to memory of 4564 2276 pjpdd.exe 90 PID 4564 wrote to memory of 2660 4564 hbhbbb.exe 91 PID 4564 wrote to memory of 2660 4564 hbhbbb.exe 91 PID 4564 wrote to memory of 2660 4564 hbhbbb.exe 91 PID 2660 wrote to memory of 380 2660 nbbnbt.exe 92 PID 2660 wrote to memory of 380 2660 nbbnbt.exe 92 PID 2660 wrote to memory of 380 2660 nbbnbt.exe 92 PID 380 wrote to memory of 5024 380 vddpj.exe 93 PID 380 wrote to memory of 5024 380 vddpj.exe 93 PID 380 wrote to memory of 5024 380 vddpj.exe 93 PID 5024 wrote to memory of 1096 5024 bthtnh.exe 94 PID 5024 wrote to memory 
of 1096 5024 bthtnh.exe 94 PID 5024 wrote to memory of 1096 5024 bthtnh.exe 94 PID 1096 wrote to memory of 3940 1096 frrfrrx.exe 95 PID 1096 wrote to memory of 3940 1096 frrfrrx.exe 95 PID 1096 wrote to memory of 3940 1096 frrfrrx.exe 95 PID 3940 wrote to memory of 4824 3940 hbtnbt.exe 96 PID 3940 wrote to memory of 4824 3940 hbtnbt.exe 96 PID 3940 wrote to memory of 4824 3940 hbtnbt.exe 96 PID 4824 wrote to memory of 1420 4824 rffxlff.exe 97 PID 4824 wrote to memory of 1420 4824 rffxlff.exe 97 PID 4824 wrote to memory of 1420 4824 rffxlff.exe 97 PID 1420 wrote to memory of 2748 1420 jppdj.exe 98 PID 1420 wrote to memory of 2748 1420 jppdj.exe 98 PID 1420 wrote to memory of 2748 1420 jppdj.exe 98 PID 2748 wrote to memory of 4900 2748 1hnhhh.exe 99 PID 2748 wrote to memory of 4900 2748 1hnhhh.exe 99 PID 2748 wrote to memory of 4900 2748 1hnhhh.exe 99 PID 4900 wrote to memory of 3192 4900 rxfxrrl.exe 100 PID 4900 wrote to memory of 3192 4900 rxfxrrl.exe 100 PID 4900 wrote to memory of 3192 4900 rxfxrrl.exe 100 PID 3192 wrote to memory of 4304 3192 3hhbbb.exe 101 PID 3192 wrote to memory of 4304 3192 3hhbbb.exe 101 PID 3192 wrote to memory of 4304 3192 3hhbbb.exe 101 PID 4304 wrote to memory of 4296 4304 dpvpp.exe 102 PID 4304 wrote to memory of 4296 4304 dpvpp.exe 102 PID 4304 wrote to memory of 4296 4304 dpvpp.exe 102 PID 4296 wrote to memory of 4164 4296 3rrlrrr.exe 103 PID 4296 wrote to memory of 4164 4296 3rrlrrr.exe 103 PID 4296 wrote to memory of 4164 4296 3rrlrrr.exe 103 PID 4164 wrote to memory of 1788 4164 xfrrllx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe"C:\Users\Admin\AppData\Local\Temp\c13fc9f11a5f4ddaddd9b326a4f2dbf8f3ee17cd1dbb3aa1feb25158fe6f59cc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\1rxrlfr.exec:\1rxrlfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\ffllffx.exec:\ffllffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\tnthbt.exec:\tnthbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\frrlxxx.exec:\frrlxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\nbbtnb.exec:\nbbtnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\1hnbtn.exec:\1hnbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\pjpdd.exec:\pjpdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\hbhbbb.exec:\hbhbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\nbbnbt.exec:\nbbnbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\vddpj.exec:\vddpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\bthtnh.exec:\bthtnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\frrfrrx.exec:\frrfrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\hbtnbt.exec:\hbtnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\rffxlff.exec:\rffxlff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\jppdj.exec:\jppdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\1hnhhh.exec:\1hnhhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\3hhbbb.exec:\3hhbbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\dpvpp.exec:\dpvpp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\3rrlrrr.exec:\3rrlrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\xfrrllx.exec:\xfrrllx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\ppdvd.exec:\ppdvd.exe23⤵
- Executes dropped EXE
PID:1788 -
\??\c:\jdppj.exec:\jdppj.exe24⤵
- Executes dropped EXE
PID:2648 -
\??\c:\7tbttt.exec:\7tbttt.exe25⤵
- Executes dropped EXE
PID:2956 -
\??\c:\3ddvp.exec:\3ddvp.exe26⤵
- Executes dropped EXE
PID:2328 -
\??\c:\llxrxlf.exec:\llxrxlf.exe27⤵
- Executes dropped EXE
PID:4524 -
\??\c:\rrrllfr.exec:\rrrllfr.exe28⤵
- Executes dropped EXE
PID:2820 -
\??\c:\jjvvv.exec:\jjvvv.exe29⤵
- Executes dropped EXE
PID:3696 -
\??\c:\7nhbtn.exec:\7nhbtn.exe30⤵
- Executes dropped EXE
PID:4516 -
\??\c:\jvdvv.exec:\jvdvv.exe31⤵
- Executes dropped EXE
PID:3668 -
\??\c:\hhttnt.exec:\hhttnt.exe32⤵
- Executes dropped EXE
PID:4380 -
\??\c:\5pvpp.exec:\5pvpp.exe33⤵
- Executes dropped EXE
PID:4068 -
\??\c:\bbnhnh.exec:\bbnhnh.exe34⤵
- Executes dropped EXE
PID:3748 -
\??\c:\7hhhhh.exec:\7hhhhh.exe35⤵
- Executes dropped EXE
PID:928 -
\??\c:\pjpdd.exec:\pjpdd.exe36⤵
- Executes dropped EXE
PID:4504 -
\??\c:\rrllrrf.exec:\rrllrrf.exe37⤵
- Executes dropped EXE
PID:3312 -
\??\c:\htbtnb.exec:\htbtnb.exe38⤵
- Executes dropped EXE
PID:2064 -
\??\c:\vdjjd.exec:\vdjjd.exe39⤵
- Executes dropped EXE
PID:2536 -
\??\c:\xlfxxxr.exec:\xlfxxxr.exe40⤵
- Executes dropped EXE
PID:3772 -
\??\c:\tnthth.exec:\tnthth.exe41⤵
- Executes dropped EXE
PID:2560 -
\??\c:\1djdp.exec:\1djdp.exe42⤵
- Executes dropped EXE
PID:3188 -
\??\c:\dpvpj.exec:\dpvpj.exe43⤵
- Executes dropped EXE
PID:4544 -
\??\c:\flrllff.exec:\flrllff.exe44⤵
- Executes dropped EXE
PID:652 -
\??\c:\btbbbt.exec:\btbbbt.exe45⤵
- Executes dropped EXE
PID:5092 -
\??\c:\ddvjp.exec:\ddvjp.exe46⤵
- Executes dropped EXE
PID:1740 -
\??\c:\rrrrlff.exec:\rrrrlff.exe47⤵
- Executes dropped EXE
PID:4712 -
\??\c:\bnnbnb.exec:\bnnbnb.exe48⤵
- Executes dropped EXE
PID:3880 -
\??\c:\7djdv.exec:\7djdv.exe49⤵
- Executes dropped EXE
PID:3956 -
\??\c:\5djjj.exec:\5djjj.exe50⤵
- Executes dropped EXE
PID:4060 -
\??\c:\lxxrllr.exec:\lxxrllr.exe51⤵
- Executes dropped EXE
PID:3804 -
\??\c:\5hhhhh.exec:\5hhhhh.exe52⤵
- Executes dropped EXE
PID:4176 -
\??\c:\1vdvp.exec:\1vdvp.exe53⤵
- Executes dropped EXE
PID:1948 -
\??\c:\flffxrr.exec:\flffxrr.exe54⤵
- Executes dropped EXE
PID:5052 -
\??\c:\hnbbht.exec:\hnbbht.exe55⤵
- Executes dropped EXE
PID:4288 -
\??\c:\hbbtnh.exec:\hbbtnh.exe56⤵
- Executes dropped EXE
PID:2460 -
\??\c:\vdjdv.exec:\vdjdv.exe57⤵
- Executes dropped EXE
PID:376 -
\??\c:\ffflffl.exec:\ffflffl.exe58⤵
- Executes dropped EXE
PID:2324 -
\??\c:\bbnhbb.exec:\bbnhbb.exe59⤵
- Executes dropped EXE
PID:380 -
\??\c:\1vvpp.exec:\1vvpp.exe60⤵
- Executes dropped EXE
PID:3484 -
\??\c:\9jvjd.exec:\9jvjd.exe61⤵
- Executes dropped EXE
PID:4800 -
\??\c:\rlrfrlx.exec:\rlrfrlx.exe62⤵
- Executes dropped EXE
PID:4336 -
\??\c:\1tttnt.exec:\1tttnt.exe63⤵
- Executes dropped EXE
PID:3656 -
\??\c:\9vpjv.exec:\9vpjv.exe64⤵
- Executes dropped EXE
PID:1388 -
\??\c:\lxrrfxr.exec:\lxrrfxr.exe65⤵
- Executes dropped EXE
PID:3172 -
\??\c:\bnttbt.exec:\bnttbt.exe66⤵PID:4556
-
\??\c:\pjpdp.exec:\pjpdp.exe67⤵PID:5016
-
\??\c:\dvvpj.exec:\dvvpj.exe68⤵PID:4900
-
\??\c:\fflfxxr.exec:\fflfxxr.exe69⤵PID:440
-
\??\c:\tttnhb.exec:\tttnhb.exe70⤵PID:3100
-
\??\c:\djpjv.exec:\djpjv.exe71⤵PID:3700
-
\??\c:\xllxlfx.exec:\xllxlfx.exe72⤵PID:4932
-
\??\c:\1nnhnt.exec:\1nnhnt.exe73⤵PID:4324
-
\??\c:\nnnnnt.exec:\nnnnnt.exe74⤵PID:2172
-
\??\c:\ppddp.exec:\ppddp.exe75⤵PID:2288
-
\??\c:\ffxfxfx.exec:\ffxfxfx.exe76⤵PID:4172
-
\??\c:\fxlflrl.exec:\fxlflrl.exe77⤵PID:4124
-
\??\c:\hthbnh.exec:\hthbnh.exe78⤵PID:2956
-
\??\c:\jpvpd.exec:\jpvpd.exe79⤵PID:3520
-
\??\c:\xlxrlll.exec:\xlxrlll.exe80⤵PID:1228
-
\??\c:\3rrlffx.exec:\3rrlffx.exe81⤵PID:940
-
\??\c:\hthbnh.exec:\hthbnh.exe82⤵PID:4448
-
\??\c:\1dvpd.exec:\1dvpd.exe83⤵PID:3332
-
\??\c:\ffrlfxx.exec:\ffrlfxx.exe84⤵PID:1912
-
\??\c:\7bbthb.exec:\7bbthb.exe85⤵PID:4536
-
\??\c:\7vvpj.exec:\7vvpj.exe86⤵PID:3608
-
\??\c:\jjppp.exec:\jjppp.exe87⤵PID:4668
-
\??\c:\lxfrrll.exec:\lxfrrll.exe88⤵PID:3988
-
\??\c:\btnnnn.exec:\btnnnn.exe89⤵PID:2904
-
\??\c:\pdpdp.exec:\pdpdp.exe90⤵PID:4864
-
\??\c:\lrrlllf.exec:\lrrlllf.exe91⤵PID:2864
-
\??\c:\bhbhbb.exec:\bhbhbb.exe92⤵PID:2356
-
\??\c:\nnnhbt.exec:\nnnhbt.exe93⤵PID:4140
-
\??\c:\ppjjj.exec:\ppjjj.exe94⤵PID:1328
-
\??\c:\rffrfxx.exec:\rffrfxx.exe95⤵PID:4852
-
\??\c:\rlllfff.exec:\rlllfff.exe96⤵PID:1520
-
\??\c:\bnnhhh.exec:\bnnhhh.exe97⤵PID:700
-
\??\c:\vpvpp.exec:\vpvpp.exe98⤵PID:1660
-
\??\c:\lffxllf.exec:\lffxllf.exe99⤵PID:3188
-
\??\c:\ntbbnb.exec:\ntbbnb.exe100⤵PID:4284
-
\??\c:\nnbhnn.exec:\nnbhnn.exe101⤵PID:3456
-
\??\c:\9vdpd.exec:\9vdpd.exe102⤵PID:3440
-
\??\c:\lrxlxrl.exec:\lrxlxrl.exe103⤵PID:2312
-
\??\c:\nbhhbn.exec:\nbhhbn.exe104⤵PID:636
-
\??\c:\nhtnnn.exec:\nhtnnn.exe105⤵PID:556
-
\??\c:\9jjvj.exec:\9jjvj.exe106⤵PID:3744
-
\??\c:\lfrrlrl.exec:\lfrrlrl.exe107⤵PID:3472
-
\??\c:\bthhbb.exec:\bthhbb.exe108⤵PID:4476
-
\??\c:\vvdvd.exec:\vvdvd.exe109⤵PID:4060
-
\??\c:\pdddv.exec:\pdddv.exe110⤵PID:2256
-
\??\c:\lrrlrlf.exec:\lrrlrlf.exe111⤵PID:2652
-
\??\c:\nhnhnn.exec:\nhnhnn.exe112⤵PID:3640
-
\??\c:\bhnhbt.exec:\bhnhbt.exe113⤵PID:1044
-
\??\c:\jdjdd.exec:\jdjdd.exe114⤵PID:1652
-
\??\c:\pjdvp.exec:\pjdvp.exe115⤵PID:2024
-
\??\c:\xflxlfx.exec:\xflxlfx.exe116⤵PID:4288
-
\??\c:\pdddv.exec:\pdddv.exe117⤵PID:2136
-
\??\c:\1jjdv.exec:\1jjdv.exe118⤵PID:2868
-
\??\c:\xlxrlfx.exec:\xlxrlfx.exe119⤵PID:2896
-
\??\c:\9tnthb.exec:\9tnthb.exe120⤵PID:2516
-
\??\c:\pppjp.exec:\pppjp.exe121⤵PID:380
-
\??\c:\fflfrxx.exec:\fflfrxx.exe122⤵PID:4260