Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 14:02
Static task
static1
1 signatures
Behavioral task (note: the signature hits listed on this page are tagged behavioral2, i.e. the windows10-2004_x64 / win10v2004-20241007-en run described above, not the win7 resource named for behavioral1 below)
behavioral1
Sample
cc7983bda85e28918b7a6e4cc7a876f3a1537cc5fa6078027ac53ad0623ad363N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
cc7983bda85e28918b7a6e4cc7a876f3a1537cc5fa6078027ac53ad0623ad363N.exe
-
Size
453KB
-
MD5
1e403071c2eff357e098a7f46a91e7f0
-
SHA1
70ac0d6363bd3c2cac84d21911c88d8201fc03b8
-
SHA256
cc7983bda85e28918b7a6e4cc7a876f3a1537cc5fa6078027ac53ad0623ad363
-
SHA512
ef410aef1bc9a2aa37e803ad25cdbd7775a422c5380ea625bda7aa52a0cc38f39b50222b17b385b9c816eee359a4fa355464e454e34fe54908cd52dfee1e3b90
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs — YARA rule `family_blackmoon` matched in process memory dumps. Every hit below covers the same 0x0000000000400000–0x000000000042A000 region (0x2A000 bytes) of a different PID, which is consistent with each dropped child being the same image re-spawned under a new random name rather than a set of distinct payloads.
resource yara_rule behavioral2/memory/5060-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/792-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/552-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/404-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-1305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-1384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/924-1711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — each dropped file is written to the root of the system drive (`c:\<random consonant name>.exe`, see the process tree below) and is then executed by its parent. The `upx` YARA rule in the following section fires on the same PIDs at the same 0x400000–0x42A000 range, so the dropped images appear to be UPX-packed copies of the payload; when hunting, key on the file-drop location and the naming pattern, not on any single file name or hash.
pid Process 792 xxfrrlf.exe 1680 nbhnth.exe 2608 vjpjj.exe 3988 btbbtb.exe 4792 9vdvv.exe 4308 xfrxxxr.exe 4884 lllfrfx.exe 2588 dpvvv.exe 5036 rffxlrl.exe 3808 hbnhnn.exe 2500 5ppjv.exe 2168 frffxxr.exe 3904 jvvpp.exe 4140 xfxrllx.exe 3760 jdjjp.exe 4924 bhhhbb.exe 760 dvpjd.exe 4004 bttnhb.exe 4500 jdpjv.exe 4300 fxlfrrr.exe 3740 vvvdv.exe 552 nbbhtt.exe 4316 5vpdj.exe 1588 dvvdv.exe 3320 hbbhbh.exe 1820 ddpjd.exe 5056 nbnbtn.exe 3104 ddpdv.exe 3492 ddvvp.exe 5104 lxxrlxr.exe 3180 bbhbtn.exe 3816 9bbbtb.exe 1440 1dvpj.exe 348 jpvjd.exe 3596 dvddj.exe 1784 nhhhtt.exe 4572 rlxrrfl.exe 1860 pvdpj.exe 3944 jjpdp.exe 3352 9lfrflf.exe 4824 ntnhtt.exe 2892 vpvvp.exe 2940 pjjvj.exe 3592 5rlrfxx.exe 3132 hhhhbb.exe 1548 tnnbtn.exe 1480 3vvdv.exe 4356 xrrlffl.exe 2984 thhbnn.exe 1128 vpddd.exe 1540 3vvjd.exe 4420 lrxlllf.exe 3380 bbtttt.exe 2272 3vdvv.exe 1092 lllrlxx.exe 1416 xxxrxrx.exe 2112 bhnhbb.exe 3948 vjdvj.exe 3580 dpjdv.exe 1740 7xfxxfx.exe 4176 tnttnn.exe 3756 vdjvj.exe 4608 dppjp.exe 2604 5rfrllf.exe -
resource yara_rule behavioral2/memory/5060-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-135-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4316-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-352-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4300-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-821-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Every IoC below is an open of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`; most are attributed to `Process not Found`, which suggests the acting process had already exited by the time the event was attributed — consistent with the short-lived spawn chain in the process tree below.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxfxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhntnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtt.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — in the visible list every write is from a parent into the child it has just created (three writes per spawn, e.g. 5060 → 792, 792 → 1680, 1680 → 2608, …), forming a strictly linear chain with no write into a process outside that chain. This is consistent with child-process startup rather than injection into an unrelated process; treat the signature here as corroborating the spawn chain, not as evidence of cross-process injection.
description pid Process procid_target PID 5060 wrote to memory of 792 5060 cc7983bda85e28918b7a6e4cc7a876f3a1537cc5fa6078027ac53ad0623ad363N.exe 82 PID 5060 wrote to memory of 792 5060 cc7983bda85e28918b7a6e4cc7a876f3a1537cc5fa6078027ac53ad0623ad363N.exe 82 PID 5060 wrote to memory of 792 5060 cc7983bda85e28918b7a6e4cc7a876f3a1537cc5fa6078027ac53ad0623ad363N.exe 82 PID 792 wrote to memory of 1680 792 xxfrrlf.exe 83 PID 792 wrote to memory of 1680 792 xxfrrlf.exe 83 PID 792 wrote to memory of 1680 792 xxfrrlf.exe 83 PID 1680 wrote to memory of 2608 1680 nbhnth.exe 84 PID 1680 wrote to memory of 2608 1680 nbhnth.exe 84 PID 1680 wrote to memory of 2608 1680 nbhnth.exe 84 PID 2608 wrote to memory of 3988 2608 vjpjj.exe 85 PID 2608 wrote to memory of 3988 2608 vjpjj.exe 85 PID 2608 wrote to memory of 3988 2608 vjpjj.exe 85 PID 3988 wrote to memory of 4792 3988 btbbtb.exe 86 PID 3988 wrote to memory of 4792 3988 btbbtb.exe 86 PID 3988 wrote to memory of 4792 3988 btbbtb.exe 86 PID 4792 wrote to memory of 4308 4792 9vdvv.exe 87 PID 4792 wrote to memory of 4308 4792 9vdvv.exe 87 PID 4792 wrote to memory of 4308 4792 9vdvv.exe 87 PID 4308 wrote to memory of 4884 4308 xfrxxxr.exe 88 PID 4308 wrote to memory of 4884 4308 xfrxxxr.exe 88 PID 4308 wrote to memory of 4884 4308 xfrxxxr.exe 88 PID 4884 wrote to memory of 2588 4884 lllfrfx.exe 89 PID 4884 wrote to memory of 2588 4884 lllfrfx.exe 89 PID 4884 wrote to memory of 2588 4884 lllfrfx.exe 89 PID 2588 wrote to memory of 5036 2588 dpvvv.exe 90 PID 2588 wrote to memory of 5036 2588 dpvvv.exe 90 PID 2588 wrote to memory of 5036 2588 dpvvv.exe 90 PID 5036 wrote to memory of 3808 5036 rffxlrl.exe 91 PID 5036 wrote to memory of 3808 5036 rffxlrl.exe 91 PID 5036 wrote to memory of 3808 5036 rffxlrl.exe 91 PID 3808 wrote to memory of 2500 3808 hbnhnn.exe 92 PID 3808 wrote to memory of 2500 3808 hbnhnn.exe 92 PID 3808 wrote to memory of 2500 3808 hbnhnn.exe 92 PID 2500 wrote to memory of 2168 2500 5ppjv.exe 93 PID 2500 wrote to 
memory of 2168 2500 5ppjv.exe 93 PID 2500 wrote to memory of 2168 2500 5ppjv.exe 93 PID 2168 wrote to memory of 3904 2168 frffxxr.exe 94 PID 2168 wrote to memory of 3904 2168 frffxxr.exe 94 PID 2168 wrote to memory of 3904 2168 frffxxr.exe 94 PID 3904 wrote to memory of 4140 3904 jvvpp.exe 95 PID 3904 wrote to memory of 4140 3904 jvvpp.exe 95 PID 3904 wrote to memory of 4140 3904 jvvpp.exe 95 PID 4140 wrote to memory of 3760 4140 xfxrllx.exe 96 PID 4140 wrote to memory of 3760 4140 xfxrllx.exe 96 PID 4140 wrote to memory of 3760 4140 xfxrllx.exe 96 PID 3760 wrote to memory of 4924 3760 jdjjp.exe 97 PID 3760 wrote to memory of 4924 3760 jdjjp.exe 97 PID 3760 wrote to memory of 4924 3760 jdjjp.exe 97 PID 4924 wrote to memory of 760 4924 bhhhbb.exe 98 PID 4924 wrote to memory of 760 4924 bhhhbb.exe 98 PID 4924 wrote to memory of 760 4924 bhhhbb.exe 98 PID 760 wrote to memory of 4004 760 dvpjd.exe 99 PID 760 wrote to memory of 4004 760 dvpjd.exe 99 PID 760 wrote to memory of 4004 760 dvpjd.exe 99 PID 4004 wrote to memory of 4500 4004 bttnhb.exe 100 PID 4004 wrote to memory of 4500 4004 bttnhb.exe 100 PID 4004 wrote to memory of 4500 4004 bttnhb.exe 100 PID 4500 wrote to memory of 4300 4500 jdpjv.exe 101 PID 4500 wrote to memory of 4300 4500 jdpjv.exe 101 PID 4500 wrote to memory of 4300 4500 jdpjv.exe 101 PID 4300 wrote to memory of 3740 4300 fxlfrrr.exe 102 PID 4300 wrote to memory of 3740 4300 fxlfrrr.exe 102 PID 4300 wrote to memory of 3740 4300 fxlfrrr.exe 102 PID 3740 wrote to memory of 552 3740 vvvdv.exe 103
Processes (note: PIDs are recycled within this run — for example 4300 is fxlfrrr.exe at depth 21 and later 5pdpv.exe at depth 83, and 5060 is the original sample at depth 1 and later jpjpp.exe at depth 121. Reuse implies earlier links of the chain have exited. When correlating with the memory-dump IoCs above, match on the full `pid-offset` key, never on the PID alone.)
-
C:\Users\Admin\AppData\Local\Temp\cc7983bda85e28918b7a6e4cc7a876f3a1537cc5fa6078027ac53ad0623ad363N.exe"C:\Users\Admin\AppData\Local\Temp\cc7983bda85e28918b7a6e4cc7a876f3a1537cc5fa6078027ac53ad0623ad363N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\xxfrrlf.exec:\xxfrrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792 -
\??\c:\nbhnth.exec:\nbhnth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\vjpjj.exec:\vjpjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\btbbtb.exec:\btbbtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\9vdvv.exec:\9vdvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\xfrxxxr.exec:\xfrxxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\lllfrfx.exec:\lllfrfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\dpvvv.exec:\dpvvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\rffxlrl.exec:\rffxlrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\hbnhnn.exec:\hbnhnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\5ppjv.exec:\5ppjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\frffxxr.exec:\frffxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\jvvpp.exec:\jvvpp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\xfxrllx.exec:\xfxrllx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\jdjjp.exec:\jdjjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\bhhhbb.exec:\bhhhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\dvpjd.exec:\dvpjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\bttnhb.exec:\bttnhb.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\jdpjv.exec:\jdpjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\fxlfrrr.exec:\fxlfrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\vvvdv.exec:\vvvdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\nbbhtt.exec:\nbbhtt.exe23⤵
- Executes dropped EXE
PID:552 -
\??\c:\5vpdj.exec:\5vpdj.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4316 -
\??\c:\dvvdv.exec:\dvvdv.exe25⤵
- Executes dropped EXE
PID:1588 -
\??\c:\hbbhbh.exec:\hbbhbh.exe26⤵
- Executes dropped EXE
PID:3320 -
\??\c:\ddpjd.exec:\ddpjd.exe27⤵
- Executes dropped EXE
PID:1820 -
\??\c:\nbnbtn.exec:\nbnbtn.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5056 -
\??\c:\ddpdv.exec:\ddpdv.exe29⤵
- Executes dropped EXE
PID:3104 -
\??\c:\ddvvp.exec:\ddvvp.exe30⤵
- Executes dropped EXE
PID:3492 -
\??\c:\lxxrlxr.exec:\lxxrlxr.exe31⤵
- Executes dropped EXE
PID:5104 -
\??\c:\bbhbtn.exec:\bbhbtn.exe32⤵
- Executes dropped EXE
PID:3180 -
\??\c:\9bbbtb.exec:\9bbbtb.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3816 -
\??\c:\1dvpj.exec:\1dvpj.exe34⤵
- Executes dropped EXE
PID:1440 -
\??\c:\jpvjd.exec:\jpvjd.exe35⤵
- Executes dropped EXE
PID:348 -
\??\c:\dvddj.exec:\dvddj.exe36⤵
- Executes dropped EXE
PID:3596 -
\??\c:\nhhhtt.exec:\nhhhtt.exe37⤵
- Executes dropped EXE
PID:1784 -
\??\c:\rlxrrfl.exec:\rlxrrfl.exe38⤵
- Executes dropped EXE
PID:4572 -
\??\c:\pvdpj.exec:\pvdpj.exe39⤵
- Executes dropped EXE
PID:1860 -
\??\c:\jjpdp.exec:\jjpdp.exe40⤵
- Executes dropped EXE
PID:3944 -
\??\c:\9lfrflf.exec:\9lfrflf.exe41⤵
- Executes dropped EXE
PID:3352 -
\??\c:\ntnhtt.exec:\ntnhtt.exe42⤵
- Executes dropped EXE
PID:4824 -
\??\c:\vpvvp.exec:\vpvvp.exe43⤵
- Executes dropped EXE
PID:2892 -
\??\c:\pjjvj.exec:\pjjvj.exe44⤵
- Executes dropped EXE
PID:2940 -
\??\c:\5rlrfxx.exec:\5rlrfxx.exe45⤵
- Executes dropped EXE
PID:3592 -
\??\c:\hhhhbb.exec:\hhhhbb.exe46⤵
- Executes dropped EXE
PID:3132 -
\??\c:\tnnbtn.exec:\tnnbtn.exe47⤵
- Executes dropped EXE
PID:1548 -
\??\c:\3vvdv.exec:\3vvdv.exe48⤵
- Executes dropped EXE
PID:1480 -
\??\c:\xrrlffl.exec:\xrrlffl.exe49⤵
- Executes dropped EXE
PID:4356 -
\??\c:\thhbnn.exec:\thhbnn.exe50⤵
- Executes dropped EXE
PID:2984 -
\??\c:\vpddd.exec:\vpddd.exe51⤵
- Executes dropped EXE
PID:1128 -
\??\c:\3vvjd.exec:\3vvjd.exe52⤵
- Executes dropped EXE
PID:1540 -
\??\c:\lrxlllf.exec:\lrxlllf.exe53⤵
- Executes dropped EXE
PID:4420 -
\??\c:\bbtttt.exec:\bbtttt.exe54⤵
- Executes dropped EXE
PID:3380 -
\??\c:\3vdvv.exec:\3vdvv.exe55⤵
- Executes dropped EXE
PID:2272 -
\??\c:\lllrlxx.exec:\lllrlxx.exe56⤵
- Executes dropped EXE
PID:1092 -
\??\c:\xxxrxrx.exec:\xxxrxrx.exe57⤵
- Executes dropped EXE
PID:1416 -
\??\c:\bhnhbb.exec:\bhnhbb.exe58⤵
- Executes dropped EXE
PID:2112 -
\??\c:\vjdvj.exec:\vjdvj.exe59⤵
- Executes dropped EXE
PID:3948 -
\??\c:\dpjdv.exec:\dpjdv.exe60⤵
- Executes dropped EXE
PID:3580 -
\??\c:\7xfxxfx.exec:\7xfxxfx.exe61⤵
- Executes dropped EXE
PID:1740 -
\??\c:\tnttnn.exec:\tnttnn.exe62⤵
- Executes dropped EXE
PID:4176 -
\??\c:\vdjvj.exec:\vdjvj.exe63⤵
- Executes dropped EXE
PID:3756 -
\??\c:\dppjp.exec:\dppjp.exe64⤵
- Executes dropped EXE
PID:4608 -
\??\c:\5rfrllf.exec:\5rfrllf.exe65⤵
- Executes dropped EXE
PID:2604 -
\??\c:\1hbtnh.exec:\1hbtnh.exe66⤵PID:3980
-
\??\c:\5vjdj.exec:\5vjdj.exe67⤵PID:1384
-
\??\c:\pjpdj.exec:\pjpdj.exe68⤵PID:5112
-
\??\c:\lxxxlrl.exec:\lxxxlrl.exe69⤵PID:2372
-
\??\c:\bttthh.exec:\bttthh.exe70⤵PID:3556
-
\??\c:\9ppjd.exec:\9ppjd.exe71⤵PID:404
-
\??\c:\1vjvd.exec:\1vjvd.exe72⤵PID:3664
-
\??\c:\rlfrrlr.exec:\rlfrrlr.exe73⤵PID:3904
-
\??\c:\7tnbtt.exec:\7tnbtt.exe74⤵PID:3896
-
\??\c:\bnthtt.exec:\bnthtt.exe75⤵PID:1736
-
\??\c:\dvdpj.exec:\dvdpj.exe76⤵PID:1744
-
\??\c:\lffxlfx.exec:\lffxlfx.exe77⤵PID:220
-
\??\c:\fxrrlll.exec:\fxrrlll.exe78⤵PID:1324
-
\??\c:\nhhbtn.exec:\nhhbtn.exe79⤵PID:4944
-
\??\c:\jpjpd.exec:\jpjpd.exe80⤵PID:4776
-
\??\c:\9xlxlxl.exec:\9xlxlxl.exe81⤵PID:2352
-
\??\c:\hhbhth.exec:\hhbhth.exe82⤵PID:4544
-
\??\c:\5pdpv.exec:\5pdpv.exe83⤵PID:4300
-
\??\c:\rxxrflf.exec:\rxxrflf.exe84⤵PID:4312
-
\??\c:\xllfrxr.exec:\xllfrxr.exe85⤵PID:1448
-
\??\c:\nhnhbt.exec:\nhnhbt.exe86⤵PID:1464
-
\??\c:\pjdpv.exec:\pjdpv.exe87⤵PID:3024
-
\??\c:\llxrlfx.exec:\llxrlfx.exe88⤵PID:2748
-
\??\c:\rrlfrrl.exec:\rrlfrrl.exe89⤵PID:4808
-
\??\c:\djpdd.exec:\djpdd.exe90⤵PID:5068
-
\??\c:\ddjvj.exec:\ddjvj.exe91⤵PID:2952
-
\??\c:\1rxfxll.exec:\1rxfxll.exe92⤵
- System Location Discovery: System Language Discovery
PID:3852 -
\??\c:\thhtnb.exec:\thhtnb.exe93⤵PID:3104
-
\??\c:\bhntnb.exec:\bhntnb.exe94⤵
- System Location Discovery: System Language Discovery
PID:1096 -
\??\c:\jjjvd.exec:\jjjvd.exe95⤵PID:3492
-
\??\c:\xxflrlx.exec:\xxflrlx.exe96⤵PID:1360
-
\??\c:\lllrfrf.exec:\lllrfrf.exe97⤵PID:440
-
\??\c:\hththb.exec:\hththb.exe98⤵PID:1884
-
\??\c:\htnbhb.exec:\htnbhb.exe99⤵PID:2328
-
\??\c:\pdpdp.exec:\pdpdp.exe100⤵PID:2384
-
\??\c:\lxrxlxl.exec:\lxrxlxl.exe101⤵PID:3888
-
\??\c:\frfrlfx.exec:\frfrlfx.exe102⤵PID:3596
-
\??\c:\hhhtbt.exec:\hhhtbt.exe103⤵PID:2292
-
\??\c:\pppdp.exec:\pppdp.exe104⤵PID:4036
-
\??\c:\vjdpv.exec:\vjdpv.exe105⤵PID:2936
-
\??\c:\xffrxrl.exec:\xffrxrl.exe106⤵PID:976
-
\??\c:\htnbnh.exec:\htnbnh.exe107⤵PID:2484
-
\??\c:\9jvdj.exec:\9jvdj.exe108⤵PID:4480
-
\??\c:\rxrflfr.exec:\rxrflfr.exe109⤵PID:2440
-
\??\c:\xfxlxxl.exec:\xfxlxxl.exe110⤵PID:5048
-
\??\c:\bhthtn.exec:\bhthtn.exe111⤵PID:1976
-
\??\c:\9hbnbn.exec:\9hbnbn.exe112⤵PID:2348
-
\??\c:\dpjvd.exec:\dpjvd.exe113⤵PID:1772
-
\??\c:\lffrxxl.exec:\lffrxxl.exe114⤵PID:4876
-
\??\c:\flllfrr.exec:\flllfrr.exe115⤵PID:2188
-
\??\c:\nbtnbn.exec:\nbtnbn.exe116⤵PID:4356
-
\??\c:\3dvjp.exec:\3dvjp.exe117⤵PID:2984
-
\??\c:\lxrlxfx.exec:\lxrlxfx.exe118⤵PID:1128
-
\??\c:\rrlxlxl.exec:\rrlxlxl.exe119⤵PID:4272
-
\??\c:\1bnbnb.exec:\1bnbnb.exe120⤵PID:4780
-
\??\c:\jpjpp.exec:\jpjpp.exe121⤵PID:5060
-
\??\c:\pdvjj.exec:\pdvjj.exe122⤵PID:1000