Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-11-2024 00:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe
-
Size
454KB
-
MD5
d399fec59036c3243272d5111689a68a
-
SHA1
719026f8e5441555cd2f2979c4618a79dde49350
-
SHA256
7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2
-
SHA512
7c4859c5b44146c74c431451f1a2c4fe66290bb9271437e534f33ead8e933af2cc007b2b7f263a7386684fda9ce37908b157c3aaa8a1b28b6b84dba184604000
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeK:q7Tc2NYHUrAwfMp3CDK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/1852-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/880-26-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/880-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3068-83-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/3068-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-93-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2560-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-103-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2112-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/792-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/576-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1880-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1364-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1364-156-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2600-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1564-207-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2056-188-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1508-243-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1688-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-233-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1640-258-0x00000000001E0000-0x000000000020A000-memory.dmp family_blackmoon behavioral1/memory/2116-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-285-0x0000000076F20000-0x000000007703F000-memory.dmp family_blackmoon behavioral1/memory/2996-286-0x0000000076E20000-0x0000000076F1A000-memory.dmp family_blackmoon behavioral1/memory/1648-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-315-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2836-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-444-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1700-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-468-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1856-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2612-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3044-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-655-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/320-668-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2620-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-858-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2632-897-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2920-919-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1464-971-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-1170-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2080 pjpjj.exe 880 lfrxrrx.exe 2940 vdvdj.exe 2668 9frrffr.exe 2848 frrrffl.exe 2692 pdjvv.exe 2904 lffxlxr.exe 3068 jdvjd.exe 2560 rrlxrlx.exe 2680 ttnbnb.exe 2112 xxrllfl.exe 2776 hbnthh.exe 792 jvjpp.exe 576 fxlrffr.exe 2788 nbnntt.exe 1364 9vvjv.exe 1880 3lffrfl.exe 2600 3bnnbb.exe 3028 vvjjd.exe 2056 vpjpv.exe 2444 hnhtbn.exe 1564 bbtbhn.exe 1512 dvjpj.exe 1640 nbnthh.exe 1688 dvppj.exe 1508 pvvdv.exe 2116 frfxxrr.exe 624 1pvpv.exe 1016 xlrrlfr.exe 892 7tnttb.exe 2996 xrflxfr.exe 1648 pjddp.exe 2500 lxrrxlf.exe 2248 bbntbh.exe 2704 dpjjp.exe 2856 fxlrffx.exe 2428 hhbhnt.exe 2836 pjvdj.exe 2744 7jvdp.exe 2832 lfxfxxr.exe 2820 7tnnnn.exe 2576 thtttt.exe 3044 vppvj.exe 2224 jdvdp.exe 1800 5xxxllx.exe 2796 5nttbb.exe 2776 jjvjv.exe 1660 djddv.exe 2780 xxrxllx.exe 2764 thtntt.exe 1144 pjdjv.exe 2936 pjjpd.exe 1980 rrxxffr.exe 1700 nthhtb.exe 2200 vvjpd.exe 1952 vpvpv.exe 2168 5xlxffr.exe 2392 7nhttb.exe 860 7ppdv.exe 688 lllxrxf.exe 1856 ffxflrf.exe 2148 hbthtb.exe 968 jdvpv.exe 2524 ppjvj.exe -
resource yara_rule behavioral1/memory/1852-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-26-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/880-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/792-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/576-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-243-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1688-238-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2116-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-281-0x0000000000430000-0x000000000045A000-memory.dmp upx behavioral1/memory/2996-285-0x0000000076F20000-0x000000007703F000-memory.dmp upx behavioral1/memory/1648-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1856-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-655-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2620-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-781-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/676-816-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-897-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/576-945-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/320-954-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-971-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-984-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-991-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-1034-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-1084-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-1183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-1203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-1242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-1247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-1296-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdjp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1852 wrote to memory of 2080 1852 7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe 31 PID 1852 wrote to memory of 2080 1852 7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe 31 PID 1852 wrote to memory of 2080 1852 7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe 31 PID 1852 wrote to memory of 2080 1852 7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe 31 PID 2080 wrote to memory of 880 2080 pjpjj.exe 32 PID 2080 wrote to memory of 880 2080 pjpjj.exe 32 PID 2080 wrote to memory of 880 2080 pjpjj.exe 32 PID 2080 wrote to memory of 880 2080 pjpjj.exe 32 PID 880 wrote to memory of 2940 880 lfrxrrx.exe 33 PID 880 wrote to memory of 2940 880 lfrxrrx.exe 33 PID 880 wrote to memory of 2940 880 lfrxrrx.exe 33 PID 880 wrote to memory of 2940 880 lfrxrrx.exe 33 PID 2940 wrote to memory of 2668 2940 vdvdj.exe 34 PID 2940 wrote to memory of 2668 2940 vdvdj.exe 34 PID 2940 wrote to memory of 2668 2940 vdvdj.exe 34 PID 2940 wrote to memory of 2668 2940 vdvdj.exe 34 PID 2668 wrote to memory of 2848 2668 9frrffr.exe 35 PID 2668 wrote to memory of 2848 2668 9frrffr.exe 35 PID 2668 wrote to memory of 2848 2668 9frrffr.exe 35 PID 2668 wrote to memory of 2848 2668 9frrffr.exe 35 PID 2848 wrote to memory of 2692 2848 frrrffl.exe 36 PID 2848 wrote to memory of 2692 2848 frrrffl.exe 36 PID 2848 wrote to memory of 2692 2848 frrrffl.exe 36 PID 2848 wrote to memory of 2692 2848 frrrffl.exe 36 PID 2692 wrote to memory of 2904 2692 pdjvv.exe 37 PID 2692 wrote to memory of 2904 2692 pdjvv.exe 37 PID 2692 wrote to memory of 2904 2692 pdjvv.exe 37 PID 2692 wrote to memory of 2904 2692 pdjvv.exe 37 PID 2904 wrote to memory of 3068 2904 lffxlxr.exe 38 PID 2904 wrote to memory of 3068 2904 lffxlxr.exe 38 PID 2904 wrote to memory of 3068 2904 lffxlxr.exe 38 PID 2904 wrote to memory of 3068 2904 lffxlxr.exe 38 PID 3068 wrote to memory of 2560 3068 jdvjd.exe 39 PID 3068 wrote to 
memory of 2560 3068 jdvjd.exe 39 PID 3068 wrote to memory of 2560 3068 jdvjd.exe 39 PID 3068 wrote to memory of 2560 3068 jdvjd.exe 39 PID 2560 wrote to memory of 2680 2560 rrlxrlx.exe 40 PID 2560 wrote to memory of 2680 2560 rrlxrlx.exe 40 PID 2560 wrote to memory of 2680 2560 rrlxrlx.exe 40 PID 2560 wrote to memory of 2680 2560 rrlxrlx.exe 40 PID 2680 wrote to memory of 2112 2680 ttnbnb.exe 41 PID 2680 wrote to memory of 2112 2680 ttnbnb.exe 41 PID 2680 wrote to memory of 2112 2680 ttnbnb.exe 41 PID 2680 wrote to memory of 2112 2680 ttnbnb.exe 41 PID 2112 wrote to memory of 2776 2112 xxrllfl.exe 42 PID 2112 wrote to memory of 2776 2112 xxrllfl.exe 42 PID 2112 wrote to memory of 2776 2112 xxrllfl.exe 42 PID 2112 wrote to memory of 2776 2112 xxrllfl.exe 42 PID 2776 wrote to memory of 792 2776 hbnthh.exe 43 PID 2776 wrote to memory of 792 2776 hbnthh.exe 43 PID 2776 wrote to memory of 792 2776 hbnthh.exe 43 PID 2776 wrote to memory of 792 2776 hbnthh.exe 43 PID 792 wrote to memory of 576 792 jvjpp.exe 44 PID 792 wrote to memory of 576 792 jvjpp.exe 44 PID 792 wrote to memory of 576 792 jvjpp.exe 44 PID 792 wrote to memory of 576 792 jvjpp.exe 44 PID 576 wrote to memory of 2788 576 fxlrffr.exe 45 PID 576 wrote to memory of 2788 576 fxlrffr.exe 45 PID 576 wrote to memory of 2788 576 fxlrffr.exe 45 PID 576 wrote to memory of 2788 576 fxlrffr.exe 45 PID 2788 wrote to memory of 1364 2788 nbnntt.exe 46 PID 2788 wrote to memory of 1364 2788 nbnntt.exe 46 PID 2788 wrote to memory of 1364 2788 nbnntt.exe 46 PID 2788 wrote to memory of 1364 2788 nbnntt.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe"C:\Users\Admin\AppData\Local\Temp\7974f80215b2d65bdb2e0e0ed0b98b753bb3fc2a91350d71a9d01eb0b210b4d2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\pjpjj.exec:\pjpjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\lfrxrrx.exec:\lfrxrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\vdvdj.exec:\vdvdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\9frrffr.exec:\9frrffr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\frrrffl.exec:\frrrffl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\pdjvv.exec:\pdjvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\lffxlxr.exec:\lffxlxr.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\jdvjd.exec:\jdvjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\rrlxrlx.exec:\rrlxrlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\ttnbnb.exec:\ttnbnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\xxrllfl.exec:\xxrllfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\hbnthh.exec:\hbnthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\jvjpp.exec:\jvjpp.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:792 -
\??\c:\fxlrffr.exec:\fxlrffr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576 -
\??\c:\nbnntt.exec:\nbnntt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\9vvjv.exec:\9vvjv.exe17⤵
- Executes dropped EXE
PID:1364 -
\??\c:\3lffrfl.exec:\3lffrfl.exe18⤵
- Executes dropped EXE
PID:1880 -
\??\c:\3bnnbb.exec:\3bnnbb.exe19⤵
- Executes dropped EXE
PID:2600 -
\??\c:\vvjjd.exec:\vvjjd.exe20⤵
- Executes dropped EXE
PID:3028 -
\??\c:\vpjpv.exec:\vpjpv.exe21⤵
- Executes dropped EXE
PID:2056 -
\??\c:\hnhtbn.exec:\hnhtbn.exe22⤵
- Executes dropped EXE
PID:2444 -
\??\c:\bbtbhn.exec:\bbtbhn.exe23⤵
- Executes dropped EXE
PID:1564 -
\??\c:\dvjpj.exec:\dvjpj.exe24⤵
- Executes dropped EXE
PID:1512 -
\??\c:\nbnthh.exec:\nbnthh.exe25⤵
- Executes dropped EXE
PID:1640 -
\??\c:\dvppj.exec:\dvppj.exe26⤵
- Executes dropped EXE
PID:1688 -
\??\c:\pvvdv.exec:\pvvdv.exe27⤵
- Executes dropped EXE
PID:1508 -
\??\c:\frfxxrr.exec:\frfxxrr.exe28⤵
- Executes dropped EXE
PID:2116 -
\??\c:\1pvpv.exec:\1pvpv.exe29⤵
- Executes dropped EXE
PID:624 -
\??\c:\xlrrlfr.exec:\xlrrlfr.exe30⤵
- Executes dropped EXE
PID:1016 -
\??\c:\7tnttb.exec:\7tnttb.exe31⤵
- Executes dropped EXE
PID:892 -
\??\c:\xrflxfr.exec:\xrflxfr.exe32⤵
- Executes dropped EXE
PID:2996 -
\??\c:\3tbhnn.exec:\3tbhnn.exe33⤵PID:1764
-
\??\c:\pjddp.exec:\pjddp.exe34⤵
- Executes dropped EXE
PID:1648 -
\??\c:\lxrrxlf.exec:\lxrrxlf.exe35⤵
- Executes dropped EXE
PID:2500 -
\??\c:\bbntbh.exec:\bbntbh.exe36⤵
- Executes dropped EXE
PID:2248 -
\??\c:\dpjjp.exec:\dpjjp.exe37⤵
- Executes dropped EXE
PID:2704 -
\??\c:\fxlrffx.exec:\fxlrffx.exe38⤵
- Executes dropped EXE
PID:2856 -
\??\c:\hhbhnt.exec:\hhbhnt.exe39⤵
- Executes dropped EXE
PID:2428 -
\??\c:\pjvdj.exec:\pjvdj.exe40⤵
- Executes dropped EXE
PID:2836 -
\??\c:\7jvdp.exec:\7jvdp.exe41⤵
- Executes dropped EXE
PID:2744 -
\??\c:\lfxfxxr.exec:\lfxfxxr.exe42⤵
- Executes dropped EXE
PID:2832 -
\??\c:\7tnnnn.exec:\7tnnnn.exe43⤵
- Executes dropped EXE
PID:2820 -
\??\c:\thtttt.exec:\thtttt.exe44⤵
- Executes dropped EXE
PID:2576 -
\??\c:\vppvj.exec:\vppvj.exe45⤵
- Executes dropped EXE
PID:3044 -
\??\c:\jdvdp.exec:\jdvdp.exe46⤵
- Executes dropped EXE
PID:2224 -
\??\c:\5xxxllx.exec:\5xxxllx.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1800 -
\??\c:\5nttbb.exec:\5nttbb.exe48⤵
- Executes dropped EXE
PID:2796 -
\??\c:\jjvjv.exec:\jjvjv.exe49⤵
- Executes dropped EXE
PID:2776 -
\??\c:\djddv.exec:\djddv.exe50⤵
- Executes dropped EXE
PID:1660 -
\??\c:\xxrxllx.exec:\xxrxllx.exe51⤵
- Executes dropped EXE
PID:2780 -
\??\c:\thtntt.exec:\thtntt.exe52⤵
- Executes dropped EXE
PID:2764 -
\??\c:\pjdjv.exec:\pjdjv.exe53⤵
- Executes dropped EXE
PID:1144 -
\??\c:\pjjpd.exec:\pjjpd.exe54⤵
- Executes dropped EXE
PID:2936 -
\??\c:\rrxxffr.exec:\rrxxffr.exe55⤵
- Executes dropped EXE
PID:1980 -
\??\c:\nthhtb.exec:\nthhtb.exe56⤵
- Executes dropped EXE
PID:1700 -
\??\c:\vvjpd.exec:\vvjpd.exe57⤵
- Executes dropped EXE
PID:2200 -
\??\c:\vpvpv.exec:\vpvpv.exe58⤵
- Executes dropped EXE
PID:1952 -
\??\c:\5xlxffr.exec:\5xlxffr.exe59⤵
- Executes dropped EXE
PID:2168 -
\??\c:\7nhttb.exec:\7nhttb.exe60⤵
- Executes dropped EXE
PID:2392 -
\??\c:\7ppdv.exec:\7ppdv.exe61⤵
- Executes dropped EXE
PID:860 -
\??\c:\lllxrxf.exec:\lllxrxf.exe62⤵
- Executes dropped EXE
PID:688 -
\??\c:\ffxflrf.exec:\ffxflrf.exe63⤵
- Executes dropped EXE
PID:1856 -
\??\c:\hbthtb.exec:\hbthtb.exe64⤵
- Executes dropped EXE
PID:2148 -
\??\c:\jdvpv.exec:\jdvpv.exe65⤵
- Executes dropped EXE
PID:968 -
\??\c:\ppjvj.exec:\ppjvj.exe66⤵
- Executes dropped EXE
PID:2524 -
\??\c:\fxrxflx.exec:\fxrxflx.exe67⤵PID:1212
-
\??\c:\7nhttb.exec:\7nhttb.exe68⤵PID:1424
-
\??\c:\9nhbhn.exec:\9nhbhn.exe69⤵PID:2252
-
\??\c:\5jjpd.exec:\5jjpd.exe70⤵PID:2440
-
\??\c:\1xxlxfr.exec:\1xxlxfr.exe71⤵PID:2292
-
\??\c:\9fxfxfl.exec:\9fxfxfl.exe72⤵PID:768
-
\??\c:\bbtbnt.exec:\bbtbnt.exe73⤵PID:2076
-
\??\c:\jdpvj.exec:\jdpvj.exe74⤵PID:2360
-
\??\c:\flfrffx.exec:\flfrffx.exe75⤵PID:1540
-
\??\c:\bnthhh.exec:\bnthhh.exe76⤵PID:2036
-
\??\c:\vpdvd.exec:\vpdvd.exe77⤵PID:2896
-
\??\c:\7jddj.exec:\7jddj.exe78⤵PID:2940
-
\??\c:\1lfxllx.exec:\1lfxllx.exe79⤵PID:2816
-
\??\c:\bhhnnb.exec:\bhhnnb.exe80⤵PID:2868
-
\??\c:\nnhnbh.exec:\nnhnbh.exe81⤵PID:2808
-
\??\c:\9vppv.exec:\9vppv.exe82⤵
- System Location Discovery: System Language Discovery
PID:2812 -
\??\c:\5lxxxrx.exec:\5lxxxrx.exe83⤵PID:2904
-
\??\c:\3xxlflx.exec:\3xxlflx.exe84⤵PID:2760
-
\??\c:\bbtbhn.exec:\bbtbhn.exe85⤵PID:2556
-
\??\c:\dvdvv.exec:\dvdvv.exe86⤵PID:1056
-
\??\c:\pjjvd.exec:\pjjvd.exe87⤵PID:2612
-
\??\c:\lllrxfr.exec:\lllrxfr.exe88⤵PID:3044
-
\??\c:\nbnntt.exec:\nbnntt.exe89⤵PID:1480
-
\??\c:\pjvdd.exec:\pjvdd.exe90⤵PID:2328
-
\??\c:\5jddd.exec:\5jddd.exe91⤵PID:320
-
\??\c:\xlflxxf.exec:\xlflxxf.exe92⤵PID:2800
-
\??\c:\hhhhhb.exec:\hhhhhb.exe93⤵PID:2912
-
\??\c:\nhhhnt.exec:\nhhhnt.exe94⤵PID:2620
-
\??\c:\9jvvd.exec:\9jvvd.exe95⤵PID:1976
-
\??\c:\pppjp.exec:\pppjp.exe96⤵PID:1464
-
\??\c:\llxlrlr.exec:\llxlrlr.exe97⤵PID:1160
-
\??\c:\bnttbb.exec:\bnttbb.exe98⤵PID:872
-
\??\c:\vjpjd.exec:\vjpjd.exe99⤵PID:2384
-
\??\c:\dddjd.exec:\dddjd.exe100⤵PID:708
-
\??\c:\3xrffrf.exec:\3xrffrf.exe101⤵PID:2456
-
\??\c:\hhhhtb.exec:\hhhhtb.exe102⤵PID:2504
-
\??\c:\pjvdp.exec:\pjvdp.exe103⤵PID:2484
-
\??\c:\fxxrllx.exec:\fxxrllx.exe104⤵PID:2004
-
\??\c:\rlxfrrl.exec:\rlxfrrl.exe105⤵PID:1512
-
\??\c:\thhnnt.exec:\thhnnt.exe106⤵PID:1588
-
\??\c:\vpdjp.exec:\vpdjp.exe107⤵PID:1956
-
\??\c:\rrlfllr.exec:\rrlfllr.exe108⤵PID:2124
-
\??\c:\lfflxxl.exec:\lfflxxl.exe109⤵PID:2424
-
\??\c:\9tbtbt.exec:\9tbtbt.exe110⤵PID:1472
-
\??\c:\dvvvd.exec:\dvvvd.exe111⤵PID:3020
-
\??\c:\vdvdj.exec:\vdvdj.exe112⤵PID:676
-
\??\c:\3rxrrxf.exec:\3rxrrxf.exe113⤵PID:2052
-
\??\c:\btntnb.exec:\btntnb.exe114⤵PID:2380
-
\??\c:\hhthbh.exec:\hhthbh.exe115⤵PID:1628
-
\??\c:\pjpvj.exec:\pjpvj.exe116⤵PID:2080
-
\??\c:\llrxfrf.exec:\llrxfrf.exe117⤵PID:2468
-
\??\c:\lfxfrxl.exec:\lfxfrxl.exe118⤵PID:2344
-
\??\c:\nhbbnn.exec:\nhbbnn.exe119⤵PID:2500
-
\??\c:\vpjjj.exec:\vpjjj.exe120⤵PID:2248
-
\??\c:\9dvjj.exec:\9dvjj.exe121⤵PID:2964
-
\??\c:\xrllrrx.exec:\xrllrrx.exe122⤵PID:2288