Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe
-
Size
454KB
-
MD5
3ac79e2af248cf49b6c11e25f7c1dbd3
-
SHA1
94d4b8fa5be6deee40987970cba0f3f4bed18180
-
SHA256
1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06
-
SHA512
95f2b7efe0eba2d28129d9e294ce3e9856e055ad42e9a8ee5b6a659af79dab8a06087427ec5d405415dfa4cc975241a2df22a0f97ff88e8e8dfacf60b4839f0e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2084-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2188-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2908-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-98-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2552-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1832-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2520-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1976-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1884-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1884-176-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/672-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2296-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-294-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2892-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2968-306-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2160-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-347-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1152-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-545-0x0000000001C60000-0x0000000001C8A000-memory.dmp family_blackmoon behavioral1/memory/1044-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2804-621-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1276-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1240-674-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2620-722-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2880-772-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2184-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-953-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1048-1303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2912-1366-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2964 vpjvd.exe 2248 vppdp.exe 2188 9vpdp.exe 2208 lfxfffx.exe 2640 rrlfxlf.exe 2908 xrrrxrf.exe 2540 7bhbbt.exe 2568 5pjpv.exe 2704 tbnbhb.exe 2552 jjvdp.exe 2984 1jddd.exe 1832 btbbnn.exe 1984 bttbbh.exe 1784 nnbthn.exe 2520 hbtbnb.exe 1664 jdvdp.exe 1976 9htnbb.exe 2732 jjdpj.exe 1884 nnhtht.exe 3004 dvdvv.exe 448 llfxlfx.exe 672 ttbttt.exe 276 fxlxffl.exe 2880 7bnttb.exe 900 bbtnnt.exe 2496 rxxrflf.exe 2776 bbhhtb.exe 1620 ffxlxfl.exe 2296 dvvvv.exe 572 9pdjd.exe 888 hbtbht.exe 1628 5pjvj.exe 3020 9rfllrx.exe 2968 btnnhh.exe 2892 5jvvd.exe 2160 jdjvv.exe 2132 rlflrrl.exe 2780 hbbnhb.exe 2792 7pvdv.exe 2688 lxrxlrf.exe 2832 xxrxfxl.exe 1276 nnnthh.exe 2556 dvvpv.exe 2648 xlflflf.exe 2548 hhtbnt.exe 2988 bbthtb.exe 2992 pjdjd.exe 852 5fllrlx.exe 1644 tnthtt.exe 2744 jvpvd.exe 756 ddvvv.exe 1996 lxrxlrx.exe 2944 1tbbtt.exe 1152 dvjdj.exe 2728 xrxxfrr.exe 2144 5fxrlfl.exe 2416 hhhthh.exe 2960 vvpvp.exe 2400 jdvvj.exe 1084 rfxfrrx.exe 684 btntnt.exe 2224 ppppd.exe 1964 7lxrxxx.exe 1572 9xfllrx.exe -
resource yara_rule behavioral1/memory/2084-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1832-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2520-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1884-176-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/276-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/672-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-277-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1628-292-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/1628-294-0x00000000003D0000-0x00000000003FA000-memory.dmp upx behavioral1/memory/2892-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/756-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1152-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1240-674-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2768-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-772-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-785-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-822-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-975-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-982-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2004-1043-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-1080-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/888-1116-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2812-1166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-1173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-1216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-1255-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1048-1303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-1366-0x00000000001C0000-0x00000000001EA000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lffffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbhhh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7httbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2084 wrote to memory of 2964 2084 1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe 31 PID 2084 wrote to memory of 2964 2084 1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe 31 PID 2084 wrote to memory of 2964 2084 1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe 31 PID 2084 wrote to memory of 2964 2084 1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe 31 PID 2964 wrote to memory of 2248 2964 vpjvd.exe 32 PID 2964 wrote to memory of 2248 2964 vpjvd.exe 32 PID 2964 wrote to memory of 2248 2964 vpjvd.exe 32 PID 2964 wrote to memory of 2248 2964 vpjvd.exe 32 PID 2248 wrote to memory of 2188 2248 vppdp.exe 33 PID 2248 wrote to memory of 2188 2248 vppdp.exe 33 PID 2248 wrote to memory of 2188 2248 vppdp.exe 33 PID 2248 wrote to memory of 2188 2248 vppdp.exe 33 PID 2188 wrote to memory of 2208 2188 9vpdp.exe 34 PID 2188 wrote to memory of 2208 2188 9vpdp.exe 34 PID 2188 wrote to memory of 2208 2188 9vpdp.exe 34 PID 2188 wrote to memory of 2208 2188 9vpdp.exe 34 PID 2208 wrote to memory of 2640 2208 lfxfffx.exe 35 PID 2208 wrote to memory of 2640 2208 lfxfffx.exe 35 PID 2208 wrote to memory of 2640 2208 lfxfffx.exe 35 PID 2208 wrote to memory of 2640 2208 lfxfffx.exe 35 PID 2640 wrote to memory of 2908 2640 rrlfxlf.exe 36 PID 2640 wrote to memory of 2908 2640 rrlfxlf.exe 36 PID 2640 wrote to memory of 2908 2640 rrlfxlf.exe 36 PID 2640 wrote to memory of 2908 2640 rrlfxlf.exe 36 PID 2908 wrote to memory of 2540 2908 xrrrxrf.exe 37 PID 2908 wrote to memory of 2540 2908 xrrrxrf.exe 37 PID 2908 wrote to memory of 2540 2908 xrrrxrf.exe 37 PID 2908 wrote to memory of 2540 2908 xrrrxrf.exe 37 PID 2540 wrote to memory of 2568 2540 7bhbbt.exe 38 PID 2540 wrote to memory of 2568 2540 7bhbbt.exe 38 PID 2540 wrote to memory of 2568 2540 7bhbbt.exe 38 PID 2540 wrote to memory of 2568 2540 7bhbbt.exe 38 PID 2568 wrote to memory of 2704 2568 5pjpv.exe 39 PID 2568 wrote 
to memory of 2704 2568 5pjpv.exe 39 PID 2568 wrote to memory of 2704 2568 5pjpv.exe 39 PID 2568 wrote to memory of 2704 2568 5pjpv.exe 39 PID 2704 wrote to memory of 2552 2704 tbnbhb.exe 40 PID 2704 wrote to memory of 2552 2704 tbnbhb.exe 40 PID 2704 wrote to memory of 2552 2704 tbnbhb.exe 40 PID 2704 wrote to memory of 2552 2704 tbnbhb.exe 40 PID 2552 wrote to memory of 2984 2552 jjvdp.exe 41 PID 2552 wrote to memory of 2984 2552 jjvdp.exe 41 PID 2552 wrote to memory of 2984 2552 jjvdp.exe 41 PID 2552 wrote to memory of 2984 2552 jjvdp.exe 41 PID 2984 wrote to memory of 1832 2984 1jddd.exe 42 PID 2984 wrote to memory of 1832 2984 1jddd.exe 42 PID 2984 wrote to memory of 1832 2984 1jddd.exe 42 PID 2984 wrote to memory of 1832 2984 1jddd.exe 42 PID 1832 wrote to memory of 1984 1832 btbbnn.exe 43 PID 1832 wrote to memory of 1984 1832 btbbnn.exe 43 PID 1832 wrote to memory of 1984 1832 btbbnn.exe 43 PID 1832 wrote to memory of 1984 1832 btbbnn.exe 43 PID 1984 wrote to memory of 1784 1984 bttbbh.exe 44 PID 1984 wrote to memory of 1784 1984 bttbbh.exe 44 PID 1984 wrote to memory of 1784 1984 bttbbh.exe 44 PID 1984 wrote to memory of 1784 1984 bttbbh.exe 44 PID 1784 wrote to memory of 2520 1784 nnbthn.exe 45 PID 1784 wrote to memory of 2520 1784 nnbthn.exe 45 PID 1784 wrote to memory of 2520 1784 nnbthn.exe 45 PID 1784 wrote to memory of 2520 1784 nnbthn.exe 45 PID 2520 wrote to memory of 1664 2520 hbtbnb.exe 46 PID 2520 wrote to memory of 1664 2520 hbtbnb.exe 46 PID 2520 wrote to memory of 1664 2520 hbtbnb.exe 46 PID 2520 wrote to memory of 1664 2520 hbtbnb.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe"C:\Users\Admin\AppData\Local\Temp\1f77a6e57981d64395cf1dce3b1881cd198f47f01fc7bf13c4a572812310fe06.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\vpjvd.exec:\vpjvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\vppdp.exec:\vppdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\9vpdp.exec:\9vpdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\lfxfffx.exec:\lfxfffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\rrlfxlf.exec:\rrlfxlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\xrrrxrf.exec:\xrrrxrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\7bhbbt.exec:\7bhbbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\5pjpv.exec:\5pjpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\tbnbhb.exec:\tbnbhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\jjvdp.exec:\jjvdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\1jddd.exec:\1jddd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\btbbnn.exec:\btbbnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\bttbbh.exec:\bttbbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\nnbthn.exec:\nnbthn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\hbtbnb.exec:\hbtbnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\jdvdp.exec:\jdvdp.exe17⤵
- Executes dropped EXE
PID:1664 -
\??\c:\9htnbb.exec:\9htnbb.exe18⤵
- Executes dropped EXE
PID:1976 -
\??\c:\jjdpj.exec:\jjdpj.exe19⤵
- Executes dropped EXE
PID:2732 -
\??\c:\nnhtht.exec:\nnhtht.exe20⤵
- Executes dropped EXE
PID:1884 -
\??\c:\dvdvv.exec:\dvdvv.exe21⤵
- Executes dropped EXE
PID:3004 -
\??\c:\llfxlfx.exec:\llfxlfx.exe22⤵
- Executes dropped EXE
PID:448 -
\??\c:\ttbttt.exec:\ttbttt.exe23⤵
- Executes dropped EXE
PID:672 -
\??\c:\fxlxffl.exec:\fxlxffl.exe24⤵
- Executes dropped EXE
PID:276 -
\??\c:\7bnttb.exec:\7bnttb.exe25⤵
- Executes dropped EXE
PID:2880 -
\??\c:\bbtnnt.exec:\bbtnnt.exe26⤵
- Executes dropped EXE
PID:900 -
\??\c:\rxxrflf.exec:\rxxrflf.exe27⤵
- Executes dropped EXE
PID:2496 -
\??\c:\bbhhtb.exec:\bbhhtb.exe28⤵
- Executes dropped EXE
PID:2776 -
\??\c:\ffxlxfl.exec:\ffxlxfl.exe29⤵
- Executes dropped EXE
PID:1620 -
\??\c:\dvvvv.exec:\dvvvv.exe30⤵
- Executes dropped EXE
PID:2296 -
\??\c:\9pdjd.exec:\9pdjd.exe31⤵
- Executes dropped EXE
PID:572 -
\??\c:\hbtbht.exec:\hbtbht.exe32⤵
- Executes dropped EXE
PID:888 -
\??\c:\5pjvj.exec:\5pjvj.exe33⤵
- Executes dropped EXE
PID:1628 -
\??\c:\9rfllrx.exec:\9rfllrx.exe34⤵
- Executes dropped EXE
PID:3020 -
\??\c:\btnnhh.exec:\btnnhh.exe35⤵
- Executes dropped EXE
PID:2968 -
\??\c:\5jvvd.exec:\5jvvd.exe36⤵
- Executes dropped EXE
PID:2892 -
\??\c:\jdjvv.exec:\jdjvv.exe37⤵
- Executes dropped EXE
PID:2160 -
\??\c:\rlflrrl.exec:\rlflrrl.exe38⤵
- Executes dropped EXE
PID:2132 -
\??\c:\hbbnhb.exec:\hbbnhb.exe39⤵
- Executes dropped EXE
PID:2780 -
\??\c:\7pvdv.exec:\7pvdv.exe40⤵
- Executes dropped EXE
PID:2792 -
\??\c:\lxrxlrf.exec:\lxrxlrf.exe41⤵
- Executes dropped EXE
PID:2688 -
\??\c:\xxrxfxl.exec:\xxrxfxl.exe42⤵
- Executes dropped EXE
PID:2832 -
\??\c:\nnnthh.exec:\nnnthh.exe43⤵
- Executes dropped EXE
PID:1276 -
\??\c:\dvvpv.exec:\dvvpv.exe44⤵
- Executes dropped EXE
PID:2556 -
\??\c:\xlflflf.exec:\xlflflf.exe45⤵
- Executes dropped EXE
PID:2648 -
\??\c:\hhtbnt.exec:\hhtbnt.exe46⤵
- Executes dropped EXE
PID:2548 -
\??\c:\bbthtb.exec:\bbthtb.exe47⤵
- Executes dropped EXE
PID:2988 -
\??\c:\pjdjd.exec:\pjdjd.exe48⤵
- Executes dropped EXE
PID:2992 -
\??\c:\5fllrlx.exec:\5fllrlx.exe49⤵
- Executes dropped EXE
PID:852 -
\??\c:\tnthtt.exec:\tnthtt.exe50⤵
- Executes dropped EXE
PID:1644 -
\??\c:\jvpvd.exec:\jvpvd.exe51⤵
- Executes dropped EXE
PID:2744 -
\??\c:\ddvvv.exec:\ddvvv.exe52⤵
- Executes dropped EXE
PID:756 -
\??\c:\lxrxlrx.exec:\lxrxlrx.exe53⤵
- Executes dropped EXE
PID:1996 -
\??\c:\1tbbtt.exec:\1tbbtt.exe54⤵
- Executes dropped EXE
PID:2944 -
\??\c:\dvjdj.exec:\dvjdj.exe55⤵
- Executes dropped EXE
PID:1152 -
\??\c:\xrxxfrr.exec:\xrxxfrr.exe56⤵
- Executes dropped EXE
PID:2728 -
\??\c:\5fxrlfl.exec:\5fxrlfl.exe57⤵
- Executes dropped EXE
PID:2144 -
\??\c:\hhhthh.exec:\hhhthh.exe58⤵
- Executes dropped EXE
PID:2416 -
\??\c:\vvpvp.exec:\vvpvp.exe59⤵
- Executes dropped EXE
PID:2960 -
\??\c:\jdvvj.exec:\jdvvj.exe60⤵
- Executes dropped EXE
PID:2400 -
\??\c:\rfxfrrx.exec:\rfxfrrx.exe61⤵
- Executes dropped EXE
PID:1084 -
\??\c:\btntnt.exec:\btntnt.exe62⤵
- Executes dropped EXE
PID:684 -
\??\c:\ppppd.exec:\ppppd.exe63⤵
- Executes dropped EXE
PID:2224 -
\??\c:\7lxrxxx.exec:\7lxrxxx.exe64⤵
- Executes dropped EXE
PID:1964 -
\??\c:\9xfllrx.exec:\9xfllrx.exe65⤵
- Executes dropped EXE
PID:1572 -
\??\c:\btbbnn.exec:\btbbnn.exe66⤵PID:396
-
\??\c:\jjdjp.exec:\jjdjp.exe67⤵PID:2424
-
\??\c:\pjddp.exec:\pjddp.exe68⤵PID:2496
-
\??\c:\7lfffxf.exec:\7lfffxf.exe69⤵
- System Location Discovery: System Language Discovery
PID:2308 -
\??\c:\hbhnbb.exec:\hbhnbb.exe70⤵PID:1528
-
\??\c:\hhbnbh.exec:\hhbnbh.exe71⤵PID:872
-
\??\c:\jjjdv.exec:\jjjdv.exe72⤵PID:1732
-
\??\c:\lffxrll.exec:\lffxrll.exe73⤵PID:572
-
\??\c:\1rlrflx.exec:\1rlrflx.exe74⤵PID:1044
-
\??\c:\5ntbhh.exec:\5ntbhh.exe75⤵PID:3008
-
\??\c:\ppjvd.exec:\ppjvd.exe76⤵PID:1576
-
\??\c:\dvvvd.exec:\dvvvd.exe77⤵PID:1552
-
\??\c:\1rllllx.exec:\1rllllx.exe78⤵PID:1712
-
\??\c:\bhbnnh.exec:\bhbnnh.exe79⤵PID:2856
-
\??\c:\3bntnt.exec:\3bntnt.exe80⤵PID:2160
-
\??\c:\vvpvj.exec:\vvpvj.exe81⤵PID:2132
-
\??\c:\lxrxllx.exec:\lxrxllx.exe82⤵PID:2780
-
\??\c:\llflxfr.exec:\llflxfr.exe83⤵PID:2804
-
\??\c:\1htbhn.exec:\1htbhn.exe84⤵PID:2688
-
\??\c:\dddjd.exec:\dddjd.exe85⤵PID:2832
-
\??\c:\dvjjp.exec:\dvjjp.exe86⤵PID:1276
-
\??\c:\llfrxfl.exec:\llfrxfl.exe87⤵PID:3032
-
\??\c:\9hbbbb.exec:\9hbbbb.exe88⤵PID:2604
-
\??\c:\pjvjv.exec:\pjvjv.exe89⤵PID:2844
-
\??\c:\lllrrrf.exec:\lllrrrf.exe90⤵PID:660
-
\??\c:\1fflllf.exec:\1fflllf.exe91⤵PID:2364
-
\??\c:\thttbb.exec:\thttbb.exe92⤵PID:1240
-
\??\c:\pjppj.exec:\pjppj.exe93⤵PID:2752
-
\??\c:\lfxrrrx.exec:\lfxrrrx.exe94⤵PID:2068
-
\??\c:\1rlxrll.exec:\1rlxrll.exe95⤵PID:1064
-
\??\c:\tththh.exec:\tththh.exe96⤵PID:1428
-
\??\c:\dppjp.exec:\dppjp.exe97⤵PID:2016
-
\??\c:\1ddjj.exec:\1ddjj.exe98⤵PID:2768
-
\??\c:\llflrlf.exec:\llflrlf.exe99⤵PID:2620
-
\??\c:\nbnntn.exec:\nbnntn.exe100⤵PID:2180
-
\??\c:\bhhnbn.exec:\bhhnbn.exe101⤵PID:2388
-
\??\c:\3pdvd.exec:\3pdvd.exe102⤵PID:956
-
\??\c:\xrrrxxx.exec:\xrrrxxx.exe103⤵
- System Location Discovery: System Language Discovery
PID:2136 -
\??\c:\frllrrx.exec:\frllrrx.exe104⤵PID:1604
-
\??\c:\htnnnt.exec:\htnnnt.exe105⤵PID:1396
-
\??\c:\9hhnnt.exec:\9hhnnt.exe106⤵PID:880
-
\??\c:\pvddv.exec:\pvddv.exe107⤵PID:992
-
\??\c:\5xrrrxx.exec:\5xrrrxx.exe108⤵PID:2880
-
\??\c:\lfllxxf.exec:\lfllxxf.exe109⤵PID:2184
-
\??\c:\thnthn.exec:\thnthn.exe110⤵PID:1532
-
\??\c:\jdpvv.exec:\jdpvv.exe111⤵PID:236
-
\??\c:\djvpv.exec:\djvpv.exe112⤵PID:2496
-
\??\c:\xxrlxxl.exec:\xxrlxxl.exe113⤵PID:2316
-
\??\c:\lxlrrxx.exec:\lxlrrxx.exe114⤵PID:496
-
\??\c:\thhhnh.exec:\thhhnh.exe115⤵PID:872
-
\??\c:\pdjdv.exec:\pdjdv.exe116⤵PID:1732
-
\??\c:\pjdvv.exec:\pjdvv.exe117⤵PID:876
-
\??\c:\xlfflrf.exec:\xlfflrf.exe118⤵PID:2276
-
\??\c:\hthnbt.exec:\hthnbt.exe119⤵PID:2320
-
\??\c:\hhtnth.exec:\hhtnth.exe120⤵PID:2324
-
\??\c:\vpvpp.exec:\vpvpp.exe121⤵PID:2204
-
\??\c:\dpdvv.exec:\dpdvv.exe122⤵PID:3064