Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 16:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe
-
Size
454KB
-
MD5
878a3e07e54382b2059a998baaec2dd0
-
SHA1
4d549a873687338ab5bb59188e4d51009957535a
-
SHA256
1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4
-
SHA512
cc0bdac47dba100c1ac5f36c5aedf57cec07839a242dc8f49af3d4e6c07adbe0c212f2d7b2f3549856f7e476dd4164a9d81863edbfcf7c717ca76681defe12e6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbePY:q7Tc2NYHUrAwfMp3CDPY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4264-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1536-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/488-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1280-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-829-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-1273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-1592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1824 jvdvp.exe 384 1bhtnh.exe 4504 vvdpv.exe 4736 dpjvv.exe 2208 bbtnhb.exe 5032 rlrffxl.exe 3296 pdppj.exe 5072 lxxlffx.exe 2776 djjvd.exe 4092 llrfrlx.exe 316 nbhtth.exe 1016 jjpjv.exe 3500 frxlfrf.exe 264 7lfxllf.exe 244 1bhbtb.exe 5108 ddjdv.exe 4532 rffrfxl.exe 3356 9hbnbb.exe 3520 tbhtnh.exe 2248 vjjjv.exe 2156 vpdvp.exe 1500 fxfxlxf.exe 1204 nbhbbn.exe 3908 bbnhbh.exe 1300 vjpdp.exe 3148 7jvpd.exe 4892 fxlfxrl.exe 1896 bhnbnh.exe 1360 tntnth.exe 3708 jdvvj.exe 2176 xllxlxr.exe 4120 3rlfrrf.exe 1584 hnnbnh.exe 2852 tnnnhb.exe 4588 pddvj.exe 1076 frxlrlr.exe 1536 tththb.exe 932 5bhbtn.exe 3392 vdjdp.exe 3416 rxfrlfr.exe 3164 lxxrrfx.exe 668 3tbnhb.exe 2256 hhthbh.exe 4376 5pjvp.exe 1464 frrfrlf.exe 3640 xrxlrxx.exe 4468 thtbtn.exe 1572 1nnbtt.exe 2340 5jjvj.exe 2276 llxrrll.exe 2848 frlxrfr.exe 4820 thhbnb.exe 4920 pjdvp.exe 3136 dvvjv.exe 3460 xxfxfrx.exe 1540 frrlxrl.exe 4356 bhnbbt.exe 2424 vpvvv.exe 1748 pvpjv.exe 4264 flrfxrf.exe 2136 lrrfxlf.exe 3716 btbtnh.exe 560 pddpd.exe 3580 vppjv.exe -
resource yara_rule behavioral2/memory/4264-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-203-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1076-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/488-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-366-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4512-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-829-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbth.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4264 wrote to memory of 1824 4264 1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe 82 PID 4264 wrote to memory of 1824 4264 1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe 82 PID 4264 wrote to memory of 1824 4264 1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe 82 PID 1824 wrote to memory of 384 1824 jvdvp.exe 83 PID 1824 wrote to memory of 384 1824 jvdvp.exe 83 PID 1824 wrote to memory of 384 1824 jvdvp.exe 83 PID 384 wrote to memory of 4504 384 1bhtnh.exe 84 PID 384 wrote to memory of 4504 384 1bhtnh.exe 84 PID 384 wrote to memory of 4504 384 1bhtnh.exe 84 PID 4504 wrote to memory of 4736 4504 vvdpv.exe 85 PID 4504 wrote to memory of 4736 4504 vvdpv.exe 85 PID 4504 wrote to memory of 4736 4504 vvdpv.exe 85 PID 4736 wrote to memory of 2208 4736 dpjvv.exe 86 PID 4736 wrote to memory of 2208 4736 dpjvv.exe 86 PID 4736 wrote to memory of 2208 4736 dpjvv.exe 86 PID 2208 wrote to memory of 5032 2208 bbtnhb.exe 87 PID 2208 wrote to memory of 5032 2208 bbtnhb.exe 87 PID 2208 wrote to memory of 5032 2208 bbtnhb.exe 87 PID 5032 wrote to memory of 3296 5032 rlrffxl.exe 88 PID 5032 wrote to memory of 3296 5032 rlrffxl.exe 88 PID 5032 wrote to memory of 3296 5032 rlrffxl.exe 88 PID 3296 wrote to memory of 5072 3296 pdppj.exe 89 PID 3296 wrote to memory of 5072 3296 pdppj.exe 89 PID 3296 wrote to memory of 5072 3296 pdppj.exe 89 PID 5072 wrote to memory of 2776 5072 lxxlffx.exe 90 PID 5072 wrote to memory of 2776 5072 lxxlffx.exe 90 PID 5072 wrote to memory of 2776 5072 lxxlffx.exe 90 PID 2776 wrote to memory of 4092 2776 djjvd.exe 91 PID 2776 wrote to memory of 4092 2776 djjvd.exe 91 PID 2776 wrote to memory of 4092 2776 djjvd.exe 91 PID 4092 wrote to memory of 316 4092 llrfrlx.exe 92 PID 4092 wrote to memory of 316 4092 llrfrlx.exe 92 PID 4092 wrote to memory of 316 4092 llrfrlx.exe 92 PID 316 wrote to memory of 1016 316 nbhtth.exe 93 PID 316 wrote to memory of 1016 316 
nbhtth.exe 93 PID 316 wrote to memory of 1016 316 nbhtth.exe 93 PID 1016 wrote to memory of 3500 1016 jjpjv.exe 94 PID 1016 wrote to memory of 3500 1016 jjpjv.exe 94 PID 1016 wrote to memory of 3500 1016 jjpjv.exe 94 PID 3500 wrote to memory of 264 3500 frxlfrf.exe 95 PID 3500 wrote to memory of 264 3500 frxlfrf.exe 95 PID 3500 wrote to memory of 264 3500 frxlfrf.exe 95 PID 264 wrote to memory of 244 264 7lfxllf.exe 96 PID 264 wrote to memory of 244 264 7lfxllf.exe 96 PID 264 wrote to memory of 244 264 7lfxllf.exe 96 PID 244 wrote to memory of 5108 244 1bhbtb.exe 97 PID 244 wrote to memory of 5108 244 1bhbtb.exe 97 PID 244 wrote to memory of 5108 244 1bhbtb.exe 97 PID 5108 wrote to memory of 4532 5108 ddjdv.exe 98 PID 5108 wrote to memory of 4532 5108 ddjdv.exe 98 PID 5108 wrote to memory of 4532 5108 ddjdv.exe 98 PID 4532 wrote to memory of 3356 4532 rffrfxl.exe 99 PID 4532 wrote to memory of 3356 4532 rffrfxl.exe 99 PID 4532 wrote to memory of 3356 4532 rffrfxl.exe 99 PID 3356 wrote to memory of 3520 3356 9hbnbb.exe 100 PID 3356 wrote to memory of 3520 3356 9hbnbb.exe 100 PID 3356 wrote to memory of 3520 3356 9hbnbb.exe 100 PID 3520 wrote to memory of 2248 3520 tbhtnh.exe 101 PID 3520 wrote to memory of 2248 3520 tbhtnh.exe 101 PID 3520 wrote to memory of 2248 3520 tbhtnh.exe 101 PID 2248 wrote to memory of 2156 2248 vjjjv.exe 102 PID 2248 wrote to memory of 2156 2248 vjjjv.exe 102 PID 2248 wrote to memory of 2156 2248 vjjjv.exe 102 PID 2156 wrote to memory of 1500 2156 vpdvp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe"C:\Users\Admin\AppData\Local\Temp\1a2a0dfc0ff30b979161b12e9852d490c51c92bdc92b75e7e78af58be9fe81d4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\jvdvp.exec:\jvdvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\1bhtnh.exec:\1bhtnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\vvdpv.exec:\vvdpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\dpjvv.exec:\dpjvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\bbtnhb.exec:\bbtnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\rlrffxl.exec:\rlrffxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\pdppj.exec:\pdppj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\lxxlffx.exec:\lxxlffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\djjvd.exec:\djjvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\llrfrlx.exec:\llrfrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\nbhtth.exec:\nbhtth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\jjpjv.exec:\jjpjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\frxlfrf.exec:\frxlfrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\7lfxllf.exec:\7lfxllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\1bhbtb.exec:\1bhbtb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\ddjdv.exec:\ddjdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\rffrfxl.exec:\rffrfxl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\9hbnbb.exec:\9hbnbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\tbhtnh.exec:\tbhtnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\vjjjv.exec:\vjjjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\vpdvp.exec:\vpdvp.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\fxfxlxf.exec:\fxfxlxf.exe23⤵
- Executes dropped EXE
PID:1500 -
\??\c:\nbhbbn.exec:\nbhbbn.exe24⤵
- Executes dropped EXE
PID:1204 -
\??\c:\bbnhbh.exec:\bbnhbh.exe25⤵
- Executes dropped EXE
PID:3908 -
\??\c:\vjpdp.exec:\vjpdp.exe26⤵
- Executes dropped EXE
PID:1300 -
\??\c:\7jvpd.exec:\7jvpd.exe27⤵
- Executes dropped EXE
PID:3148 -
\??\c:\fxlfxrl.exec:\fxlfxrl.exe28⤵
- Executes dropped EXE
PID:4892 -
\??\c:\bhnbnh.exec:\bhnbnh.exe29⤵
- Executes dropped EXE
PID:1896 -
\??\c:\tntnth.exec:\tntnth.exe30⤵
- Executes dropped EXE
PID:1360 -
\??\c:\jdvvj.exec:\jdvvj.exe31⤵
- Executes dropped EXE
PID:3708 -
\??\c:\xllxlxr.exec:\xllxlxr.exe32⤵
- Executes dropped EXE
PID:2176 -
\??\c:\3rlfrrf.exec:\3rlfrrf.exe33⤵
- Executes dropped EXE
PID:4120 -
\??\c:\hnnbnh.exec:\hnnbnh.exe34⤵
- Executes dropped EXE
PID:1584 -
\??\c:\tnnnhb.exec:\tnnnhb.exe35⤵
- Executes dropped EXE
PID:2852 -
\??\c:\pddvj.exec:\pddvj.exe36⤵
- Executes dropped EXE
PID:4588 -
\??\c:\frxlrlr.exec:\frxlrlr.exe37⤵
- Executes dropped EXE
PID:1076 -
\??\c:\tththb.exec:\tththb.exe38⤵
- Executes dropped EXE
PID:1536 -
\??\c:\5bhbtn.exec:\5bhbtn.exe39⤵
- Executes dropped EXE
PID:932 -
\??\c:\vdjdp.exec:\vdjdp.exe40⤵
- Executes dropped EXE
PID:3392 -
\??\c:\rxfrlfr.exec:\rxfrlfr.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3416 -
\??\c:\lxxrrfx.exec:\lxxrrfx.exe42⤵
- Executes dropped EXE
PID:3164 -
\??\c:\3tbnhb.exec:\3tbnhb.exe43⤵
- Executes dropped EXE
PID:668 -
\??\c:\hhthbh.exec:\hhthbh.exe44⤵
- Executes dropped EXE
PID:2256 -
\??\c:\5pjvp.exec:\5pjvp.exe45⤵
- Executes dropped EXE
PID:4376 -
\??\c:\frrfrlf.exec:\frrfrlf.exe46⤵
- Executes dropped EXE
PID:1464 -
\??\c:\xrxlrxx.exec:\xrxlrxx.exe47⤵
- Executes dropped EXE
PID:3640 -
\??\c:\thtbtn.exec:\thtbtn.exe48⤵
- Executes dropped EXE
PID:4468 -
\??\c:\1nnbtt.exec:\1nnbtt.exe49⤵
- Executes dropped EXE
PID:1572 -
\??\c:\5jjvj.exec:\5jjvj.exe50⤵
- Executes dropped EXE
PID:2340 -
\??\c:\llxrrll.exec:\llxrrll.exe51⤵
- Executes dropped EXE
PID:2276 -
\??\c:\frlxrfr.exec:\frlxrfr.exe52⤵
- Executes dropped EXE
PID:2848 -
\??\c:\thhbnb.exec:\thhbnb.exe53⤵
- Executes dropped EXE
PID:4820 -
\??\c:\pjdvp.exec:\pjdvp.exe54⤵
- Executes dropped EXE
PID:4920 -
\??\c:\dvvjv.exec:\dvvjv.exe55⤵
- Executes dropped EXE
PID:3136 -
\??\c:\xxfxfrx.exec:\xxfxfrx.exe56⤵
- Executes dropped EXE
PID:3460 -
\??\c:\frrlxrl.exec:\frrlxrl.exe57⤵
- Executes dropped EXE
PID:1540 -
\??\c:\bhnbbt.exec:\bhnbbt.exe58⤵
- Executes dropped EXE
PID:4356 -
\??\c:\vpvvv.exec:\vpvvv.exe59⤵
- Executes dropped EXE
PID:2424 -
\??\c:\pvpjv.exec:\pvpjv.exe60⤵
- Executes dropped EXE
PID:1748 -
\??\c:\flrfxrf.exec:\flrfxrf.exe61⤵
- Executes dropped EXE
PID:4264 -
\??\c:\lrrfxlf.exec:\lrrfxlf.exe62⤵
- Executes dropped EXE
PID:2136 -
\??\c:\btbtnh.exec:\btbtnh.exe63⤵
- Executes dropped EXE
PID:3716 -
\??\c:\pddpd.exec:\pddpd.exe64⤵
- Executes dropped EXE
PID:560 -
\??\c:\vppjv.exec:\vppjv.exe65⤵
- Executes dropped EXE
PID:3580 -
\??\c:\frlfllr.exec:\frlfllr.exe66⤵PID:4508
-
\??\c:\3tnhhb.exec:\3tnhhb.exe67⤵PID:5012
-
\??\c:\djppj.exec:\djppj.exe68⤵PID:708
-
\??\c:\7lfxrrl.exec:\7lfxrrl.exe69⤵PID:488
-
\??\c:\bnthtn.exec:\bnthtn.exe70⤵PID:2556
-
\??\c:\vjjvj.exec:\vjjvj.exe71⤵PID:4808
-
\??\c:\7rrlfxr.exec:\7rrlfxr.exe72⤵PID:5032
-
\??\c:\7nnhbt.exec:\7nnhbt.exe73⤵PID:3296
-
\??\c:\vjjdv.exec:\vjjdv.exe74⤵PID:3420
-
\??\c:\vjjjv.exec:\vjjjv.exe75⤵PID:3076
-
\??\c:\xlfxrlf.exec:\xlfxrlf.exe76⤵PID:1280
-
\??\c:\1pdvj.exec:\1pdvj.exe77⤵PID:3348
-
\??\c:\3xfxlxr.exec:\3xfxlxr.exe78⤵PID:1016
-
\??\c:\bnhbtn.exec:\bnhbtn.exe79⤵PID:3764
-
\??\c:\7ddpp.exec:\7ddpp.exe80⤵PID:1996
-
\??\c:\pvjpd.exec:\pvjpd.exe81⤵PID:2164
-
\??\c:\lffxrrf.exec:\lffxrrf.exe82⤵PID:3344
-
\??\c:\bhnbth.exec:\bhnbth.exe83⤵
- System Location Discovery: System Language Discovery
PID:4796 -
\??\c:\pvjvp.exec:\pvjvp.exe84⤵PID:1848
-
\??\c:\tnbnhb.exec:\tnbnhb.exe85⤵PID:1976
-
\??\c:\rxxfxrl.exec:\rxxfxrl.exe86⤵PID:3656
-
\??\c:\tthbtn.exec:\tthbtn.exe87⤵PID:4812
-
\??\c:\hnnhnn.exec:\hnnhnn.exe88⤵PID:4512
-
\??\c:\bntnhb.exec:\bntnhb.exe89⤵PID:1204
-
\??\c:\pjpjj.exec:\pjpjj.exe90⤵PID:3396
-
\??\c:\nhhhbb.exec:\nhhhbb.exe91⤵PID:3428
-
\??\c:\ppjvp.exec:\ppjvp.exe92⤵PID:2332
-
\??\c:\llrlflf.exec:\llrlflf.exe93⤵PID:5084
-
\??\c:\tbtnhb.exec:\tbtnhb.exe94⤵PID:1240
-
\??\c:\pjvjd.exec:\pjvjd.exe95⤵PID:2176
-
\??\c:\xrrlxrl.exec:\xrrlxrl.exe96⤵PID:4212
-
\??\c:\tbbtnh.exec:\tbbtnh.exe97⤵PID:1984
-
\??\c:\hntnbt.exec:\hntnbt.exe98⤵PID:4924
-
\??\c:\jvdvp.exec:\jvdvp.exe99⤵PID:2268
-
\??\c:\ffxxrrr.exec:\ffxxrrr.exe100⤵PID:1076
-
\??\c:\nhhtnh.exec:\nhhtnh.exe101⤵PID:980
-
\??\c:\5thbnn.exec:\5thbnn.exe102⤵PID:4460
-
\??\c:\vppjd.exec:\vppjd.exe103⤵PID:3376
-
\??\c:\5flxlfr.exec:\5flxlfr.exe104⤵PID:4704
-
\??\c:\9rlfxrl.exec:\9rlfxrl.exe105⤵PID:4080
-
\??\c:\hnhhht.exec:\hnhhht.exe106⤵PID:2256
-
\??\c:\pdjjj.exec:\pdjjj.exe107⤵PID:4524
-
\??\c:\lffxrll.exec:\lffxrll.exe108⤵PID:5064
-
\??\c:\9hbbtt.exec:\9hbbtt.exe109⤵PID:4684
-
\??\c:\7hntnh.exec:\7hntnh.exe110⤵PID:4792
-
\??\c:\jppjv.exec:\jppjv.exe111⤵PID:344
-
\??\c:\xllxlxl.exec:\xllxlxl.exe112⤵PID:4888
-
\??\c:\httbtb.exec:\httbtb.exe113⤵PID:2276
-
\??\c:\hhhhtb.exec:\hhhhtb.exe114⤵PID:4864
-
\??\c:\vjdvv.exec:\vjdvv.exe115⤵PID:1796
-
\??\c:\1ffxrrl.exec:\1ffxrrl.exe116⤵PID:5036
-
\??\c:\rlrllll.exec:\rlrllll.exe117⤵PID:1444
-
\??\c:\hbbnhb.exec:\hbbnhb.exe118⤵PID:3136
-
\??\c:\7djdd.exec:\7djdd.exe119⤵PID:3460
-
\??\c:\frxlxxx.exec:\frxlxxx.exe120⤵PID:2312
-
\??\c:\hbbhbh.exec:\hbbhbh.exe121⤵PID:2972
-
\??\c:\vjpdj.exec:\vjpdj.exe122⤵PID:1532