Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:02
Static task
static1
1 signature
Behavioral task
behavioral1 (Windows 7 run, summarised below). Note: the signature hits and process tree further down are all labelled behavioral2 and refer to the windows10-2004_x64 platform listed above, so they appear to come from a separate Windows 10 run rather than from this task.
Sample
c1b25b1371913b22cbba844d9ac8cd5d844e98fc4826eadfb9740f708a4a6d2cN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c1b25b1371913b22cbba844d9ac8cd5d844e98fc4826eadfb9740f708a4a6d2cN.exe
-
Size
456KB
-
MD5
7aeb93f5cb8385c002a3bb03081a4680
-
SHA1
a268e9a3e11008bf1c20e19224e9654ad4d15000
-
SHA256
c1b25b1371913b22cbba844d9ac8cd5d844e98fc4826eadfb9740f708a4a6d2c
-
SHA512
05357d1f34f3717502eac809122dca827ff57f431efbc1e6e0073f7b9571807b62d161efa85be633f728c1c3b5df9181003d5340e027e92b89ab16f7e6797fd0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRg:q7Tc2NYHUrAwfMp3CDRg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs. Every match is on the same in-memory region (0x00400000–0x0042A000) of a different spawned process, i.e. the same image is present in each generation of the chain; the identical regions also match the UPX rule below, so these look like hits on the unpacked in-memory image rather than on the file as written to disk — confirm by comparing the on-disk sample's section names with a memory dump.
resource yara_rule behavioral2/memory/3872-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4744-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2176-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-872-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-926-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-1168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs. The dropped binaries are written to the root of C:\ (see the process tree below) with short names drawn from a small alphabet (b, d, f, h, j, l, n, p, r, t, v, x plus a leading digit); a detection on the pattern "process launched from C:\<random>.exe" is more durable than any single filename. Some PIDs recur in this table (e.g. 4188, 4540, 4608), which indicates earlier processes had exited and the PID was reused — do not treat the PID alone as a stable process identity when correlating with the other tables.
pid Process 212 dddvd.exe 4188 rfrlflf.exe 4824 hbtnbb.exe 5036 pvpjd.exe 4532 jvpjv.exe 4540 llrllfx.exe 4440 hbhbbb.exe 4968 rllllll.exe 832 btbttt.exe 1948 ddddv.exe 4792 jvppp.exe 3340 bbnhhb.exe 4608 tbnhhh.exe 1592 lflllll.exe 808 9nbhbn.exe 4828 jvvpj.exe 4692 jpdvp.exe 4324 vvdvv.exe 3664 xflxrlf.exe 208 rrlfxxr.exe 2540 9frllll.exe 1544 3ffxxxr.exe 2040 htbnhh.exe 4744 lrlxrrr.exe 680 jjpjd.exe 3372 flrlxxr.exe 1032 lrxrrxx.exe 3452 hhnhhb.exe 3032 vppjd.exe 4772 hntnhb.exe 4376 lxxxrxr.exe 1712 lrxrllf.exe 1932 thbtbb.exe 1832 7xlfxxf.exe 4820 btbbhh.exe 2724 vpddj.exe 3420 rllfxxr.exe 464 nhtbtb.exe 4716 dvdjj.exe 4392 ffrfffx.exe 968 xllxxrx.exe 1148 hbbttn.exe 5020 1vdpp.exe 1744 rllflfx.exe 872 ttnhbh.exe 3528 hhnhbb.exe 4284 pvvpj.exe 944 rxxrfxl.exe 2188 nhtnnn.exe 4604 nbbnbb.exe 4240 vpvpj.exe 4188 fxlfxrl.exe 1208 hnnbtt.exe 2320 pdjdd.exe 3116 jdjdv.exe 4540 5xrlfxx.exe 2996 btbnbt.exe 1340 thnhbb.exe 5016 jpvpp.exe 4056 frfxrrr.exe 1652 thnnnb.exe 400 pdddv.exe 2388 jjjdd.exe 5060 lxrlflr.exe -
resource yara_rule behavioral2/memory/3872-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4744-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-369-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4104-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-721-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: the evidence here is only that the NLS\Language registry key was opened (see the IoC list below), which many locale-aware legitimate programs also do, so this signature is weak on its own; most entries are attributed to "Process not Found", which presumably means the accessing process had already exited before the sandbox resolved it.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrxfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs. Each entry pairs a parent with the child PID it launches in the process tree below (3872 → 212 → 4188 → …), with three writes per pair; this is consistent with writes performed during process creation of the dropped executable rather than injection into an unrelated, already-running process. Treat it as corroborating the spawn chain, not as independent evidence of code injection, unless a target PID outside the chain shows up.
description pid Process procid_target PID 3872 wrote to memory of 212 3872 c1b25b1371913b22cbba844d9ac8cd5d844e98fc4826eadfb9740f708a4a6d2cN.exe 83 PID 3872 wrote to memory of 212 3872 c1b25b1371913b22cbba844d9ac8cd5d844e98fc4826eadfb9740f708a4a6d2cN.exe 83 PID 3872 wrote to memory of 212 3872 c1b25b1371913b22cbba844d9ac8cd5d844e98fc4826eadfb9740f708a4a6d2cN.exe 83 PID 212 wrote to memory of 4188 212 dddvd.exe 84 PID 212 wrote to memory of 4188 212 dddvd.exe 84 PID 212 wrote to memory of 4188 212 dddvd.exe 84 PID 4188 wrote to memory of 4824 4188 rfrlflf.exe 85 PID 4188 wrote to memory of 4824 4188 rfrlflf.exe 85 PID 4188 wrote to memory of 4824 4188 rfrlflf.exe 85 PID 4824 wrote to memory of 5036 4824 hbtnbb.exe 86 PID 4824 wrote to memory of 5036 4824 hbtnbb.exe 86 PID 4824 wrote to memory of 5036 4824 hbtnbb.exe 86 PID 5036 wrote to memory of 4532 5036 pvpjd.exe 87 PID 5036 wrote to memory of 4532 5036 pvpjd.exe 87 PID 5036 wrote to memory of 4532 5036 pvpjd.exe 87 PID 4532 wrote to memory of 4540 4532 jvpjv.exe 88 PID 4532 wrote to memory of 4540 4532 jvpjv.exe 88 PID 4532 wrote to memory of 4540 4532 jvpjv.exe 88 PID 4540 wrote to memory of 4440 4540 llrllfx.exe 89 PID 4540 wrote to memory of 4440 4540 llrllfx.exe 89 PID 4540 wrote to memory of 4440 4540 llrllfx.exe 89 PID 4440 wrote to memory of 4968 4440 hbhbbb.exe 90 PID 4440 wrote to memory of 4968 4440 hbhbbb.exe 90 PID 4440 wrote to memory of 4968 4440 hbhbbb.exe 90 PID 4968 wrote to memory of 832 4968 rllllll.exe 91 PID 4968 wrote to memory of 832 4968 rllllll.exe 91 PID 4968 wrote to memory of 832 4968 rllllll.exe 91 PID 832 wrote to memory of 1948 832 btbttt.exe 92 PID 832 wrote to memory of 1948 832 btbttt.exe 92 PID 832 wrote to memory of 1948 832 btbttt.exe 92 PID 1948 wrote to memory of 4792 1948 ddddv.exe 93 PID 1948 wrote to memory of 4792 1948 ddddv.exe 93 PID 1948 wrote to memory of 4792 1948 ddddv.exe 93 PID 4792 wrote to memory of 3340 4792 jvppp.exe 94 PID 4792 wrote to memory of 3340 4792 
jvppp.exe 94 PID 4792 wrote to memory of 3340 4792 jvppp.exe 94 PID 3340 wrote to memory of 4608 3340 bbnhhb.exe 95 PID 3340 wrote to memory of 4608 3340 bbnhhb.exe 95 PID 3340 wrote to memory of 4608 3340 bbnhhb.exe 95 PID 4608 wrote to memory of 1592 4608 tbnhhh.exe 96 PID 4608 wrote to memory of 1592 4608 tbnhhh.exe 96 PID 4608 wrote to memory of 1592 4608 tbnhhh.exe 96 PID 1592 wrote to memory of 808 1592 lflllll.exe 97 PID 1592 wrote to memory of 808 1592 lflllll.exe 97 PID 1592 wrote to memory of 808 1592 lflllll.exe 97 PID 808 wrote to memory of 4828 808 9nbhbn.exe 98 PID 808 wrote to memory of 4828 808 9nbhbn.exe 98 PID 808 wrote to memory of 4828 808 9nbhbn.exe 98 PID 4828 wrote to memory of 4692 4828 jvvpj.exe 99 PID 4828 wrote to memory of 4692 4828 jvvpj.exe 99 PID 4828 wrote to memory of 4692 4828 jvvpj.exe 99 PID 4692 wrote to memory of 4324 4692 jpdvp.exe 100 PID 4692 wrote to memory of 4324 4692 jpdvp.exe 100 PID 4692 wrote to memory of 4324 4692 jpdvp.exe 100 PID 4324 wrote to memory of 3664 4324 vvdvv.exe 101 PID 4324 wrote to memory of 3664 4324 vvdvv.exe 101 PID 4324 wrote to memory of 3664 4324 vvdvv.exe 101 PID 3664 wrote to memory of 208 3664 xflxrlf.exe 102 PID 3664 wrote to memory of 208 3664 xflxrlf.exe 102 PID 3664 wrote to memory of 208 3664 xflxrlf.exe 102 PID 208 wrote to memory of 2540 208 rrlfxxr.exe 103 PID 208 wrote to memory of 2540 208 rrlfxxr.exe 103 PID 208 wrote to memory of 2540 208 rrlfxxr.exe 103 PID 2540 wrote to memory of 1544 2540 9frllll.exe 104
Processes (a single linear chain: the submitted sample launches one dropped executable, which launches the next, to a depth of 122 within the 120-second run; the run ends while the chain is still extending, so the full depth is unknown)
-
C:\Users\Admin\AppData\Local\Temp\c1b25b1371913b22cbba844d9ac8cd5d844e98fc4826eadfb9740f708a4a6d2cN.exe"C:\Users\Admin\AppData\Local\Temp\c1b25b1371913b22cbba844d9ac8cd5d844e98fc4826eadfb9740f708a4a6d2cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\dddvd.exec:\dddvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\rfrlflf.exec:\rfrlflf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\hbtnbb.exec:\hbtnbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\pvpjd.exec:\pvpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\jvpjv.exec:\jvpjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\llrllfx.exec:\llrllfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\hbhbbb.exec:\hbhbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\rllllll.exec:\rllllll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\btbttt.exec:\btbttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\ddddv.exec:\ddddv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\jvppp.exec:\jvppp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\bbnhhb.exec:\bbnhhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\tbnhhh.exec:\tbnhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\lflllll.exec:\lflllll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\9nbhbn.exec:\9nbhbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\jvvpj.exec:\jvvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\jpdvp.exec:\jpdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\vvdvv.exec:\vvdvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\xflxrlf.exec:\xflxrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\rrlfxxr.exec:\rrlfxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\9frllll.exec:\9frllll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\3ffxxxr.exec:\3ffxxxr.exe23⤵
- Executes dropped EXE
PID:1544 -
\??\c:\htbnhh.exec:\htbnhh.exe24⤵
- Executes dropped EXE
PID:2040 -
\??\c:\lrlxrrr.exec:\lrlxrrr.exe25⤵
- Executes dropped EXE
PID:4744 -
\??\c:\jjpjd.exec:\jjpjd.exe26⤵
- Executes dropped EXE
PID:680 -
\??\c:\flrlxxr.exec:\flrlxxr.exe27⤵
- Executes dropped EXE
PID:3372 -
\??\c:\lrxrrxx.exec:\lrxrrxx.exe28⤵
- Executes dropped EXE
PID:1032 -
\??\c:\hhnhhb.exec:\hhnhhb.exe29⤵
- Executes dropped EXE
PID:3452 -
\??\c:\vppjd.exec:\vppjd.exe30⤵
- Executes dropped EXE
PID:3032 -
\??\c:\hntnhb.exec:\hntnhb.exe31⤵
- Executes dropped EXE
PID:4772 -
\??\c:\lxxxrxr.exec:\lxxxrxr.exe32⤵
- Executes dropped EXE
PID:4376 -
\??\c:\lrxrllf.exec:\lrxrllf.exe33⤵
- Executes dropped EXE
PID:1712 -
\??\c:\thbtbb.exec:\thbtbb.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932 -
\??\c:\7xlfxxf.exec:\7xlfxxf.exe35⤵
- Executes dropped EXE
PID:1832 -
\??\c:\btbbhh.exec:\btbbhh.exe36⤵
- Executes dropped EXE
PID:4820 -
\??\c:\vpddj.exec:\vpddj.exe37⤵
- Executes dropped EXE
PID:2724 -
\??\c:\rllfxxr.exec:\rllfxxr.exe38⤵
- Executes dropped EXE
PID:3420 -
\??\c:\nhtbtb.exec:\nhtbtb.exe39⤵
- Executes dropped EXE
PID:464 -
\??\c:\dvdjj.exec:\dvdjj.exe40⤵
- Executes dropped EXE
PID:4716 -
\??\c:\ffrfffx.exec:\ffrfffx.exe41⤵
- Executes dropped EXE
PID:4392 -
\??\c:\xllxxrx.exec:\xllxxrx.exe42⤵
- Executes dropped EXE
PID:968 -
\??\c:\hbbttn.exec:\hbbttn.exe43⤵
- Executes dropped EXE
PID:1148 -
\??\c:\1vdpp.exec:\1vdpp.exe44⤵
- Executes dropped EXE
PID:5020 -
\??\c:\rllflfx.exec:\rllflfx.exe45⤵
- Executes dropped EXE
PID:1744 -
\??\c:\ttnhbh.exec:\ttnhbh.exe46⤵
- Executes dropped EXE
PID:872 -
\??\c:\hhnhbb.exec:\hhnhbb.exe47⤵
- Executes dropped EXE
PID:3528 -
\??\c:\pvvpj.exec:\pvvpj.exe48⤵
- Executes dropped EXE
PID:4284 -
\??\c:\rxxrfxl.exec:\rxxrfxl.exe49⤵
- Executes dropped EXE
PID:944 -
\??\c:\nhtnnn.exec:\nhtnnn.exe50⤵
- Executes dropped EXE
PID:2188 -
\??\c:\nbbnbb.exec:\nbbnbb.exe51⤵
- Executes dropped EXE
PID:4604 -
\??\c:\vpvpj.exec:\vpvpj.exe52⤵
- Executes dropped EXE
PID:4240 -
\??\c:\fxlfxrl.exec:\fxlfxrl.exe53⤵
- Executes dropped EXE
PID:4188 -
\??\c:\hnnbtt.exec:\hnnbtt.exe54⤵
- Executes dropped EXE
PID:1208 -
\??\c:\pdjdd.exec:\pdjdd.exe55⤵
- Executes dropped EXE
PID:2320 -
\??\c:\jdjdv.exec:\jdjdv.exe56⤵
- Executes dropped EXE
PID:3116 -
\??\c:\5xrlfxx.exec:\5xrlfxx.exe57⤵
- Executes dropped EXE
PID:4540 -
\??\c:\btbnbt.exec:\btbnbt.exe58⤵
- Executes dropped EXE
PID:2996 -
\??\c:\thnhbb.exec:\thnhbb.exe59⤵
- Executes dropped EXE
PID:1340 -
\??\c:\jpvpp.exec:\jpvpp.exe60⤵
- Executes dropped EXE
PID:5016 -
\??\c:\frfxrrr.exec:\frfxrrr.exe61⤵
- Executes dropped EXE
PID:4056 -
\??\c:\thnnnb.exec:\thnnnb.exe62⤵
- Executes dropped EXE
PID:1652 -
\??\c:\pdddv.exec:\pdddv.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:400 -
\??\c:\jjjdd.exec:\jjjdd.exe64⤵
- Executes dropped EXE
PID:2388 -
\??\c:\lxrlflr.exec:\lxrlflr.exe65⤵
- Executes dropped EXE
PID:5060 -
\??\c:\hbhbnn.exec:\hbhbnn.exe66⤵PID:3740
-
\??\c:\vdjvp.exec:\vdjvp.exe67⤵PID:2460
-
\??\c:\flrllff.exec:\flrllff.exe68⤵PID:4608
-
\??\c:\nhtbtb.exec:\nhtbtb.exe69⤵PID:4844
-
\??\c:\ppvpj.exec:\ppvpj.exe70⤵PID:1748
-
\??\c:\rllffxx.exec:\rllffxx.exe71⤵PID:924
-
\??\c:\flrlffx.exec:\flrlffx.exe72⤵PID:4216
-
\??\c:\ntbtnb.exec:\ntbtnb.exe73⤵PID:3640
-
\??\c:\vdjvj.exec:\vdjvj.exe74⤵PID:4676
-
\??\c:\xllfxrr.exec:\xllfxrr.exe75⤵PID:1780
-
\??\c:\ntthbn.exec:\ntthbn.exe76⤵PID:4912
-
\??\c:\ppvjv.exec:\ppvjv.exe77⤵PID:4092
-
\??\c:\pdjdv.exec:\pdjdv.exe78⤵PID:4908
-
\??\c:\lllfrrl.exec:\lllfrrl.exe79⤵PID:208
-
\??\c:\7flfffl.exec:\7flfffl.exe80⤵PID:2020
-
\??\c:\ntbthb.exec:\ntbthb.exe81⤵PID:2640
-
\??\c:\7vvpd.exec:\7vvpd.exe82⤵PID:3840
-
\??\c:\3xxlxrf.exec:\3xxlxrf.exe83⤵PID:2176
-
\??\c:\nhhthb.exec:\nhhthb.exe84⤵PID:4224
-
\??\c:\jdjdv.exec:\jdjdv.exe85⤵PID:692
-
\??\c:\1jjvp.exec:\1jjvp.exe86⤵PID:4976
-
\??\c:\ffrlxxx.exec:\ffrlxxx.exe87⤵PID:4104
-
\??\c:\1tthbt.exec:\1tthbt.exe88⤵PID:4428
-
\??\c:\3pppj.exec:\3pppj.exe89⤵PID:3804
-
\??\c:\llxlffx.exec:\llxlffx.exe90⤵PID:1392
-
\??\c:\btbnbt.exec:\btbnbt.exe91⤵PID:3452
-
\??\c:\bbbttn.exec:\bbbttn.exe92⤵PID:4936
-
\??\c:\vvdpj.exec:\vvdpj.exe93⤵PID:2340
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe94⤵PID:4108
-
\??\c:\bnhbnn.exec:\bnhbnn.exe95⤵PID:708
-
\??\c:\bttnbh.exec:\bttnbh.exe96⤵PID:1596
-
\??\c:\jdjdd.exec:\jdjdd.exe97⤵PID:2896
-
\??\c:\rxxlxlf.exec:\rxxlxlf.exe98⤵PID:1564
-
\??\c:\nhnhbb.exec:\nhnhbb.exe99⤵PID:1972
-
\??\c:\thbtnn.exec:\thbtnn.exe100⤵PID:5024
-
\??\c:\lffxrrf.exec:\lffxrrf.exe101⤵PID:1112
-
\??\c:\nttnbb.exec:\nttnbb.exe102⤵PID:464
-
\??\c:\pppjj.exec:\pppjj.exe103⤵PID:1732
-
\??\c:\vpddd.exec:\vpddd.exe104⤵PID:1604
-
\??\c:\lxxxrlf.exec:\lxxxrlf.exe105⤵PID:2396
-
\??\c:\bttnhh.exec:\bttnhh.exe106⤵PID:1304
-
\??\c:\pvdvp.exec:\pvdvp.exe107⤵PID:1200
-
\??\c:\vpvpj.exec:\vpvpj.exe108⤵PID:4944
-
\??\c:\fxlllrx.exec:\fxlllrx.exe109⤵PID:3636
-
\??\c:\hntnbt.exec:\hntnbt.exe110⤵PID:1004
-
\??\c:\djvpd.exec:\djvpd.exe111⤵PID:4316
-
\??\c:\3llxrlf.exec:\3llxrlf.exe112⤵PID:4684
-
\??\c:\tbhbtt.exec:\tbhbtt.exe113⤵PID:1028
-
\??\c:\3ddpd.exec:\3ddpd.exe114⤵PID:3292
-
\??\c:\pvdvp.exec:\pvdvp.exe115⤵PID:3660
-
\??\c:\xfxxrrl.exec:\xfxxrrl.exe116⤵PID:1156
-
\??\c:\3nnhtn.exec:\3nnhtn.exe117⤵PID:1208
-
\??\c:\vdpdv.exec:\vdpdv.exe118⤵PID:4708
-
\??\c:\frxrrrr.exec:\frxrrrr.exe119⤵PID:1316
-
\??\c:\frxxxff.exec:\frxxxff.exe120⤵PID:3012
-
\??\c:\hbhbbb.exec:\hbhbbb.exe121⤵PID:2356
-
\??\c:\bbnhhh.exec:\bbnhhh.exe122⤵PID:5072