Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 02:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe
-
Size
456KB
-
MD5
99b19db190a700077b66f0fb212ca59f
-
SHA1
b0199d5796e89cec99ac5250e7d738b4a891ad54
-
SHA256
cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034
-
SHA512
23a2f8a595b669ebf0646aea5bcfda29f435ed07e4dea63db4ec532bec053f2c3c5a18b7e367e388ed3143562ca22cd1d08413778d414617df3fdb3f866e28c1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRh:q7Tc2NYHUrAwfMp3CDRh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 37 IoCs
resource yara_rule behavioral1/memory/2380-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/916-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-119-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2024-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-200-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/920-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2420-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1580-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/692-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/960-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-699-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1132-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1428-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-949-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2212 nhttbb.exe 916 lfxfrrf.exe 1972 ddvjp.exe 2756 rlfxxlx.exe 2972 nbthht.exe 2840 ppvdj.exe 2568 9thhhb.exe 2784 dpjjj.exe 2620 lfxxxxf.exe 3044 frlrxxl.exe 1704 jvdjv.exe 1796 5rrxflx.exe 2024 tnbbbt.exe 2144 7vpvp.exe 860 tbhhhn.exe 1756 jpjpd.exe 1956 3nnhnn.exe 1444 7lxffff.exe 1968 nbhntt.exe 2036 9djpp.exe 1308 1xlflfl.exe 920 1thhnn.exe 832 5lxxxxx.exe 1664 bhnhhh.exe 2420 xxlxllx.exe 2264 xrlrlrf.exe 2044 nhthnn.exe 1492 jdvdp.exe 2200 bnhbhh.exe 1648 xrflrrl.exe 2244 nbnnnh.exe 2572 7dvvd.exe 1328 bhnnhh.exe 1524 nthnth.exe 2696 1vjvv.exe 2284 rlflxlf.exe 2812 3hnbtt.exe 2876 vjpvj.exe 2860 5rfxrrr.exe 2772 ttthnt.exe 2616 jddjv.exe 2568 dvpdp.exe 2752 rfxxxfl.exe 2608 hhbntb.exe 1176 dvppj.exe 3044 xxrrrrx.exe 1360 hbthnt.exe 1580 hbtbtt.exe 1064 vvvdj.exe 1984 xxrrxxl.exe 2440 thbtbb.exe 444 djpdd.exe 464 rlfflll.exe 1040 bthhtt.exe 1760 btttbt.exe 1048 ppppv.exe 1292 lfxfxfr.exe 2988 5hbnbb.exe 692 jdddp.exe 2056 vpjjv.exe 1996 9xllrrr.exe 936 3bntbb.exe 960 5jvvp.exe 832 xrrfrrl.exe -
resource yara_rule behavioral1/memory/2380-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/920-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2420-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-258-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1492-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/692-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/692-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1100-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1236-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1132-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1428-806-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2684-936-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-1012-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2212 2380 cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe 30 PID 2380 wrote to memory of 2212 2380 cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe 30 PID 2380 wrote to memory of 2212 2380 cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe 30 PID 2380 wrote to memory of 2212 2380 cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe 30 PID 2212 wrote to memory of 916 2212 nhttbb.exe 31 PID 2212 wrote to memory of 916 2212 nhttbb.exe 31 PID 2212 wrote to memory of 916 2212 nhttbb.exe 31 PID 2212 wrote to memory of 916 2212 nhttbb.exe 31 PID 916 wrote to memory of 1972 916 lfxfrrf.exe 32 PID 916 wrote to memory of 1972 916 lfxfrrf.exe 32 PID 916 wrote to memory of 1972 916 lfxfrrf.exe 32 PID 916 wrote to memory of 1972 916 lfxfrrf.exe 32 PID 1972 wrote to memory of 2756 1972 ddvjp.exe 33 PID 1972 wrote to memory of 2756 1972 ddvjp.exe 33 PID 1972 wrote to memory of 2756 1972 ddvjp.exe 33 PID 1972 wrote to memory of 2756 1972 ddvjp.exe 33 PID 2756 wrote to memory of 2972 2756 rlfxxlx.exe 34 PID 2756 wrote to memory of 2972 2756 rlfxxlx.exe 34 PID 2756 wrote to memory of 2972 2756 rlfxxlx.exe 34 PID 2756 wrote to memory of 2972 2756 rlfxxlx.exe 34 PID 2972 wrote to memory of 2840 2972 nbthht.exe 35 PID 2972 wrote to memory of 2840 2972 nbthht.exe 35 PID 2972 wrote to memory of 2840 2972 nbthht.exe 35 PID 2972 wrote to memory of 2840 2972 nbthht.exe 35 PID 2840 wrote to memory of 2568 2840 ppvdj.exe 36 PID 2840 wrote to memory of 2568 2840 ppvdj.exe 36 PID 2840 wrote to memory of 2568 2840 ppvdj.exe 36 PID 2840 wrote to memory of 2568 2840 ppvdj.exe 36 PID 2568 wrote to memory of 2784 2568 9thhhb.exe 37 PID 2568 wrote to memory of 2784 2568 9thhhb.exe 37 PID 2568 wrote to memory of 2784 2568 9thhhb.exe 37 PID 2568 wrote to memory of 2784 2568 9thhhb.exe 37 PID 2784 wrote to memory of 2620 2784 dpjjj.exe 38 PID 2784 wrote to memory 
of 2620 2784 dpjjj.exe 38 PID 2784 wrote to memory of 2620 2784 dpjjj.exe 38 PID 2784 wrote to memory of 2620 2784 dpjjj.exe 38 PID 2620 wrote to memory of 3044 2620 lfxxxxf.exe 39 PID 2620 wrote to memory of 3044 2620 lfxxxxf.exe 39 PID 2620 wrote to memory of 3044 2620 lfxxxxf.exe 39 PID 2620 wrote to memory of 3044 2620 lfxxxxf.exe 39 PID 3044 wrote to memory of 1704 3044 frlrxxl.exe 40 PID 3044 wrote to memory of 1704 3044 frlrxxl.exe 40 PID 3044 wrote to memory of 1704 3044 frlrxxl.exe 40 PID 3044 wrote to memory of 1704 3044 frlrxxl.exe 40 PID 1704 wrote to memory of 1796 1704 jvdjv.exe 41 PID 1704 wrote to memory of 1796 1704 jvdjv.exe 41 PID 1704 wrote to memory of 1796 1704 jvdjv.exe 41 PID 1704 wrote to memory of 1796 1704 jvdjv.exe 41 PID 1796 wrote to memory of 2024 1796 5rrxflx.exe 42 PID 1796 wrote to memory of 2024 1796 5rrxflx.exe 42 PID 1796 wrote to memory of 2024 1796 5rrxflx.exe 42 PID 1796 wrote to memory of 2024 1796 5rrxflx.exe 42 PID 2024 wrote to memory of 2144 2024 tnbbbt.exe 43 PID 2024 wrote to memory of 2144 2024 tnbbbt.exe 43 PID 2024 wrote to memory of 2144 2024 tnbbbt.exe 43 PID 2024 wrote to memory of 2144 2024 tnbbbt.exe 43 PID 2144 wrote to memory of 860 2144 7vpvp.exe 44 PID 2144 wrote to memory of 860 2144 7vpvp.exe 44 PID 2144 wrote to memory of 860 2144 7vpvp.exe 44 PID 2144 wrote to memory of 860 2144 7vpvp.exe 44 PID 860 wrote to memory of 1756 860 tbhhhn.exe 45 PID 860 wrote to memory of 1756 860 tbhhhn.exe 45 PID 860 wrote to memory of 1756 860 tbhhhn.exe 45 PID 860 wrote to memory of 1756 860 tbhhhn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe"C:\Users\Admin\AppData\Local\Temp\cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\nhttbb.exec:\nhttbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\lfxfrrf.exec:\lfxfrrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\ddvjp.exec:\ddvjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\rlfxxlx.exec:\rlfxxlx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\nbthht.exec:\nbthht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\ppvdj.exec:\ppvdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\9thhhb.exec:\9thhhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\dpjjj.exec:\dpjjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\lfxxxxf.exec:\lfxxxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\frlrxxl.exec:\frlrxxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\jvdjv.exec:\jvdjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\5rrxflx.exec:\5rrxflx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\tnbbbt.exec:\tnbbbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\7vpvp.exec:\7vpvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\tbhhhn.exec:\tbhhhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\jpjpd.exec:\jpjpd.exe17⤵
- Executes dropped EXE
PID:1756 -
\??\c:\3nnhnn.exec:\3nnhnn.exe18⤵
- Executes dropped EXE
PID:1956 -
\??\c:\7lxffff.exec:\7lxffff.exe19⤵
- Executes dropped EXE
PID:1444 -
\??\c:\nbhntt.exec:\nbhntt.exe20⤵
- Executes dropped EXE
PID:1968 -
\??\c:\9djpp.exec:\9djpp.exe21⤵
- Executes dropped EXE
PID:2036 -
\??\c:\1xlflfl.exec:\1xlflfl.exe22⤵
- Executes dropped EXE
PID:1308 -
\??\c:\1thhnn.exec:\1thhnn.exe23⤵
- Executes dropped EXE
PID:920 -
\??\c:\5lxxxxx.exec:\5lxxxxx.exe24⤵
- Executes dropped EXE
PID:832 -
\??\c:\bhnhhh.exec:\bhnhhh.exe25⤵
- Executes dropped EXE
PID:1664 -
\??\c:\xxlxllx.exec:\xxlxllx.exe26⤵
- Executes dropped EXE
PID:2420 -
\??\c:\xrlrlrf.exec:\xrlrlrf.exe27⤵
- Executes dropped EXE
PID:2264 -
\??\c:\nhthnn.exec:\nhthnn.exe28⤵
- Executes dropped EXE
PID:2044 -
\??\c:\jdvdp.exec:\jdvdp.exe29⤵
- Executes dropped EXE
PID:1492 -
\??\c:\bnhbhh.exec:\bnhbhh.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200 -
\??\c:\xrflrrl.exec:\xrflrrl.exe31⤵
- Executes dropped EXE
PID:1648 -
\??\c:\nbnnnh.exec:\nbnnnh.exe32⤵
- Executes dropped EXE
PID:2244 -
\??\c:\7dvvd.exec:\7dvvd.exe33⤵
- Executes dropped EXE
PID:2572 -
\??\c:\bhnnhh.exec:\bhnnhh.exe34⤵
- Executes dropped EXE
PID:1328 -
\??\c:\nthnth.exec:\nthnth.exe35⤵
- Executes dropped EXE
PID:1524 -
\??\c:\1vjvv.exec:\1vjvv.exe36⤵
- Executes dropped EXE
PID:2696 -
\??\c:\rlflxlf.exec:\rlflxlf.exe37⤵
- Executes dropped EXE
PID:2284 -
\??\c:\3hnbtt.exec:\3hnbtt.exe38⤵
- Executes dropped EXE
PID:2812 -
\??\c:\vjpvj.exec:\vjpvj.exe39⤵
- Executes dropped EXE
PID:2876 -
\??\c:\5rfxrrr.exec:\5rfxrrr.exe40⤵
- Executes dropped EXE
PID:2860 -
\??\c:\ttthnt.exec:\ttthnt.exe41⤵
- Executes dropped EXE
PID:2772 -
\??\c:\jddjv.exec:\jddjv.exe42⤵
- Executes dropped EXE
PID:2616 -
\??\c:\dvpdp.exec:\dvpdp.exe43⤵
- Executes dropped EXE
PID:2568 -
\??\c:\rfxxxfl.exec:\rfxxxfl.exe44⤵
- Executes dropped EXE
PID:2752 -
\??\c:\hhbntb.exec:\hhbntb.exe45⤵
- Executes dropped EXE
PID:2608 -
\??\c:\dvppj.exec:\dvppj.exe46⤵
- Executes dropped EXE
PID:1176 -
\??\c:\xxrrrrx.exec:\xxrrrrx.exe47⤵
- Executes dropped EXE
PID:3044 -
\??\c:\hbthnt.exec:\hbthnt.exe48⤵
- Executes dropped EXE
PID:1360 -
\??\c:\hbtbtt.exec:\hbtbtt.exe49⤵
- Executes dropped EXE
PID:1580 -
\??\c:\vvvdj.exec:\vvvdj.exe50⤵
- Executes dropped EXE
PID:1064 -
\??\c:\xxrrxxl.exec:\xxrrxxl.exe51⤵
- Executes dropped EXE
PID:1984 -
\??\c:\thbtbb.exec:\thbtbb.exe52⤵
- Executes dropped EXE
PID:2440 -
\??\c:\djpdd.exec:\djpdd.exe53⤵
- Executes dropped EXE
PID:444 -
\??\c:\rlfflll.exec:\rlfflll.exe54⤵
- Executes dropped EXE
PID:464 -
\??\c:\bthhtt.exec:\bthhtt.exe55⤵
- Executes dropped EXE
PID:1040 -
\??\c:\btttbt.exec:\btttbt.exe56⤵
- Executes dropped EXE
PID:1760 -
\??\c:\ppppv.exec:\ppppv.exe57⤵
- Executes dropped EXE
PID:1048 -
\??\c:\lfxfxfr.exec:\lfxfxfr.exe58⤵
- Executes dropped EXE
PID:1292 -
\??\c:\5hbnbb.exec:\5hbnbb.exe59⤵
- Executes dropped EXE
PID:2988 -
\??\c:\jdddp.exec:\jdddp.exe60⤵
- Executes dropped EXE
PID:692 -
\??\c:\vpjjv.exec:\vpjjv.exe61⤵
- Executes dropped EXE
PID:2056 -
\??\c:\9xllrrr.exec:\9xllrrr.exe62⤵
- Executes dropped EXE
PID:1996 -
\??\c:\3bntbb.exec:\3bntbb.exe63⤵
- Executes dropped EXE
PID:936 -
\??\c:\5jvvp.exec:\5jvvp.exe64⤵
- Executes dropped EXE
PID:960 -
\??\c:\xrrfrrl.exec:\xrrfrrl.exe65⤵
- Executes dropped EXE
PID:832 -
\??\c:\7nbttb.exec:\7nbttb.exe66⤵PID:1668
-
\??\c:\xfrlllx.exec:\xfrlllx.exe67⤵PID:2792
-
\??\c:\btnbbh.exec:\btnbbh.exe68⤵PID:1264
-
\??\c:\tbhbbh.exec:\tbhbbh.exe69⤵PID:2320
-
\??\c:\7jvvv.exec:\7jvvv.exe70⤵PID:1652
-
\??\c:\lxrrlfx.exec:\lxrrlfx.exe71⤵PID:1848
-
\??\c:\3tnhbh.exec:\3tnhbh.exe72⤵PID:1492
-
\??\c:\ppvdj.exec:\ppvdj.exe73⤵PID:2236
-
\??\c:\pjvdj.exec:\pjvdj.exe74⤵PID:2540
-
\??\c:\frllrrx.exec:\frllrrx.exe75⤵PID:2000
-
\??\c:\1httbb.exec:\1httbb.exe76⤵PID:1708
-
\??\c:\ddvjp.exec:\ddvjp.exe77⤵PID:1100
-
\??\c:\djjvj.exec:\djjvj.exe78⤵PID:108
-
\??\c:\rlxflxl.exec:\rlxflxl.exe79⤵PID:1036
-
\??\c:\bthbhn.exec:\bthbhn.exe80⤵PID:2696
-
\??\c:\pdvdp.exec:\pdvdp.exe81⤵PID:2716
-
\??\c:\rfxxffl.exec:\rfxxffl.exe82⤵PID:2864
-
\??\c:\ttnnbh.exec:\ttnnbh.exe83⤵PID:2876
-
\??\c:\jddpd.exec:\jddpd.exe84⤵PID:2892
-
\??\c:\jjdjv.exec:\jjdjv.exe85⤵PID:2772
-
\??\c:\ffxxffr.exec:\ffxxffr.exe86⤵PID:2796
-
\??\c:\7ttbnt.exec:\7ttbnt.exe87⤵PID:2568
-
\??\c:\dpvpj.exec:\dpvpj.exe88⤵PID:2668
-
\??\c:\fxxflfx.exec:\fxxflfx.exe89⤵PID:812
-
\??\c:\7nnnnh.exec:\7nnnnh.exe90⤵PID:1684
-
\??\c:\jpvjj.exec:\jpvjj.exe91⤵PID:2544
-
\??\c:\1xxlrxr.exec:\1xxlrxr.exe92⤵PID:1236
-
\??\c:\7tbbhh.exec:\7tbbhh.exe93⤵PID:2340
-
\??\c:\vjddj.exec:\vjddj.exe94⤵PID:1776
-
\??\c:\djpvj.exec:\djpvj.exe95⤵PID:1084
-
\??\c:\lflxxxl.exec:\lflxxxl.exe96⤵PID:860
-
\??\c:\hhhhhh.exec:\hhhhhh.exe97⤵PID:1132
-
\??\c:\thbbbh.exec:\thbbbh.exe98⤵PID:768
-
\??\c:\vpvpv.exec:\vpvpv.exe99⤵PID:1692
-
\??\c:\3fffrxf.exec:\3fffrxf.exe100⤵PID:1956
-
\??\c:\btnntt.exec:\btnntt.exe101⤵PID:2148
-
\??\c:\ttntbb.exec:\ttntbb.exe102⤵PID:836
-
\??\c:\3dvvj.exec:\3dvvj.exe103⤵PID:1880
-
\??\c:\lrlxlrf.exec:\lrlxlrf.exe104⤵PID:2096
-
\??\c:\thbbhn.exec:\thbbhn.exe105⤵PID:1612
-
\??\c:\bnbhtn.exec:\bnbhtn.exe106⤵PID:608
-
\??\c:\dpvpp.exec:\dpvpp.exe107⤵PID:2912
-
\??\c:\rrfrlxf.exec:\rrfrlxf.exe108⤵PID:2924
-
\??\c:\5hbbhh.exec:\5hbbhh.exe109⤵PID:2104
-
\??\c:\thbbhh.exec:\thbbhh.exe110⤵PID:1428
-
\??\c:\jdpjp.exec:\jdpjp.exe111⤵PID:2920
-
\??\c:\xrfxrrx.exec:\xrfxrrx.exe112⤵PID:2364
-
\??\c:\tthnhh.exec:\tthnhh.exe113⤵PID:2044
-
\??\c:\pjjjd.exec:\pjjjd.exe114⤵PID:1480
-
\??\c:\xrfrlxl.exec:\xrfrlxl.exe115⤵PID:2120
-
\??\c:\bnhhhh.exec:\bnhhhh.exe116⤵PID:888
-
\??\c:\jvpvj.exec:\jvpvj.exe117⤵PID:2236
-
\??\c:\9xxlfrx.exec:\9xxlfrx.exe118⤵PID:1596
-
\??\c:\nnnbht.exec:\nnnbht.exe119⤵PID:2000
-
\??\c:\7tthhn.exec:\7tthhn.exe120⤵PID:2380
-
\??\c:\9djdj.exec:\9djdj.exe121⤵PID:2884
-
\??\c:\fxrlxrf.exec:\fxrlxrf.exe122⤵PID:2208