Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
24-12-2024 02:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe
-
Size
454KB
-
MD5
dd5f3562e096ce311223bfa4e024dbd6
-
SHA1
62b4b9bbcceba5841787aed711f98208c9845152
-
SHA256
f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74
-
SHA512
c8dd9e4601f3e44c2eb6a07d9bccfbee3e97096233a7000704aca4bdf26a6a8c29c6cd12e985b10c4599ce03067fa6d27c5cfd23eb6ae450330ff04240465409
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2376-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2380-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-14-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2956-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2764-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2720-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/288-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-127-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2440-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1364-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1256-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1860-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/844-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-285-0x0000000076E20000-0x0000000076F1A000-memory.dmp family_blackmoon behavioral1/memory/2712-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-284-0x0000000076D00000-0x0000000076E1F000-memory.dmp family_blackmoon behavioral1/memory/2784-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-367-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2592-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-379-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2824-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/708-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-462-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2396-504-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3056-532-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/580-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-574-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2240-621-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1640-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-682-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2376 vvjdp.exe 2956 xfxlfxx.exe 2688 ddpvj.exe 2764 7nbtbh.exe 2720 dvdjv.exe 2572 3hntbh.exe 3032 dvjvj.exe 1036 btnbbn.exe 2912 jdvdp.exe 3004 9nntbh.exe 2368 djvvd.exe 288 ttnbnn.exe 2440 vddpj.exe 1516 tnbnbh.exe 2652 3jvdv.exe 1636 nnbbbh.exe 2012 5jddj.exe 2972 7bnntt.exe 1364 jdjvv.exe 1256 hbtnbb.exe 2112 pjvvj.exe 2160 hntnnt.exe 876 pppjd.exe 2952 lfflrlx.exe 1860 bnhbbt.exe 844 tbtnhn.exe 2088 9pjdp.exe 2172 tnhnbh.exe 2864 vpddd.exe 2452 ppjpj.exe 2836 3pppv.exe 2784 lfxfrxr.exe 2792 jjpjv.exe 2580 ppjvj.exe 2764 lffflxx.exe 2556 btbtbb.exe 2720 jjdpj.exe 2604 rxxrfrl.exe 1532 hhtbbb.exe 1952 9hbtbh.exe 1488 vdpdp.exe 2592 xxrxlrl.exe 2540 tnbhtt.exe 1580 pvvjv.exe 1632 1lxfrxf.exe 1756 hbnbhn.exe 2348 pvpvj.exe 2824 llfllrx.exe 960 tnhntt.exe 708 tbthbh.exe 1764 vvpjv.exe 2532 xxxrlrx.exe 1140 bhtbbh.exe 2364 7tbhbh.exe 1256 jdvdp.exe 2980 frlxrrx.exe 1972 hhbthn.exe 984 jdpvd.exe 1772 fxxlrxl.exe 2396 1lxrxxf.exe 2524 3bthnn.exe 1860 vvppj.exe 1000 xxrxlrf.exe 3056 xfxlfrx.exe -
resource yara_rule behavioral1/memory/2376-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2380-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1036-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/288-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1636-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1256-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-202-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2952-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1860-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/844-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2172-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-379-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1632-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/580-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-574-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2892-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1640-669-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lfrrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2376 2380 f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe 30 PID 2380 wrote to memory of 2376 2380 f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe 30 PID 2380 wrote to memory of 2376 2380 f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe 30 PID 2380 wrote to memory of 2376 2380 f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe 30 PID 2376 wrote to memory of 2956 2376 vvjdp.exe 31 PID 2376 wrote to memory of 2956 2376 vvjdp.exe 31 PID 2376 wrote to memory of 2956 2376 vvjdp.exe 31 PID 2376 wrote to memory of 2956 2376 vvjdp.exe 31 PID 2956 wrote to memory of 2688 2956 xfxlfxx.exe 32 PID 2956 wrote to memory of 2688 2956 xfxlfxx.exe 32 PID 2956 wrote to memory of 2688 2956 xfxlfxx.exe 32 PID 2956 wrote to memory of 2688 2956 xfxlfxx.exe 32 PID 2688 wrote to memory of 2764 2688 ddpvj.exe 33 PID 2688 wrote to memory of 2764 2688 ddpvj.exe 33 PID 2688 wrote to memory of 2764 2688 ddpvj.exe 33 PID 2688 wrote to memory of 2764 2688 ddpvj.exe 33 PID 2764 wrote to memory of 2720 2764 7nbtbh.exe 34 PID 2764 wrote to memory of 2720 2764 7nbtbh.exe 34 PID 2764 wrote to memory of 2720 2764 7nbtbh.exe 34 PID 2764 wrote to memory of 2720 2764 7nbtbh.exe 34 PID 2720 wrote to memory of 2572 2720 dvdjv.exe 35 PID 2720 wrote to memory of 2572 2720 dvdjv.exe 35 PID 2720 wrote to memory of 2572 2720 dvdjv.exe 35 PID 2720 wrote to memory of 2572 2720 dvdjv.exe 35 PID 2572 wrote to memory of 3032 2572 3hntbh.exe 36 PID 2572 wrote to memory of 3032 2572 3hntbh.exe 36 PID 2572 wrote to memory of 3032 2572 3hntbh.exe 36 PID 2572 wrote to memory of 3032 2572 3hntbh.exe 36 PID 3032 wrote to memory of 1036 3032 dvjvj.exe 37 PID 3032 wrote to memory of 1036 3032 dvjvj.exe 37 PID 3032 wrote to memory of 1036 3032 dvjvj.exe 37 PID 3032 wrote to memory of 1036 3032 dvjvj.exe 37 PID 1036 wrote to memory of 2912 1036 btnbbn.exe 38 PID 1036 wrote to memory 
of 2912 1036 btnbbn.exe 38 PID 1036 wrote to memory of 2912 1036 btnbbn.exe 38 PID 1036 wrote to memory of 2912 1036 btnbbn.exe 38 PID 2912 wrote to memory of 3004 2912 jdvdp.exe 39 PID 2912 wrote to memory of 3004 2912 jdvdp.exe 39 PID 2912 wrote to memory of 3004 2912 jdvdp.exe 39 PID 2912 wrote to memory of 3004 2912 jdvdp.exe 39 PID 3004 wrote to memory of 2368 3004 9nntbh.exe 40 PID 3004 wrote to memory of 2368 3004 9nntbh.exe 40 PID 3004 wrote to memory of 2368 3004 9nntbh.exe 40 PID 3004 wrote to memory of 2368 3004 9nntbh.exe 40 PID 2368 wrote to memory of 288 2368 djvvd.exe 41 PID 2368 wrote to memory of 288 2368 djvvd.exe 41 PID 2368 wrote to memory of 288 2368 djvvd.exe 41 PID 2368 wrote to memory of 288 2368 djvvd.exe 41 PID 288 wrote to memory of 2440 288 ttnbnn.exe 42 PID 288 wrote to memory of 2440 288 ttnbnn.exe 42 PID 288 wrote to memory of 2440 288 ttnbnn.exe 42 PID 288 wrote to memory of 2440 288 ttnbnn.exe 42 PID 2440 wrote to memory of 1516 2440 vddpj.exe 43 PID 2440 wrote to memory of 1516 2440 vddpj.exe 43 PID 2440 wrote to memory of 1516 2440 vddpj.exe 43 PID 2440 wrote to memory of 1516 2440 vddpj.exe 43 PID 1516 wrote to memory of 2652 1516 tnbnbh.exe 44 PID 1516 wrote to memory of 2652 1516 tnbnbh.exe 44 PID 1516 wrote to memory of 2652 1516 tnbnbh.exe 44 PID 1516 wrote to memory of 2652 1516 tnbnbh.exe 44 PID 2652 wrote to memory of 1636 2652 3jvdv.exe 45 PID 2652 wrote to memory of 1636 2652 3jvdv.exe 45 PID 2652 wrote to memory of 1636 2652 3jvdv.exe 45 PID 2652 wrote to memory of 1636 2652 3jvdv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe"C:\Users\Admin\AppData\Local\Temp\f6772efe0a295f7478fe48eee0c761950bcbcdc6c71dcea258725a8555d59a74.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\vvjdp.exec:\vvjdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\xfxlfxx.exec:\xfxlfxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\ddpvj.exec:\ddpvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\7nbtbh.exec:\7nbtbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\dvdjv.exec:\dvdjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\3hntbh.exec:\3hntbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\dvjvj.exec:\dvjvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\btnbbn.exec:\btnbbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\jdvdp.exec:\jdvdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\9nntbh.exec:\9nntbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\djvvd.exec:\djvvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\ttnbnn.exec:\ttnbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:288 -
\??\c:\vddpj.exec:\vddpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\tnbnbh.exec:\tnbnbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\3jvdv.exec:\3jvdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\nnbbbh.exec:\nnbbbh.exe17⤵
- Executes dropped EXE
PID:1636 -
\??\c:\5jddj.exec:\5jddj.exe18⤵
- Executes dropped EXE
PID:2012 -
\??\c:\7bnntt.exec:\7bnntt.exe19⤵
- Executes dropped EXE
PID:2972 -
\??\c:\jdjvv.exec:\jdjvv.exe20⤵
- Executes dropped EXE
PID:1364 -
\??\c:\hbtnbb.exec:\hbtnbb.exe21⤵
- Executes dropped EXE
PID:1256 -
\??\c:\pjvvj.exec:\pjvvj.exe22⤵
- Executes dropped EXE
PID:2112 -
\??\c:\hntnnt.exec:\hntnnt.exe23⤵
- Executes dropped EXE
PID:2160 -
\??\c:\pppjd.exec:\pppjd.exe24⤵
- Executes dropped EXE
PID:876 -
\??\c:\lfflrlx.exec:\lfflrlx.exe25⤵
- Executes dropped EXE
PID:2952 -
\??\c:\bnhbbt.exec:\bnhbbt.exe26⤵
- Executes dropped EXE
PID:1860 -
\??\c:\tbtnhn.exec:\tbtnhn.exe27⤵
- Executes dropped EXE
PID:844 -
\??\c:\9pjdp.exec:\9pjdp.exe28⤵
- Executes dropped EXE
PID:2088 -
\??\c:\tnhnbh.exec:\tnhnbh.exe29⤵
- Executes dropped EXE
PID:2172 -
\??\c:\vpddd.exec:\vpddd.exe30⤵
- Executes dropped EXE
PID:2864 -
\??\c:\ppjpj.exec:\ppjpj.exe31⤵
- Executes dropped EXE
PID:2452 -
\??\c:\vjpdj.exec:\vjpdj.exe32⤵PID:2712
-
\??\c:\3pppv.exec:\3pppv.exe33⤵
- Executes dropped EXE
PID:2836 -
\??\c:\lfxfrxr.exec:\lfxfrxr.exe34⤵
- Executes dropped EXE
PID:2784 -
\??\c:\jjpjv.exec:\jjpjv.exe35⤵
- Executes dropped EXE
PID:2792 -
\??\c:\ppjvj.exec:\ppjvj.exe36⤵
- Executes dropped EXE
PID:2580 -
\??\c:\lffflxx.exec:\lffflxx.exe37⤵
- Executes dropped EXE
PID:2764 -
\??\c:\btbtbb.exec:\btbtbb.exe38⤵
- Executes dropped EXE
PID:2556 -
\??\c:\jjdpj.exec:\jjdpj.exe39⤵
- Executes dropped EXE
PID:2720 -
\??\c:\rxxrfrl.exec:\rxxrfrl.exe40⤵
- Executes dropped EXE
PID:2604 -
\??\c:\hhtbbb.exec:\hhtbbb.exe41⤵
- Executes dropped EXE
PID:1532 -
\??\c:\9hbtbh.exec:\9hbtbh.exe42⤵
- Executes dropped EXE
PID:1952 -
\??\c:\vdpdp.exec:\vdpdp.exe43⤵
- Executes dropped EXE
PID:1488 -
\??\c:\xxrxlrl.exec:\xxrxlrl.exe44⤵
- Executes dropped EXE
PID:2592 -
\??\c:\tnbhtt.exec:\tnbhtt.exe45⤵
- Executes dropped EXE
PID:2540 -
\??\c:\pvvjv.exec:\pvvjv.exe46⤵
- Executes dropped EXE
PID:1580 -
\??\c:\1lxfrxf.exec:\1lxfrxf.exe47⤵
- Executes dropped EXE
PID:1632 -
\??\c:\hbnbhn.exec:\hbnbhn.exe48⤵
- Executes dropped EXE
PID:1756 -
\??\c:\pvpvj.exec:\pvpvj.exe49⤵
- Executes dropped EXE
PID:2348 -
\??\c:\llfllrx.exec:\llfllrx.exe50⤵
- Executes dropped EXE
PID:2824 -
\??\c:\tnhntt.exec:\tnhntt.exe51⤵
- Executes dropped EXE
PID:960 -
\??\c:\tbthbh.exec:\tbthbh.exe52⤵
- Executes dropped EXE
PID:708 -
\??\c:\vvpjv.exec:\vvpjv.exe53⤵
- Executes dropped EXE
PID:1764 -
\??\c:\xxxrlrx.exec:\xxxrlrx.exe54⤵
- Executes dropped EXE
PID:2532 -
\??\c:\bhtbbh.exec:\bhtbbh.exe55⤵
- Executes dropped EXE
PID:1140 -
\??\c:\7tbhbh.exec:\7tbhbh.exe56⤵
- Executes dropped EXE
PID:2364 -
\??\c:\jdvdp.exec:\jdvdp.exe57⤵
- Executes dropped EXE
PID:1256 -
\??\c:\frlxrrx.exec:\frlxrrx.exe58⤵
- Executes dropped EXE
PID:2980 -
\??\c:\hhbthn.exec:\hhbthn.exe59⤵
- Executes dropped EXE
PID:1972 -
\??\c:\jdpvd.exec:\jdpvd.exe60⤵
- Executes dropped EXE
PID:984 -
\??\c:\fxxlrxl.exec:\fxxlrxl.exe61⤵
- Executes dropped EXE
PID:1772 -
\??\c:\1lxrxxf.exec:\1lxrxxf.exe62⤵
- Executes dropped EXE
PID:2396 -
\??\c:\3bthnn.exec:\3bthnn.exe63⤵
- Executes dropped EXE
PID:2524 -
\??\c:\vvppj.exec:\vvppj.exe64⤵
- Executes dropped EXE
PID:1860 -
\??\c:\xxrxlrf.exec:\xxrxlrf.exe65⤵
- Executes dropped EXE
PID:1000 -
\??\c:\xfxlfrx.exec:\xfxlfrx.exe66⤵
- Executes dropped EXE
PID:3056 -
\??\c:\tnhnbb.exec:\tnhnbb.exe67⤵PID:580
-
\??\c:\tbthbn.exec:\tbthbn.exe68⤵PID:2312
-
\??\c:\rlxlrrf.exec:\rlxlrrf.exe69⤵PID:1964
-
\??\c:\ttntnt.exec:\ttntnt.exe70⤵PID:2684
-
\??\c:\jjdjd.exec:\jjdjd.exe71⤵PID:1564
-
\??\c:\jjdjv.exec:\jjdjv.exe72⤵PID:2756
-
\??\c:\xxlfrrr.exec:\xxlfrrr.exe73⤵PID:1572
-
\??\c:\nnhhnh.exec:\nnhhnh.exe74⤵PID:2688
-
\??\c:\dvppp.exec:\dvppp.exe75⤵PID:2692
-
\??\c:\xxxlfrf.exec:\xxxlfrf.exe76⤵PID:2728
-
\??\c:\5xlxllr.exec:\5xlxllr.exe77⤵PID:632
-
\??\c:\nnhhtb.exec:\nnhhtb.exe78⤵PID:848
-
\??\c:\pppdj.exec:\pppdj.exe79⤵PID:2240
-
\??\c:\fxlfxrx.exec:\fxlfxrx.exe80⤵PID:2880
-
\??\c:\fffrffr.exec:\fffrffr.exe81⤵PID:2892
-
\??\c:\tnhbnn.exec:\tnhbnn.exe82⤵PID:2232
-
\??\c:\jdjpv.exec:\jdjpv.exe83⤵PID:2888
-
\??\c:\dpdjd.exec:\dpdjd.exe84⤵PID:1168
-
\??\c:\btbhtb.exec:\btbhtb.exe85⤵PID:288
-
\??\c:\hbbhtt.exec:\hbbhtt.exe86⤵PID:988
-
\??\c:\3dpjp.exec:\3dpjp.exe87⤵PID:1640
-
\??\c:\ffxrffx.exec:\ffxrffx.exe88⤵PID:872
-
\??\c:\1nthth.exec:\1nthth.exe89⤵PID:1700
-
\??\c:\5vdjv.exec:\5vdjv.exe90⤵PID:2272
-
\??\c:\xrflrrf.exec:\xrflrrf.exe91⤵PID:820
-
\??\c:\1fxlrfr.exec:\1fxlrfr.exe92⤵PID:264
-
\??\c:\3thttn.exec:\3thttn.exe93⤵PID:2168
-
\??\c:\1pvvp.exec:\1pvvp.exe94⤵PID:2024
-
\??\c:\xfxfxfr.exec:\xfxfxfr.exe95⤵PID:2080
-
\??\c:\lxrrllf.exec:\lxrrllf.exe96⤵PID:1944
-
\??\c:\tnnbtb.exec:\tnnbtb.exe97⤵PID:1056
-
\??\c:\dvjpv.exec:\dvjpv.exe98⤵PID:2980
-
\??\c:\jdvvd.exec:\jdvvd.exe99⤵PID:1608
-
\??\c:\xxllrxf.exec:\xxllrxf.exe100⤵PID:696
-
\??\c:\nhhbnn.exec:\nhhbnn.exe101⤵PID:1752
-
\??\c:\3vpvd.exec:\3vpvd.exe102⤵PID:2396
-
\??\c:\jjjpv.exec:\jjjpv.exe103⤵PID:760
-
\??\c:\flfrffl.exec:\flfrffl.exe104⤵PID:2000
-
\??\c:\1btthb.exec:\1btthb.exe105⤵PID:2992
-
\??\c:\bbbthn.exec:\bbbthn.exe106⤵PID:3060
-
\??\c:\vpjjj.exec:\vpjjj.exe107⤵PID:1968
-
\??\c:\xlflrxl.exec:\xlflrxl.exe108⤵PID:2456
-
\??\c:\dvpvv.exec:\dvpvv.exe109⤵PID:2760
-
\??\c:\pppdp.exec:\pppdp.exe110⤵PID:1716
-
\??\c:\ffffrrx.exec:\ffffrrx.exe111⤵PID:2948
-
\??\c:\hbnnhh.exec:\hbnnhh.exe112⤵PID:2768
-
\??\c:\dvjjp.exec:\dvjjp.exe113⤵PID:2784
-
\??\c:\ffxrrxr.exec:\ffxrrxr.exe114⤵PID:2116
-
\??\c:\1bthbb.exec:\1bthbb.exe115⤵PID:1744
-
\??\c:\jdvdj.exec:\jdvdj.exe116⤵PID:2568
-
\??\c:\ffxlrxl.exec:\ffxlrxl.exe117⤵PID:2676
-
\??\c:\9llrffl.exec:\9llrffl.exe118⤵PID:1912
-
\??\c:\tnnbhn.exec:\tnnbhn.exe119⤵PID:576
-
\??\c:\vvvdj.exec:\vvvdj.exe120⤵PID:2908
-
\??\c:\fxrxlxr.exec:\fxrxlxr.exe121⤵PID:2656
-
\??\c:\fffxxll.exec:\fffxxll.exe122⤵PID:2648