Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25/12/2024, 16:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2cc950ee1a73bd99739406309befec41b994084048a1a44cfb1c8b7df045d867N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
2cc950ee1a73bd99739406309befec41b994084048a1a44cfb1c8b7df045d867N.exe
-
Size
453KB
-
MD5
7f36f13f2aa2a43da3458c44b3f19b40
-
SHA1
d6a5964b07bd3d3cca415aa8b7547a3ad17b751a
-
SHA256
2cc950ee1a73bd99739406309befec41b994084048a1a44cfb1c8b7df045d867
-
SHA512
13ee582fd27bcda4cdf06d5f7fb6df521aa2bea0cb57370dad11f4e9a3f46c0448517cb9fec4d41482af1398d0f1757a4f2dce8ac1b30951e5e5f9164d2f3b3e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2728-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1836-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/796-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4048-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-1032-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-1231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-1243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-1572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4816 djddp.exe 764 rflxfff.exe 1124 bnbbbt.exe 3372 pjvpv.exe 5088 lflllxx.exe 4844 tnhhhb.exe 1392 7nnnhn.exe 224 thhhbb.exe 1884 7ppvp.exe 4016 vvvvd.exe 3340 rffrfrf.exe 3148 jddvp.exe 2504 bnnbtn.exe 4756 vpdvj.exe 1720 vjdvp.exe 4948 dvvdp.exe 1364 ntbnhb.exe 1332 hbthtn.exe 5012 ddjdv.exe 1380 tbbhhh.exe 5108 pjdvp.exe 4804 ddjdp.exe 3544 nhtnbb.exe 1412 3vpjd.exe 1832 lxxrlfl.exe 1836 fxlxrlf.exe 2928 pvvjd.exe 2788 flxrllf.exe 2568 htthtn.exe 4100 dpjvp.exe 796 7rflrrl.exe 972 hnbnbt.exe 4228 pjvpp.exe 1640 nbbtnh.exe 2196 pjpjd.exe 808 lxrfxfr.exe 2004 hntnbt.exe 3328 3nhbnn.exe 4540 5rxrlll.exe 3408 tnnhhh.exe 5072 lffxrlf.exe 3552 9tnhnn.exe 3732 ddpvd.exe 3876 rfffffl.exe 4256 ttnnnt.exe 2188 vvpjv.exe 4520 ddjdv.exe 1580 rxrrlrx.exe 4372 tbhhhn.exe 2784 pjvpv.exe 540 5rrrrfr.exe 4676 nnnntb.exe 3588 jvddd.exe 2528 rxffflr.exe 3372 hthhhh.exe 4500 7dddv.exe 3488 pjvvv.exe 5008 xxxffrf.exe 3016 nntttb.exe 1384 1pvpp.exe 4772 ddjvv.exe 2088 ffffxff.exe 448 vpddj.exe 1960 ppppv.exe -
resource yara_rule behavioral2/memory/2728-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-135-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3544-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/796-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-300-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4048-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-595-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7httnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhbb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2728 wrote to memory of 4816 2728 2cc950ee1a73bd99739406309befec41b994084048a1a44cfb1c8b7df045d867N.exe 83 PID 2728 wrote to memory of 4816 2728 2cc950ee1a73bd99739406309befec41b994084048a1a44cfb1c8b7df045d867N.exe 83 PID 2728 wrote to memory of 4816 2728 2cc950ee1a73bd99739406309befec41b994084048a1a44cfb1c8b7df045d867N.exe 83 PID 4816 wrote to memory of 764 4816 djddp.exe 84 PID 4816 wrote to memory of 764 4816 djddp.exe 84 PID 4816 wrote to memory of 764 4816 djddp.exe 84 PID 764 wrote to memory of 1124 764 rflxfff.exe 85 PID 764 wrote to memory of 1124 764 rflxfff.exe 85 PID 764 wrote to memory of 1124 764 rflxfff.exe 85 PID 1124 wrote to memory of 3372 1124 bnbbbt.exe 86 PID 1124 wrote to memory of 3372 1124 bnbbbt.exe 86 PID 1124 wrote to memory of 3372 1124 bnbbbt.exe 86 PID 3372 wrote to memory of 5088 3372 pjvpv.exe 87 PID 3372 wrote to memory of 5088 3372 pjvpv.exe 87 PID 3372 wrote to memory of 5088 3372 pjvpv.exe 87 PID 5088 wrote to memory of 4844 5088 lflllxx.exe 88 PID 5088 wrote to memory of 4844 5088 lflllxx.exe 88 PID 5088 wrote to memory of 4844 5088 lflllxx.exe 88 PID 4844 wrote to memory of 1392 4844 tnhhhb.exe 89 PID 4844 wrote to memory of 1392 4844 tnhhhb.exe 89 PID 4844 wrote to memory of 1392 4844 tnhhhb.exe 89 PID 1392 wrote to memory of 224 1392 7nnnhn.exe 90 PID 1392 wrote to memory of 224 1392 7nnnhn.exe 90 PID 1392 wrote to memory of 224 1392 7nnnhn.exe 90 PID 224 wrote to memory of 1884 224 thhhbb.exe 91 PID 224 wrote to memory of 1884 224 thhhbb.exe 91 PID 224 wrote to memory of 1884 224 thhhbb.exe 91 PID 1884 wrote to memory of 4016 1884 7ppvp.exe 92 PID 1884 wrote to memory of 4016 1884 7ppvp.exe 92 PID 1884 wrote to memory of 4016 1884 7ppvp.exe 92 PID 4016 wrote to memory of 3340 4016 vvvvd.exe 93 PID 4016 wrote to memory of 3340 4016 vvvvd.exe 93 PID 4016 wrote to memory of 3340 4016 vvvvd.exe 93 PID 3340 wrote to memory of 3148 3340 rffrfrf.exe 94 PID 3340 wrote to memory of 3148 3340 
rffrfrf.exe 94 PID 3340 wrote to memory of 3148 3340 rffrfrf.exe 94 PID 3148 wrote to memory of 2504 3148 jddvp.exe 95 PID 3148 wrote to memory of 2504 3148 jddvp.exe 95 PID 3148 wrote to memory of 2504 3148 jddvp.exe 95 PID 2504 wrote to memory of 4756 2504 bnnbtn.exe 96 PID 2504 wrote to memory of 4756 2504 bnnbtn.exe 96 PID 2504 wrote to memory of 4756 2504 bnnbtn.exe 96 PID 4756 wrote to memory of 1720 4756 vpdvj.exe 97 PID 4756 wrote to memory of 1720 4756 vpdvj.exe 97 PID 4756 wrote to memory of 1720 4756 vpdvj.exe 97 PID 1720 wrote to memory of 4948 1720 vjdvp.exe 98 PID 1720 wrote to memory of 4948 1720 vjdvp.exe 98 PID 1720 wrote to memory of 4948 1720 vjdvp.exe 98 PID 4948 wrote to memory of 1364 4948 dvvdp.exe 99 PID 4948 wrote to memory of 1364 4948 dvvdp.exe 99 PID 4948 wrote to memory of 1364 4948 dvvdp.exe 99 PID 1364 wrote to memory of 1332 1364 ntbnhb.exe 100 PID 1364 wrote to memory of 1332 1364 ntbnhb.exe 100 PID 1364 wrote to memory of 1332 1364 ntbnhb.exe 100 PID 1332 wrote to memory of 5012 1332 hbthtn.exe 101 PID 1332 wrote to memory of 5012 1332 hbthtn.exe 101 PID 1332 wrote to memory of 5012 1332 hbthtn.exe 101 PID 5012 wrote to memory of 1380 5012 ddjdv.exe 102 PID 5012 wrote to memory of 1380 5012 ddjdv.exe 102 PID 5012 wrote to memory of 1380 5012 ddjdv.exe 102 PID 1380 wrote to memory of 5108 1380 tbbhhh.exe 103 PID 1380 wrote to memory of 5108 1380 tbbhhh.exe 103 PID 1380 wrote to memory of 5108 1380 tbbhhh.exe 103 PID 5108 wrote to memory of 4804 5108 pjdvp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2cc950ee1a73bd99739406309befec41b994084048a1a44cfb1c8b7df045d867N.exe"C:\Users\Admin\AppData\Local\Temp\2cc950ee1a73bd99739406309befec41b994084048a1a44cfb1c8b7df045d867N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\djddp.exec:\djddp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\rflxfff.exec:\rflxfff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\bnbbbt.exec:\bnbbbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\pjvpv.exec:\pjvpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\lflllxx.exec:\lflllxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\tnhhhb.exec:\tnhhhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\7nnnhn.exec:\7nnnhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\thhhbb.exec:\thhhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\7ppvp.exec:\7ppvp.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\vvvvd.exec:\vvvvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\rffrfrf.exec:\rffrfrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\jddvp.exec:\jddvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\bnnbtn.exec:\bnnbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\vpdvj.exec:\vpdvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\vjdvp.exec:\vjdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\dvvdp.exec:\dvvdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\ntbnhb.exec:\ntbnhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\hbthtn.exec:\hbthtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\ddjdv.exec:\ddjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\tbbhhh.exec:\tbbhhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\pjdvp.exec:\pjdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\ddjdp.exec:\ddjdp.exe23⤵
- Executes dropped EXE
PID:4804 -
\??\c:\nhtnbb.exec:\nhtnbb.exe24⤵
- Executes dropped EXE
PID:3544 -
\??\c:\3vpjd.exec:\3vpjd.exe25⤵
- Executes dropped EXE
PID:1412 -
\??\c:\lxxrlfl.exec:\lxxrlfl.exe26⤵
- Executes dropped EXE
PID:1832 -
\??\c:\fxlxrlf.exec:\fxlxrlf.exe27⤵
- Executes dropped EXE
PID:1836 -
\??\c:\pvvjd.exec:\pvvjd.exe28⤵
- Executes dropped EXE
PID:2928 -
\??\c:\flxrllf.exec:\flxrllf.exe29⤵
- Executes dropped EXE
PID:2788 -
\??\c:\htthtn.exec:\htthtn.exe30⤵
- Executes dropped EXE
PID:2568 -
\??\c:\dpjvp.exec:\dpjvp.exe31⤵
- Executes dropped EXE
PID:4100 -
\??\c:\7rflrrl.exec:\7rflrrl.exe32⤵
- Executes dropped EXE
PID:796 -
\??\c:\hnbnbt.exec:\hnbnbt.exe33⤵
- Executes dropped EXE
PID:972 -
\??\c:\pjvpp.exec:\pjvpp.exe34⤵
- Executes dropped EXE
PID:4228 -
\??\c:\nbbtnh.exec:\nbbtnh.exe35⤵
- Executes dropped EXE
PID:1640 -
\??\c:\pjpjd.exec:\pjpjd.exe36⤵
- Executes dropped EXE
PID:2196 -
\??\c:\lxrfxfr.exec:\lxrfxfr.exe37⤵
- Executes dropped EXE
PID:808 -
\??\c:\hntnbt.exec:\hntnbt.exe38⤵
- Executes dropped EXE
PID:2004 -
\??\c:\3nhbnn.exec:\3nhbnn.exe39⤵
- Executes dropped EXE
PID:3328 -
\??\c:\5rxrlll.exec:\5rxrlll.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4540 -
\??\c:\tnnhhh.exec:\tnnhhh.exe41⤵
- Executes dropped EXE
PID:3408 -
\??\c:\lffxrlf.exec:\lffxrlf.exe42⤵
- Executes dropped EXE
PID:5072 -
\??\c:\9tnhnn.exec:\9tnhnn.exe43⤵
- Executes dropped EXE
PID:3552 -
\??\c:\ddpvd.exec:\ddpvd.exe44⤵
- Executes dropped EXE
PID:3732 -
\??\c:\rfffffl.exec:\rfffffl.exe45⤵
- Executes dropped EXE
PID:3876 -
\??\c:\ttnnnt.exec:\ttnnnt.exe46⤵
- Executes dropped EXE
PID:4256 -
\??\c:\vvpjv.exec:\vvpjv.exe47⤵
- Executes dropped EXE
PID:2188 -
\??\c:\ddjdv.exec:\ddjdv.exe48⤵
- Executes dropped EXE
PID:4520 -
\??\c:\rxrrlrx.exec:\rxrrlrx.exe49⤵
- Executes dropped EXE
PID:1580 -
\??\c:\tbhhhn.exec:\tbhhhn.exe50⤵
- Executes dropped EXE
PID:4372 -
\??\c:\pjvpv.exec:\pjvpv.exe51⤵
- Executes dropped EXE
PID:2784 -
\??\c:\5rrrrfr.exec:\5rrrrfr.exe52⤵
- Executes dropped EXE
PID:540 -
\??\c:\nnnntb.exec:\nnnntb.exe53⤵
- Executes dropped EXE
PID:4676 -
\??\c:\jvddd.exec:\jvddd.exe54⤵
- Executes dropped EXE
PID:3588 -
\??\c:\rxffflr.exec:\rxffflr.exe55⤵
- Executes dropped EXE
PID:2528 -
\??\c:\hthhhh.exec:\hthhhh.exe56⤵
- Executes dropped EXE
PID:3372 -
\??\c:\7dddv.exec:\7dddv.exe57⤵
- Executes dropped EXE
PID:4500 -
\??\c:\pjvvv.exec:\pjvvv.exe58⤵
- Executes dropped EXE
PID:3488 -
\??\c:\xxxffrf.exec:\xxxffrf.exe59⤵
- Executes dropped EXE
PID:5008 -
\??\c:\nntttb.exec:\nntttb.exe60⤵
- Executes dropped EXE
PID:3016 -
\??\c:\1pvpp.exec:\1pvpp.exe61⤵
- Executes dropped EXE
PID:1384 -
\??\c:\ddjvv.exec:\ddjvv.exe62⤵
- Executes dropped EXE
PID:4772 -
\??\c:\ffffxff.exec:\ffffxff.exe63⤵
- Executes dropped EXE
PID:2088 -
\??\c:\vpddj.exec:\vpddj.exe64⤵
- Executes dropped EXE
PID:448 -
\??\c:\ppppv.exec:\ppppv.exe65⤵
- Executes dropped EXE
PID:1960 -
\??\c:\xxfxxff.exec:\xxfxxff.exe66⤵PID:1876
-
\??\c:\bhtnnt.exec:\bhtnnt.exe67⤵PID:4048
-
\??\c:\3jvvp.exec:\3jvvp.exe68⤵PID:2472
-
\??\c:\frrxxxf.exec:\frrxxxf.exe69⤵PID:3024
-
\??\c:\thtbbh.exec:\thtbbh.exe70⤵PID:3224
-
\??\c:\fllrrxx.exec:\fllrrxx.exe71⤵PID:3236
-
\??\c:\rfrrxfr.exec:\rfrrxfr.exe72⤵PID:4836
-
\??\c:\bbhbbb.exec:\bbhbbb.exe73⤵PID:660
-
\??\c:\9pvvv.exec:\9pvvv.exe74⤵PID:1636
-
\??\c:\rxrlllr.exec:\rxrlllr.exe75⤵PID:4948
-
\??\c:\nbbnnh.exec:\nbbnnh.exe76⤵PID:3632
-
\??\c:\hnbbbh.exec:\hnbbbh.exe77⤵PID:400
-
\??\c:\jjvpj.exec:\jjvpj.exe78⤵PID:2872
-
\??\c:\xrffxff.exec:\xrffxff.exe79⤵PID:3728
-
\??\c:\tnnntt.exec:\tnnntt.exe80⤵PID:1380
-
\??\c:\nbhtnb.exec:\nbhtnb.exe81⤵PID:3720
-
\??\c:\dvjjp.exec:\dvjjp.exe82⤵PID:4804
-
\??\c:\frllllr.exec:\frllllr.exe83⤵PID:388
-
\??\c:\tbnhhn.exec:\tbnhhn.exe84⤵PID:2832
-
\??\c:\7ppjj.exec:\7ppjj.exe85⤵PID:4136
-
\??\c:\1rxrrrl.exec:\1rxrrrl.exe86⤵PID:1412
-
\??\c:\lxrrxxf.exec:\lxrrxxf.exe87⤵PID:2988
-
\??\c:\nnbbhh.exec:\nnbbhh.exe88⤵PID:4524
-
\??\c:\pjvdd.exec:\pjvdd.exe89⤵PID:3764
-
\??\c:\xflfxxx.exec:\xflfxxx.exe90⤵PID:2052
-
\??\c:\nntbbh.exec:\nntbbh.exe91⤵PID:4064
-
\??\c:\vvdpv.exec:\vvdpv.exe92⤵PID:5004
-
\??\c:\rlfffll.exec:\rlfffll.exe93⤵PID:1488
-
\??\c:\1hntbb.exec:\1hntbb.exe94⤵PID:1664
-
\??\c:\nhtttb.exec:\nhtttb.exe95⤵PID:3068
-
\??\c:\djjdj.exec:\djjdj.exe96⤵PID:3740
-
\??\c:\xxllllr.exec:\xxllllr.exe97⤵PID:708
-
\??\c:\jjpvv.exec:\jjpvv.exe98⤵PID:1644
-
\??\c:\ffrrrrx.exec:\ffrrrrx.exe99⤵PID:4928
-
\??\c:\rrxflrx.exec:\rrxflrx.exe100⤵PID:1700
-
\??\c:\bttttn.exec:\bttttn.exe101⤵PID:2920
-
\??\c:\pjpjj.exec:\pjpjj.exe102⤵PID:4112
-
\??\c:\pdjdd.exec:\pdjdd.exe103⤵PID:3328
-
\??\c:\rlrrlfx.exec:\rlrrlfx.exe104⤵PID:4540
-
\??\c:\bbnbbb.exec:\bbnbbb.exe105⤵PID:3780
-
\??\c:\9jpjj.exec:\9jpjj.exe106⤵PID:3448
-
\??\c:\7frffrr.exec:\7frffrr.exe107⤵PID:1424
-
\??\c:\5nttth.exec:\5nttth.exe108⤵PID:1256
-
\??\c:\7pdpv.exec:\7pdpv.exe109⤵PID:1924
-
\??\c:\vppjd.exec:\vppjd.exe110⤵PID:536
-
\??\c:\rxllfff.exec:\rxllfff.exe111⤵PID:3208
-
\??\c:\ttbbhn.exec:\ttbbhn.exe112⤵PID:2688
-
\??\c:\vpppp.exec:\vpppp.exe113⤵PID:3324
-
\??\c:\llfflrr.exec:\llfflrr.exe114⤵PID:2300
-
\??\c:\ttnnnn.exec:\ttnnnn.exe115⤵PID:2060
-
\??\c:\ttnnnt.exec:\ttnnnt.exe116⤵PID:4716
-
\??\c:\dpddv.exec:\dpddv.exe117⤵PID:3916
-
\??\c:\lflffxx.exec:\lflffxx.exe118⤵PID:4712
-
\??\c:\hbhhhn.exec:\hbhhhn.exe119⤵PID:4508
-
\??\c:\jjvpd.exec:\jjvpd.exe120⤵PID:452
-
\??\c:\vdppp.exec:\vdppp.exe121⤵PID:3540
-
\??\c:\rlrllrr.exec:\rlrllrr.exe122⤵PID:2488