Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22-11-2024 07:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1a29fcce26a658845ea38f24b7d67c40743e42bcc9451c490e9eb7ca98ffae15.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1a29fcce26a658845ea38f24b7d67c40743e42bcc9451c490e9eb7ca98ffae15.exe
-
Size
455KB
-
MD5
fc482c2a3abef95ea8d8110e693da394
-
SHA1
eca12f365a03c39dda4c216e7def8c336a59caa2
-
SHA256
1a29fcce26a658845ea38f24b7d67c40743e42bcc9451c490e9eb7ca98ffae15
-
SHA512
9df98d78ae2557df59a15ab440383057a5eeff06f8747665ea480c9da354d2ac661660cf5ac36b0b058608d4e9dde30a71ea0325f2aa6ee409a004bd0fc2da93
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRK:q7Tc2NYHUrAwfMp3CDRK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 56 IoCs
resource yara_rule behavioral1/memory/2168-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2884-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-68-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2732-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-87-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2840-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/676-124-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2840-131-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2392-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-144-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1004-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-172-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2176-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1948-198-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon 
behavioral1/memory/1604-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1652-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-256-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/3012-266-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3012-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-307-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2020-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-329-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2352-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-339-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2776-365-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2740-379-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2624-386-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1820-399-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2196-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-466-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2148-473-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2148-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-478-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2500-483-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2452-490-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2068-497-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1784-562-0x0000000001C50000-0x0000000001C7A000-memory.dmp family_blackmoon behavioral1/memory/1712-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2796-631-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2912-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/704-696-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/588-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1408-726-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/964-776-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2168 5tnnbn.exe 2488 vvppd.exe 2352 lfxlffr.exe 2884 vjpdv.exe 2024 5nhnbb.exe 2772 7vppd.exe 2692 jdddj.exe 2784 1dvjj.exe 2732 7dvjd.exe 2588 jjjpd.exe 3056 tnhnbh.exe 676 1vvdp.exe 2840 3bbtnn.exe 2392 ppvdj.exe 804 hbhthn.exe 1004 5rfrxlr.exe 1948 ddvjv.exe 1836 rlfrflf.exe 372 jjjpp.exe 2176 ffrxlrf.exe 2320 5nthnn.exe 1604 pjpvj.exe 1352 5jdjp.exe 1680 fflrrxr.exe 1652 vvpdv.exe 1636 rrrxlxl.exe 2268 7rllrxf.exe 3012 hbtbhh.exe 2344 pjdjv.exe 1964 hhbnbh.exe 1576 fffxlrl.exe 2020 hbnntb.exe 2292 vdvvp.exe 2488 rfxfxfr.exe 2352 1btnbb.exe 2676 dddpv.exe 2776 llflxfl.exe 2716 3nttht.exe 1628 btbnhb.exe 2892 pjdjp.exe 2756 lffrfxl.exe 2740 bbnbnb.exe 2624 nbthtb.exe 2800 vpjvj.exe 1820 7rrxflx.exe 944 tbhhnb.exe 2556 jpvjp.exe 1860 jpjdj.exe 2196 5lxfflx.exe 588 5bbhbh.exe 1732 vvjjp.exe 2820 jdvdj.exe 1408 xxxxffr.exe 2936 bttbnt.exe 2836 ppdjd.exe 2148 lfrlrxf.exe 2500 xrfflrl.exe 2452 btthbh.exe 2068 3jdpv.exe 2152 rlfrrlx.exe 1384 5thnht.exe 2988 vdjdv.exe 2092 rxrxlrf.exe 2036 1xxlrxf.exe -
resource yara_rule behavioral1/memory/2168-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2884-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/676-124-0x00000000005C0000-0x00000000005EA000-memory.dmp upx behavioral1/memory/2392-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-144-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1004-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1604-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-310-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2292-312-0x00000000002A0000-0x00000000002CA000-memory.dmp upx behavioral1/memory/2488-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-386-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1860-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1408-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-466-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2148-473-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2148-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-497-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/1784-562-0x0000000001C50000-0x0000000001C7A000-memory.dmp upx behavioral1/memory/1712-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-631-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2912-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/704-696-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/588-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/964-776-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1528-783-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfllrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvjj.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrllrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1972 wrote to memory of 2168 1972 1a29fcce26a658845ea38f24b7d67c40743e42bcc9451c490e9eb7ca98ffae15.exe 30 PID 1972 wrote to memory of 2168 1972 1a29fcce26a658845ea38f24b7d67c40743e42bcc9451c490e9eb7ca98ffae15.exe 30 PID 1972 wrote to memory of 2168 1972 1a29fcce26a658845ea38f24b7d67c40743e42bcc9451c490e9eb7ca98ffae15.exe 30 PID 1972 wrote to memory of 2168 1972 1a29fcce26a658845ea38f24b7d67c40743e42bcc9451c490e9eb7ca98ffae15.exe 30 PID 2168 wrote to memory of 2488 2168 5tnnbn.exe 31 PID 2168 wrote to memory of 2488 2168 5tnnbn.exe 31 PID 2168 wrote to memory of 2488 2168 5tnnbn.exe 31 PID 2168 wrote to memory of 2488 2168 5tnnbn.exe 31 PID 2488 wrote to memory of 2352 2488 vvppd.exe 32 PID 2488 wrote to memory of 2352 2488 vvppd.exe 32 PID 2488 wrote to memory of 2352 2488 vvppd.exe 32 PID 2488 wrote to memory of 2352 2488 vvppd.exe 32 PID 2352 wrote to memory of 2884 2352 lfxlffr.exe 33 PID 2352 wrote to memory of 2884 2352 lfxlffr.exe 33 PID 2352 wrote to memory of 2884 2352 lfxlffr.exe 33 PID 2352 wrote to memory of 2884 2352 lfxlffr.exe 33 PID 2884 wrote to memory of 2024 2884 vjpdv.exe 34 PID 2884 wrote to memory of 2024 2884 vjpdv.exe 34 PID 2884 wrote to memory of 2024 2884 vjpdv.exe 34 PID 2884 wrote to memory of 2024 2884 vjpdv.exe 34 PID 2024 wrote to memory of 2772 2024 5nhnbb.exe 35 PID 2024 wrote to memory of 2772 2024 5nhnbb.exe 35 PID 2024 wrote to memory of 2772 2024 5nhnbb.exe 35 PID 2024 wrote to memory of 2772 2024 5nhnbb.exe 35 PID 2772 wrote to memory of 2692 2772 7vppd.exe 36 PID 2772 wrote to memory of 2692 2772 7vppd.exe 36 PID 2772 wrote to memory of 2692 2772 7vppd.exe 36 PID 2772 wrote to memory of 2692 2772 7vppd.exe 36 PID 2692 wrote to memory of 2784 2692 jdddj.exe 37 PID 2692 wrote to memory of 2784 2692 jdddj.exe 37 PID 2692 wrote to memory of 2784 2692 jdddj.exe 37 PID 2692 wrote to memory of 2784 2692 jdddj.exe 37 PID 2784 wrote to memory of 2732 2784 1dvjj.exe 38 PID 2784 wrote to memory 
of 2732 2784 1dvjj.exe 38 PID 2784 wrote to memory of 2732 2784 1dvjj.exe 38 PID 2784 wrote to memory of 2732 2784 1dvjj.exe 38 PID 2732 wrote to memory of 2588 2732 7dvjd.exe 39 PID 2732 wrote to memory of 2588 2732 7dvjd.exe 39 PID 2732 wrote to memory of 2588 2732 7dvjd.exe 39 PID 2732 wrote to memory of 2588 2732 7dvjd.exe 39 PID 2588 wrote to memory of 3056 2588 jjjpd.exe 40 PID 2588 wrote to memory of 3056 2588 jjjpd.exe 40 PID 2588 wrote to memory of 3056 2588 jjjpd.exe 40 PID 2588 wrote to memory of 3056 2588 jjjpd.exe 40 PID 3056 wrote to memory of 676 3056 tnhnbh.exe 41 PID 3056 wrote to memory of 676 3056 tnhnbh.exe 41 PID 3056 wrote to memory of 676 3056 tnhnbh.exe 41 PID 3056 wrote to memory of 676 3056 tnhnbh.exe 41 PID 676 wrote to memory of 2840 676 1vvdp.exe 42 PID 676 wrote to memory of 2840 676 1vvdp.exe 42 PID 676 wrote to memory of 2840 676 1vvdp.exe 42 PID 676 wrote to memory of 2840 676 1vvdp.exe 42 PID 2840 wrote to memory of 2392 2840 3bbtnn.exe 43 PID 2840 wrote to memory of 2392 2840 3bbtnn.exe 43 PID 2840 wrote to memory of 2392 2840 3bbtnn.exe 43 PID 2840 wrote to memory of 2392 2840 3bbtnn.exe 43 PID 2392 wrote to memory of 804 2392 ppvdj.exe 44 PID 2392 wrote to memory of 804 2392 ppvdj.exe 44 PID 2392 wrote to memory of 804 2392 ppvdj.exe 44 PID 2392 wrote to memory of 804 2392 ppvdj.exe 44 PID 804 wrote to memory of 1004 804 hbhthn.exe 45 PID 804 wrote to memory of 1004 804 hbhthn.exe 45 PID 804 wrote to memory of 1004 804 hbhthn.exe 45 PID 804 wrote to memory of 1004 804 hbhthn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a29fcce26a658845ea38f24b7d67c40743e42bcc9451c490e9eb7ca98ffae15.exe"C:\Users\Admin\AppData\Local\Temp\1a29fcce26a658845ea38f24b7d67c40743e42bcc9451c490e9eb7ca98ffae15.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\5tnnbn.exec:\5tnnbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\vvppd.exec:\vvppd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\lfxlffr.exec:\lfxlffr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\vjpdv.exec:\vjpdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\5nhnbb.exec:\5nhnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\7vppd.exec:\7vppd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\jdddj.exec:\jdddj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\1dvjj.exec:\1dvjj.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\7dvjd.exec:\7dvjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\jjjpd.exec:\jjjpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\tnhnbh.exec:\tnhnbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\1vvdp.exec:\1vvdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\3bbtnn.exec:\3bbtnn.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\ppvdj.exec:\ppvdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\hbhthn.exec:\hbhthn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:804 -
\??\c:\5rfrxlr.exec:\5rfrxlr.exe17⤵
- Executes dropped EXE
PID:1004 -
\??\c:\ddvjv.exec:\ddvjv.exe18⤵
- Executes dropped EXE
PID:1948 -
\??\c:\rlfrflf.exec:\rlfrflf.exe19⤵
- Executes dropped EXE
PID:1836 -
\??\c:\jjjpp.exec:\jjjpp.exe20⤵
- Executes dropped EXE
PID:372 -
\??\c:\ffrxlrf.exec:\ffrxlrf.exe21⤵
- Executes dropped EXE
PID:2176 -
\??\c:\5nthnn.exec:\5nthnn.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320 -
\??\c:\pjpvj.exec:\pjpvj.exe23⤵
- Executes dropped EXE
PID:1604 -
\??\c:\5jdjp.exec:\5jdjp.exe24⤵
- Executes dropped EXE
PID:1352 -
\??\c:\fflrrxr.exec:\fflrrxr.exe25⤵
- Executes dropped EXE
PID:1680 -
\??\c:\vvpdv.exec:\vvpdv.exe26⤵
- Executes dropped EXE
PID:1652 -
\??\c:\rrrxlxl.exec:\rrrxlxl.exe27⤵
- Executes dropped EXE
PID:1636 -
\??\c:\7rllrxf.exec:\7rllrxf.exe28⤵
- Executes dropped EXE
PID:2268 -
\??\c:\hbtbhh.exec:\hbtbhh.exe29⤵
- Executes dropped EXE
PID:3012 -
\??\c:\pjdjv.exec:\pjdjv.exe30⤵
- Executes dropped EXE
PID:2344 -
\??\c:\hhbnbh.exec:\hhbnbh.exe31⤵
- Executes dropped EXE
PID:1964 -
\??\c:\fffxlrl.exec:\fffxlrl.exe32⤵
- Executes dropped EXE
PID:1576 -
\??\c:\hbnntb.exec:\hbnntb.exe33⤵
- Executes dropped EXE
PID:2020 -
\??\c:\vdvvp.exec:\vdvvp.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2292 -
\??\c:\rfxfxfr.exec:\rfxfxfr.exe35⤵
- Executes dropped EXE
PID:2488 -
\??\c:\1btnbb.exec:\1btnbb.exe36⤵
- Executes dropped EXE
PID:2352 -
\??\c:\dddpv.exec:\dddpv.exe37⤵
- Executes dropped EXE
PID:2676 -
\??\c:\llflxfl.exec:\llflxfl.exe38⤵
- Executes dropped EXE
PID:2776 -
\??\c:\3nttht.exec:\3nttht.exe39⤵
- Executes dropped EXE
PID:2716 -
\??\c:\btbnhb.exec:\btbnhb.exe40⤵
- Executes dropped EXE
PID:1628 -
\??\c:\pjdjp.exec:\pjdjp.exe41⤵
- Executes dropped EXE
PID:2892 -
\??\c:\lffrfxl.exec:\lffrfxl.exe42⤵
- Executes dropped EXE
PID:2756 -
\??\c:\bbnbnb.exec:\bbnbnb.exe43⤵
- Executes dropped EXE
PID:2740 -
\??\c:\nbthtb.exec:\nbthtb.exe44⤵
- Executes dropped EXE
PID:2624 -
\??\c:\vpjvj.exec:\vpjvj.exe45⤵
- Executes dropped EXE
PID:2800 -
\??\c:\7rrxflx.exec:\7rrxflx.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1820 -
\??\c:\tbhhnb.exec:\tbhhnb.exe47⤵
- Executes dropped EXE
PID:944 -
\??\c:\jpvjp.exec:\jpvjp.exe48⤵
- Executes dropped EXE
PID:2556 -
\??\c:\jpjdj.exec:\jpjdj.exe49⤵
- Executes dropped EXE
PID:1860 -
\??\c:\5lxfflx.exec:\5lxfflx.exe50⤵
- Executes dropped EXE
PID:2196 -
\??\c:\5bbhbh.exec:\5bbhbh.exe51⤵
- Executes dropped EXE
PID:588 -
\??\c:\vvjjp.exec:\vvjjp.exe52⤵
- Executes dropped EXE
PID:1732 -
\??\c:\jdvdj.exec:\jdvdj.exe53⤵
- Executes dropped EXE
PID:2820 -
\??\c:\xxxxffr.exec:\xxxxffr.exe54⤵
- Executes dropped EXE
PID:1408 -
\??\c:\bttbnt.exec:\bttbnt.exe55⤵
- Executes dropped EXE
PID:2936 -
\??\c:\ppdjd.exec:\ppdjd.exe56⤵
- Executes dropped EXE
PID:2836 -
\??\c:\lfrlrxf.exec:\lfrlrxf.exe57⤵
- Executes dropped EXE
PID:2148 -
\??\c:\xrfflrl.exec:\xrfflrl.exe58⤵
- Executes dropped EXE
PID:2500 -
\??\c:\btthbh.exec:\btthbh.exe59⤵
- Executes dropped EXE
PID:2452 -
\??\c:\3jdpv.exec:\3jdpv.exe60⤵
- Executes dropped EXE
PID:2068 -
\??\c:\rlfrrlx.exec:\rlfrrlx.exe61⤵
- Executes dropped EXE
PID:2152 -
\??\c:\5thnht.exec:\5thnht.exe62⤵
- Executes dropped EXE
PID:1384 -
\??\c:\vdjdv.exec:\vdjdv.exe63⤵
- Executes dropped EXE
PID:2988 -
\??\c:\rxrxlrf.exec:\rxrxlrf.exe64⤵
- Executes dropped EXE
PID:2092 -
\??\c:\1xxlrxf.exec:\1xxlrxf.exe65⤵
- Executes dropped EXE
PID:2036 -
\??\c:\bbntnn.exec:\bbntnn.exe66⤵PID:2268
-
\??\c:\vjvpv.exec:\vjvpv.exe67⤵PID:2188
-
\??\c:\llffxff.exec:\llffxff.exe68⤵PID:2512
-
\??\c:\lffxlfr.exec:\lffxlfr.exe69⤵PID:1740
-
\??\c:\btntbh.exec:\btntbh.exe70⤵PID:1784
-
\??\c:\vpjpj.exec:\vpjpj.exe71⤵PID:1584
-
\??\c:\5rxxxxf.exec:\5rxxxxf.exe72⤵PID:2360
-
\??\c:\xlxrfrx.exec:\xlxrfrx.exe73⤵PID:2020
-
\??\c:\nnhthh.exec:\nnhthh.exe74⤵PID:2648
-
\??\c:\vpdjj.exec:\vpdjj.exe75⤵PID:1712
-
\??\c:\jdddj.exec:\jdddj.exe76⤵PID:2660
-
\??\c:\xxxxllr.exec:\xxxxllr.exe77⤵PID:2748
-
\??\c:\ntbtbt.exec:\ntbtbt.exe78⤵PID:2796
-
\??\c:\jjjpj.exec:\jjjpj.exe79⤵PID:2764
-
\??\c:\rrfxxxl.exec:\rrfxxxl.exe80⤵PID:2400
-
\??\c:\rlxfrrf.exec:\rlxfrrf.exe81⤵PID:2728
-
\??\c:\3bbnhh.exec:\3bbnhh.exe82⤵PID:2912
-
\??\c:\5vpvj.exec:\5vpvj.exe83⤵PID:2736
-
\??\c:\rrrxffr.exec:\rrrxffr.exe84⤵PID:2732
-
\??\c:\3hbbnn.exec:\3hbbnn.exe85⤵PID:3048
-
\??\c:\hhhthn.exec:\hhhthn.exe86⤵PID:2240
-
\??\c:\pjvdp.exec:\pjvdp.exe87⤵PID:788
-
\??\c:\fxfllrx.exec:\fxfllrx.exe88⤵PID:2636
-
\??\c:\lxffllr.exec:\lxffllr.exe89⤵PID:532
-
\??\c:\bnnthn.exec:\bnnthn.exe90⤵PID:1444
-
\??\c:\jdvjp.exec:\jdvjp.exe91⤵PID:776
-
\??\c:\lrrrffr.exec:\lrrrffr.exe92⤵PID:704
-
\??\c:\1rfxfxf.exec:\1rfxfxf.exe93⤵PID:588
-
\??\c:\btnthh.exec:\btnthh.exe94⤵PID:2316
-
\??\c:\9vpdd.exec:\9vpdd.exe95⤵PID:1936
-
\??\c:\lfrxflx.exec:\lfrxflx.exe96⤵PID:1408
-
\??\c:\ffflxrf.exec:\ffflxrf.exe97⤵PID:2936
-
\??\c:\nhbbnt.exec:\nhbbnt.exe98⤵PID:2264
-
\??\c:\pvvpj.exec:\pvvpj.exe99⤵PID:2932
-
\??\c:\xfflfxr.exec:\xfflfxr.exe100⤵PID:1372
-
\??\c:\rxrfrxf.exec:\rxrfrxf.exe101⤵PID:1340
-
\??\c:\bnhthh.exec:\bnhthh.exe102⤵PID:1056
-
\??\c:\9vvdd.exec:\9vvdd.exe103⤵PID:2080
-
\??\c:\1xrfllx.exec:\1xrfllx.exe104⤵PID:964
-
\??\c:\3xlfffr.exec:\3xlfffr.exe105⤵PID:1148
-
\??\c:\tbbttb.exec:\tbbttb.exe106⤵PID:1528
-
\??\c:\jdvvj.exec:\jdvvj.exe107⤵PID:2092
-
\??\c:\rxflxff.exec:\rxflxff.exe108⤵PID:2440
-
\??\c:\hhbhtb.exec:\hhbhtb.exe109⤵PID:2268
-
\??\c:\pjjvj.exec:\pjjvj.exe110⤵PID:2188
-
\??\c:\rxrfxrr.exec:\rxrfxrr.exe111⤵PID:2312
-
\??\c:\tttbnn.exec:\tttbnn.exe112⤵PID:2524
-
\??\c:\9fxxflx.exec:\9fxxflx.exe113⤵PID:2300
-
\??\c:\lrlrrfr.exec:\lrlrrfr.exe114⤵PID:2984
-
\??\c:\bbnnbb.exec:\bbnnbb.exe115⤵PID:2544
-
\??\c:\jpppd.exec:\jpppd.exe116⤵PID:2032
-
\??\c:\jdppp.exec:\jdppp.exe117⤵PID:2008
-
\??\c:\xrlrxfr.exec:\xrlrxfr.exe118⤵PID:2120
-
\??\c:\hntntb.exec:\hntntb.exe119⤵PID:2792
-
\??\c:\7vjpd.exec:\7vjpd.exe120⤵PID:2856
-
\??\c:\jdjjv.exec:\jdjjv.exe121⤵PID:2880
-
\??\c:\rxrxffl.exec:\rxrxffl.exe122⤵PID:2400