Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 11:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe
-
Size
456KB
-
MD5
0a927fafad5fbddf055102fe023f18b0
-
SHA1
a8f0d3d23fb2835153ee76c6fb32d82ac8c3f595
-
SHA256
bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7
-
SHA512
0519bd3e527655fde86485cfc728ba6b5d89b19f39e5c4448519d6d48caf4ea1ec0184641d20845cdd2449ce971c1decc62dabf8ac5f722b8a84404e05ab73bb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRj:q7Tc2NYHUrAwfMp3CDRj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/1956-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/668-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-166-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/1652-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-218-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/1212-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1388-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1056-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2500-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-306-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/2736-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-387-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2316-400-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/668-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-453-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/868-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-665-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2904-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-771-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1488-816-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1488-815-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2896-954-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2860-1153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-1160-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2432-1193-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2144-1298-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2376 llrxllr.exe 2116 9hbbth.exe 2556 xlxflrf.exe 2216 bthnbh.exe 2848 llxlrfr.exe 2740 hbtbbh.exe 2884 xrlrflx.exe 2796 9nbbhn.exe 1984 lllxflx.exe 2656 1vjvp.exe 2188 7xrrlxl.exe 668 hhhhtb.exe 2136 jjjjv.exe 1336 thtnnh.exe 2808 dvvdp.exe 2960 tnhbnt.exe 1852 jddjv.exe 1752 nbhhtt.exe 3016 jddjd.exe 1652 xrrxflx.exe 1616 ttbbtb.exe 576 jpdjj.exe 2568 fxlfxxf.exe 1212 7jjvv.exe 1388 1frxlrr.exe 1684 7htthn.exe 3068 1dvdj.exe 2804 9jjjv.exe 2400 rrlxlxl.exe 1056 jdppv.exe 2456 xrxxfxx.exe 2500 pjvjp.exe 1592 9xrxrxl.exe 2512 bnhnbt.exe 2516 pppvd.exe 2492 pjdjp.exe 628 rlffffr.exe 2844 hbnbtt.exe 2736 5thnhn.exe 2856 vddpd.exe 2744 lfxlflx.exe 2756 tnbhtb.exe 2748 hthnhh.exe 2632 ddpdp.exe 1052 vpddj.exe 2656 rfxrffr.exe 2316 7nbbnt.exe 668 nnnthh.exe 112 9pddj.exe 2812 3xffxxf.exe 2936 xxffrxl.exe 2820 tnbbhn.exe 2960 pjdvj.exe 1152 pdvdp.exe 1852 rxrxflf.exe 2988 hntntn.exe 2332 hnhnbh.exe 2140 vpdvd.exe 1660 ppjvd.exe 1616 1lxfrxr.exe 904 btbthn.exe 1904 bthhnt.exe 952 1pjvv.exe 1624 vvjdp.exe -
resource yara_rule behavioral1/memory/1956-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2116-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/668-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/668-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-218-0x00000000002C0000-0x00000000002EA000-memory.dmp upx behavioral1/memory/1212-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1212-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-273-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1056-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-306-0x00000000001C0000-0x00000000001EA000-memory.dmp upx behavioral1/memory/2516-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/668-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-710-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3024-771-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/920-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-815-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1056-823-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-911-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-961-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/440-1053-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2768-1120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-1146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-1153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-1167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-1193-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1052-1194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-1243-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lxxxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1956 wrote to memory of 2376 1956 bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe 30 PID 1956 wrote to memory of 2376 1956 bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe 30 PID 1956 wrote to memory of 2376 1956 bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe 30 PID 1956 wrote to memory of 2376 1956 bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe 30 PID 2376 wrote to memory of 2116 2376 llrxllr.exe 31 PID 2376 wrote to memory of 2116 2376 llrxllr.exe 31 PID 2376 wrote to memory of 2116 2376 llrxllr.exe 31 PID 2376 wrote to memory of 2116 2376 llrxllr.exe 31 PID 2116 wrote to memory of 2556 2116 9hbbth.exe 32 PID 2116 wrote to memory of 2556 2116 9hbbth.exe 32 PID 2116 wrote to memory of 2556 2116 9hbbth.exe 32 PID 2116 wrote to memory of 2556 2116 9hbbth.exe 32 PID 2556 wrote to memory of 2216 2556 xlxflrf.exe 33 PID 2556 wrote to memory of 2216 2556 xlxflrf.exe 33 PID 2556 wrote to memory of 2216 2556 xlxflrf.exe 33 PID 2556 wrote to memory of 2216 2556 xlxflrf.exe 33 PID 2216 wrote to memory of 2848 2216 bthnbh.exe 34 PID 2216 wrote to memory of 2848 2216 bthnbh.exe 34 PID 2216 wrote to memory of 2848 2216 bthnbh.exe 34 PID 2216 wrote to memory of 2848 2216 bthnbh.exe 34 PID 2848 wrote to memory of 2740 2848 llxlrfr.exe 35 PID 2848 wrote to memory of 2740 2848 llxlrfr.exe 35 PID 2848 wrote to memory of 2740 2848 llxlrfr.exe 35 PID 2848 wrote to memory of 2740 2848 llxlrfr.exe 35 PID 2740 wrote to memory of 2884 2740 hbtbbh.exe 36 PID 2740 wrote to memory of 2884 2740 hbtbbh.exe 36 PID 2740 wrote to memory of 2884 2740 hbtbbh.exe 36 PID 2740 wrote to memory of 2884 2740 hbtbbh.exe 36 PID 2884 wrote to memory of 2796 2884 xrlrflx.exe 37 PID 2884 wrote to memory of 2796 2884 xrlrflx.exe 37 PID 2884 wrote to memory of 2796 2884 xrlrflx.exe 37 PID 2884 wrote to memory of 2796 2884 xrlrflx.exe 37 PID 2796 wrote to memory of 1984 2796 
9nbbhn.exe 38 PID 2796 wrote to memory of 1984 2796 9nbbhn.exe 38 PID 2796 wrote to memory of 1984 2796 9nbbhn.exe 38 PID 2796 wrote to memory of 1984 2796 9nbbhn.exe 38 PID 1984 wrote to memory of 2656 1984 lllxflx.exe 39 PID 1984 wrote to memory of 2656 1984 lllxflx.exe 39 PID 1984 wrote to memory of 2656 1984 lllxflx.exe 39 PID 1984 wrote to memory of 2656 1984 lllxflx.exe 39 PID 2656 wrote to memory of 2188 2656 1vjvp.exe 40 PID 2656 wrote to memory of 2188 2656 1vjvp.exe 40 PID 2656 wrote to memory of 2188 2656 1vjvp.exe 40 PID 2656 wrote to memory of 2188 2656 1vjvp.exe 40 PID 2188 wrote to memory of 668 2188 7xrrlxl.exe 41 PID 2188 wrote to memory of 668 2188 7xrrlxl.exe 41 PID 2188 wrote to memory of 668 2188 7xrrlxl.exe 41 PID 2188 wrote to memory of 668 2188 7xrrlxl.exe 41 PID 668 wrote to memory of 2136 668 hhhhtb.exe 42 PID 668 wrote to memory of 2136 668 hhhhtb.exe 42 PID 668 wrote to memory of 2136 668 hhhhtb.exe 42 PID 668 wrote to memory of 2136 668 hhhhtb.exe 42 PID 2136 wrote to memory of 1336 2136 jjjjv.exe 43 PID 2136 wrote to memory of 1336 2136 jjjjv.exe 43 PID 2136 wrote to memory of 1336 2136 jjjjv.exe 43 PID 2136 wrote to memory of 1336 2136 jjjjv.exe 43 PID 1336 wrote to memory of 2808 1336 thtnnh.exe 44 PID 1336 wrote to memory of 2808 1336 thtnnh.exe 44 PID 1336 wrote to memory of 2808 1336 thtnnh.exe 44 PID 1336 wrote to memory of 2808 1336 thtnnh.exe 44 PID 2808 wrote to memory of 2960 2808 dvvdp.exe 45 PID 2808 wrote to memory of 2960 2808 dvvdp.exe 45 PID 2808 wrote to memory of 2960 2808 dvvdp.exe 45 PID 2808 wrote to memory of 2960 2808 dvvdp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe"C:\Users\Admin\AppData\Local\Temp\bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\llrxllr.exec:\llrxllr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\9hbbth.exec:\9hbbth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\xlxflrf.exec:\xlxflrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\bthnbh.exec:\bthnbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\llxlrfr.exec:\llxlrfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\hbtbbh.exec:\hbtbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\xrlrflx.exec:\xrlrflx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\9nbbhn.exec:\9nbbhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\lllxflx.exec:\lllxflx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\1vjvp.exec:\1vjvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\7xrrlxl.exec:\7xrrlxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\hhhhtb.exec:\hhhhtb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\jjjjv.exec:\jjjjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\thtnnh.exec:\thtnnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\dvvdp.exec:\dvvdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\tnhbnt.exec:\tnhbnt.exe17⤵
- Executes dropped EXE
PID:2960 -
\??\c:\jddjv.exec:\jddjv.exe18⤵
- Executes dropped EXE
PID:1852 -
\??\c:\nbhhtt.exec:\nbhhtt.exe19⤵
- Executes dropped EXE
PID:1752 -
\??\c:\jddjd.exec:\jddjd.exe20⤵
- Executes dropped EXE
PID:3016 -
\??\c:\xrrxflx.exec:\xrrxflx.exe21⤵
- Executes dropped EXE
PID:1652 -
\??\c:\ttbbtb.exec:\ttbbtb.exe22⤵
- Executes dropped EXE
PID:1616 -
\??\c:\jpdjj.exec:\jpdjj.exe23⤵
- Executes dropped EXE
PID:576 -
\??\c:\fxlfxxf.exec:\fxlfxxf.exe24⤵
- Executes dropped EXE
PID:2568 -
\??\c:\7jjvv.exec:\7jjvv.exe25⤵
- Executes dropped EXE
PID:1212 -
\??\c:\1frxlrr.exec:\1frxlrr.exe26⤵
- Executes dropped EXE
PID:1388 -
\??\c:\7htthn.exec:\7htthn.exe27⤵
- Executes dropped EXE
PID:1684 -
\??\c:\1dvdj.exec:\1dvdj.exe28⤵
- Executes dropped EXE
PID:3068 -
\??\c:\9jjjv.exec:\9jjjv.exe29⤵
- Executes dropped EXE
PID:2804 -
\??\c:\rrlxlxl.exec:\rrlxlxl.exe30⤵
- Executes dropped EXE
PID:2400 -
\??\c:\jdppv.exec:\jdppv.exe31⤵
- Executes dropped EXE
PID:1056 -
\??\c:\xrxxfxx.exec:\xrxxfxx.exe32⤵
- Executes dropped EXE
PID:2456 -
\??\c:\pjvjp.exec:\pjvjp.exe33⤵
- Executes dropped EXE
PID:2500 -
\??\c:\9xrxrxl.exec:\9xrxrxl.exe34⤵
- Executes dropped EXE
PID:1592 -
\??\c:\bnhnbt.exec:\bnhnbt.exe35⤵
- Executes dropped EXE
PID:2512 -
\??\c:\pppvd.exec:\pppvd.exe36⤵
- Executes dropped EXE
PID:2516 -
\??\c:\pjdjp.exec:\pjdjp.exe37⤵
- Executes dropped EXE
PID:2492 -
\??\c:\rlffffr.exec:\rlffffr.exe38⤵
- Executes dropped EXE
PID:628 -
\??\c:\hbnbtt.exec:\hbnbtt.exe39⤵
- Executes dropped EXE
PID:2844 -
\??\c:\5thnhn.exec:\5thnhn.exe40⤵
- Executes dropped EXE
PID:2736 -
\??\c:\vddpd.exec:\vddpd.exe41⤵
- Executes dropped EXE
PID:2856 -
\??\c:\lfxlflx.exec:\lfxlflx.exe42⤵
- Executes dropped EXE
PID:2744 -
\??\c:\tnbhtb.exec:\tnbhtb.exe43⤵
- Executes dropped EXE
PID:2756 -
\??\c:\hthnhh.exec:\hthnhh.exe44⤵
- Executes dropped EXE
PID:2748 -
\??\c:\ddpdp.exec:\ddpdp.exe45⤵
- Executes dropped EXE
PID:2632 -
\??\c:\vpddj.exec:\vpddj.exe46⤵
- Executes dropped EXE
PID:1052 -
\??\c:\rfxrffr.exec:\rfxrffr.exe47⤵
- Executes dropped EXE
PID:2656 -
\??\c:\7nbbnt.exec:\7nbbnt.exe48⤵
- Executes dropped EXE
PID:2316 -
\??\c:\nnnthh.exec:\nnnthh.exe49⤵
- Executes dropped EXE
PID:668 -
\??\c:\9pddj.exec:\9pddj.exe50⤵
- Executes dropped EXE
PID:112 -
\??\c:\3xffxxf.exec:\3xffxxf.exe51⤵
- Executes dropped EXE
PID:2812 -
\??\c:\xxffrxl.exec:\xxffrxl.exe52⤵
- Executes dropped EXE
PID:2936 -
\??\c:\tnbbhn.exec:\tnbbhn.exe53⤵
- Executes dropped EXE
PID:2820 -
\??\c:\pjdvj.exec:\pjdvj.exe54⤵
- Executes dropped EXE
PID:2960 -
\??\c:\pdvdp.exec:\pdvdp.exe55⤵
- Executes dropped EXE
PID:1152 -
\??\c:\rxrxflf.exec:\rxrxflf.exe56⤵
- Executes dropped EXE
PID:1852 -
\??\c:\hntntn.exec:\hntntn.exe57⤵
- Executes dropped EXE
PID:2988 -
\??\c:\hnhnbh.exec:\hnhnbh.exe58⤵
- Executes dropped EXE
PID:2332 -
\??\c:\vpdvd.exec:\vpdvd.exe59⤵
- Executes dropped EXE
PID:2140 -
\??\c:\ppjvd.exec:\ppjvd.exe60⤵
- Executes dropped EXE
PID:1660 -
\??\c:\1lxfrxr.exec:\1lxfrxr.exe61⤵
- Executes dropped EXE
PID:1616 -
\??\c:\btbthn.exec:\btbthn.exe62⤵
- Executes dropped EXE
PID:904 -
\??\c:\bthhnt.exec:\bthhnt.exe63⤵
- Executes dropped EXE
PID:1904 -
\??\c:\1pjvv.exec:\1pjvv.exe64⤵
- Executes dropped EXE
PID:952 -
\??\c:\vvjdp.exec:\vvjdp.exe65⤵
- Executes dropped EXE
PID:1624 -
\??\c:\llfrllx.exec:\llfrllx.exe66⤵PID:1328
-
\??\c:\1nbtbb.exec:\1nbtbb.exe67⤵PID:1684
-
\??\c:\jvppd.exec:\jvppd.exe68⤵PID:2256
-
\??\c:\jdvdd.exec:\jdvdd.exe69⤵PID:868
-
\??\c:\5xlrffl.exec:\5xlrffl.exe70⤵PID:2308
-
\??\c:\tnbbnt.exec:\tnbbnt.exe71⤵PID:1764
-
\??\c:\djjpj.exec:\djjpj.exe72⤵PID:1504
-
\??\c:\xrffllx.exec:\xrffllx.exe73⤵PID:1924
-
\??\c:\rfflrrf.exec:\rfflrrf.exe74⤵PID:2092
-
\??\c:\5hbhnt.exec:\5hbhnt.exe75⤵PID:1588
-
\??\c:\ddvdd.exec:\ddvdd.exe76⤵PID:2924
-
\??\c:\vjvvp.exec:\vjvvp.exe77⤵PID:2116
-
\??\c:\rrrxflr.exec:\rrrxflr.exe78⤵PID:1048
-
\??\c:\nbbnnb.exec:\nbbnnb.exe79⤵
- System Location Discovery: System Language Discovery
PID:292 -
\??\c:\5vjjv.exec:\5vjjv.exe80⤵PID:2424
-
\??\c:\1vpdj.exec:\1vpdj.exe81⤵PID:2876
-
\??\c:\ffrxlxr.exec:\ffrxlxr.exe82⤵PID:2836
-
\??\c:\9nbhnt.exec:\9nbhnt.exe83⤵PID:2932
-
\??\c:\1nhhnt.exec:\1nhhnt.exe84⤵PID:2592
-
\??\c:\vvpvv.exec:\vvpvv.exe85⤵PID:3056
-
\??\c:\7frrflr.exec:\7frrflr.exe86⤵PID:2580
-
\??\c:\lflllrf.exec:\lflllrf.exe87⤵PID:2748
-
\??\c:\bnhhnn.exec:\bnhhnn.exe88⤵PID:1984
-
\??\c:\dpdvd.exec:\dpdvd.exe89⤵PID:2588
-
\??\c:\5vpvj.exec:\5vpvj.exe90⤵PID:2800
-
\??\c:\rlxxflf.exec:\rlxxflf.exe91⤵PID:2896
-
\??\c:\5ntbnn.exec:\5ntbnn.exe92⤵PID:2904
-
\??\c:\ttbhnh.exec:\ttbhnh.exe93⤵PID:2136
-
\??\c:\vdvjd.exec:\vdvjd.exe94⤵PID:2900
-
\??\c:\9xxxxxf.exec:\9xxxxxf.exe95⤵PID:2004
-
\??\c:\xrxflrl.exec:\xrxflrl.exe96⤵PID:1972
-
\??\c:\bthbhb.exec:\bthbhb.exe97⤵PID:1620
-
\??\c:\pjvjv.exec:\pjvjv.exe98⤵PID:3000
-
\??\c:\1vddd.exec:\1vddd.exe99⤵PID:1752
-
\??\c:\frfrxfl.exec:\frfrxfl.exe100⤵PID:2996
-
\??\c:\bnhhnn.exec:\bnhhnn.exe101⤵PID:2080
-
\??\c:\9hhhhn.exec:\9hhhhn.exe102⤵PID:1652
-
\??\c:\jdppp.exec:\jdppp.exe103⤵PID:1580
-
\??\c:\jdvpp.exec:\jdvpp.exe104⤵PID:2144
-
\??\c:\rlxrxxf.exec:\rlxrxxf.exe105⤵PID:440
-
\??\c:\1htttb.exec:\1htttb.exe106⤵PID:3024
-
\??\c:\7thhhn.exec:\7thhhn.exe107⤵PID:1576
-
\??\c:\vdvdj.exec:\vdvdj.exe108⤵PID:920
-
\??\c:\rrffllr.exec:\rrffllr.exe109⤵PID:1556
-
\??\c:\frlrxrx.exec:\frlrxrx.exe110⤵PID:2448
-
\??\c:\hhbbbb.exec:\hhbbbb.exe111⤵PID:1940
-
\??\c:\htnbbb.exec:\htnbbb.exe112⤵PID:3068
-
\??\c:\ddjdj.exec:\ddjdj.exe113⤵PID:1488
-
\??\c:\ffxflrr.exec:\ffxflrr.exe114⤵PID:1076
-
\??\c:\hbnbnh.exec:\hbnbnh.exe115⤵PID:1056
-
\??\c:\tnbhth.exec:\tnbhth.exe116⤵PID:2248
-
\??\c:\pjdjp.exec:\pjdjp.exe117⤵PID:2664
-
\??\c:\fxfxxfr.exec:\fxfxxfr.exe118⤵PID:1716
-
\??\c:\rflrrrx.exec:\rflrrrx.exe119⤵PID:1572
-
\??\c:\9htbnt.exec:\9htbnt.exe120⤵PID:2924
-
\??\c:\thnhtt.exec:\thnhtt.exe121⤵PID:3040
-
\??\c:\dddpd.exec:\dddpd.exe122⤵PID:1048