Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 11:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe
-
Size
456KB
-
MD5
0a927fafad5fbddf055102fe023f18b0
-
SHA1
a8f0d3d23fb2835153ee76c6fb32d82ac8c3f595
-
SHA256
bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7
-
SHA512
0519bd3e527655fde86485cfc728ba6b5d89b19f39e5c4448519d6d48caf4ea1ec0184641d20845cdd2449ce971c1decc62dabf8ac5f722b8a84404e05ab73bb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRj:q7Tc2NYHUrAwfMp3CDRj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4668-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/608-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1880-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/424-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1492-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/792-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-946-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-1212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-1327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2356-1801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3332 vvpvj.exe 2740 rrlxrlr.exe 3348 thbnht.exe 608 jjdvp.exe 1696 frfrfxx.exe 4388 lfxxrxr.exe 1452 ddjvp.exe 2364 7ttnbb.exe 4212 1jvpv.exe 4556 nhnhth.exe 4620 jvdpj.exe 1528 ppvjv.exe 3200 jdjdv.exe 2852 llrfrlf.exe 1928 bbtnbb.exe 4024 lfxlfxr.exe 2756 rxffxxx.exe 4008 hnthhb.exe 3056 pvppj.exe 2020 rlfxrrr.exe 3552 1ddvp.exe 388 xlrfrxr.exe 3280 jdjpp.exe 732 bbhbtn.exe 3592 ddpdv.exe 1852 bbnnhb.exe 3416 rlllfff.exe 216 ddppp.exe 5016 pvdvd.exe 1312 dddvp.exe 1836 5rfxrxx.exe 4040 rflfrrl.exe 1880 ttbtnh.exe 3536 jppjj.exe 4152 rlrrfff.exe 764 9dpjj.exe 1288 frxrrrr.exe 3872 5nnhtt.exe 3212 vdjdv.exe 1124 frrlfxr.exe 652 hntnhb.exe 1160 jvddp.exe 4712 xffrlfx.exe 4144 bnthbt.exe 1468 pjdvv.exe 4224 jvdpd.exe 3132 rfffxrr.exe 4480 tnbttn.exe 1360 nhthhb.exe 5000 djdvd.exe 4340 xrlflrl.exe 3148 xrlxrlf.exe 4296 bttnhb.exe 1100 jjpdp.exe 3848 vvjjv.exe 1968 3fxlffx.exe 1116 nnhthb.exe 1196 hthttn.exe 1948 9vdpp.exe 4232 lffrlfl.exe 2948 bntnbb.exe 3632 dvdjv.exe 3628 rxfrlfr.exe 2520 5bbthh.exe -
resource yara_rule behavioral2/memory/4668-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/608-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/608-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-189-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4152-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/424-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-455-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4568-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-821-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-849-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-908-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-927-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-946-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here, by opening the NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4668 wrote to memory of 3332 4668 bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe 83 PID 4668 wrote to memory of 3332 4668 bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe 83 PID 4668 wrote to memory of 3332 4668 bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe 83 PID 3332 wrote to memory of 2740 3332 vvpvj.exe 84 PID 3332 wrote to memory of 2740 3332 vvpvj.exe 84 PID 3332 wrote to memory of 2740 3332 vvpvj.exe 84 PID 2740 wrote to memory of 3348 2740 rrlxrlr.exe 85 PID 2740 wrote to memory of 3348 2740 rrlxrlr.exe 85 PID 2740 wrote to memory of 3348 2740 rrlxrlr.exe 85 PID 3348 wrote to memory of 608 3348 thbnht.exe 86 PID 3348 wrote to memory of 608 3348 thbnht.exe 86 PID 3348 wrote to memory of 608 3348 thbnht.exe 86 PID 608 wrote to memory of 1696 608 jjdvp.exe 87 PID 608 wrote to memory of 1696 608 jjdvp.exe 87 PID 608 wrote to memory of 1696 608 jjdvp.exe 87 PID 1696 wrote to memory of 4388 1696 frfrfxx.exe 88 PID 1696 wrote to memory of 4388 1696 frfrfxx.exe 88 PID 1696 wrote to memory of 4388 1696 frfrfxx.exe 88 PID 4388 wrote to memory of 1452 4388 lfxxrxr.exe 89 PID 4388 wrote to memory of 1452 4388 lfxxrxr.exe 89 PID 4388 wrote to memory of 1452 4388 lfxxrxr.exe 89 PID 1452 wrote to memory of 2364 1452 ddjvp.exe 90 PID 1452 wrote to memory of 2364 1452 ddjvp.exe 90 PID 1452 wrote to memory of 2364 1452 ddjvp.exe 90 PID 2364 wrote to memory of 4212 2364 7ttnbb.exe 91 PID 2364 wrote to memory of 4212 2364 7ttnbb.exe 91 PID 2364 wrote to memory of 4212 2364 7ttnbb.exe 91 PID 4212 wrote to memory of 4556 4212 1jvpv.exe 92 PID 4212 wrote to memory of 4556 4212 1jvpv.exe 92 PID 4212 wrote to memory of 4556 4212 1jvpv.exe 92 PID 4556 wrote to memory of 4620 4556 nhnhth.exe 93 PID 4556 wrote to memory of 4620 4556 nhnhth.exe 93 PID 4556 wrote to memory of 4620 4556 nhnhth.exe 93 PID 4620 wrote to memory of 1528 4620 jvdpj.exe 94 PID 4620 wrote to memory of 
1528 4620 jvdpj.exe 94 PID 4620 wrote to memory of 1528 4620 jvdpj.exe 94 PID 1528 wrote to memory of 3200 1528 ppvjv.exe 95 PID 1528 wrote to memory of 3200 1528 ppvjv.exe 95 PID 1528 wrote to memory of 3200 1528 ppvjv.exe 95 PID 3200 wrote to memory of 2852 3200 jdjdv.exe 96 PID 3200 wrote to memory of 2852 3200 jdjdv.exe 96 PID 3200 wrote to memory of 2852 3200 jdjdv.exe 96 PID 2852 wrote to memory of 1928 2852 llrfrlf.exe 97 PID 2852 wrote to memory of 1928 2852 llrfrlf.exe 97 PID 2852 wrote to memory of 1928 2852 llrfrlf.exe 97 PID 1928 wrote to memory of 4024 1928 bbtnbb.exe 98 PID 1928 wrote to memory of 4024 1928 bbtnbb.exe 98 PID 1928 wrote to memory of 4024 1928 bbtnbb.exe 98 PID 4024 wrote to memory of 2756 4024 lfxlfxr.exe 99 PID 4024 wrote to memory of 2756 4024 lfxlfxr.exe 99 PID 4024 wrote to memory of 2756 4024 lfxlfxr.exe 99 PID 2756 wrote to memory of 4008 2756 rxffxxx.exe 100 PID 2756 wrote to memory of 4008 2756 rxffxxx.exe 100 PID 2756 wrote to memory of 4008 2756 rxffxxx.exe 100 PID 4008 wrote to memory of 3056 4008 hnthhb.exe 101 PID 4008 wrote to memory of 3056 4008 hnthhb.exe 101 PID 4008 wrote to memory of 3056 4008 hnthhb.exe 101 PID 3056 wrote to memory of 2020 3056 pvppj.exe 102 PID 3056 wrote to memory of 2020 3056 pvppj.exe 102 PID 3056 wrote to memory of 2020 3056 pvppj.exe 102 PID 2020 wrote to memory of 3552 2020 rlfxrrr.exe 103 PID 2020 wrote to memory of 3552 2020 rlfxrrr.exe 103 PID 2020 wrote to memory of 3552 2020 rlfxrrr.exe 103 PID 3552 wrote to memory of 388 3552 1ddvp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe"C:\Users\Admin\AppData\Local\Temp\bcb1dba7e922fae3636f9691fda4a84b542592493944573196145784f6dcbeb7N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\vvpvj.exec:\vvpvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\rrlxrlr.exec:\rrlxrlr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\thbnht.exec:\thbnht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\jjdvp.exec:\jjdvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:608 -
\??\c:\frfrfxx.exec:\frfrfxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\lfxxrxr.exec:\lfxxrxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\ddjvp.exec:\ddjvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\7ttnbb.exec:\7ttnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\1jvpv.exec:\1jvpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\nhnhth.exec:\nhnhth.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\jvdpj.exec:\jvdpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\ppvjv.exec:\ppvjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\jdjdv.exec:\jdjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\llrfrlf.exec:\llrfrlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\bbtnbb.exec:\bbtnbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\lfxlfxr.exec:\lfxlfxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\rxffxxx.exec:\rxffxxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\hnthhb.exec:\hnthhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\pvppj.exec:\pvppj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\rlfxrrr.exec:\rlfxrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\1ddvp.exec:\1ddvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\xlrfrxr.exec:\xlrfrxr.exe23⤵
- Executes dropped EXE
PID:388 -
\??\c:\jdjpp.exec:\jdjpp.exe24⤵
- Executes dropped EXE
PID:3280 -
\??\c:\bbhbtn.exec:\bbhbtn.exe25⤵
- Executes dropped EXE
PID:732 -
\??\c:\ddpdv.exec:\ddpdv.exe26⤵
- Executes dropped EXE
PID:3592 -
\??\c:\bbnnhb.exec:\bbnnhb.exe27⤵
- Executes dropped EXE
PID:1852 -
\??\c:\rlllfff.exec:\rlllfff.exe28⤵
- Executes dropped EXE
PID:3416 -
\??\c:\ddppp.exec:\ddppp.exe29⤵
- Executes dropped EXE
PID:216 -
\??\c:\pvdvd.exec:\pvdvd.exe30⤵
- Executes dropped EXE
PID:5016 -
\??\c:\dddvp.exec:\dddvp.exe31⤵
- Executes dropped EXE
PID:1312 -
\??\c:\5rfxrxx.exec:\5rfxrxx.exe32⤵
- Executes dropped EXE
PID:1836 -
\??\c:\rflfrrl.exec:\rflfrrl.exe33⤵
- Executes dropped EXE
PID:4040 -
\??\c:\ttbtnh.exec:\ttbtnh.exe34⤵
- Executes dropped EXE
PID:1880 -
\??\c:\jppjj.exec:\jppjj.exe35⤵
- Executes dropped EXE
PID:3536 -
\??\c:\rlrrfff.exec:\rlrrfff.exe36⤵
- Executes dropped EXE
PID:4152 -
\??\c:\9dpjj.exec:\9dpjj.exe37⤵
- Executes dropped EXE
PID:764 -
\??\c:\frxrrrr.exec:\frxrrrr.exe38⤵
- Executes dropped EXE
PID:1288 -
\??\c:\5nnhtt.exec:\5nnhtt.exe39⤵
- Executes dropped EXE
PID:3872 -
\??\c:\vdjdv.exec:\vdjdv.exe40⤵
- Executes dropped EXE
PID:3212 -
\??\c:\frrlfxr.exec:\frrlfxr.exe41⤵
- Executes dropped EXE
PID:1124 -
\??\c:\hntnhb.exec:\hntnhb.exe42⤵
- Executes dropped EXE
PID:652 -
\??\c:\jvddp.exec:\jvddp.exe43⤵
- Executes dropped EXE
PID:1160 -
\??\c:\xffrlfx.exec:\xffrlfx.exe44⤵
- Executes dropped EXE
PID:4712 -
\??\c:\bnthbt.exec:\bnthbt.exe45⤵
- Executes dropped EXE
PID:4144 -
\??\c:\pjdvv.exec:\pjdvv.exe46⤵
- Executes dropped EXE
PID:1468 -
\??\c:\jvdpd.exec:\jvdpd.exe47⤵
- Executes dropped EXE
PID:4224 -
\??\c:\rfffxrr.exec:\rfffxrr.exe48⤵
- Executes dropped EXE
PID:3132 -
\??\c:\tnbttn.exec:\tnbttn.exe49⤵
- Executes dropped EXE
PID:4480 -
\??\c:\nhthhb.exec:\nhthhb.exe50⤵
- Executes dropped EXE
PID:1360 -
\??\c:\djdvd.exec:\djdvd.exe51⤵
- Executes dropped EXE
PID:5000 -
\??\c:\xrlflrl.exec:\xrlflrl.exe52⤵
- Executes dropped EXE
PID:4340 -
\??\c:\xrlxrlf.exec:\xrlxrlf.exe53⤵
- Executes dropped EXE
PID:3148 -
\??\c:\bttnhb.exec:\bttnhb.exe54⤵
- Executes dropped EXE
PID:4296 -
\??\c:\jjpdp.exec:\jjpdp.exe55⤵
- Executes dropped EXE
PID:1100 -
\??\c:\vvjjv.exec:\vvjjv.exe56⤵
- Executes dropped EXE
PID:3848 -
\??\c:\3fxlffx.exec:\3fxlffx.exe57⤵
- Executes dropped EXE
PID:1968 -
\??\c:\nnhthb.exec:\nnhthb.exe58⤵
- Executes dropped EXE
PID:1116 -
\??\c:\hthttn.exec:\hthttn.exe59⤵
- Executes dropped EXE
PID:1196 -
\??\c:\9vdpp.exec:\9vdpp.exe60⤵
- Executes dropped EXE
PID:1948 -
\??\c:\lffrlfl.exec:\lffrlfl.exe61⤵
- Executes dropped EXE
PID:4232 -
\??\c:\bntnbb.exec:\bntnbb.exe62⤵
- Executes dropped EXE
PID:2948 -
\??\c:\dvdjv.exec:\dvdjv.exe63⤵
- Executes dropped EXE
PID:3632 -
\??\c:\rxfrlfr.exec:\rxfrlfr.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3628 -
\??\c:\5bbthh.exec:\5bbthh.exe65⤵
- Executes dropped EXE
PID:2520 -
\??\c:\ttbnhb.exec:\ttbnhb.exe66⤵PID:2424
-
\??\c:\5pjvv.exec:\5pjvv.exe67⤵PID:2728
-
\??\c:\1lffxxr.exec:\1lffxxr.exe68⤵PID:4880
-
\??\c:\1hbnhb.exec:\1hbnhb.exe69⤵PID:2168
-
\??\c:\nbttnb.exec:\nbttnb.exe70⤵PID:4664
-
\??\c:\vdjvj.exec:\vdjvj.exe71⤵PID:3200
-
\??\c:\7lxrrrr.exec:\7lxrrrr.exe72⤵PID:4996
-
\??\c:\nbhnnh.exec:\nbhnnh.exe73⤵PID:4868
-
\??\c:\5hhbnh.exec:\5hhbnh.exe74⤵PID:4744
-
\??\c:\jvdpd.exec:\jvdpd.exe75⤵PID:3052
-
\??\c:\lrxxlff.exec:\lrxxlff.exe76⤵PID:2756
-
\??\c:\bnhbnh.exec:\bnhbnh.exe77⤵PID:4008
-
\??\c:\5djdj.exec:\5djdj.exe78⤵PID:2524
-
\??\c:\9ffxlfx.exec:\9ffxlfx.exe79⤵PID:2908
-
\??\c:\tnthnh.exec:\tnthnh.exe80⤵PID:424
-
\??\c:\vvdvp.exec:\vvdvp.exe81⤵PID:4872
-
\??\c:\1ppvj.exec:\1ppvj.exe82⤵PID:4000
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe83⤵PID:4588
-
\??\c:\bthbbt.exec:\bthbbt.exe84⤵PID:1108
-
\??\c:\djvjj.exec:\djvjj.exe85⤵PID:732
-
\??\c:\lflffxx.exec:\lflffxx.exe86⤵PID:4800
-
\??\c:\xrxrllf.exec:\xrxrllf.exe87⤵PID:1796
-
\??\c:\9htnbt.exec:\9htnbt.exe88⤵PID:3168
-
\??\c:\jjdpp.exec:\jjdpp.exe89⤵PID:2112
-
\??\c:\pjdpv.exec:\pjdpv.exe90⤵PID:2272
-
\??\c:\lxfrflx.exec:\lxfrflx.exe91⤵PID:912
-
\??\c:\xlrfxrf.exec:\xlrfxrf.exe92⤵PID:1492
-
\??\c:\thnhhb.exec:\thnhhb.exe93⤵PID:1272
-
\??\c:\1pvpd.exec:\1pvpd.exe94⤵PID:4392
-
\??\c:\lxrrfrx.exec:\lxrrfrx.exe95⤵PID:2232
-
\??\c:\frrfrlf.exec:\frrfrlf.exe96⤵PID:2864
-
\??\c:\tbhbtt.exec:\tbhbtt.exe97⤵PID:4120
-
\??\c:\5vvdv.exec:\5vvdv.exe98⤵PID:2972
-
\??\c:\lxxrllf.exec:\lxxrllf.exe99⤵PID:4572
-
\??\c:\xffrlfx.exec:\xffrlfx.exe100⤵PID:3236
-
\??\c:\hnbttn.exec:\hnbttn.exe101⤵PID:408
-
\??\c:\jjjvj.exec:\jjjvj.exe102⤵PID:3872
-
\??\c:\lffrrlr.exec:\lffrrlr.exe103⤵PID:4004
-
\??\c:\ffrllff.exec:\ffrllff.exe104⤵PID:1456
-
\??\c:\vpvpj.exec:\vpvpj.exe105⤵PID:884
-
\??\c:\9vdvj.exec:\9vdvj.exe106⤵PID:2180
-
\??\c:\xrxrlff.exec:\xrxrlff.exe107⤵PID:792
-
\??\c:\nnnbtn.exec:\nnnbtn.exe108⤵PID:4692
-
\??\c:\bnnbnt.exec:\bnnbnt.exe109⤵PID:364
-
\??\c:\ppdvd.exec:\ppdvd.exe110⤵PID:428
-
\??\c:\frxxlll.exec:\frxxlll.exe111⤵PID:4600
-
\??\c:\ttbnbt.exec:\ttbnbt.exe112⤵PID:4464
-
\??\c:\vpvvp.exec:\vpvvp.exe113⤵PID:3328
-
\??\c:\vddvd.exec:\vddvd.exe114⤵PID:2848
-
\??\c:\rrxlxrl.exec:\rrxlxrl.exe115⤵PID:2576
-
\??\c:\lflfrrl.exec:\lflfrrl.exe116⤵PID:4568
-
\??\c:\bhhbtn.exec:\bhhbtn.exe117⤵PID:720
-
\??\c:\ppjvd.exec:\ppjvd.exe118⤵PID:4972
-
\??\c:\5lfxllx.exec:\5lfxllx.exe119⤵PID:4616
-
\??\c:\hthbbt.exec:\hthbbt.exe120⤵PID:2172
-
\??\c:\nhhhtb.exec:\nhhhtb.exe121⤵PID:2896
-
\??\c:\vddjv.exec:\vddjv.exe122⤵PID:4592