Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
28/12/2024, 02:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe
-
Size
456KB
-
MD5
99b19db190a700077b66f0fb212ca59f
-
SHA1
b0199d5796e89cec99ac5250e7d738b4a891ad54
-
SHA256
cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034
-
SHA512
23a2f8a595b669ebf0646aea5bcfda29f435ed07e4dea63db4ec532bec053f2c3c5a18b7e367e388ed3143562ca22cd1d08413778d414617df3fdb3f866e28c1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRh:q7Tc2NYHUrAwfMp3CDRh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/2404-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2092-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2980-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-84-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/3056-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/664-108-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1200-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1200-124-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1984-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-162-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1692-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1548-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/688-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1152-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-302-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2084-303-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2784-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1524-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/832-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1212-413-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2920-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1660-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-459-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/604-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-519-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1964-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-626-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/776-689-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2148-708-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/380-733-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2116-758-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2276-765-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/848-796-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1628-813-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/532-841-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1440-849-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1420-1105-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1624-1113-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2544 rflrrxf.exe 2092 3dppd.exe 2460 9dpjj.exe 2736 5httbb.exe 2980 3jpjp.exe 2788 ppdvp.exe 2944 nhnnbb.exe 2672 xfflxfx.exe 2644 nbnhnn.exe 3056 vdpvd.exe 664 lxfxxxl.exe 1052 tthhnb.exe 1200 dvjpj.exe 2920 dvddj.exe 1716 3tntbb.exe 1372 vpvpv.exe 1508 xffrfrf.exe 1984 pjjjv.exe 1692 jvjpd.exe 2200 bthhnn.exe 840 vjvpp.exe 2356 7htntt.exe 1548 1djpv.exe 1708 1lxxrrr.exe 2000 3ntnnb.exe 688 7pvpp.exe 2292 rlxfrxf.exe 1552 dpdvv.exe 1848 rrxrxxx.exe 1152 7jvpp.exe 2008 vjpjp.exe 3036 lxlfrrx.exe 2084 btbttb.exe 2552 dpjjj.exe 2576 5dpdd.exe 560 1lrlrrr.exe 2872 lflxxxf.exe 2784 nhhhbb.exe 2884 dpvvv.exe 2904 frxxffl.exe 2632 lflrffl.exe 1524 htthhb.exe 2892 jvdpj.exe 2692 7rrrrlx.exe 2260 lflrrxf.exe 2796 thtttn.exe 1572 bnbhhb.exe 832 7dvpj.exe 1212 9frlrxf.exe 1200 3fxxxrx.exe 2920 bntnnh.exe 1992 vdppj.exe 952 5xfllrr.exe 2844 frrrlrf.exe 1660 ntthhh.exe 1584 vjvjd.exe 1616 dpdvv.exe 1692 lrlxlrf.exe 2276 bnbhnn.exe 2804 vjvpv.exe 2308 xfllfff.exe 1300 3flxxrr.exe 604 9ntthh.exe 948 7bnnnn.exe -
resource yara_rule behavioral1/memory/2404-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3056-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1200-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-281-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1848-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/604-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-758-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2556-816-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-856-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-978-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1504-993-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-992-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/1852-1031-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2404 wrote to memory of 2544 2404 cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe 30 PID 2404 wrote to memory of 2544 2404 cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe 30 PID 2404 wrote to memory of 2544 2404 cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe 30 PID 2404 wrote to memory of 2544 2404 cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe 30 PID 2544 wrote to memory of 2092 2544 rflrrxf.exe 31 PID 2544 wrote to memory of 2092 2544 rflrrxf.exe 31 PID 2544 wrote to memory of 2092 2544 rflrrxf.exe 31 PID 2544 wrote to memory of 2092 2544 rflrrxf.exe 31 PID 2092 wrote to memory of 2460 2092 3dppd.exe 32 PID 2092 wrote to memory of 2460 2092 3dppd.exe 32 PID 2092 wrote to memory of 2460 2092 3dppd.exe 32 PID 2092 wrote to memory of 2460 2092 3dppd.exe 32 PID 2460 wrote to memory of 2736 2460 9dpjj.exe 33 PID 2460 wrote to memory of 2736 2460 9dpjj.exe 33 PID 2460 wrote to memory of 2736 2460 9dpjj.exe 33 PID 2460 wrote to memory of 2736 2460 9dpjj.exe 33 PID 2736 wrote to memory of 2980 2736 5httbb.exe 34 PID 2736 wrote to memory of 2980 2736 5httbb.exe 34 PID 2736 wrote to memory of 2980 2736 5httbb.exe 34 PID 2736 wrote to memory of 2980 2736 5httbb.exe 34 PID 2980 wrote to memory of 2788 2980 3jpjp.exe 35 PID 2980 wrote to memory of 2788 2980 3jpjp.exe 35 PID 2980 wrote to memory of 2788 2980 3jpjp.exe 35 PID 2980 wrote to memory of 2788 2980 3jpjp.exe 35 PID 2788 wrote to memory of 2944 2788 ppdvp.exe 36 PID 2788 wrote to memory of 2944 2788 ppdvp.exe 36 PID 2788 wrote to memory of 2944 2788 ppdvp.exe 36 PID 2788 wrote to memory of 2944 2788 ppdvp.exe 36 PID 2944 wrote to memory of 2672 2944 nhnnbb.exe 37 PID 2944 wrote to memory of 2672 2944 nhnnbb.exe 37 PID 2944 wrote to memory of 2672 2944 nhnnbb.exe 37 PID 2944 wrote to memory of 2672 2944 nhnnbb.exe 37 PID 2672 wrote to memory of 2644 2672 xfflxfx.exe 38 PID 2672 wrote to memory 
of 2644 2672 xfflxfx.exe 38 PID 2672 wrote to memory of 2644 2672 xfflxfx.exe 38 PID 2672 wrote to memory of 2644 2672 xfflxfx.exe 38 PID 2644 wrote to memory of 3056 2644 nbnhnn.exe 39 PID 2644 wrote to memory of 3056 2644 nbnhnn.exe 39 PID 2644 wrote to memory of 3056 2644 nbnhnn.exe 39 PID 2644 wrote to memory of 3056 2644 nbnhnn.exe 39 PID 3056 wrote to memory of 664 3056 vdpvd.exe 40 PID 3056 wrote to memory of 664 3056 vdpvd.exe 40 PID 3056 wrote to memory of 664 3056 vdpvd.exe 40 PID 3056 wrote to memory of 664 3056 vdpvd.exe 40 PID 664 wrote to memory of 1052 664 lxfxxxl.exe 41 PID 664 wrote to memory of 1052 664 lxfxxxl.exe 41 PID 664 wrote to memory of 1052 664 lxfxxxl.exe 41 PID 664 wrote to memory of 1052 664 lxfxxxl.exe 41 PID 1052 wrote to memory of 1200 1052 tthhnb.exe 42 PID 1052 wrote to memory of 1200 1052 tthhnb.exe 42 PID 1052 wrote to memory of 1200 1052 tthhnb.exe 42 PID 1052 wrote to memory of 1200 1052 tthhnb.exe 42 PID 1200 wrote to memory of 2920 1200 dvjpj.exe 43 PID 1200 wrote to memory of 2920 1200 dvjpj.exe 43 PID 1200 wrote to memory of 2920 1200 dvjpj.exe 43 PID 1200 wrote to memory of 2920 1200 dvjpj.exe 43 PID 2920 wrote to memory of 1716 2920 dvddj.exe 44 PID 2920 wrote to memory of 1716 2920 dvddj.exe 44 PID 2920 wrote to memory of 1716 2920 dvddj.exe 44 PID 2920 wrote to memory of 1716 2920 dvddj.exe 44 PID 1716 wrote to memory of 1372 1716 3tntbb.exe 45 PID 1716 wrote to memory of 1372 1716 3tntbb.exe 45 PID 1716 wrote to memory of 1372 1716 3tntbb.exe 45 PID 1716 wrote to memory of 1372 1716 3tntbb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe"C:\Users\Admin\AppData\Local\Temp\cc42dbcb9a9be80b9ca1f5c2f58f5b25f8b49b6dad0dac0a55f3f3c16eed0034.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\rflrrxf.exec:\rflrrxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\3dppd.exec:\3dppd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\9dpjj.exec:\9dpjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\5httbb.exec:\5httbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\3jpjp.exec:\3jpjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\ppdvp.exec:\ppdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\nhnnbb.exec:\nhnnbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\xfflxfx.exec:\xfflxfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\nbnhnn.exec:\nbnhnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\vdpvd.exec:\vdpvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\lxfxxxl.exec:\lxfxxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
\??\c:\tthhnb.exec:\tthhnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\dvjpj.exec:\dvjpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\dvddj.exec:\dvddj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\3tntbb.exec:\3tntbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\vpvpv.exec:\vpvpv.exe17⤵
- Executes dropped EXE
PID:1372 -
\??\c:\xffrfrf.exec:\xffrfrf.exe18⤵
- Executes dropped EXE
PID:1508 -
\??\c:\pjjjv.exec:\pjjjv.exe19⤵
- Executes dropped EXE
PID:1984 -
\??\c:\jvjpd.exec:\jvjpd.exe20⤵
- Executes dropped EXE
PID:1692 -
\??\c:\bthhnn.exec:\bthhnn.exe21⤵
- Executes dropped EXE
PID:2200 -
\??\c:\vjvpp.exec:\vjvpp.exe22⤵
- Executes dropped EXE
PID:840 -
\??\c:\7htntt.exec:\7htntt.exe23⤵
- Executes dropped EXE
PID:2356 -
\??\c:\1djpv.exec:\1djpv.exe24⤵
- Executes dropped EXE
PID:1548 -
\??\c:\1lxxrrr.exec:\1lxxrrr.exe25⤵
- Executes dropped EXE
PID:1708 -
\??\c:\3ntnnb.exec:\3ntnnb.exe26⤵
- Executes dropped EXE
PID:2000 -
\??\c:\7pvpp.exec:\7pvpp.exe27⤵
- Executes dropped EXE
PID:688 -
\??\c:\rlxfrxf.exec:\rlxfrxf.exe28⤵
- Executes dropped EXE
PID:2292 -
\??\c:\dpdvv.exec:\dpdvv.exe29⤵
- Executes dropped EXE
PID:1552 -
\??\c:\rrxrxxx.exec:\rrxrxxx.exe30⤵
- Executes dropped EXE
PID:1848 -
\??\c:\7jvpp.exec:\7jvpp.exe31⤵
- Executes dropped EXE
PID:1152 -
\??\c:\vjpjp.exec:\vjpjp.exe32⤵
- Executes dropped EXE
PID:2008 -
\??\c:\lxlfrrx.exec:\lxlfrrx.exe33⤵
- Executes dropped EXE
PID:3036 -
\??\c:\btbttb.exec:\btbttb.exe34⤵
- Executes dropped EXE
PID:2084 -
\??\c:\dpjjj.exec:\dpjjj.exe35⤵
- Executes dropped EXE
PID:2552 -
\??\c:\5dpdd.exec:\5dpdd.exe36⤵
- Executes dropped EXE
PID:2576 -
\??\c:\1lrlrrr.exec:\1lrlrrr.exe37⤵
- Executes dropped EXE
PID:560 -
\??\c:\lflxxxf.exec:\lflxxxf.exe38⤵
- Executes dropped EXE
PID:2872 -
\??\c:\nhhhbb.exec:\nhhhbb.exe39⤵
- Executes dropped EXE
PID:2784 -
\??\c:\dpvvv.exec:\dpvvv.exe40⤵
- Executes dropped EXE
PID:2884 -
\??\c:\frxxffl.exec:\frxxffl.exe41⤵
- Executes dropped EXE
PID:2904 -
\??\c:\lflrffl.exec:\lflrffl.exe42⤵
- Executes dropped EXE
PID:2632 -
\??\c:\htthhb.exec:\htthhb.exe43⤵
- Executes dropped EXE
PID:1524 -
\??\c:\jvdpj.exec:\jvdpj.exe44⤵
- Executes dropped EXE
PID:2892 -
\??\c:\7rrrrlx.exec:\7rrrrlx.exe45⤵
- Executes dropped EXE
PID:2692 -
\??\c:\lflrrxf.exec:\lflrrxf.exe46⤵
- Executes dropped EXE
PID:2260 -
\??\c:\thtttn.exec:\thtttn.exe47⤵
- Executes dropped EXE
PID:2796 -
\??\c:\bnbhhb.exec:\bnbhhb.exe48⤵
- Executes dropped EXE
PID:1572 -
\??\c:\7dvpj.exec:\7dvpj.exe49⤵
- Executes dropped EXE
PID:832 -
\??\c:\9frlrxf.exec:\9frlrxf.exe50⤵
- Executes dropped EXE
PID:1212 -
\??\c:\3fxxxrx.exec:\3fxxxrx.exe51⤵
- Executes dropped EXE
PID:1200 -
\??\c:\bntnnh.exec:\bntnnh.exe52⤵
- Executes dropped EXE
PID:2920 -
\??\c:\vdppj.exec:\vdppj.exe53⤵
- Executes dropped EXE
PID:1992 -
\??\c:\5xfllrr.exec:\5xfllrr.exe54⤵
- Executes dropped EXE
PID:952 -
\??\c:\frrrlrf.exec:\frrrlrf.exe55⤵
- Executes dropped EXE
PID:2844 -
\??\c:\ntthhh.exec:\ntthhh.exe56⤵
- Executes dropped EXE
PID:1660 -
\??\c:\vjvjd.exec:\vjvjd.exe57⤵
- Executes dropped EXE
PID:1584 -
\??\c:\dpdvv.exec:\dpdvv.exe58⤵
- Executes dropped EXE
PID:1616 -
\??\c:\lrlxlrf.exec:\lrlxlrf.exe59⤵
- Executes dropped EXE
PID:1692 -
\??\c:\bnbhnn.exec:\bnbhnn.exe60⤵
- Executes dropped EXE
PID:2276 -
\??\c:\vjvpv.exec:\vjvpv.exe61⤵
- Executes dropped EXE
PID:2804 -
\??\c:\xfllfff.exec:\xfllfff.exe62⤵
- Executes dropped EXE
PID:2308 -
\??\c:\3flxxrr.exec:\3flxxrr.exe63⤵
- Executes dropped EXE
PID:1300 -
\??\c:\9ntthh.exec:\9ntthh.exe64⤵
- Executes dropped EXE
PID:604 -
\??\c:\7bnnnn.exec:\7bnnnn.exe65⤵
- Executes dropped EXE
PID:948 -
\??\c:\dvddj.exec:\dvddj.exe66⤵PID:1728
-
\??\c:\frlfffr.exec:\frlfffr.exe67⤵PID:2000
-
\??\c:\7rlrlrx.exec:\7rlrlrx.exe68⤵PID:1604
-
\??\c:\hhtntt.exec:\hhtntt.exe69⤵PID:1964
-
\??\c:\dpddj.exec:\dpddj.exe70⤵PID:2028
-
\??\c:\5frrrlf.exec:\5frrrlf.exe71⤵PID:2128
-
\??\c:\rflfxxx.exec:\rflfxxx.exe72⤵PID:2392
-
\??\c:\tbtnhh.exec:\tbtnhh.exe73⤵PID:2312
-
\??\c:\jpvpd.exec:\jpvpd.exe74⤵PID:2004
-
\??\c:\5vjjd.exec:\5vjjd.exe75⤵PID:1436
-
\??\c:\frxxxlr.exec:\frxxxlr.exe76⤵PID:1644
-
\??\c:\tnbtth.exec:\tnbtth.exe77⤵PID:1528
-
\??\c:\bnbhnn.exec:\bnbhnn.exe78⤵PID:1032
-
\??\c:\vpddd.exec:\vpddd.exe79⤵PID:2768
-
\??\c:\5vdvd.exec:\5vdvd.exe80⤵PID:2864
-
\??\c:\3thbbb.exec:\3thbbb.exe81⤵PID:2772
-
\??\c:\1bhbbt.exec:\1bhbbt.exe82⤵PID:2880
-
\??\c:\jpdvv.exec:\jpdvv.exe83⤵PID:2820
-
\??\c:\jdpjp.exec:\jdpjp.exe84⤵PID:2896
-
\??\c:\rflffxl.exec:\rflffxl.exe85⤵PID:2652
-
\??\c:\1nbnnn.exec:\1nbnnn.exe86⤵PID:1524
-
\??\c:\htbnnn.exec:\htbnnn.exe87⤵PID:2700
-
\??\c:\pjvvd.exec:\pjvvd.exe88⤵PID:2644
-
\??\c:\lxffrll.exec:\lxffrll.exe89⤵PID:2748
-
\??\c:\3rfxrrr.exec:\3rfxrrr.exe90⤵PID:1592
-
\??\c:\9tbtnh.exec:\9tbtnh.exe91⤵PID:664
-
\??\c:\dpdvd.exec:\dpdvd.exe92⤵PID:776
-
\??\c:\vjvvd.exec:\vjvvd.exe93⤵PID:2040
-
\??\c:\xlrxrxl.exec:\xlrxrxl.exe94⤵
- System Location Discovery: System Language Discovery
PID:1112 -
\??\c:\tbbbbb.exec:\tbbbbb.exe95⤵PID:2148
-
\??\c:\hbnhhh.exec:\hbnhhh.exe96⤵PID:1504
-
\??\c:\3ddvv.exec:\3ddvv.exe97⤵PID:1372
-
\??\c:\9xfrlfl.exec:\9xfrlfl.exe98⤵PID:952
-
\??\c:\rfrxrrx.exec:\rfrxrrx.exe99⤵PID:380
-
\??\c:\hthbbb.exec:\hthbbb.exe100⤵PID:2264
-
\??\c:\pdddd.exec:\pdddd.exe101⤵PID:1832
-
\??\c:\9djjd.exec:\9djjd.exe102⤵PID:2472
-
\??\c:\frflllr.exec:\frflllr.exe103⤵PID:2116
-
\??\c:\bhnhhh.exec:\bhnhhh.exe104⤵PID:2276
-
\??\c:\3hnhbt.exec:\3hnhbt.exe105⤵PID:2176
-
\??\c:\jvvvj.exec:\jvvvj.exe106⤵PID:1968
-
\??\c:\dpdjj.exec:\dpdjj.exe107⤵PID:1936
-
\??\c:\fxffrrf.exec:\fxffrrf.exe108⤵PID:2316
-
\??\c:\tnhhnn.exec:\tnhhnn.exe109⤵PID:848
-
\??\c:\1tbtnn.exec:\1tbtnn.exe110⤵PID:1216
-
\??\c:\jvjdj.exec:\jvjdj.exe111⤵PID:2000
-
\??\c:\fxllrrf.exec:\fxllrrf.exe112⤵PID:1628
-
\??\c:\frxfxxr.exec:\frxfxxr.exe113⤵PID:2556
-
\??\c:\bnhhhh.exec:\bnhhhh.exe114⤵PID:2028
-
\??\c:\9jvpp.exec:\9jvpp.exe115⤵PID:1704
-
\??\c:\jvjpv.exec:\jvjpv.exe116⤵
- System Location Discovery: System Language Discovery
PID:532 -
\??\c:\rflfxxx.exec:\rflfxxx.exe117⤵PID:1440
-
\??\c:\xrfxfff.exec:\xrfxfff.exe118⤵PID:2012
-
\??\c:\bntnnn.exec:\bntnnn.exe119⤵PID:1620
-
\??\c:\jvjpd.exec:\jvjpd.exe120⤵PID:2400
-
\??\c:\xxxfxfx.exec:\xxxfxfx.exe121⤵PID:2572
-
\??\c:\xllllxf.exec:\xllllxf.exe122⤵PID:2592