Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
20-01-2025 09:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe
-
Size
456KB
-
MD5
51248d1bd3c1c6c61876e486b9401c40
-
SHA1
b3ddaf132f731146e62041b8b41451399098e88c
-
SHA256
602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0
-
SHA512
d13a0048ba54e7f560446a68bf1b23bbceb7b2cfce6c06b54fb5afdda39ac7ea7b3a80eaedcbad9223ffea2753bc877d4947924ab4be626364396c9571416657
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTU0:q7Tc2NYHUrAwfMp3CDg0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2252-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2096-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2084-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-55-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2632-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2684-100-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2684-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1396-144-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1736-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-164-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1840-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-202-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/940-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2924-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-259-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1508-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1596-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2416-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-375-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2652-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1640-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1096-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1372-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-430-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1980-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2748-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-635-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon 
behavioral1/memory/2408-648-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1640-686-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2348-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-709-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2948-909-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2732-918-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2680-959-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1924-997-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2708-1030-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2240-1095-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2096 ddpvd.exe 2084 llrrxff.exe 2560 ppvvd.exe 2204 9dpvd.exe 2820 ffrfrrr.exe 2960 pvdvd.exe 2192 xxrxxfr.exe 2632 jjdjj.exe 2824 lxfxxxf.exe 2684 pjvvd.exe 3036 xxllllr.exe 1796 pjddv.exe 784 5fxlxfr.exe 1396 fflfrrx.exe 1736 lrrxfrx.exe 1488 dddpd.exe 1840 llxxffr.exe 2472 ppdpj.exe 2920 nbnnbn.exe 2788 rrxflrx.exe 1064 lrrxlrx.exe 940 rrfrffr.exe 1588 frffllr.exe 2924 vjvdp.exe 1448 xfrrxlr.exe 2240 pjjjp.exe 3056 llrrflf.exe 328 jpdjd.exe 1508 3ddjj.exe 1644 hhnnbb.exe 1596 djjpd.exe 1680 9hhhtb.exe 2416 9ttthn.exe 1708 frllrxf.exe 2200 9xlrlrf.exe 2344 bhhhtb.exe 2752 7ddjv.exe 2712 pvppv.exe 2152 xfrrflr.exe 2792 5nhnbh.exe 2860 tbtthn.exe 2776 jpppd.exe 2660 rxffllx.exe 2652 llrrxxf.exe 3028 ntbbhn.exe 1640 jvjjj.exe 1096 rrffffl.exe 2512 bhtthb.exe 1372 ttbbbb.exe 2228 1pjdj.exe 1252 xxlrfll.exe 1768 xxffrxf.exe 1728 htbbht.exe 1980 jdjpp.exe 1784 vpdjp.exe 2076 9rlrflr.exe 2028 ttnntb.exe 2332 9dvdp.exe 652 jddpj.exe 1656 rrrrxfl.exe 2504 5nhhtt.exe 2376 hbhnbb.exe 1648 djpjj.exe 1552 9lxxffl.exe -
resource yara_rule behavioral1/memory/2252-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2684-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-125-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1488-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1840-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/940-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-256-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1508-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2344-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-402-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1096-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1372-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-471-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2240-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2748-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-686-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2348-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/408-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-782-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1484-972-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-1095-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/328-1098-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfllrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2096 2252 602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe 30 PID 2252 wrote to memory of 2096 2252 602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe 30 PID 2252 wrote to memory of 2096 2252 602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe 30 PID 2252 wrote to memory of 2096 2252 602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe 30 PID 2096 wrote to memory of 2084 2096 ddpvd.exe 31 PID 2096 wrote to memory of 2084 2096 ddpvd.exe 31 PID 2096 wrote to memory of 2084 2096 ddpvd.exe 31 PID 2096 wrote to memory of 2084 2096 ddpvd.exe 31 PID 2084 wrote to memory of 2560 2084 llrrxff.exe 32 PID 2084 wrote to memory of 2560 2084 llrrxff.exe 32 PID 2084 wrote to memory of 2560 2084 llrrxff.exe 32 PID 2084 wrote to memory of 2560 2084 llrrxff.exe 32 PID 2560 wrote to memory of 2204 2560 ppvvd.exe 33 PID 2560 wrote to memory of 2204 2560 ppvvd.exe 33 PID 2560 wrote to memory of 2204 2560 ppvvd.exe 33 PID 2560 wrote to memory of 2204 2560 ppvvd.exe 33 PID 2204 wrote to memory of 2820 2204 9dpvd.exe 34 PID 2204 wrote to memory of 2820 2204 9dpvd.exe 34 PID 2204 wrote to memory of 2820 2204 9dpvd.exe 34 PID 2204 wrote to memory of 2820 2204 9dpvd.exe 34 PID 2820 wrote to memory of 2960 2820 ffrfrrr.exe 35 PID 2820 wrote to memory of 2960 2820 ffrfrrr.exe 35 PID 2820 wrote to memory of 2960 2820 ffrfrrr.exe 35 PID 2820 wrote to memory of 2960 2820 ffrfrrr.exe 35 PID 2960 wrote to memory of 2192 2960 pvdvd.exe 36 PID 2960 wrote to memory of 2192 2960 pvdvd.exe 36 PID 2960 wrote to memory of 2192 2960 pvdvd.exe 36 PID 2960 wrote to memory of 2192 2960 pvdvd.exe 36 PID 2192 wrote to memory of 2632 2192 xxrxxfr.exe 37 PID 2192 wrote to memory of 2632 2192 xxrxxfr.exe 37 PID 2192 wrote to memory of 2632 2192 xxrxxfr.exe 37 PID 2192 wrote to memory of 2632 2192 xxrxxfr.exe 37 PID 2632 wrote to memory of 2824 2632 jjdjj.exe 38 PID 2632 wrote 
to memory of 2824 2632 jjdjj.exe 38 PID 2632 wrote to memory of 2824 2632 jjdjj.exe 38 PID 2632 wrote to memory of 2824 2632 jjdjj.exe 38 PID 2824 wrote to memory of 2684 2824 lxfxxxf.exe 39 PID 2824 wrote to memory of 2684 2824 lxfxxxf.exe 39 PID 2824 wrote to memory of 2684 2824 lxfxxxf.exe 39 PID 2824 wrote to memory of 2684 2824 lxfxxxf.exe 39 PID 2684 wrote to memory of 3036 2684 pjvvd.exe 40 PID 2684 wrote to memory of 3036 2684 pjvvd.exe 40 PID 2684 wrote to memory of 3036 2684 pjvvd.exe 40 PID 2684 wrote to memory of 3036 2684 pjvvd.exe 40 PID 3036 wrote to memory of 1796 3036 xxllllr.exe 41 PID 3036 wrote to memory of 1796 3036 xxllllr.exe 41 PID 3036 wrote to memory of 1796 3036 xxllllr.exe 41 PID 3036 wrote to memory of 1796 3036 xxllllr.exe 41 PID 1796 wrote to memory of 784 1796 pjddv.exe 42 PID 1796 wrote to memory of 784 1796 pjddv.exe 42 PID 1796 wrote to memory of 784 1796 pjddv.exe 42 PID 1796 wrote to memory of 784 1796 pjddv.exe 42 PID 784 wrote to memory of 1396 784 5fxlxfr.exe 43 PID 784 wrote to memory of 1396 784 5fxlxfr.exe 43 PID 784 wrote to memory of 1396 784 5fxlxfr.exe 43 PID 784 wrote to memory of 1396 784 5fxlxfr.exe 43 PID 1396 wrote to memory of 1736 1396 fflfrrx.exe 44 PID 1396 wrote to memory of 1736 1396 fflfrrx.exe 44 PID 1396 wrote to memory of 1736 1396 fflfrrx.exe 44 PID 1396 wrote to memory of 1736 1396 fflfrrx.exe 44 PID 1736 wrote to memory of 1488 1736 lrrxfrx.exe 45 PID 1736 wrote to memory of 1488 1736 lrrxfrx.exe 45 PID 1736 wrote to memory of 1488 1736 lrrxfrx.exe 45 PID 1736 wrote to memory of 1488 1736 lrrxfrx.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe"C:\Users\Admin\AppData\Local\Temp\602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\ddpvd.exec:\ddpvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\llrrxff.exec:\llrrxff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\ppvvd.exec:\ppvvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\9dpvd.exec:\9dpvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\ffrfrrr.exec:\ffrfrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\pvdvd.exec:\pvdvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\xxrxxfr.exec:\xxrxxfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\jjdjj.exec:\jjdjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\lxfxxxf.exec:\lxfxxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\pjvvd.exec:\pjvvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\xxllllr.exec:\xxllllr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\pjddv.exec:\pjddv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\5fxlxfr.exec:\5fxlxfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
\??\c:\fflfrrx.exec:\fflfrrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\lrrxfrx.exec:\lrrxfrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\dddpd.exec:\dddpd.exe17⤵
- Executes dropped EXE
PID:1488 -
\??\c:\llxxffr.exec:\llxxffr.exe18⤵
- Executes dropped EXE
PID:1840 -
\??\c:\ppdpj.exec:\ppdpj.exe19⤵
- Executes dropped EXE
PID:2472 -
\??\c:\nbnnbn.exec:\nbnnbn.exe20⤵
- Executes dropped EXE
PID:2920 -
\??\c:\rrxflrx.exec:\rrxflrx.exe21⤵
- Executes dropped EXE
PID:2788 -
\??\c:\lrrxlrx.exec:\lrrxlrx.exe22⤵
- Executes dropped EXE
PID:1064 -
\??\c:\rrfrffr.exec:\rrfrffr.exe23⤵
- Executes dropped EXE
PID:940 -
\??\c:\frffllr.exec:\frffllr.exe24⤵
- Executes dropped EXE
PID:1588 -
\??\c:\vjvdp.exec:\vjvdp.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924 -
\??\c:\xfrrxlr.exec:\xfrrxlr.exe26⤵
- Executes dropped EXE
PID:1448 -
\??\c:\pjjjp.exec:\pjjjp.exe27⤵
- Executes dropped EXE
PID:2240 -
\??\c:\llrrflf.exec:\llrrflf.exe28⤵
- Executes dropped EXE
PID:3056 -
\??\c:\jpdjd.exec:\jpdjd.exe29⤵
- Executes dropped EXE
PID:328 -
\??\c:\3ddjj.exec:\3ddjj.exe30⤵
- Executes dropped EXE
PID:1508 -
\??\c:\hhnnbb.exec:\hhnnbb.exe31⤵
- Executes dropped EXE
PID:1644 -
\??\c:\djjpd.exec:\djjpd.exe32⤵
- Executes dropped EXE
PID:1596 -
\??\c:\9hhhtb.exec:\9hhhtb.exe33⤵
- Executes dropped EXE
PID:1680 -
\??\c:\9ttthn.exec:\9ttthn.exe34⤵
- Executes dropped EXE
PID:2416 -
\??\c:\frllrxf.exec:\frllrxf.exe35⤵
- Executes dropped EXE
PID:1708 -
\??\c:\9xlrlrf.exec:\9xlrlrf.exe36⤵
- Executes dropped EXE
PID:2200 -
\??\c:\bhhhtb.exec:\bhhhtb.exe37⤵
- Executes dropped EXE
PID:2344 -
\??\c:\7ddjv.exec:\7ddjv.exe38⤵
- Executes dropped EXE
PID:2752 -
\??\c:\pvppv.exec:\pvppv.exe39⤵
- Executes dropped EXE
PID:2712 -
\??\c:\xfrrflr.exec:\xfrrflr.exe40⤵
- Executes dropped EXE
PID:2152 -
\??\c:\5nhnbh.exec:\5nhnbh.exe41⤵
- Executes dropped EXE
PID:2792 -
\??\c:\tbtthn.exec:\tbtthn.exe42⤵
- Executes dropped EXE
PID:2860 -
\??\c:\jpppd.exec:\jpppd.exe43⤵
- Executes dropped EXE
PID:2776 -
\??\c:\rxffllx.exec:\rxffllx.exe44⤵
- Executes dropped EXE
PID:2660 -
\??\c:\llrrxxf.exec:\llrrxxf.exe45⤵
- Executes dropped EXE
PID:2652 -
\??\c:\ntbbhn.exec:\ntbbhn.exe46⤵
- Executes dropped EXE
PID:3028 -
\??\c:\jvjjj.exec:\jvjjj.exe47⤵
- Executes dropped EXE
PID:1640 -
\??\c:\rrffffl.exec:\rrffffl.exe48⤵
- Executes dropped EXE
PID:1096 -
\??\c:\bhtthb.exec:\bhtthb.exe49⤵
- Executes dropped EXE
PID:2512 -
\??\c:\ttbbbb.exec:\ttbbbb.exe50⤵
- Executes dropped EXE
PID:1372 -
\??\c:\1pjdj.exec:\1pjdj.exe51⤵
- Executes dropped EXE
PID:2228 -
\??\c:\xxlrfll.exec:\xxlrfll.exe52⤵
- Executes dropped EXE
PID:1252 -
\??\c:\xxffrxf.exec:\xxffrxf.exe53⤵
- Executes dropped EXE
PID:1768 -
\??\c:\htbbht.exec:\htbbht.exe54⤵
- Executes dropped EXE
PID:1728 -
\??\c:\jdjpp.exec:\jdjpp.exe55⤵
- Executes dropped EXE
PID:1980 -
\??\c:\vpdjp.exec:\vpdjp.exe56⤵
- Executes dropped EXE
PID:1784 -
\??\c:\9rlrflr.exec:\9rlrflr.exe57⤵
- Executes dropped EXE
PID:2076 -
\??\c:\ttnntb.exec:\ttnntb.exe58⤵
- Executes dropped EXE
PID:2028 -
\??\c:\9dvdp.exec:\9dvdp.exe59⤵
- Executes dropped EXE
PID:2332 -
\??\c:\jddpj.exec:\jddpj.exe60⤵
- Executes dropped EXE
PID:652 -
\??\c:\rrrrxfl.exec:\rrrrxfl.exe61⤵
- Executes dropped EXE
PID:1656 -
\??\c:\5nhhtt.exec:\5nhhtt.exe62⤵
- Executes dropped EXE
PID:2504 -
\??\c:\hbhnbb.exec:\hbhnbb.exe63⤵
- Executes dropped EXE
PID:2376 -
\??\c:\djpjj.exec:\djpjj.exe64⤵
- Executes dropped EXE
PID:1648 -
\??\c:\9lxxffl.exec:\9lxxffl.exe65⤵
- Executes dropped EXE
PID:1552 -
\??\c:\xxllflx.exec:\xxllflx.exe66⤵PID:1000
-
\??\c:\bhnntt.exec:\bhnntt.exe67⤵PID:920
-
\??\c:\ddjpv.exec:\ddjpv.exe68⤵PID:2996
-
\??\c:\9pdjj.exec:\9pdjj.exe69⤵PID:2240
-
\??\c:\llrrrll.exec:\llrrrll.exe70⤵PID:2000
-
\??\c:\7hhntt.exec:\7hhntt.exe71⤵PID:2572
-
\??\c:\jjjpd.exec:\jjjpd.exe72⤵PID:1988
-
\??\c:\vvjpd.exec:\vvjpd.exe73⤵PID:2012
-
\??\c:\frfflll.exec:\frfflll.exe74⤵PID:2172
-
\??\c:\htnttt.exec:\htnttt.exe75⤵PID:1908
-
\??\c:\nntbhn.exec:\nntbhn.exe76⤵PID:2360
-
\??\c:\pvddd.exec:\pvddd.exe77⤵PID:1716
-
\??\c:\9rflrrr.exec:\9rflrrr.exe78⤵PID:2552
-
\??\c:\rrrxxxx.exec:\rrrxxxx.exe79⤵PID:2436
-
\??\c:\tbhbtt.exec:\tbhbtt.exe80⤵PID:2748
-
\??\c:\djjjv.exec:\djjjv.exe81⤵
- System Location Discovery: System Language Discovery
PID:2800 -
\??\c:\jdpjj.exec:\jdpjj.exe82⤵PID:2832
-
\??\c:\rrxrllr.exec:\rrxrllr.exe83⤵PID:2944
-
\??\c:\tbhntb.exec:\tbhntb.exe84⤵PID:2644
-
\??\c:\dppvd.exec:\dppvd.exe85⤵PID:2408
-
\??\c:\ppdpv.exec:\ppdpv.exe86⤵PID:2656
-
\??\c:\ffrrxfl.exec:\ffrrxfl.exe87⤵PID:2624
-
\??\c:\hbhhnn.exec:\hbhhnn.exe88⤵PID:2608
-
\??\c:\jjppp.exec:\jjppp.exe89⤵PID:2388
-
\??\c:\ddjjp.exec:\ddjjp.exe90⤵PID:1592
-
\??\c:\ffflxxf.exec:\ffflxxf.exe91⤵PID:1640
-
\??\c:\nnhbbh.exec:\nnhbbh.exe92⤵PID:1096
-
\??\c:\5thntt.exec:\5thntt.exe93⤵PID:2348
-
\??\c:\7djdd.exec:\7djdd.exe94⤵PID:1372
-
\??\c:\3fllrxx.exec:\3fllrxx.exe95⤵PID:2228
-
\??\c:\nhnbbn.exec:\nhnbbn.exe96⤵PID:468
-
\??\c:\bbhtnh.exec:\bbhtnh.exe97⤵PID:1768
-
\??\c:\vdpvv.exec:\vdpvv.exe98⤵PID:1172
-
\??\c:\xrrllrr.exec:\xrrllrr.exe99⤵PID:1496
-
\??\c:\tntbnn.exec:\tntbnn.exe100⤵PID:2596
-
\??\c:\hhhhnt.exec:\hhhhnt.exe101⤵PID:2588
-
\??\c:\pjdvp.exec:\pjdvp.exe102⤵PID:2956
-
\??\c:\llfffxf.exec:\llfffxf.exe103⤵PID:408
-
\??\c:\rrfxffl.exec:\rrfxffl.exe104⤵PID:2696
-
\??\c:\3nhnnt.exec:\3nhnnt.exe105⤵PID:2428
-
\??\c:\dvddd.exec:\dvddd.exe106⤵PID:2260
-
\??\c:\fflrxxf.exec:\fflrxxf.exe107⤵PID:1720
-
\??\c:\fxxrfxf.exec:\fxxrfxf.exe108⤵PID:576
-
\??\c:\tthhtt.exec:\tthhtt.exe109⤵PID:1564
-
\??\c:\5jpvd.exec:\5jpvd.exe110⤵PID:2168
-
\??\c:\ddddj.exec:\ddddj.exe111⤵
- System Location Discovery: System Language Discovery
PID:2040 -
\??\c:\xxfflxf.exec:\xxfflxf.exe112⤵PID:1940
-
\??\c:\tbnnnn.exec:\tbnnnn.exe113⤵PID:2492
-
\??\c:\nhnhbb.exec:\nhnhbb.exe114⤵PID:2452
-
\??\c:\jjjjp.exec:\jjjjp.exe115⤵PID:2688
-
\??\c:\xrllllr.exec:\xrllllr.exe116⤵PID:1508
-
\??\c:\rlrlllx.exec:\rlrlllx.exe117⤵PID:2264
-
\??\c:\tnnntt.exec:\tnnntt.exe118⤵PID:2100
-
\??\c:\djpvj.exec:\djpvj.exe119⤵PID:2364
-
\??\c:\rlllrrr.exec:\rlllrrr.exe120⤵PID:1620
-
\??\c:\ffrxffr.exec:\ffrxffr.exe121⤵PID:2548
-
\??\c:\hhhhhn.exec:\hhhhhn.exe122⤵PID:1708