Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe
-
Size
456KB
-
MD5
64cf39043c649fcb11e32e277aaabc67
-
SHA1
a1296103b288ed3cf90efae6e3300c2d3f6d8711
-
SHA256
bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379
-
SHA512
b733860546a9a7e2f98acf82363c4f6283e8a60e8c3170d482e3c647b9716f04013f417cc65c5c39eb7d185dae2d27975bf1c8f20617ae01e5736e76d5033656
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2316-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-66-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2208-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1212-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-104-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2124-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/660-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1868-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1048-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1048-194-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1704-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1220-214-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/2060-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1220-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2344-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/972-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1512-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1224-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1708-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-380-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1264-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-436-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/936-483-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2520-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-523-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1912-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-587-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2220-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-684-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2788-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-709-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon 
behavioral1/memory/1548-725-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/944-737-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2064 1xxflrx.exe 2840 jdjjp.exe 3000 3lffrrf.exe 2612 vvvpd.exe 1992 llflxfr.exe 2588 lllrxfl.exe 2208 bhbnbh.exe 1212 xrffrlf.exe 2212 vvpjp.exe 2124 3jdpd.exe 660 ffrlxxl.exe 2848 dddpd.exe 2940 1thhhh.exe 2756 pjdjj.exe 2216 pppjv.exe 760 7hbnbh.exe 1820 jdvjp.exe 1308 nnhntb.exe 1868 1fxlfrr.exe 1048 7nbtbt.exe 1704 lfxfrlx.exe 1220 7bnbnh.exe 2060 3rxxxlr.exe 1376 bttbhn.exe 2364 btttnn.exe 1648 tbthbh.exe 2344 dvjdp.exe 1748 3nhnbn.exe 972 xlllrff.exe 2056 jddjp.exe 1512 frlrflf.exe 1856 hhtthn.exe 2836 ffrxflf.exe 2812 ffrrflr.exe 1224 5ttntt.exe 2712 dvvdj.exe 1708 rfflxxr.exe 2792 bhbhbn.exe 2680 jpdjp.exe 2644 fxlfrff.exe 2288 hhbnbh.exe 2796 7thntb.exe 2236 dpjpv.exe 2080 xxrxlxx.exe 2540 nnhnhb.exe 2052 9jvdj.exe 1264 jdpdj.exe 2900 llfrxxr.exe 1880 bhnnnt.exe 2920 dvpdj.exe 2096 7xlfffl.exe 2216 3nhhbt.exe 2972 vddvp.exe 1488 1fxxlrx.exe 936 tnhhtb.exe 2416 vpdvd.exe 2468 ddvdp.exe 708 3frlrlx.exe 1864 9thntb.exe 2520 9vppv.exe 1620 1lfxlrr.exe 1092 bbntbb.exe 1668 vvpvj.exe 1912 frllrrf.exe -
resource yara_rule behavioral1/memory/2316-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-66-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2208-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1212-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/660-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1048-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1220-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1648-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/972-277-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1512-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1224-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1708-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-380-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1264-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-422-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2972-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1864-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1912-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-587-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2740-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2220-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2256-713-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1548-725-0x00000000002A0000-0x00000000002CA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1htbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2064 2316 bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe 30 PID 2316 wrote to memory of 2064 2316 bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe 30 PID 2316 wrote to memory of 2064 2316 bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe 30 PID 2316 wrote to memory of 2064 2316 bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe 30 PID 2064 wrote to memory of 2840 2064 1xxflrx.exe 31 PID 2064 wrote to memory of 2840 2064 1xxflrx.exe 31 PID 2064 wrote to memory of 2840 2064 1xxflrx.exe 31 PID 2064 wrote to memory of 2840 2064 1xxflrx.exe 31 PID 2840 wrote to memory of 3000 2840 jdjjp.exe 32 PID 2840 wrote to memory of 3000 2840 jdjjp.exe 32 PID 2840 wrote to memory of 3000 2840 jdjjp.exe 32 PID 2840 wrote to memory of 3000 2840 jdjjp.exe 32 PID 3000 wrote to memory of 2612 3000 3lffrrf.exe 33 PID 3000 wrote to memory of 2612 3000 3lffrrf.exe 33 PID 3000 wrote to memory of 2612 3000 3lffrrf.exe 33 PID 3000 wrote to memory of 2612 3000 3lffrrf.exe 33 PID 2612 wrote to memory of 1992 2612 vvvpd.exe 34 PID 2612 wrote to memory of 1992 2612 vvvpd.exe 34 PID 2612 wrote to memory of 1992 2612 vvvpd.exe 34 PID 2612 wrote to memory of 1992 2612 vvvpd.exe 34 PID 1992 wrote to memory of 2588 1992 llflxfr.exe 35 PID 1992 wrote to memory of 2588 1992 llflxfr.exe 35 PID 1992 wrote to memory of 2588 1992 llflxfr.exe 35 PID 1992 wrote to memory of 2588 1992 llflxfr.exe 35 PID 2588 wrote to memory of 2208 2588 lllrxfl.exe 36 PID 2588 wrote to memory of 2208 2588 lllrxfl.exe 36 PID 2588 wrote to memory of 2208 2588 lllrxfl.exe 36 PID 2588 wrote to memory of 2208 2588 lllrxfl.exe 36 PID 2208 wrote to memory of 1212 2208 bhbnbh.exe 37 PID 2208 wrote to memory of 1212 2208 bhbnbh.exe 37 PID 2208 wrote to memory of 1212 2208 bhbnbh.exe 37 PID 2208 wrote to memory of 1212 2208 bhbnbh.exe 37 PID 1212 wrote to memory of 2212 1212 xrffrlf.exe 38 PID 
1212 wrote to memory of 2212 1212 xrffrlf.exe 38 PID 1212 wrote to memory of 2212 1212 xrffrlf.exe 38 PID 1212 wrote to memory of 2212 1212 xrffrlf.exe 38 PID 2212 wrote to memory of 2124 2212 vvpjp.exe 39 PID 2212 wrote to memory of 2124 2212 vvpjp.exe 39 PID 2212 wrote to memory of 2124 2212 vvpjp.exe 39 PID 2212 wrote to memory of 2124 2212 vvpjp.exe 39 PID 2124 wrote to memory of 660 2124 3jdpd.exe 40 PID 2124 wrote to memory of 660 2124 3jdpd.exe 40 PID 2124 wrote to memory of 660 2124 3jdpd.exe 40 PID 2124 wrote to memory of 660 2124 3jdpd.exe 40 PID 660 wrote to memory of 2848 660 ffrlxxl.exe 41 PID 660 wrote to memory of 2848 660 ffrlxxl.exe 41 PID 660 wrote to memory of 2848 660 ffrlxxl.exe 41 PID 660 wrote to memory of 2848 660 ffrlxxl.exe 41 PID 2848 wrote to memory of 2940 2848 dddpd.exe 42 PID 2848 wrote to memory of 2940 2848 dddpd.exe 42 PID 2848 wrote to memory of 2940 2848 dddpd.exe 42 PID 2848 wrote to memory of 2940 2848 dddpd.exe 42 PID 2940 wrote to memory of 2756 2940 1thhhh.exe 43 PID 2940 wrote to memory of 2756 2940 1thhhh.exe 43 PID 2940 wrote to memory of 2756 2940 1thhhh.exe 43 PID 2940 wrote to memory of 2756 2940 1thhhh.exe 43 PID 2756 wrote to memory of 2216 2756 pjdjj.exe 44 PID 2756 wrote to memory of 2216 2756 pjdjj.exe 44 PID 2756 wrote to memory of 2216 2756 pjdjj.exe 44 PID 2756 wrote to memory of 2216 2756 pjdjj.exe 44 PID 2216 wrote to memory of 760 2216 pppjv.exe 45 PID 2216 wrote to memory of 760 2216 pppjv.exe 45 PID 2216 wrote to memory of 760 2216 pppjv.exe 45 PID 2216 wrote to memory of 760 2216 pppjv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe"C:\Users\Admin\AppData\Local\Temp\bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\1xxflrx.exec:\1xxflrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\jdjjp.exec:\jdjjp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\3lffrrf.exec:\3lffrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\vvvpd.exec:\vvvpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\llflxfr.exec:\llflxfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\lllrxfl.exec:\lllrxfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\bhbnbh.exec:\bhbnbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\xrffrlf.exec:\xrffrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\vvpjp.exec:\vvpjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\3jdpd.exec:\3jdpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\ffrlxxl.exec:\ffrlxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
\??\c:\dddpd.exec:\dddpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\1thhhh.exec:\1thhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\pjdjj.exec:\pjdjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\pppjv.exec:\pppjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\7hbnbh.exec:\7hbnbh.exe17⤵
- Executes dropped EXE
PID:760 -
\??\c:\jdvjp.exec:\jdvjp.exe18⤵
- Executes dropped EXE
PID:1820 -
\??\c:\nnhntb.exec:\nnhntb.exe19⤵
- Executes dropped EXE
PID:1308 -
\??\c:\1fxlfrr.exec:\1fxlfrr.exe20⤵
- Executes dropped EXE
PID:1868 -
\??\c:\7nbtbt.exec:\7nbtbt.exe21⤵
- Executes dropped EXE
PID:1048 -
\??\c:\lfxfrlx.exec:\lfxfrlx.exe22⤵
- Executes dropped EXE
PID:1704 -
\??\c:\7bnbnh.exec:\7bnbnh.exe23⤵
- Executes dropped EXE
PID:1220 -
\??\c:\3rxxxlr.exec:\3rxxxlr.exe24⤵
- Executes dropped EXE
PID:2060 -
\??\c:\bttbhn.exec:\bttbhn.exe25⤵
- Executes dropped EXE
PID:1376 -
\??\c:\btttnn.exec:\btttnn.exe26⤵
- Executes dropped EXE
PID:2364 -
\??\c:\tbthbh.exec:\tbthbh.exe27⤵
- Executes dropped EXE
PID:1648 -
\??\c:\dvjdp.exec:\dvjdp.exe28⤵
- Executes dropped EXE
PID:2344 -
\??\c:\3nhnbn.exec:\3nhnbn.exe29⤵
- Executes dropped EXE
PID:1748 -
\??\c:\xlllrff.exec:\xlllrff.exe30⤵
- Executes dropped EXE
PID:972 -
\??\c:\jddjp.exec:\jddjp.exe31⤵
- Executes dropped EXE
PID:2056 -
\??\c:\frlrflf.exec:\frlrflf.exe32⤵
- Executes dropped EXE
PID:1512 -
\??\c:\hhtthn.exec:\hhtthn.exe33⤵
- Executes dropped EXE
PID:1856 -
\??\c:\ffrxflf.exec:\ffrxflf.exe34⤵
- Executes dropped EXE
PID:2836 -
\??\c:\ffrrflr.exec:\ffrrflr.exe35⤵
- Executes dropped EXE
PID:2812 -
\??\c:\5ttntt.exec:\5ttntt.exe36⤵
- Executes dropped EXE
PID:1224 -
\??\c:\dvvdj.exec:\dvvdj.exe37⤵
- Executes dropped EXE
PID:2712 -
\??\c:\rfflxxr.exec:\rfflxxr.exe38⤵
- Executes dropped EXE
PID:1708 -
\??\c:\bhbhbn.exec:\bhbhbn.exe39⤵
- Executes dropped EXE
PID:2792 -
\??\c:\jpdjp.exec:\jpdjp.exe40⤵
- Executes dropped EXE
PID:2680 -
\??\c:\fxlfrff.exec:\fxlfrff.exe41⤵
- Executes dropped EXE
PID:2644 -
\??\c:\hhbnbh.exec:\hhbnbh.exe42⤵
- Executes dropped EXE
PID:2288 -
\??\c:\7thntb.exec:\7thntb.exe43⤵
- Executes dropped EXE
PID:2796 -
\??\c:\dpjpv.exec:\dpjpv.exe44⤵
- Executes dropped EXE
PID:2236 -
\??\c:\xxrxlxx.exec:\xxrxlxx.exe45⤵
- Executes dropped EXE
PID:2080 -
\??\c:\nnhnhb.exec:\nnhnhb.exe46⤵
- Executes dropped EXE
PID:2540 -
\??\c:\9jvdj.exec:\9jvdj.exe47⤵
- Executes dropped EXE
PID:2052 -
\??\c:\jdpdj.exec:\jdpdj.exe48⤵
- Executes dropped EXE
PID:1264 -
\??\c:\llfrxxr.exec:\llfrxxr.exe49⤵
- Executes dropped EXE
PID:2900 -
\??\c:\bhnnnt.exec:\bhnnnt.exe50⤵
- Executes dropped EXE
PID:1880 -
\??\c:\dvpdj.exec:\dvpdj.exe51⤵
- Executes dropped EXE
PID:2920 -
\??\c:\7xlfffl.exec:\7xlfffl.exe52⤵
- Executes dropped EXE
PID:2096 -
\??\c:\3nhhbt.exec:\3nhhbt.exe53⤵
- Executes dropped EXE
PID:2216 -
\??\c:\vddvp.exec:\vddvp.exe54⤵
- Executes dropped EXE
PID:2972 -
\??\c:\1fxxlrx.exec:\1fxxlrx.exe55⤵
- Executes dropped EXE
PID:1488 -
\??\c:\tnhhtb.exec:\tnhhtb.exe56⤵
- Executes dropped EXE
PID:936 -
\??\c:\vpdvd.exec:\vpdvd.exe57⤵
- Executes dropped EXE
PID:2416 -
\??\c:\ddvdp.exec:\ddvdp.exe58⤵
- Executes dropped EXE
PID:2468 -
\??\c:\3frlrlx.exec:\3frlrlx.exe59⤵
- Executes dropped EXE
PID:708 -
\??\c:\9thntb.exec:\9thntb.exe60⤵
- Executes dropped EXE
PID:1864 -
\??\c:\9vppv.exec:\9vppv.exe61⤵
- Executes dropped EXE
PID:2520 -
\??\c:\1lfxlrr.exec:\1lfxlrr.exe62⤵
- Executes dropped EXE
PID:1620 -
\??\c:\bbntbb.exec:\bbntbb.exe63⤵
- Executes dropped EXE
PID:1092 -
\??\c:\vvpvj.exec:\vvpvj.exe64⤵
- Executes dropped EXE
PID:1668 -
\??\c:\frllrrf.exec:\frllrrf.exe65⤵
- Executes dropped EXE
PID:1912 -
\??\c:\lffllrf.exec:\lffllrf.exe66⤵PID:1124
-
\??\c:\bbthnt.exec:\bbthnt.exe67⤵PID:2192
-
\??\c:\dvddj.exec:\dvddj.exe68⤵PID:2484
-
\??\c:\vpvjp.exec:\vpvjp.exe69⤵PID:576
-
\??\c:\rrlrxfr.exec:\rrlrxfr.exe70⤵PID:1420
-
\??\c:\tnhhnh.exec:\tnhhnh.exe71⤵PID:300
-
\??\c:\jdpvp.exec:\jdpvp.exe72⤵PID:2032
-
\??\c:\dvvvv.exec:\dvvvv.exe73⤵PID:1724
-
\??\c:\9lfflxf.exec:\9lfflxf.exe74⤵PID:2380
-
\??\c:\bttbth.exec:\bttbth.exe75⤵PID:2880
-
\??\c:\5dppv.exec:\5dppv.exe76⤵PID:2728
-
\??\c:\7dvjd.exec:\7dvjd.exe77⤵PID:2176
-
\??\c:\xxxxxxr.exec:\xxxxxxr.exe78⤵PID:1716
-
\??\c:\btnthn.exec:\btnthn.exe79⤵
- System Location Discovery: System Language Discovery
PID:2852 -
\??\c:\bttbhn.exec:\bttbhn.exe80⤵PID:2740
-
\??\c:\pdvdp.exec:\pdvdp.exe81⤵PID:2692
-
\??\c:\llfrrxr.exec:\llfrrxr.exe82⤵PID:2608
-
\??\c:\rrfrflr.exec:\rrfrflr.exe83⤵PID:2700
-
\??\c:\tnbhtt.exec:\tnbhtt.exe84⤵PID:2188
-
\??\c:\vddjp.exec:\vddjp.exe85⤵PID:2288
-
\??\c:\llflxlx.exec:\llflxlx.exe86⤵PID:2220
-
\??\c:\7lfrxfl.exec:\7lfrxfl.exe87⤵PID:2516
-
\??\c:\nhhbhn.exec:\nhhbhn.exe88⤵PID:2168
-
\??\c:\vppjd.exec:\vppjd.exe89⤵PID:2968
-
\??\c:\ffflxxl.exec:\ffflxxl.exe90⤵PID:1336
-
\??\c:\fxlfllr.exec:\fxlfllr.exe91⤵PID:2788
-
\??\c:\vvpvj.exec:\vvpvj.exe92⤵PID:2940
-
\??\c:\xrfrllr.exec:\xrfrllr.exe93⤵PID:2636
-
\??\c:\rrxlxxl.exec:\rrxlxxl.exe94⤵PID:2256
-
\??\c:\tbtnbn.exec:\tbtnbn.exe95⤵PID:1548
-
\??\c:\jjddj.exec:\jjddj.exe96⤵PID:1776
-
\??\c:\flllflf.exec:\flllflf.exe97⤵PID:944
-
\??\c:\5bhhnb.exec:\5bhhnb.exe98⤵PID:3024
-
\??\c:\vpjvj.exec:\vpjvj.exe99⤵PID:2088
-
\??\c:\rlflxxl.exec:\rlflxxl.exe100⤵
- System Location Discovery: System Language Discovery
PID:1484 -
\??\c:\rrrxrxr.exec:\rrrxrxr.exe101⤵PID:1048
-
\??\c:\nbhttn.exec:\nbhttn.exe102⤵PID:2296
-
\??\c:\ppjvj.exec:\ppjvj.exe103⤵PID:1704
-
\??\c:\rlxfffx.exec:\rlxfffx.exe104⤵PID:2520
-
\??\c:\fxfrfrf.exec:\fxfrfrf.exe105⤵PID:1636
-
\??\c:\nnhbhn.exec:\nnhbhn.exe106⤵PID:1092
-
\??\c:\vpjvd.exec:\vpjvd.exe107⤵PID:2476
-
\??\c:\3frrrxx.exec:\3frrrxx.exe108⤵PID:892
-
\??\c:\5rfxllr.exec:\5rfxllr.exe109⤵PID:1124
-
\??\c:\ttnthh.exec:\ttnthh.exe110⤵PID:2192
-
\??\c:\3jvvp.exec:\3jvvp.exe111⤵PID:1736
-
\??\c:\xrrrfrf.exec:\xrrrfrf.exe112⤵PID:2140
-
\??\c:\hhbbhh.exec:\hhbbhh.exe113⤵PID:1720
-
\??\c:\5bnbnb.exec:\5bnbnb.exe114⤵PID:1828
-
\??\c:\djvpp.exec:\djvpp.exe115⤵PID:2492
-
\??\c:\rlflrfr.exec:\rlflrfr.exe116⤵PID:1972
-
\??\c:\dvjjv.exec:\dvjjv.exe117⤵PID:2820
-
\??\c:\pjvpv.exec:\pjvpv.exe118⤵PID:2736
-
\??\c:\rfxxlrf.exec:\rfxxlrf.exe119⤵PID:2840
-
\??\c:\bbbhtb.exec:\bbbhtb.exe120⤵PID:1572
-
\??\c:\7httbb.exec:\7httbb.exe121⤵PID:1224
-
\??\c:\5pvpd.exec:\5pvpd.exe122⤵PID:2616