Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20/01/2025, 09:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cc114f4ee21868c5e1806422ac0ee93fc38233fab7544b33b77aafbb609434e6N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
cc114f4ee21868c5e1806422ac0ee93fc38233fab7544b33b77aafbb609434e6N.exe
-
Size
455KB
-
MD5
df722c42c6876bad99492aa2f44902f0
-
SHA1
008d771f81dc3fe27a4330b3897c5389da0e423e
-
SHA256
cc114f4ee21868c5e1806422ac0ee93fc38233fab7544b33b77aafbb609434e6
-
SHA512
011e6cb796bb0ca94ffad1ce9f785f03e4848bafa4035f07868fb298ed6eeda5265246ef867a088dfabb3024429b40c006f6db6d730656abe01c3d84b299755d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2324-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2360-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2432-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-1177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1648-1293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3964 jvdvv.exe 2464 nbthbn.exe 624 jjjdd.exe 4664 1dvjv.exe 4484 lrfrllx.exe 3980 vvvjv.exe 2332 9nnbnn.exe 1924 dvjvp.exe 4728 nbtnbt.exe 2148 xrllxrf.exe 348 thhthb.exe 3664 jvpdp.exe 2020 pjvpd.exe 2928 jvpdv.exe 5100 9nbthn.exe 1992 jvjvj.exe 3944 9hhthh.exe 4760 jvvpj.exe 3736 lflfrlr.exe 2096 7ppdv.exe 440 xllxrlf.exe 2588 tthtnh.exe 1836 thhtht.exe 4812 vjjvp.exe 1500 rllfxrf.exe 2072 rrrllfx.exe 3524 tbhthb.exe 2604 3pjvv.exe 2880 dpjpd.exe 4940 frrxlfx.exe 4732 hhthtn.exe 4828 bbthth.exe 4020 pdjvj.exe 1832 rrrfxlx.exe 2160 rflfxrl.exe 1004 httbnt.exe 4284 7ppdp.exe 688 vpvjp.exe 4292 fllfxrl.exe 1712 7lxrxxr.exe 2692 bbnnbh.exe 1564 jvjvv.exe 1800 vvvpj.exe 3348 xxfxlfl.exe 908 bnhtnb.exe 2360 nnnhth.exe 3296 3jvdj.exe 4140 fffrfrf.exe 1612 5bbttt.exe 1144 5pdvj.exe 3948 hthttb.exe 2324 ddjvj.exe 4496 rrrfrfl.exe 4400 xxrllff.exe 3136 9bhbnn.exe 384 jjddv.exe 5064 1jdpj.exe 368 hthnnh.exe 4952 vjpjd.exe 4960 rrxrxrx.exe 4468 rlrlxfr.exe 2200 hnnbnb.exe 3644 htbbtt.exe 4972 pppjd.exe -
resource yara_rule behavioral2/memory/2324-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-210-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2360-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-322-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4172-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-716-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here: the processes read the registry value HKLM\SYSTEM\ControlSet001\Control\NLS\Language). Note that this key is also read by many legitimate runtimes during locale initialisation, so on its own it is a low-fidelity indicator; weigh it together with the Blackmoon YARA matches, the UPX-packed memory regions and the long chain of dropped executables listed below.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lxrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cc114f4ee21868c5e1806422ac0ee93fc38233fab7544b33b77aafbb609434e6N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2324 wrote to memory of 3964 2324 cc114f4ee21868c5e1806422ac0ee93fc38233fab7544b33b77aafbb609434e6N.exe 82 PID 2324 wrote to memory of 3964 2324 cc114f4ee21868c5e1806422ac0ee93fc38233fab7544b33b77aafbb609434e6N.exe 82 PID 2324 wrote to memory of 3964 2324 cc114f4ee21868c5e1806422ac0ee93fc38233fab7544b33b77aafbb609434e6N.exe 82 PID 3964 wrote to memory of 2464 3964 jvdvv.exe 83 PID 3964 wrote to memory of 2464 3964 jvdvv.exe 83 PID 3964 wrote to memory of 2464 3964 jvdvv.exe 83 PID 2464 wrote to memory of 624 2464 nbthbn.exe 84 PID 2464 wrote to memory of 624 2464 nbthbn.exe 84 PID 2464 wrote to memory of 624 2464 nbthbn.exe 84 PID 624 wrote to memory of 4664 624 jjjdd.exe 85 PID 624 wrote to memory of 4664 624 jjjdd.exe 85 PID 624 wrote to memory of 4664 624 jjjdd.exe 85 PID 4664 wrote to memory of 4484 4664 1dvjv.exe 86 PID 4664 wrote to memory of 4484 4664 1dvjv.exe 86 PID 4664 wrote to memory of 4484 4664 1dvjv.exe 86 PID 4484 wrote to memory of 3980 4484 lrfrllx.exe 87 PID 4484 wrote to memory of 3980 4484 lrfrllx.exe 87 PID 4484 wrote to memory of 3980 4484 lrfrllx.exe 87 PID 3980 wrote to memory of 2332 3980 vvvjv.exe 88 PID 3980 wrote to memory of 2332 3980 vvvjv.exe 88 PID 3980 wrote to memory of 2332 3980 vvvjv.exe 88 PID 2332 wrote to memory of 1924 2332 9nnbnn.exe 89 PID 2332 wrote to memory of 1924 2332 9nnbnn.exe 89 PID 2332 wrote to memory of 1924 2332 9nnbnn.exe 89 PID 1924 wrote to memory of 4728 1924 dvjvp.exe 90 PID 1924 wrote to memory of 4728 1924 dvjvp.exe 90 PID 1924 wrote to memory of 4728 1924 dvjvp.exe 90 PID 4728 wrote to memory of 2148 4728 nbtnbt.exe 91 PID 4728 wrote to memory of 2148 4728 nbtnbt.exe 91 PID 4728 wrote to memory of 2148 4728 nbtnbt.exe 91 PID 2148 wrote to memory of 348 2148 xrllxrf.exe 92 PID 2148 wrote to memory of 348 2148 xrllxrf.exe 92 PID 2148 wrote to memory of 348 2148 xrllxrf.exe 92 PID 348 wrote to memory of 3664 348 thhthb.exe 93 PID 348 wrote to memory of 3664 348 
thhthb.exe 93 PID 348 wrote to memory of 3664 348 thhthb.exe 93 PID 3664 wrote to memory of 2020 3664 jvpdp.exe 94 PID 3664 wrote to memory of 2020 3664 jvpdp.exe 94 PID 3664 wrote to memory of 2020 3664 jvpdp.exe 94 PID 2020 wrote to memory of 2928 2020 pjvpd.exe 95 PID 2020 wrote to memory of 2928 2020 pjvpd.exe 95 PID 2020 wrote to memory of 2928 2020 pjvpd.exe 95 PID 2928 wrote to memory of 5100 2928 jvpdv.exe 96 PID 2928 wrote to memory of 5100 2928 jvpdv.exe 96 PID 2928 wrote to memory of 5100 2928 jvpdv.exe 96 PID 5100 wrote to memory of 1992 5100 9nbthn.exe 97 PID 5100 wrote to memory of 1992 5100 9nbthn.exe 97 PID 5100 wrote to memory of 1992 5100 9nbthn.exe 97 PID 1992 wrote to memory of 3944 1992 jvjvj.exe 98 PID 1992 wrote to memory of 3944 1992 jvjvj.exe 98 PID 1992 wrote to memory of 3944 1992 jvjvj.exe 98 PID 3944 wrote to memory of 4760 3944 9hhthh.exe 99 PID 3944 wrote to memory of 4760 3944 9hhthh.exe 99 PID 3944 wrote to memory of 4760 3944 9hhthh.exe 99 PID 4760 wrote to memory of 3736 4760 jvvpj.exe 100 PID 4760 wrote to memory of 3736 4760 jvvpj.exe 100 PID 4760 wrote to memory of 3736 4760 jvvpj.exe 100 PID 3736 wrote to memory of 2096 3736 lflfrlr.exe 101 PID 3736 wrote to memory of 2096 3736 lflfrlr.exe 101 PID 3736 wrote to memory of 2096 3736 lflfrlr.exe 101 PID 2096 wrote to memory of 440 2096 7ppdv.exe 102 PID 2096 wrote to memory of 440 2096 7ppdv.exe 102 PID 2096 wrote to memory of 440 2096 7ppdv.exe 102 PID 440 wrote to memory of 2588 440 xllxrlf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc114f4ee21868c5e1806422ac0ee93fc38233fab7544b33b77aafbb609434e6N.exe"C:\Users\Admin\AppData\Local\Temp\cc114f4ee21868c5e1806422ac0ee93fc38233fab7544b33b77aafbb609434e6N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
\??\c:\jvdvv.exec:\jvdvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\nbthbn.exec:\nbthbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\jjjdd.exec:\jjjdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\1dvjv.exec:\1dvjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\lrfrllx.exec:\lrfrllx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\vvvjv.exec:\vvvjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\9nnbnn.exec:\9nnbnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\dvjvp.exec:\dvjvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\nbtnbt.exec:\nbtnbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\xrllxrf.exec:\xrllxrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\thhthb.exec:\thhthb.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\jvpdp.exec:\jvpdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\pjvpd.exec:\pjvpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\jvpdv.exec:\jvpdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\9nbthn.exec:\9nbthn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\jvjvj.exec:\jvjvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\9hhthh.exec:\9hhthh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\jvvpj.exec:\jvvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\lflfrlr.exec:\lflfrlr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
\??\c:\7ppdv.exec:\7ppdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\xllxrlf.exec:\xllxrlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\tthtnh.exec:\tthtnh.exe23⤵
- Executes dropped EXE
PID:2588 -
\??\c:\thhtht.exec:\thhtht.exe24⤵
- Executes dropped EXE
PID:1836 -
\??\c:\vjjvp.exec:\vjjvp.exe25⤵
- Executes dropped EXE
PID:4812 -
\??\c:\rllfxrf.exec:\rllfxrf.exe26⤵
- Executes dropped EXE
PID:1500 -
\??\c:\rrrllfx.exec:\rrrllfx.exe27⤵
- Executes dropped EXE
PID:2072 -
\??\c:\tbhthb.exec:\tbhthb.exe28⤵
- Executes dropped EXE
PID:3524 -
\??\c:\3pjvv.exec:\3pjvv.exe29⤵
- Executes dropped EXE
PID:2604 -
\??\c:\dpjpd.exec:\dpjpd.exe30⤵
- Executes dropped EXE
PID:2880 -
\??\c:\frrxlfx.exec:\frrxlfx.exe31⤵
- Executes dropped EXE
PID:4940 -
\??\c:\hhthtn.exec:\hhthtn.exe32⤵
- Executes dropped EXE
PID:4732 -
\??\c:\bbthth.exec:\bbthth.exe33⤵
- Executes dropped EXE
PID:4828 -
\??\c:\pdjvj.exec:\pdjvj.exe34⤵
- Executes dropped EXE
PID:4020 -
\??\c:\rrrfxlx.exec:\rrrfxlx.exe35⤵
- Executes dropped EXE
PID:1832 -
\??\c:\rflfxrl.exec:\rflfxrl.exe36⤵
- Executes dropped EXE
PID:2160 -
\??\c:\httbnt.exec:\httbnt.exe37⤵
- Executes dropped EXE
PID:1004 -
\??\c:\7ppdp.exec:\7ppdp.exe38⤵
- Executes dropped EXE
PID:4284 -
\??\c:\vpvjp.exec:\vpvjp.exe39⤵
- Executes dropped EXE
PID:688 -
\??\c:\fllfxrl.exec:\fllfxrl.exe40⤵
- Executes dropped EXE
PID:4292 -
\??\c:\7lxrxxr.exec:\7lxrxxr.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712 -
\??\c:\bbnnbh.exec:\bbnnbh.exe42⤵
- Executes dropped EXE
PID:2692 -
\??\c:\jvjvv.exec:\jvjvv.exe43⤵
- Executes dropped EXE
PID:1564 -
\??\c:\vvvpj.exec:\vvvpj.exe44⤵
- Executes dropped EXE
PID:1800 -
\??\c:\xxfxlfl.exec:\xxfxlfl.exe45⤵
- Executes dropped EXE
PID:3348 -
\??\c:\bnhtnb.exec:\bnhtnb.exe46⤵
- Executes dropped EXE
PID:908 -
\??\c:\nnnhth.exec:\nnnhth.exe47⤵
- Executes dropped EXE
PID:2360 -
\??\c:\3jvdj.exec:\3jvdj.exe48⤵
- Executes dropped EXE
PID:3296 -
\??\c:\fffrfrf.exec:\fffrfrf.exe49⤵
- Executes dropped EXE
PID:4140 -
\??\c:\5bbttt.exec:\5bbttt.exe50⤵
- Executes dropped EXE
PID:1612 -
\??\c:\5pdvj.exec:\5pdvj.exe51⤵
- Executes dropped EXE
PID:1144 -
\??\c:\hthttb.exec:\hthttb.exe52⤵
- Executes dropped EXE
PID:3948 -
\??\c:\ddjvj.exec:\ddjvj.exe53⤵
- Executes dropped EXE
PID:2324 -
\??\c:\rrrfrfl.exec:\rrrfrfl.exe54⤵
- Executes dropped EXE
PID:4496 -
\??\c:\xxrllff.exec:\xxrllff.exe55⤵
- Executes dropped EXE
PID:4400 -
\??\c:\9bhbnn.exec:\9bhbnn.exe56⤵
- Executes dropped EXE
PID:3136 -
\??\c:\jjddv.exec:\jjddv.exe57⤵
- Executes dropped EXE
PID:384 -
\??\c:\1jdpj.exec:\1jdpj.exe58⤵
- Executes dropped EXE
PID:5064 -
\??\c:\hthnnh.exec:\hthnnh.exe59⤵
- Executes dropped EXE
PID:368 -
\??\c:\vjpjd.exec:\vjpjd.exe60⤵
- Executes dropped EXE
PID:4952 -
\??\c:\rrxrxrx.exec:\rrxrxrx.exe61⤵
- Executes dropped EXE
PID:4960 -
\??\c:\rlrlxfr.exec:\rlrlxfr.exe62⤵
- Executes dropped EXE
PID:4468 -
\??\c:\hnnbnb.exec:\hnnbnb.exe63⤵
- Executes dropped EXE
PID:2200 -
\??\c:\htbbtt.exec:\htbbtt.exe64⤵
- Executes dropped EXE
PID:3644 -
\??\c:\pppjd.exec:\pppjd.exe65⤵
- Executes dropped EXE
PID:4972 -
\??\c:\5rrfrlf.exec:\5rrfrlf.exe66⤵PID:2760
-
\??\c:\btbnbt.exec:\btbnbt.exe67⤵PID:2432
-
\??\c:\7rlfrlf.exec:\7rlfrlf.exe68⤵PID:4532
-
\??\c:\5ttnhb.exec:\5ttnhb.exe69⤵PID:800
-
\??\c:\nbhtnn.exec:\nbhtnn.exe70⤵PID:2456
-
\??\c:\9dpjv.exec:\9dpjv.exe71⤵PID:4172
-
\??\c:\xffrfrl.exec:\xffrfrl.exe72⤵PID:2780
-
\??\c:\httthn.exec:\httthn.exe73⤵PID:3028
-
\??\c:\tnhbnh.exec:\tnhbnh.exe74⤵PID:2736
-
\??\c:\jdvvp.exec:\jdvvp.exe75⤵PID:3484
-
\??\c:\3frxlfx.exec:\3frxlfx.exe76⤵PID:2720
-
\??\c:\ttbthb.exec:\ttbthb.exe77⤵PID:3708
-
\??\c:\hbnhnh.exec:\hbnhnh.exe78⤵PID:3444
-
\??\c:\5xlfrrl.exec:\5xlfrrl.exe79⤵PID:4840
-
\??\c:\xlrfxrf.exec:\xlrfxrf.exe80⤵PID:3232
-
\??\c:\bthbtn.exec:\bthbtn.exe81⤵PID:4524
-
\??\c:\dvvvp.exec:\dvvvp.exe82⤵PID:3768
-
\??\c:\pvjdv.exec:\pvjdv.exe83⤵PID:2596
-
\??\c:\lfrllll.exec:\lfrllll.exe84⤵
- System Location Discovery: System Language Discovery
PID:1568 -
\??\c:\nhttbh.exec:\nhttbh.exe85⤵PID:440
-
\??\c:\jpvjv.exec:\jpvjv.exe86⤵PID:400
-
\??\c:\xrrfrfx.exec:\xrrfrfx.exe87⤵PID:740
-
\??\c:\bbhbhb.exec:\bbhbhb.exe88⤵PID:5052
-
\??\c:\5jdvp.exec:\5jdvp.exe89⤵PID:2072
-
\??\c:\pjpjv.exec:\pjpjv.exe90⤵PID:1624
-
\??\c:\lfrfrlf.exec:\lfrfrlf.exe91⤵PID:1088
-
\??\c:\thhtnh.exec:\thhtnh.exe92⤵PID:4928
-
\??\c:\pdvpv.exec:\pdvpv.exe93⤵PID:3916
-
\??\c:\vddpj.exec:\vddpj.exe94⤵PID:1632
-
\??\c:\3rlfxxr.exec:\3rlfxxr.exe95⤵PID:4220
-
\??\c:\hbhhbb.exec:\hbhhbb.exe96⤵PID:3408
-
\??\c:\5jjdp.exec:\5jjdp.exe97⤵PID:1600
-
\??\c:\3xxlxlx.exec:\3xxlxlx.exe98⤵PID:4004
-
\??\c:\xfffxxr.exec:\xfffxxr.exe99⤵PID:2608
-
\??\c:\bhnhtn.exec:\bhnhtn.exe100⤵PID:1004
-
\??\c:\7djdp.exec:\7djdp.exe101⤵PID:2316
-
\??\c:\flrfrfr.exec:\flrfrfr.exe102⤵PID:1040
-
\??\c:\rflffrx.exec:\rflffrx.exe103⤵PID:4844
-
\??\c:\hbtntn.exec:\hbtntn.exe104⤵PID:2384
-
\??\c:\pjvpp.exec:\pjvpp.exe105⤵PID:1676
-
\??\c:\pddpd.exec:\pddpd.exe106⤵PID:5076
-
\??\c:\lrfrfrl.exec:\lrfrfrl.exe107⤵PID:2600
-
\??\c:\1rfrfxl.exec:\1rfrfxl.exe108⤵PID:1800
-
\??\c:\7tnhbt.exec:\7tnhbt.exe109⤵PID:3120
-
\??\c:\dvvdp.exec:\dvvdp.exe110⤵PID:3348
-
\??\c:\rrrlrrl.exec:\rrrlrrl.exe111⤵PID:4784
-
\??\c:\bbthtt.exec:\bbthtt.exe112⤵PID:1284
-
\??\c:\jvdpv.exec:\jvdpv.exe113⤵PID:2052
-
\??\c:\rrxrlfx.exec:\rrxrlfx.exe114⤵PID:4916
-
\??\c:\bntttt.exec:\bntttt.exe115⤵PID:3108
-
\??\c:\pdvpj.exec:\pdvpj.exe116⤵PID:4364
-
\??\c:\ddjdv.exec:\ddjdv.exe117⤵PID:1612
-
\??\c:\7xlfxfx.exec:\7xlfxfx.exe118⤵PID:2312
-
\??\c:\hbtnbb.exec:\hbtnbb.exe119⤵PID:3948
-
\??\c:\pdvvp.exec:\pdvvp.exe120⤵PID:2324
-
\??\c:\pdddv.exec:\pdddv.exe121⤵PID:4328
-
\??\c:\fxrlfrr.exec:\fxrlfrr.exe122⤵PID:220