Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:33
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe
-
Size
454KB
-
MD5
4c5e831e17bdbe5a12e353f3d4e3debf
-
SHA1
68d40e6829b7a3d040086abf68e3d1fe58fcb36b
-
SHA256
c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3
-
SHA512
0bd7fe7a742ec891d5582feccd030f68daecbba1659bca416b1b1e3faaa15c45ef834ac89c81a0c6c3a15857f5287f75acd21af7aeb44b5a3f691e58b6e7e5d5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeO:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3760-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1016-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1472-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-778-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-827-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-861-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-919-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-1152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-1159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-1327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4548-1954-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 228 ttntnn.exe 1728 dvdvd.exe 1228 bbbtnn.exe 4584 fxrrlxx.exe 3356 hbnhhh.exe 2148 xrxxffx.exe 2176 djpjp.exe 2868 hbtnhh.exe 2620 vvvjd.exe 1336 9lfxllf.exe 920 nhnhhh.exe 4236 rlffrfl.exe 2528 bnnthn.exe 2004 dvvpj.exe 3520 xlxxrll.exe 4776 7ppjv.exe 3444 btbnnh.exe 2084 5vvjd.exe 3832 9nbtnh.exe 3572 3bnbtt.exe 4616 pdvjv.exe 768 5nnhnt.exe 1016 vdvpp.exe 1104 rxfxlfr.exe 4996 hbbnbt.exe 1360 jdvjv.exe 2708 bhnhtt.exe 5048 3pjdv.exe 4536 pvvpd.exe 2728 5lrllfl.exe 1784 hnthhb.exe 4428 fllxlrl.exe 3912 3htnnh.exe 2696 1vpjv.exe 4244 9fxrrrl.exe 4912 frlxlrf.exe 4552 7nnbtn.exe 2628 pjpdv.exe 2800 1lxrllf.exe 3260 hhnthb.exe 4524 1bbnhb.exe 3372 3dpjd.exe 3128 vdvpj.exe 2848 7lxfxxl.exe 1152 nbhtnh.exe 4644 vpjvj.exe 2140 rlxrxfx.exe 972 btnnbn.exe 3188 1dvpp.exe 816 9vdvd.exe 2268 1xllfxf.exe 4880 btthtt.exe 4788 9bhbnn.exe 2428 pppjd.exe 3196 lfxrffx.exe 948 5ntntt.exe 1336 vppjd.exe 2384 jpddd.exe 2820 frrlfff.exe 2668 7htbtt.exe 3480 pppvj.exe 1668 frrfrxr.exe 1708 5thbbb.exe 1632 dvpdp.exe -
resource yara_rule behavioral2/memory/3760-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-149-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4996-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-326-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1916-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-827-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-861-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xlrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlfrlf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xllfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3760 wrote to memory of 228 3760 c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe 84 PID 3760 wrote to memory of 228 3760 c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe 84 PID 3760 wrote to memory of 228 3760 c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe 84 PID 228 wrote to memory of 1728 228 ttntnn.exe 85 PID 228 wrote to memory of 1728 228 ttntnn.exe 85 PID 228 wrote to memory of 1728 228 ttntnn.exe 85 PID 1728 wrote to memory of 1228 1728 dvdvd.exe 86 PID 1728 wrote to memory of 1228 1728 dvdvd.exe 86 PID 1728 wrote to memory of 1228 1728 dvdvd.exe 86 PID 1228 wrote to memory of 4584 1228 bbbtnn.exe 87 PID 1228 wrote to memory of 4584 1228 bbbtnn.exe 87 PID 1228 wrote to memory of 4584 1228 bbbtnn.exe 87 PID 4584 wrote to memory of 3356 4584 fxrrlxx.exe 88 PID 4584 wrote to memory of 3356 4584 fxrrlxx.exe 88 PID 4584 wrote to memory of 3356 4584 fxrrlxx.exe 88 PID 3356 wrote to memory of 2148 3356 hbnhhh.exe 89 PID 3356 wrote to memory of 2148 3356 hbnhhh.exe 89 PID 3356 wrote to memory of 2148 3356 hbnhhh.exe 89 PID 2148 wrote to memory of 2176 2148 xrxxffx.exe 90 PID 2148 wrote to memory of 2176 2148 xrxxffx.exe 90 PID 2148 wrote to memory of 2176 2148 xrxxffx.exe 90 PID 2176 wrote to memory of 2868 2176 djpjp.exe 91 PID 2176 wrote to memory of 2868 2176 djpjp.exe 91 PID 2176 wrote to memory of 2868 2176 djpjp.exe 91 PID 2868 wrote to memory of 2620 2868 hbtnhh.exe 92 PID 2868 wrote to memory of 2620 2868 hbtnhh.exe 92 PID 2868 wrote to memory of 2620 2868 hbtnhh.exe 92 PID 2620 wrote to memory of 1336 2620 vvvjd.exe 93 PID 2620 wrote to memory of 1336 2620 vvvjd.exe 93 PID 2620 wrote to memory of 1336 2620 vvvjd.exe 93 PID 1336 wrote to memory of 920 1336 9lfxllf.exe 94 PID 1336 wrote to memory of 920 1336 9lfxllf.exe 94 PID 1336 wrote to memory of 920 1336 9lfxllf.exe 94 PID 920 wrote to memory of 4236 920 nhnhhh.exe 95 PID 920 wrote to memory of 4236 
920 nhnhhh.exe 95 PID 920 wrote to memory of 4236 920 nhnhhh.exe 95 PID 4236 wrote to memory of 2528 4236 rlffrfl.exe 96 PID 4236 wrote to memory of 2528 4236 rlffrfl.exe 96 PID 4236 wrote to memory of 2528 4236 rlffrfl.exe 96 PID 2528 wrote to memory of 2004 2528 bnnthn.exe 97 PID 2528 wrote to memory of 2004 2528 bnnthn.exe 97 PID 2528 wrote to memory of 2004 2528 bnnthn.exe 97 PID 2004 wrote to memory of 3520 2004 dvvpj.exe 98 PID 2004 wrote to memory of 3520 2004 dvvpj.exe 98 PID 2004 wrote to memory of 3520 2004 dvvpj.exe 98 PID 3520 wrote to memory of 4776 3520 xlxxrll.exe 99 PID 3520 wrote to memory of 4776 3520 xlxxrll.exe 99 PID 3520 wrote to memory of 4776 3520 xlxxrll.exe 99 PID 4776 wrote to memory of 3444 4776 7ppjv.exe 100 PID 4776 wrote to memory of 3444 4776 7ppjv.exe 100 PID 4776 wrote to memory of 3444 4776 7ppjv.exe 100 PID 3444 wrote to memory of 2084 3444 btbnnh.exe 101 PID 3444 wrote to memory of 2084 3444 btbnnh.exe 101 PID 3444 wrote to memory of 2084 3444 btbnnh.exe 101 PID 2084 wrote to memory of 3832 2084 5vvjd.exe 102 PID 2084 wrote to memory of 3832 2084 5vvjd.exe 102 PID 2084 wrote to memory of 3832 2084 5vvjd.exe 102 PID 3832 wrote to memory of 3572 3832 9nbtnh.exe 103 PID 3832 wrote to memory of 3572 3832 9nbtnh.exe 103 PID 3832 wrote to memory of 3572 3832 9nbtnh.exe 103 PID 3572 wrote to memory of 4616 3572 3bnbtt.exe 104 PID 3572 wrote to memory of 4616 3572 3bnbtt.exe 104 PID 3572 wrote to memory of 4616 3572 3bnbtt.exe 104 PID 4616 wrote to memory of 768 4616 pdvjv.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe"C:\Users\Admin\AppData\Local\Temp\c01f28480ebeee8fcded89057db6cbbb613dd477cbbf25beb2a05012172b2bc3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\ttntnn.exec:\ttntnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\dvdvd.exec:\dvdvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\bbbtnn.exec:\bbbtnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\fxrrlxx.exec:\fxrrlxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\hbnhhh.exec:\hbnhhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\xrxxffx.exec:\xrxxffx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\djpjp.exec:\djpjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\hbtnhh.exec:\hbtnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\vvvjd.exec:\vvvjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\9lfxllf.exec:\9lfxllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\nhnhhh.exec:\nhnhhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\rlffrfl.exec:\rlffrfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\bnnthn.exec:\bnnthn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\dvvpj.exec:\dvvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\xlxxrll.exec:\xlxxrll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\7ppjv.exec:\7ppjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\btbnnh.exec:\btbnnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\5vvjd.exec:\5vvjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\9nbtnh.exec:\9nbtnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\3bnbtt.exec:\3bnbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\pdvjv.exec:\pdvjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\5nnhnt.exec:\5nnhnt.exe23⤵
- Executes dropped EXE
PID:768 -
\??\c:\vdvpp.exec:\vdvpp.exe24⤵
- Executes dropped EXE
PID:1016 -
\??\c:\rxfxlfr.exec:\rxfxlfr.exe25⤵
- Executes dropped EXE
PID:1104 -
\??\c:\hbbnbt.exec:\hbbnbt.exe26⤵
- Executes dropped EXE
PID:4996 -
\??\c:\jdvjv.exec:\jdvjv.exe27⤵
- Executes dropped EXE
PID:1360 -
\??\c:\bhnhtt.exec:\bhnhtt.exe28⤵
- Executes dropped EXE
PID:2708 -
\??\c:\3pjdv.exec:\3pjdv.exe29⤵
- Executes dropped EXE
PID:5048 -
\??\c:\pvvpd.exec:\pvvpd.exe30⤵
- Executes dropped EXE
PID:4536 -
\??\c:\5lrllfl.exec:\5lrllfl.exe31⤵
- Executes dropped EXE
PID:2728 -
\??\c:\hnthhb.exec:\hnthhb.exe32⤵
- Executes dropped EXE
PID:1784 -
\??\c:\fllxlrl.exec:\fllxlrl.exe33⤵
- Executes dropped EXE
PID:4428 -
\??\c:\3htnnh.exec:\3htnnh.exe34⤵
- Executes dropped EXE
PID:3912 -
\??\c:\1vpjv.exec:\1vpjv.exe35⤵
- Executes dropped EXE
PID:2696 -
\??\c:\9fxrrrl.exec:\9fxrrrl.exe36⤵
- Executes dropped EXE
PID:4244 -
\??\c:\frlxlrf.exec:\frlxlrf.exe37⤵
- Executes dropped EXE
PID:4912 -
\??\c:\7nnbtn.exec:\7nnbtn.exe38⤵
- Executes dropped EXE
PID:4552 -
\??\c:\pjpdv.exec:\pjpdv.exe39⤵
- Executes dropped EXE
PID:2628 -
\??\c:\1lxrllf.exec:\1lxrllf.exe40⤵
- Executes dropped EXE
PID:2800 -
\??\c:\hhnthb.exec:\hhnthb.exe41⤵
- Executes dropped EXE
PID:3260 -
\??\c:\1bbnhb.exec:\1bbnhb.exe42⤵
- Executes dropped EXE
PID:4524 -
\??\c:\3dpjd.exec:\3dpjd.exe43⤵
- Executes dropped EXE
PID:3372 -
\??\c:\vdvpj.exec:\vdvpj.exe44⤵
- Executes dropped EXE
PID:3128 -
\??\c:\7lxfxxl.exec:\7lxfxxl.exe45⤵
- Executes dropped EXE
PID:2848 -
\??\c:\nbhtnh.exec:\nbhtnh.exe46⤵
- Executes dropped EXE
PID:1152 -
\??\c:\vpjvj.exec:\vpjvj.exe47⤵
- Executes dropped EXE
PID:4644 -
\??\c:\rlxrxfx.exec:\rlxrxfx.exe48⤵
- Executes dropped EXE
PID:2140 -
\??\c:\btnnbn.exec:\btnnbn.exe49⤵
- Executes dropped EXE
PID:972 -
\??\c:\1dvpp.exec:\1dvpp.exe50⤵
- Executes dropped EXE
PID:3188 -
\??\c:\9vdvd.exec:\9vdvd.exe51⤵
- Executes dropped EXE
PID:816 -
\??\c:\1xllfxf.exec:\1xllfxf.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268 -
\??\c:\btthtt.exec:\btthtt.exe53⤵
- Executes dropped EXE
PID:4880 -
\??\c:\9bhbnn.exec:\9bhbnn.exe54⤵
- Executes dropped EXE
PID:4788 -
\??\c:\pppjd.exec:\pppjd.exe55⤵
- Executes dropped EXE
PID:2428 -
\??\c:\lfxrffx.exec:\lfxrffx.exe56⤵
- Executes dropped EXE
PID:3196 -
\??\c:\5ntntt.exec:\5ntntt.exe57⤵
- Executes dropped EXE
PID:948 -
\??\c:\vppjd.exec:\vppjd.exe58⤵
- Executes dropped EXE
PID:1336 -
\??\c:\jpddd.exec:\jpddd.exe59⤵
- Executes dropped EXE
PID:2384 -
\??\c:\frrlfff.exec:\frrlfff.exe60⤵
- Executes dropped EXE
PID:2820 -
\??\c:\7htbtt.exec:\7htbtt.exe61⤵
- Executes dropped EXE
PID:2668 -
\??\c:\pppvj.exec:\pppvj.exe62⤵
- Executes dropped EXE
PID:3480 -
\??\c:\frrfrxr.exec:\frrfrxr.exe63⤵
- Executes dropped EXE
PID:1668 -
\??\c:\5thbbb.exec:\5thbbb.exe64⤵
- Executes dropped EXE
PID:1708 -
\??\c:\dvpdp.exec:\dvpdp.exe65⤵
- Executes dropped EXE
PID:1632 -
\??\c:\jvpdd.exec:\jvpdd.exe66⤵PID:2864
-
\??\c:\7fxrllf.exec:\7fxrllf.exe67⤵PID:2196
-
\??\c:\bhhbbh.exec:\bhhbbh.exe68⤵PID:2948
-
\??\c:\bbbbtn.exec:\bbbbtn.exe69⤵PID:3696
-
\??\c:\9jdpj.exec:\9jdpj.exe70⤵PID:2540
-
\??\c:\frrrllr.exec:\frrrllr.exe71⤵PID:1472
-
\??\c:\bthbnt.exec:\bthbnt.exe72⤵PID:1660
-
\??\c:\jvddp.exec:\jvddp.exe73⤵PID:4616
-
\??\c:\7pdpj.exec:\7pdpj.exe74⤵PID:768
-
\??\c:\1flfffx.exec:\1flfffx.exe75⤵PID:1916
-
\??\c:\thtnbb.exec:\thtnbb.exe76⤵PID:1988
-
\??\c:\tbhbtt.exec:\tbhbtt.exe77⤵PID:1760
-
\??\c:\ddjvd.exec:\ddjvd.exe78⤵PID:1296
-
\??\c:\3fxrfxf.exec:\3fxrfxf.exe79⤵PID:2024
-
\??\c:\tthhhb.exec:\tthhhb.exe80⤵PID:3124
-
\??\c:\nnnbhh.exec:\nnnbhh.exe81⤵PID:3488
-
\??\c:\pddpd.exec:\pddpd.exe82⤵PID:4656
-
\??\c:\5rxlfxr.exec:\5rxlfxr.exe83⤵PID:3012
-
\??\c:\9hthth.exec:\9hthth.exe84⤵PID:2368
-
\??\c:\5bnbnn.exec:\5bnbnn.exe85⤵PID:4160
-
\??\c:\7jvdv.exec:\7jvdv.exe86⤵
- System Location Discovery: System Language Discovery
PID:3476 -
\??\c:\lrxflxf.exec:\lrxflxf.exe87⤵PID:2676
-
\??\c:\9thttn.exec:\9thttn.exe88⤵PID:2264
-
\??\c:\pvdpd.exec:\pvdpd.exe89⤵PID:1640
-
\??\c:\pjjvp.exec:\pjjvp.exe90⤵PID:4216
-
\??\c:\flfrxrr.exec:\flfrxrr.exe91⤵PID:3008
-
\??\c:\htbnht.exec:\htbnht.exe92⤵PID:4912
-
\??\c:\jvvpp.exec:\jvvpp.exe93⤵PID:5072
-
\??\c:\vdddv.exec:\vdddv.exe94⤵PID:5040
-
\??\c:\flfxllf.exec:\flfxllf.exe95⤵PID:4520
-
\??\c:\ttthtn.exec:\ttthtn.exe96⤵PID:3260
-
\??\c:\jppdv.exec:\jppdv.exe97⤵PID:2672
-
\??\c:\pjdvd.exec:\pjdvd.exe98⤵PID:3372
-
\??\c:\flrfrlf.exec:\flrfrlf.exe99⤵PID:3128
-
\??\c:\tbbbnh.exec:\tbbbnh.exe100⤵PID:1188
-
\??\c:\dpvdj.exec:\dpvdj.exe101⤵PID:3780
-
\??\c:\rflfrrx.exec:\rflfrrx.exe102⤵PID:3844
-
\??\c:\nhnbhb.exec:\nhnbhb.exe103⤵PID:1704
-
\??\c:\thnbth.exec:\thnbth.exe104⤵PID:1084
-
\??\c:\jvvjd.exec:\jvvjd.exe105⤵PID:5032
-
\??\c:\9llfrrl.exec:\9llfrrl.exe106⤵PID:2228
-
\??\c:\hhnbbn.exec:\hhnbbn.exe107⤵PID:2148
-
\??\c:\1jjvj.exec:\1jjvj.exe108⤵PID:2268
-
\??\c:\fxxrxxr.exec:\fxxrxxr.exe109⤵PID:4880
-
\??\c:\fllrrlf.exec:\fllrrlf.exe110⤵PID:848
-
\??\c:\3thbbb.exec:\3thbbb.exe111⤵PID:2428
-
\??\c:\jvjdp.exec:\jvjdp.exe112⤵PID:3196
-
\??\c:\dpdpp.exec:\dpdpp.exe113⤵PID:976
-
\??\c:\xrlfrrl.exec:\xrlfrrl.exe114⤵PID:1336
-
\??\c:\btnbth.exec:\btnbth.exe115⤵PID:2384
-
\??\c:\ntbbnh.exec:\ntbbnh.exe116⤵PID:4940
-
\??\c:\pdvjv.exec:\pdvjv.exe117⤵PID:4012
-
\??\c:\rflxrlf.exec:\rflxrlf.exe118⤵PID:3712
-
\??\c:\thhbnn.exec:\thhbnn.exe119⤵PID:4820
-
\??\c:\1jjdv.exec:\1jjdv.exe120⤵PID:3672
-
\??\c:\1lrlxrr.exec:\1lrlxrr.exe121⤵PID:4780
-
\??\c:\flrfxxr.exec:\flrfxxr.exe122⤵
- System Location Discovery: System Language Discovery
PID:720