Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 22:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe
-
Size
455KB
-
MD5
e0d00ed264faec5d76d903c971c763e0
-
SHA1
ad09bd392b05e1e7363977bb402f5fb82ff0e1b7
-
SHA256
bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2
-
SHA512
92da5a8971317a490735ef7fbce0ff19a513c585adb5f279e4e015d39fef09cadd399e67311eb4b03c8ea9644b3332db6363b262714ad2b1a9e3bdd6cc3f0a81
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeQ:q7Tc2NYHUrAwfMp3CDQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/2012-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2496-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/636-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1184-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1408-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1408-184-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2780-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1940-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1192-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-259-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon 
behavioral1/memory/2464-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1076-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1752-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/760-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/464-446-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/760-459-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/536-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-534-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1600-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/608-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1932-589-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2424-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-643-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2324-690-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2808-718-0x0000000001C80000-0x0000000001CAA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2064 7jvdj.exe 1764 dpjjj.exe 2496 lfrxfff.exe 2044 bnbbnn.exe 2224 jdvvd.exe 2744 9fxxlrx.exe 2740 tnhntb.exe 2896 vjvvv.exe 2784 rlxfllr.exe 2700 nnnbnh.exe 2652 9dpjj.exe 2244 frxllxf.exe 1668 tntntn.exe 264 pvddd.exe 636 lllfflx.exe 2808 nbhbbb.exe 1184 jjvdp.exe 1548 hnhtnt.exe 1408 vppvd.exe 2780 hbtbht.exe 1940 pjjpd.exe 2284 1lfrxlx.exe 2300 5ttbbh.exe 1144 ddvdv.exe 1780 1lxflxf.exe 1576 tbbhbh.exe 1308 xrlfrxf.exe 1192 nnntnt.exe 2464 1pjvd.exe 1076 flrrlff.exe 1752 9jdjv.exe 1588 lfflrxr.exe 2396 1vpvj.exe 1996 dvpdp.exe 3064 5rrxfrx.exe 2332 thnbhh.exe 2356 1vpjp.exe 1644 llflxxl.exe 2412 hhbnbn.exe 2596 bbtbnn.exe 2552 1vpvd.exe 2924 flflrxl.exe 2876 hbthth.exe 2632 jppjv.exe 2700 jpjpv.exe 2620 3lfrflr.exe 2032 9hhnnn.exe 2840 dvpdp.exe 692 9rflxxl.exe 1760 bhbnbn.exe 756 btttbt.exe 760 7vdvv.exe 464 rrlrfrx.exe 2576 3nnbhh.exe 1200 hhthbh.exe 2984 vpjpj.exe 2328 9xrrflr.exe 1980 nthnbb.exe 2184 tnthnt.exe 1956 vjvvp.exe 536 9frrxfr.exe 1924 7rfxffx.exe 1312 1tnnbh.exe 444 jjdpd.exe -
resource yara_rule behavioral1/memory/2012-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2496-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/636-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1548-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1184-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1076-286-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1752-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1996-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1644-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/760-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/444-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-534-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1600-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/608-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-752-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2012 wrote to memory of 2064 2012 bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe 30 PID 2012 wrote to memory of 2064 2012 bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe 30 PID 2012 wrote to memory of 2064 2012 bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe 30 PID 2012 wrote to memory of 2064 2012 bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe 30 PID 2064 wrote to memory of 1764 2064 7jvdj.exe 31 PID 2064 wrote to memory of 1764 2064 7jvdj.exe 31 PID 2064 wrote to memory of 1764 2064 7jvdj.exe 31 PID 2064 wrote to memory of 1764 2064 7jvdj.exe 31 PID 1764 wrote to memory of 2496 1764 dpjjj.exe 32 PID 1764 wrote to memory of 2496 1764 dpjjj.exe 32 PID 1764 wrote to memory of 2496 1764 dpjjj.exe 32 PID 1764 wrote to memory of 2496 1764 dpjjj.exe 32 PID 2496 wrote to memory of 2044 2496 lfrxfff.exe 33 PID 2496 wrote to memory of 2044 2496 lfrxfff.exe 33 PID 2496 wrote to memory of 2044 2496 lfrxfff.exe 33 PID 2496 wrote to memory of 2044 2496 lfrxfff.exe 33 PID 2044 wrote to memory of 2224 2044 bnbbnn.exe 34 PID 2044 wrote to memory of 2224 2044 bnbbnn.exe 34 PID 2044 wrote to memory of 2224 2044 bnbbnn.exe 34 PID 2044 wrote to memory of 2224 2044 bnbbnn.exe 34 PID 2224 wrote to memory of 2744 2224 jdvvd.exe 35 PID 2224 wrote to memory of 2744 2224 jdvvd.exe 35 PID 2224 wrote to memory of 2744 2224 jdvvd.exe 35 PID 2224 wrote to memory of 2744 2224 jdvvd.exe 35 PID 2744 wrote to memory of 2740 2744 9fxxlrx.exe 36 PID 2744 wrote to memory of 2740 2744 9fxxlrx.exe 36 PID 2744 wrote to memory of 2740 2744 9fxxlrx.exe 36 PID 2744 wrote to memory of 2740 2744 9fxxlrx.exe 36 PID 2740 wrote to memory of 2896 2740 tnhntb.exe 37 PID 2740 wrote to memory of 2896 2740 tnhntb.exe 37 PID 2740 wrote to memory of 2896 2740 tnhntb.exe 37 PID 2740 wrote to memory of 2896 2740 tnhntb.exe 37 PID 2896 wrote to memory of 2784 2896 vjvvv.exe 38 PID 2896 wrote to 
memory of 2784 2896 vjvvv.exe 38 PID 2896 wrote to memory of 2784 2896 vjvvv.exe 38 PID 2896 wrote to memory of 2784 2896 vjvvv.exe 38 PID 2784 wrote to memory of 2700 2784 rlxfllr.exe 39 PID 2784 wrote to memory of 2700 2784 rlxfllr.exe 39 PID 2784 wrote to memory of 2700 2784 rlxfllr.exe 39 PID 2784 wrote to memory of 2700 2784 rlxfllr.exe 39 PID 2700 wrote to memory of 2652 2700 nnnbnh.exe 40 PID 2700 wrote to memory of 2652 2700 nnnbnh.exe 40 PID 2700 wrote to memory of 2652 2700 nnnbnh.exe 40 PID 2700 wrote to memory of 2652 2700 nnnbnh.exe 40 PID 2652 wrote to memory of 2244 2652 9dpjj.exe 41 PID 2652 wrote to memory of 2244 2652 9dpjj.exe 41 PID 2652 wrote to memory of 2244 2652 9dpjj.exe 41 PID 2652 wrote to memory of 2244 2652 9dpjj.exe 41 PID 2244 wrote to memory of 1668 2244 frxllxf.exe 42 PID 2244 wrote to memory of 1668 2244 frxllxf.exe 42 PID 2244 wrote to memory of 1668 2244 frxllxf.exe 42 PID 2244 wrote to memory of 1668 2244 frxllxf.exe 42 PID 1668 wrote to memory of 264 1668 tntntn.exe 43 PID 1668 wrote to memory of 264 1668 tntntn.exe 43 PID 1668 wrote to memory of 264 1668 tntntn.exe 43 PID 1668 wrote to memory of 264 1668 tntntn.exe 43 PID 264 wrote to memory of 636 264 pvddd.exe 44 PID 264 wrote to memory of 636 264 pvddd.exe 44 PID 264 wrote to memory of 636 264 pvddd.exe 44 PID 264 wrote to memory of 636 264 pvddd.exe 44 PID 636 wrote to memory of 2808 636 lllfflx.exe 45 PID 636 wrote to memory of 2808 636 lllfflx.exe 45 PID 636 wrote to memory of 2808 636 lllfflx.exe 45 PID 636 wrote to memory of 2808 636 lllfflx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe"C:\Users\Admin\AppData\Local\Temp\bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\7jvdj.exec:\7jvdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\dpjjj.exec:\dpjjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\lfrxfff.exec:\lfrxfff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\bnbbnn.exec:\bnbbnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\jdvvd.exec:\jdvvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\9fxxlrx.exec:\9fxxlrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\tnhntb.exec:\tnhntb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\vjvvv.exec:\vjvvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\rlxfllr.exec:\rlxfllr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\nnnbnh.exec:\nnnbnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\9dpjj.exec:\9dpjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\frxllxf.exec:\frxllxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\tntntn.exec:\tntntn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\pvddd.exec:\pvddd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\lllfflx.exec:\lllfflx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\nbhbbb.exec:\nbhbbb.exe17⤵
- Executes dropped EXE
PID:2808 -
\??\c:\jjvdp.exec:\jjvdp.exe18⤵
- Executes dropped EXE
PID:1184 -
\??\c:\hnhtnt.exec:\hnhtnt.exe19⤵
- Executes dropped EXE
PID:1548 -
\??\c:\vppvd.exec:\vppvd.exe20⤵
- Executes dropped EXE
PID:1408 -
\??\c:\hbtbht.exec:\hbtbht.exe21⤵
- Executes dropped EXE
PID:2780 -
\??\c:\pjjpd.exec:\pjjpd.exe22⤵
- Executes dropped EXE
PID:1940 -
\??\c:\1lfrxlx.exec:\1lfrxlx.exe23⤵
- Executes dropped EXE
PID:2284 -
\??\c:\5ttbbh.exec:\5ttbbh.exe24⤵
- Executes dropped EXE
PID:2300 -
\??\c:\ddvdv.exec:\ddvdv.exe25⤵
- Executes dropped EXE
PID:1144 -
\??\c:\1lxflxf.exec:\1lxflxf.exe26⤵
- Executes dropped EXE
PID:1780 -
\??\c:\tbbhbh.exec:\tbbhbh.exe27⤵
- Executes dropped EXE
PID:1576 -
\??\c:\xrlfrxf.exec:\xrlfrxf.exe28⤵
- Executes dropped EXE
PID:1308 -
\??\c:\nnntnt.exec:\nnntnt.exe29⤵
- Executes dropped EXE
PID:1192 -
\??\c:\1pjvd.exec:\1pjvd.exe30⤵
- Executes dropped EXE
PID:2464 -
\??\c:\flrrlff.exec:\flrrlff.exe31⤵
- Executes dropped EXE
PID:1076 -
\??\c:\9jdjv.exec:\9jdjv.exe32⤵
- Executes dropped EXE
PID:1752 -
\??\c:\lfflrxr.exec:\lfflrxr.exe33⤵
- Executes dropped EXE
PID:1588 -
\??\c:\1vpvj.exec:\1vpvj.exe34⤵
- Executes dropped EXE
PID:2396 -
\??\c:\dvpdp.exec:\dvpdp.exe35⤵
- Executes dropped EXE
PID:1996 -
\??\c:\5rrxfrx.exec:\5rrxfrx.exe36⤵
- Executes dropped EXE
PID:3064 -
\??\c:\thnbhh.exec:\thnbhh.exe37⤵
- Executes dropped EXE
PID:2332 -
\??\c:\1vpjp.exec:\1vpjp.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356 -
\??\c:\llflxxl.exec:\llflxxl.exe39⤵
- Executes dropped EXE
PID:1644 -
\??\c:\hhbnbn.exec:\hhbnbn.exe40⤵
- Executes dropped EXE
PID:2412 -
\??\c:\bbtbnn.exec:\bbtbnn.exe41⤵
- Executes dropped EXE
PID:2596 -
\??\c:\1vpvd.exec:\1vpvd.exe42⤵
- Executes dropped EXE
PID:2552 -
\??\c:\flflrxl.exec:\flflrxl.exe43⤵
- Executes dropped EXE
PID:2924 -
\??\c:\hbthth.exec:\hbthth.exe44⤵
- Executes dropped EXE
PID:2876 -
\??\c:\jppjv.exec:\jppjv.exe45⤵
- Executes dropped EXE
PID:2632 -
\??\c:\jpjpv.exec:\jpjpv.exe46⤵
- Executes dropped EXE
PID:2700 -
\??\c:\3lfrflr.exec:\3lfrflr.exe47⤵
- Executes dropped EXE
PID:2620 -
\??\c:\9hhnnn.exec:\9hhnnn.exe48⤵
- Executes dropped EXE
PID:2032 -
\??\c:\dvpdp.exec:\dvpdp.exe49⤵
- Executes dropped EXE
PID:2840 -
\??\c:\9rflxxl.exec:\9rflxxl.exe50⤵
- Executes dropped EXE
PID:692 -
\??\c:\bhbnbn.exec:\bhbnbn.exe51⤵
- Executes dropped EXE
PID:1760 -
\??\c:\btttbt.exec:\btttbt.exe52⤵
- Executes dropped EXE
PID:756 -
\??\c:\7vdvv.exec:\7vdvv.exe53⤵
- Executes dropped EXE
PID:760 -
\??\c:\rrlrfrx.exec:\rrlrfrx.exe54⤵
- Executes dropped EXE
PID:464 -
\??\c:\3nnbhh.exec:\3nnbhh.exe55⤵
- Executes dropped EXE
PID:2576 -
\??\c:\hhthbh.exec:\hhthbh.exe56⤵
- Executes dropped EXE
PID:1200 -
\??\c:\vpjpj.exec:\vpjpj.exe57⤵
- Executes dropped EXE
PID:2984 -
\??\c:\9xrrflr.exec:\9xrrflr.exe58⤵
- Executes dropped EXE
PID:2328 -
\??\c:\nthnbb.exec:\nthnbb.exe59⤵
- Executes dropped EXE
PID:1980 -
\??\c:\tnthnt.exec:\tnthnt.exe60⤵
- Executes dropped EXE
PID:2184 -
\??\c:\vjvvp.exec:\vjvvp.exe61⤵
- Executes dropped EXE
PID:1956 -
\??\c:\9frrxfr.exec:\9frrxfr.exe62⤵
- Executes dropped EXE
PID:536 -
\??\c:\7rfxffx.exec:\7rfxffx.exe63⤵
- Executes dropped EXE
PID:1924 -
\??\c:\1tnnbh.exec:\1tnnbh.exe64⤵
- Executes dropped EXE
PID:1312 -
\??\c:\jjdpd.exec:\jjdpd.exe65⤵
- Executes dropped EXE
PID:444 -
\??\c:\xrfflll.exec:\xrfflll.exe66⤵PID:2164
-
\??\c:\rxrlrrx.exec:\rxrlrrx.exe67⤵PID:2176
-
\??\c:\3bhhtb.exec:\3bhhtb.exe68⤵PID:1600
-
\??\c:\1pdjv.exec:\1pdjv.exe69⤵PID:2288
-
\??\c:\djjdv.exec:\djjdv.exe70⤵PID:2056
-
\??\c:\ffxlffx.exec:\ffxlffx.exe71⤵PID:1060
-
\??\c:\tnbhbh.exec:\tnbhbh.exe72⤵PID:608
-
\??\c:\hbtbhn.exec:\hbtbhn.exe73⤵PID:2200
-
\??\c:\jdvpv.exec:\jdvpv.exe74⤵PID:1560
-
\??\c:\xrxflxl.exec:\xrxflxl.exe75⤵PID:1932
-
\??\c:\fxlxflf.exec:\fxlxflf.exe76⤵PID:1944
-
\??\c:\ttnbnn.exec:\ttnbnn.exe77⤵PID:2532
-
\??\c:\dpjpp.exec:\dpjpp.exe78⤵PID:2260
-
\??\c:\1pppd.exec:\1pppd.exe79⤵PID:2424
-
\??\c:\llfrflx.exec:\llfrflx.exe80⤵PID:2776
-
\??\c:\5hhntt.exec:\5hhntt.exe81⤵PID:2716
-
\??\c:\5pdjp.exec:\5pdjp.exe82⤵PID:3000
-
\??\c:\3jvjp.exec:\3jvjp.exe83⤵PID:3028
-
\??\c:\fxrxllf.exec:\fxrxllf.exe84⤵PID:2552
-
\??\c:\bnbhnn.exec:\bnbhnn.exe85⤵PID:2924
-
\??\c:\hhhtnn.exec:\hhhtnn.exe86⤵PID:2624
-
\??\c:\ddvjv.exec:\ddvjv.exe87⤵PID:2632
-
\??\c:\pvvdp.exec:\pvvdp.exe88⤵PID:2636
-
\??\c:\rllrrll.exec:\rllrrll.exe89⤵PID:2620
-
\??\c:\3nbhhb.exec:\3nbhhb.exe90⤵PID:2324
-
\??\c:\nhbbnt.exec:\nhbbnt.exe91⤵PID:2812
-
\??\c:\dvjvj.exec:\dvjvj.exe92⤵PID:784
-
\??\c:\fxrfrfr.exec:\fxrfrfr.exe93⤵PID:1760
-
\??\c:\lfxfrxl.exec:\lfxfrxl.exe94⤵PID:2808
-
\??\c:\nnntnt.exec:\nnntnt.exe95⤵PID:480
-
\??\c:\nnhnbh.exec:\nnhnbh.exe96⤵PID:1184
-
\??\c:\ddvjp.exec:\ddvjp.exe97⤵PID:1548
-
\??\c:\7llrfrf.exec:\7llrfrf.exe98⤵PID:2964
-
\??\c:\xrxlrxf.exec:\xrxlrxf.exe99⤵PID:284
-
\??\c:\tnhtbb.exec:\tnhtbb.exe100⤵PID:2148
-
\??\c:\vpdjv.exec:\vpdjv.exe101⤵PID:1940
-
\??\c:\3dvpd.exec:\3dvpd.exe102⤵PID:2544
-
\??\c:\9rfxffl.exec:\9rfxffl.exe103⤵PID:1860
-
\??\c:\xxflxfl.exec:\xxflxfl.exe104⤵PID:840
-
\??\c:\htthtt.exec:\htthtt.exe105⤵PID:928
-
\??\c:\jddpp.exec:\jddpp.exe106⤵PID:1108
-
\??\c:\jdjjj.exec:\jdjjj.exe107⤵PID:2368
-
\??\c:\1xrrrfl.exec:\1xrrrfl.exe108⤵PID:2468
-
\??\c:\hhhnhn.exec:\hhhnhn.exe109⤵PID:1040
-
\??\c:\bbthbb.exec:\bbthbb.exe110⤵PID:1192
-
\??\c:\vvvvd.exec:\vvvvd.exe111⤵PID:2288
-
\??\c:\jdvdp.exec:\jdvdp.exe112⤵PID:2236
-
\??\c:\3xffrrx.exec:\3xffrrx.exe113⤵PID:1076
-
\??\c:\tnbhtb.exec:\tnbhtb.exe114⤵PID:2220
-
\??\c:\7hhntb.exec:\7hhntb.exe115⤵PID:2188
-
\??\c:\jvpvd.exec:\jvpvd.exe116⤵PID:1044
-
\??\c:\llxfrxr.exec:\llxfrxr.exe117⤵PID:3060
-
\??\c:\rlflfxl.exec:\rlflfxl.exe118⤵PID:1764
-
\??\c:\3nnbbn.exec:\3nnbbn.exe119⤵PID:2372
-
\??\c:\nhtbhh.exec:\nhtbhh.exe120⤵PID:2304
-
\??\c:\jdjpv.exec:\jdjpv.exe121⤵PID:2736
-
\??\c:\xfxlxlf.exec:\xfxlxlf.exe122⤵PID:2852