Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
08/01/2025, 07:18
Behavioral task
behavioral1
Sample
bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe
-
Size
332KB
-
MD5
af511fab26b228f68b2248dc415371e9
-
SHA1
8298d872a4366cd07cd369b3deed183b950a81c5
-
SHA256
bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1
-
SHA512
dc34216b39376e02e7054c5f5130c3754a6064be334bd2555c7d3265a1524ac0913780285aa2e49c5082972774ab6f1d73aab24aa157a4711a768d368521becc
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbef:R4wFHoSHYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral1/memory/2992-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2900-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1368-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1784-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2368-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2084-58-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/2612-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2084-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2640-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2740-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2600-95-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2600-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2284-101-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/2284-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2284-105-0x0000000000430000-0x0000000000457000-memory.dmp family_blackmoon behavioral1/memory/1372-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1096-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/836-133-0x00000000002B0000-0x00000000002D7000-memory.dmp family_blackmoon behavioral1/memory/1148-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2704-161-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/3028-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1120-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2176-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1120-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1796-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3048-226-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/832-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1760-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/3048-250-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1748-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2028-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1748-275-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/884-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2348-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1572-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2856-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2856-349-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2620-371-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2668-377-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1900-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2052-420-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1652-431-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/1612-500-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2320-573-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1580-579-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2728-607-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2724-659-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1996-666-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1620-676-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/1848-812-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2632-883-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2412-1059-0x00000000003A0000-0x00000000003C7000-memory.dmp family_blackmoon behavioral1/memory/1428-6160-0x0000000076FE0000-0x00000000770DA000-memory.dmp family_blackmoon behavioral1/memory/1428-6676-0x00000000770E0000-0x00000000771FF000-memory.dmp family_blackmoon behavioral1/memory/1428-7193-0x00000000770E0000-0x00000000771FF000-memory.dmp family_blackmoon behavioral1/memory/1428-7710-0x00000000770E0000-0x00000000771FF000-memory.dmp family_blackmoon behavioral1/memory/1428-8227-0x00000000770E0000-0x00000000771FF000-memory.dmp family_blackmoon behavioral1/memory/1428-10038-0x00000000770E0000-0x00000000771FF000-memory.dmp family_blackmoon behavioral1/memory/1428-10556-0x0000000076FE0000-0x00000000770DA000-memory.dmp family_blackmoon behavioral1/memory/1428-10555-0x00000000770E0000-0x00000000771FF000-memory.dmp family_blackmoon behavioral1/memory/1428-12126-0x00000000770E0000-0x00000000771FF000-memory.dmp family_blackmoon behavioral1/memory/1428-16004-0x00000000770E0000-0x00000000771FF000-memory.dmp family_blackmoon behavioral1/memory/1428-22898-0x00000000770E0000-0x00000000771FF000-memory.dmp family_blackmoon 
behavioral1/memory/1428-23462-0x00000000770E0000-0x00000000771FF000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2992 7lfxlfr.exe 1368 nhttbh.exe 1784 xfxfxlx.exe 2368 hthtbn.exe 2820 nnbnnb.exe 2084 pjdjv.exe 2612 xrfflrl.exe 2640 9ffllrx.exe 2740 fxxlfxl.exe 2600 hnbnnh.exe 2284 fxllxll.exe 1372 xxxrrlf.exe 1096 ddvdd.exe 836 bbbtnb.exe 1548 5ddvj.exe 1148 jjpdd.exe 2704 hbbbhn.exe 3028 ddjjd.exe 2304 vppvd.exe 2176 jjdjd.exe 2584 htnnhh.exe 2972 jdvjp.exe 1120 btthth.exe 1796 vvjjp.exe 3048 rrrffrf.exe 2248 7hbnbh.exe 832 1lxlfrx.exe 1760 hnnhht.exe 1668 1jdpj.exe 2028 3frlfxx.exe 1748 ppjpj.exe 1684 jppvd.exe 884 hnbtnh.exe 2348 vvjvv.exe 3068 lxrrrxl.exe 2380 3thhbh.exe 1572 djvpj.exe 2948 jddvd.exe 2864 xlffrxl.exe 264 ntbnbn.exe 2732 ppjvp.exe 2832 1jjvp.exe 2812 9lxflxr.exe 2856 bthnbh.exe 2804 jppdp.exe 2632 1rrxflr.exe 2264 9xrfllr.exe 2620 nnnbth.exe 2668 ththhh.exe 2600 jpjjd.exe 2108 9rrxffl.exe 624 1nhthn.exe 1588 bbthtn.exe 2672 jjvdp.exe 1900 xxxlfrf.exe 2008 xllxlrl.exe 2052 1tnbtn.exe 1832 dpdjv.exe 1652 fxrflxr.exe 1320 7rflrxf.exe 3012 5tthth.exe 2324 jdpdp.exe 2476 pddpp.exe 2488 xxxxrxx.exe -
resource yara_rule behavioral1/memory/2900-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000012281-5.dat upx behavioral1/memory/2992-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2900-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016d4f-17.dat upx behavioral1/files/0x0007000000016d58-27.dat upx behavioral1/memory/1368-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1784-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016da7-35.dat upx behavioral1/memory/2368-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0007000000016dd0-43.dat upx behavioral1/files/0x0007000000016de4-51.dat upx behavioral1/files/0x0007000000016de8-61.dat upx behavioral1/memory/2612-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2084-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0008000000016eb8-69.dat upx behavioral1/files/0x0008000000016edb-77.dat upx behavioral1/memory/2640-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2740-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018f65-85.dat upx behavioral1/files/0x000600000001904c-96.dat upx behavioral1/memory/2600-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2284-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00060000000190e1-106.dat upx behavioral1/files/0x00050000000191d2-114.dat upx behavioral1/memory/1096-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1372-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000191f6-125.dat upx behavioral1/memory/1096-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019217-135.dat upx behavioral1/files/0x0005000000019240-143.dat upx 
behavioral1/memory/1148-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019259-152.dat upx behavioral1/memory/1148-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000016d0d-162.dat upx behavioral1/files/0x0005000000019268-172.dat upx behavioral1/memory/3028-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001926c-180.dat upx behavioral1/files/0x0005000000019275-187.dat upx behavioral1/files/0x0005000000019278-194.dat upx behavioral1/memory/1120-203-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001929a-202.dat upx behavioral1/files/0x0005000000019319-211.dat upx behavioral1/memory/2176-210-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1120-209-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1796-218-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019365-219.dat upx behavioral1/files/0x0005000000019377-227.dat upx behavioral1/files/0x0005000000019387-234.dat upx behavioral1/memory/832-241-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193a4-242.dat upx behavioral1/memory/1760-249-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000193b3-251.dat upx behavioral1/files/0x00050000000193c1-258.dat upx behavioral1/files/0x0005000000019433-265.dat upx behavioral1/memory/1748-268-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2028-266-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019446-274.dat upx behavioral1/memory/884-287-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2348-293-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/3068-299-0x00000000001B0000-0x00000000001D7000-memory.dmp upx behavioral1/memory/2948-312-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/1572-311-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2812-343-0x0000000000230000-0x0000000000257000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. On its own this registry read (HKLM\SYSTEM\ControlSet001\Control\NLS\Language) is low-signal — legitimate software queries it too — so treat it as supporting context for the other signatures rather than a standalone detection. Entries below attributed to "Process not Found" are key opens the sandbox could not tie to a named process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2900 wrote to memory of 2992 2900 bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe 30 PID 2900 wrote to memory of 2992 2900 bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe 30 PID 2900 wrote to memory of 2992 2900 bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe 30 PID 2900 wrote to memory of 2992 2900 bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe 30 PID 2992 wrote to memory of 1368 2992 7lfxlfr.exe 31 PID 2992 wrote to memory of 1368 2992 7lfxlfr.exe 31 PID 2992 wrote to memory of 1368 2992 7lfxlfr.exe 31 PID 2992 wrote to memory of 1368 2992 7lfxlfr.exe 31 PID 1368 wrote to memory of 1784 1368 nhttbh.exe 32 PID 1368 wrote to memory of 1784 1368 nhttbh.exe 32 PID 1368 wrote to memory of 1784 1368 nhttbh.exe 32 PID 1368 wrote to memory of 1784 1368 nhttbh.exe 32 PID 1784 wrote to memory of 2368 1784 xfxfxlx.exe 33 PID 1784 wrote to memory of 2368 1784 xfxfxlx.exe 33 PID 1784 wrote to memory of 2368 1784 xfxfxlx.exe 33 PID 1784 wrote to memory of 2368 1784 xfxfxlx.exe 33 PID 2368 wrote to memory of 2820 2368 hthtbn.exe 34 PID 2368 wrote to memory of 2820 2368 hthtbn.exe 34 PID 2368 wrote to memory of 2820 2368 hthtbn.exe 34 PID 2368 wrote to memory of 2820 2368 hthtbn.exe 34 PID 2820 wrote to memory of 2084 2820 nnbnnb.exe 35 PID 2820 wrote to memory of 2084 2820 nnbnnb.exe 35 PID 2820 wrote to memory of 2084 2820 nnbnnb.exe 35 PID 2820 wrote to memory of 2084 2820 nnbnnb.exe 35 PID 2084 wrote to memory of 2612 2084 pjdjv.exe 36 PID 2084 wrote to memory of 2612 2084 pjdjv.exe 36 PID 2084 wrote to memory of 2612 2084 pjdjv.exe 36 PID 2084 wrote to memory of 2612 2084 pjdjv.exe 36 PID 2612 wrote to memory of 2640 2612 xrfflrl.exe 37 PID 2612 wrote to memory of 2640 2612 xrfflrl.exe 37 PID 2612 wrote to memory of 2640 2612 xrfflrl.exe 37 PID 2612 wrote to memory of 2640 2612 xrfflrl.exe 37 PID 2640 wrote to memory of 2740 2640 9ffllrx.exe 38 PID 
2640 wrote to memory of 2740 2640 9ffllrx.exe 38 PID 2640 wrote to memory of 2740 2640 9ffllrx.exe 38 PID 2640 wrote to memory of 2740 2640 9ffllrx.exe 38 PID 2740 wrote to memory of 2600 2740 fxxlfxl.exe 39 PID 2740 wrote to memory of 2600 2740 fxxlfxl.exe 39 PID 2740 wrote to memory of 2600 2740 fxxlfxl.exe 39 PID 2740 wrote to memory of 2600 2740 fxxlfxl.exe 39 PID 2600 wrote to memory of 2284 2600 hnbnnh.exe 40 PID 2600 wrote to memory of 2284 2600 hnbnnh.exe 40 PID 2600 wrote to memory of 2284 2600 hnbnnh.exe 40 PID 2600 wrote to memory of 2284 2600 hnbnnh.exe 40 PID 2284 wrote to memory of 1372 2284 fxllxll.exe 41 PID 2284 wrote to memory of 1372 2284 fxllxll.exe 41 PID 2284 wrote to memory of 1372 2284 fxllxll.exe 41 PID 2284 wrote to memory of 1372 2284 fxllxll.exe 41 PID 1372 wrote to memory of 1096 1372 xxxrrlf.exe 42 PID 1372 wrote to memory of 1096 1372 xxxrrlf.exe 42 PID 1372 wrote to memory of 1096 1372 xxxrrlf.exe 42 PID 1372 wrote to memory of 1096 1372 xxxrrlf.exe 42 PID 1096 wrote to memory of 836 1096 ddvdd.exe 43 PID 1096 wrote to memory of 836 1096 ddvdd.exe 43 PID 1096 wrote to memory of 836 1096 ddvdd.exe 43 PID 1096 wrote to memory of 836 1096 ddvdd.exe 43 PID 836 wrote to memory of 1548 836 bbbtnb.exe 44 PID 836 wrote to memory of 1548 836 bbbtnb.exe 44 PID 836 wrote to memory of 1548 836 bbbtnb.exe 44 PID 836 wrote to memory of 1548 836 bbbtnb.exe 44 PID 1548 wrote to memory of 1148 1548 5ddvj.exe 45 PID 1548 wrote to memory of 1148 1548 5ddvj.exe 45 PID 1548 wrote to memory of 1148 1548 5ddvj.exe 45 PID 1548 wrote to memory of 1148 1548 5ddvj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe"C:\Users\Admin\AppData\Local\Temp\bc7959899ee8359d56cabe0545bc6f131453f071b2326359d5e494cc898938d1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\7lfxlfr.exec:\7lfxlfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\nhttbh.exec:\nhttbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\xfxfxlx.exec:\xfxfxlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\hthtbn.exec:\hthtbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\nnbnnb.exec:\nnbnnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\pjdjv.exec:\pjdjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\xrfflrl.exec:\xrfflrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\9ffllrx.exec:\9ffllrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\fxxlfxl.exec:\fxxlfxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\hnbnnh.exec:\hnbnnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\fxllxll.exec:\fxllxll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\xxxrrlf.exec:\xxxrrlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\ddvdd.exec:\ddvdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\bbbtnb.exec:\bbbtnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\5ddvj.exec:\5ddvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\jjpdd.exec:\jjpdd.exe17⤵
- Executes dropped EXE
PID:1148 -
\??\c:\hbbbhn.exec:\hbbbhn.exe18⤵
- Executes dropped EXE
PID:2704 -
\??\c:\ddjjd.exec:\ddjjd.exe19⤵
- Executes dropped EXE
PID:3028 -
\??\c:\vppvd.exec:\vppvd.exe20⤵
- Executes dropped EXE
PID:2304 -
\??\c:\jjdjd.exec:\jjdjd.exe21⤵
- Executes dropped EXE
PID:2176 -
\??\c:\htnnhh.exec:\htnnhh.exe22⤵
- Executes dropped EXE
PID:2584 -
\??\c:\jdvjp.exec:\jdvjp.exe23⤵
- Executes dropped EXE
PID:2972 -
\??\c:\btthth.exec:\btthth.exe24⤵
- Executes dropped EXE
PID:1120 -
\??\c:\vvjjp.exec:\vvjjp.exe25⤵
- Executes dropped EXE
PID:1796 -
\??\c:\rrrffrf.exec:\rrrffrf.exe26⤵
- Executes dropped EXE
PID:3048 -
\??\c:\7hbnbh.exec:\7hbnbh.exe27⤵
- Executes dropped EXE
PID:2248 -
\??\c:\1lxlfrx.exec:\1lxlfrx.exe28⤵
- Executes dropped EXE
PID:832 -
\??\c:\hnnhht.exec:\hnnhht.exe29⤵
- Executes dropped EXE
PID:1760 -
\??\c:\1jdpj.exec:\1jdpj.exe30⤵
- Executes dropped EXE
PID:1668 -
\??\c:\3frlfxx.exec:\3frlfxx.exe31⤵
- Executes dropped EXE
PID:2028 -
\??\c:\ppjpj.exec:\ppjpj.exe32⤵
- Executes dropped EXE
PID:1748 -
\??\c:\jppvd.exec:\jppvd.exe33⤵
- Executes dropped EXE
PID:1684 -
\??\c:\hnbtnh.exec:\hnbtnh.exe34⤵
- Executes dropped EXE
PID:884 -
\??\c:\vvjvv.exec:\vvjvv.exe35⤵
- Executes dropped EXE
PID:2348 -
\??\c:\lxrrrxl.exec:\lxrrrxl.exe36⤵
- Executes dropped EXE
PID:3068 -
\??\c:\3thhbh.exec:\3thhbh.exe37⤵
- Executes dropped EXE
PID:2380 -
\??\c:\djvpj.exec:\djvpj.exe38⤵
- Executes dropped EXE
PID:1572 -
\??\c:\jddvd.exec:\jddvd.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
\??\c:\xlffrxl.exec:\xlffrxl.exe40⤵
- Executes dropped EXE
PID:2864 -
\??\c:\ntbnbn.exec:\ntbnbn.exe41⤵
- Executes dropped EXE
PID:264 -
\??\c:\ppjvp.exec:\ppjvp.exe42⤵
- Executes dropped EXE
PID:2732 -
\??\c:\1jjvp.exec:\1jjvp.exe43⤵
- Executes dropped EXE
PID:2832 -
\??\c:\9lxflxr.exec:\9lxflxr.exe44⤵
- Executes dropped EXE
PID:2812 -
\??\c:\bthnbh.exec:\bthnbh.exe45⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jppdp.exec:\jppdp.exe46⤵
- Executes dropped EXE
PID:2804 -
\??\c:\1rrxflr.exec:\1rrxflr.exe47⤵
- Executes dropped EXE
PID:2632 -
\??\c:\9xrfllr.exec:\9xrfllr.exe48⤵
- Executes dropped EXE
PID:2264 -
\??\c:\nnnbth.exec:\nnnbth.exe49⤵
- Executes dropped EXE
PID:2620 -
\??\c:\ththhh.exec:\ththhh.exe50⤵
- Executes dropped EXE
PID:2668 -
\??\c:\jpjjd.exec:\jpjjd.exe51⤵
- Executes dropped EXE
PID:2600 -
\??\c:\9rrxffl.exec:\9rrxffl.exe52⤵
- Executes dropped EXE
PID:2108 -
\??\c:\1nhthn.exec:\1nhthn.exe53⤵
- Executes dropped EXE
PID:624 -
\??\c:\bbthtn.exec:\bbthtn.exe54⤵
- Executes dropped EXE
PID:1588 -
\??\c:\jjvdp.exec:\jjvdp.exe55⤵
- Executes dropped EXE
PID:2672 -
\??\c:\xxxlfrf.exec:\xxxlfrf.exe56⤵
- Executes dropped EXE
PID:1900 -
\??\c:\xllxlrl.exec:\xllxlrl.exe57⤵
- Executes dropped EXE
PID:2008 -
\??\c:\1tnbtn.exec:\1tnbtn.exe58⤵
- Executes dropped EXE
PID:2052 -
\??\c:\dpdjv.exec:\dpdjv.exe59⤵
- Executes dropped EXE
PID:1832 -
\??\c:\fxrflxr.exec:\fxrflxr.exe60⤵
- Executes dropped EXE
PID:1652 -
\??\c:\7rflrxf.exec:\7rflrxf.exe61⤵
- Executes dropped EXE
PID:1320 -
\??\c:\5tthth.exec:\5tthth.exe62⤵
- Executes dropped EXE
PID:3012 -
\??\c:\jdpdp.exec:\jdpdp.exe63⤵
- Executes dropped EXE
PID:2324 -
\??\c:\pddpp.exec:\pddpp.exe64⤵
- Executes dropped EXE
PID:2476 -
\??\c:\xxxxrxx.exec:\xxxxrxx.exe65⤵
- Executes dropped EXE
PID:2488 -
\??\c:\hbttbt.exec:\hbttbt.exe66⤵PID:2188
-
\??\c:\nhtntb.exec:\nhtntb.exe67⤵PID:864
-
\??\c:\7pdjp.exec:\7pdjp.exe68⤵PID:2784
-
\??\c:\rffflrf.exec:\rffflrf.exe69⤵PID:2964
-
\??\c:\fxflrlr.exec:\fxflrlr.exe70⤵PID:1612
-
\??\c:\nbnhnn.exec:\nbnhnn.exe71⤵PID:1732
-
\??\c:\9jvdv.exec:\9jvdv.exe72⤵PID:1796
-
\??\c:\ddvjv.exec:\ddvjv.exe73⤵PID:1824
-
\??\c:\7lxllxr.exec:\7lxllxr.exe74⤵PID:1700
-
\??\c:\9thtbt.exec:\9thtbt.exe75⤵PID:688
-
\??\c:\5tnnbt.exec:\5tnnbt.exe76⤵PID:648
-
\??\c:\pjvjv.exec:\pjvjv.exe77⤵
- System Location Discovery: System Language Discovery
PID:1756 -
\??\c:\lfllxlr.exec:\lfllxlr.exe78⤵PID:2140
-
\??\c:\lffxxxl.exec:\lffxxxl.exe79⤵PID:2392
-
\??\c:\hbthnt.exec:\hbthnt.exe80⤵PID:2540
-
\??\c:\vddpj.exec:\vddpj.exe81⤵PID:2088
-
\??\c:\dppdj.exec:\dppdj.exe82⤵PID:1672
-
\??\c:\lfxrxrx.exec:\lfxrxrx.exe83⤵PID:1684
-
\??\c:\xxrllfx.exec:\xxrllfx.exe84⤵PID:884
-
\??\c:\bbntbn.exec:\bbntbn.exe85⤵PID:2988
-
\??\c:\jdppv.exec:\jdppv.exe86⤵PID:2164
-
\??\c:\9vpdd.exec:\9vpdd.exe87⤵PID:2320
-
\??\c:\flxxfxf.exec:\flxxfxf.exe88⤵PID:1580
-
\??\c:\nhthtb.exec:\nhthtb.exe89⤵PID:1788
-
\??\c:\pjjvj.exec:\pjjvj.exe90⤵PID:2696
-
\??\c:\dddpj.exec:\dddpj.exe91⤵PID:2748
-
\??\c:\9lxxflr.exec:\9lxxflr.exe92⤵PID:580
-
\??\c:\xrxrlxl.exec:\xrxrlxl.exe93⤵PID:2876
-
\??\c:\hhbtbn.exec:\hhbtbn.exe94⤵PID:2728
-
\??\c:\ppjvv.exec:\ppjvv.exe95⤵PID:2844
-
\??\c:\ddpjj.exec:\ddpjj.exe96⤵PID:2720
-
\??\c:\3rfrxlf.exec:\3rfrxlf.exe97⤵PID:2828
-
\??\c:\tthhnh.exec:\tthhnh.exe98⤵PID:2652
-
\??\c:\ttntth.exec:\ttntth.exe99⤵PID:2740
-
\??\c:\jdjpv.exec:\jdjpv.exe100⤵PID:2724
-
\??\c:\vpdjj.exec:\vpdjj.exe101⤵PID:3044
-
\??\c:\3xlrxfr.exec:\3xlrxfr.exe102⤵PID:2648
-
\??\c:\3nhnth.exec:\3nhnth.exe103⤵PID:2108
-
\??\c:\btnnbh.exec:\btnnbh.exe104⤵PID:624
-
\??\c:\jjdjv.exec:\jjdjv.exe105⤵PID:1996
-
\??\c:\ffrxlrf.exec:\ffrxlrf.exe106⤵PID:1620
-
\??\c:\fxrxllx.exec:\fxrxllx.exe107⤵PID:1548
-
\??\c:\9tbhbh.exec:\9tbhbh.exe108⤵PID:1872
-
\??\c:\3dvjv.exec:\3dvjv.exe109⤵PID:1736
-
\??\c:\jjjdv.exec:\jjjdv.exe110⤵PID:1836
-
\??\c:\rrxlrfl.exec:\rrxlrfl.exe111⤵PID:616
-
\??\c:\hbtbhn.exec:\hbtbhn.exe112⤵PID:3012
-
\??\c:\bbttnt.exec:\bbttnt.exe113⤵PID:808
-
\??\c:\1dddj.exec:\1dddj.exe114⤵PID:2244
-
\??\c:\xxxflff.exec:\xxxflff.exe115⤵PID:2292
-
\??\c:\fffrflx.exec:\fffrflx.exe116⤵PID:2960
-
\??\c:\bnbnnn.exec:\bnbnnn.exe117⤵PID:440
-
\??\c:\3dddj.exec:\3dddj.exe118⤵PID:3032
-
\??\c:\7dpvv.exec:\7dpvv.exe119⤵PID:2964
-
\??\c:\5xxlxfr.exec:\5xxlxfr.exe120⤵PID:2504
-
\??\c:\1rrlxrr.exec:\1rrlxrr.exe121⤵PID:2352
-
\??\c:\hhbthh.exec:\hhbthh.exe122⤵PID:1712