Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
27/01/2025, 20:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe
-
Size
455KB
-
MD5
b96f5b25dd88c51b30f0bb97e63b3ead
-
SHA1
03a8910cca8726b168d2b9e91bc5336d013eb03b
-
SHA256
2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1
-
SHA512
f124a1b246c29aeda0bf27a13ac57f023c857297222ee0bdf68cc1bde6c7208182490b94034a55d052eb643acae57fecbb387c1a871c648dce72e0252c96aa02
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/316-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-44-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2952-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2332-64-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2332-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1264-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1264-83-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/3032-97-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3032-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1472-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/540-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/804-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1084-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1104-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/688-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-279-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/872-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2476-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-367-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2768-381-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2164-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2020-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1156-719-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1352-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-842-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2576-1009-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2652-1173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2932 vpjpd.exe 2356 5tnthn.exe 2688 pdpvv.exe 2744 rfrlrrx.exe 2952 jdpvj.exe 2332 tthnbh.exe 2624 jjdjp.exe 1264 xxxlflx.exe 2672 pjddj.exe 3032 7jjdv.exe 984 3rflxfr.exe 1472 3rlrffl.exe 3000 bbtbhh.exe 1280 vpddp.exe 1916 dpjdp.exe 2656 hhttbb.exe 2360 lfrrffl.exe 1752 nhtthn.exe 2052 xfrffrl.exe 540 nnbhnt.exe 804 xlxrflr.exe 2232 7bthhh.exe 1084 pdvvd.exe 1740 rfxfrrf.exe 2140 dpjvd.exe 688 7xrxlrx.exe 1104 rlrlllr.exe 2036 vjvvj.exe 348 ddvvj.exe 1052 tthnbb.exe 872 btntnn.exe 316 nbnbnt.exe 2524 jdjpd.exe 2932 lfflxfr.exe 2204 ntnbnt.exe 2476 jjdpj.exe 2808 dvjjp.exe 2744 xrffllx.exe 2860 hbtbtt.exe 2880 3vjjv.exe 2732 3jvpv.exe 2592 lfxxxxl.exe 2668 9tthtb.exe 2768 jjdpv.exe 2164 5vddj.exe 1848 xrlrrxx.exe 1412 nhnnbb.exe 2696 jjjvj.exe 1248 flffrxf.exe 288 9fxflxf.exe 1952 nhbhnt.exe 1940 hnhbtb.exe 1992 ppjjd.exe 1836 lfrxflr.exe 1352 rrfflrf.exe 2284 ttbhbh.exe 476 vvjpv.exe 2448 5pjvj.exe 2236 xrfflrx.exe 1608 hbhhnn.exe 2556 pdvjv.exe 1792 vvjdd.exe 1084 ffxxflr.exe 1380 htnnbt.exe -
resource yara_rule behavioral1/memory/316-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2332-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1264-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1472-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-134-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2360-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/540-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/804-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1104-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/688-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-300-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2476-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1992-457-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/1352-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/752-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/752-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2020-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2204-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/476-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-835-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2708-897-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-970-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-1004-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-1009-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-1034-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-1084-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2876-1097-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/352-1106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1676-1111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-1124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-1173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-1182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-1187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-1200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1388-1225-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9htbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 316 wrote to memory of 2932 316 2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe 30 PID 316 wrote to memory of 2932 316 2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe 30 PID 316 wrote to memory of 2932 316 2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe 30 PID 316 wrote to memory of 2932 316 2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe 30 PID 2932 wrote to memory of 2356 2932 vpjpd.exe 31 PID 2932 wrote to memory of 2356 2932 vpjpd.exe 31 PID 2932 wrote to memory of 2356 2932 vpjpd.exe 31 PID 2932 wrote to memory of 2356 2932 vpjpd.exe 31 PID 2356 wrote to memory of 2688 2356 5tnthn.exe 32 PID 2356 wrote to memory of 2688 2356 5tnthn.exe 32 PID 2356 wrote to memory of 2688 2356 5tnthn.exe 32 PID 2356 wrote to memory of 2688 2356 5tnthn.exe 32 PID 2688 wrote to memory of 2744 2688 pdpvv.exe 33 PID 2688 wrote to memory of 2744 2688 pdpvv.exe 33 PID 2688 wrote to memory of 2744 2688 pdpvv.exe 33 PID 2688 wrote to memory of 2744 2688 pdpvv.exe 33 PID 2744 wrote to memory of 2952 2744 rfrlrrx.exe 34 PID 2744 wrote to memory of 2952 2744 rfrlrrx.exe 34 PID 2744 wrote to memory of 2952 2744 rfrlrrx.exe 34 PID 2744 wrote to memory of 2952 2744 rfrlrrx.exe 34 PID 2952 wrote to memory of 2332 2952 jdpvj.exe 35 PID 2952 wrote to memory of 2332 2952 jdpvj.exe 35 PID 2952 wrote to memory of 2332 2952 jdpvj.exe 35 PID 2952 wrote to memory of 2332 2952 jdpvj.exe 35 PID 2332 wrote to memory of 2624 2332 tthnbh.exe 36 PID 2332 wrote to memory of 2624 2332 tthnbh.exe 36 PID 2332 wrote to memory of 2624 2332 tthnbh.exe 36 PID 2332 wrote to memory of 2624 2332 tthnbh.exe 36 PID 2624 wrote to memory of 1264 2624 jjdjp.exe 37 PID 2624 wrote to memory of 1264 2624 jjdjp.exe 37 PID 2624 wrote to memory of 1264 2624 jjdjp.exe 37 PID 2624 wrote to memory of 1264 2624 jjdjp.exe 37 PID 1264 wrote to memory of 2672 1264 xxxlflx.exe 38 PID 1264 wrote to memory of 2672 
1264 xxxlflx.exe 38 PID 1264 wrote to memory of 2672 1264 xxxlflx.exe 38 PID 1264 wrote to memory of 2672 1264 xxxlflx.exe 38 PID 2672 wrote to memory of 3032 2672 pjddj.exe 39 PID 2672 wrote to memory of 3032 2672 pjddj.exe 39 PID 2672 wrote to memory of 3032 2672 pjddj.exe 39 PID 2672 wrote to memory of 3032 2672 pjddj.exe 39 PID 3032 wrote to memory of 984 3032 7jjdv.exe 40 PID 3032 wrote to memory of 984 3032 7jjdv.exe 40 PID 3032 wrote to memory of 984 3032 7jjdv.exe 40 PID 3032 wrote to memory of 984 3032 7jjdv.exe 40 PID 984 wrote to memory of 1472 984 3rflxfr.exe 41 PID 984 wrote to memory of 1472 984 3rflxfr.exe 41 PID 984 wrote to memory of 1472 984 3rflxfr.exe 41 PID 984 wrote to memory of 1472 984 3rflxfr.exe 41 PID 1472 wrote to memory of 3000 1472 3rlrffl.exe 42 PID 1472 wrote to memory of 3000 1472 3rlrffl.exe 42 PID 1472 wrote to memory of 3000 1472 3rlrffl.exe 42 PID 1472 wrote to memory of 3000 1472 3rlrffl.exe 42 PID 3000 wrote to memory of 1280 3000 bbtbhh.exe 43 PID 3000 wrote to memory of 1280 3000 bbtbhh.exe 43 PID 3000 wrote to memory of 1280 3000 bbtbhh.exe 43 PID 3000 wrote to memory of 1280 3000 bbtbhh.exe 43 PID 1280 wrote to memory of 1916 1280 vpddp.exe 44 PID 1280 wrote to memory of 1916 1280 vpddp.exe 44 PID 1280 wrote to memory of 1916 1280 vpddp.exe 44 PID 1280 wrote to memory of 1916 1280 vpddp.exe 44 PID 1916 wrote to memory of 2656 1916 dpjdp.exe 45 PID 1916 wrote to memory of 2656 1916 dpjdp.exe 45 PID 1916 wrote to memory of 2656 1916 dpjdp.exe 45 PID 1916 wrote to memory of 2656 1916 dpjdp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe"C:\Users\Admin\AppData\Local\Temp\2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\vpjpd.exec:\vpjpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\5tnthn.exec:\5tnthn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\pdpvv.exec:\pdpvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\rfrlrrx.exec:\rfrlrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\jdpvj.exec:\jdpvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\tthnbh.exec:\tthnbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\jjdjp.exec:\jjdjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\xxxlflx.exec:\xxxlflx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\pjddj.exec:\pjddj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\7jjdv.exec:\7jjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\3rflxfr.exec:\3rflxfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:984 -
\??\c:\3rlrffl.exec:\3rlrffl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\bbtbhh.exec:\bbtbhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\vpddp.exec:\vpddp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\dpjdp.exec:\dpjdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\hhttbb.exec:\hhttbb.exe17⤵
- Executes dropped EXE
PID:2656 -
\??\c:\lfrrffl.exec:\lfrrffl.exe18⤵
- Executes dropped EXE
PID:2360 -
\??\c:\nhtthn.exec:\nhtthn.exe19⤵
- Executes dropped EXE
PID:1752 -
\??\c:\xfrffrl.exec:\xfrffrl.exe20⤵
- Executes dropped EXE
PID:2052 -
\??\c:\nnbhnt.exec:\nnbhnt.exe21⤵
- Executes dropped EXE
PID:540 -
\??\c:\xlxrflr.exec:\xlxrflr.exe22⤵
- Executes dropped EXE
PID:804 -
\??\c:\7bthhh.exec:\7bthhh.exe23⤵
- Executes dropped EXE
PID:2232 -
\??\c:\pdvvd.exec:\pdvvd.exe24⤵
- Executes dropped EXE
PID:1084 -
\??\c:\rfxfrrf.exec:\rfxfrrf.exe25⤵
- Executes dropped EXE
PID:1740 -
\??\c:\dpjvd.exec:\dpjvd.exe26⤵
- Executes dropped EXE
PID:2140 -
\??\c:\7xrxlrx.exec:\7xrxlrx.exe27⤵
- Executes dropped EXE
PID:688 -
\??\c:\rlrlllr.exec:\rlrlllr.exe28⤵
- Executes dropped EXE
PID:1104 -
\??\c:\vjvvj.exec:\vjvvj.exe29⤵
- Executes dropped EXE
PID:2036 -
\??\c:\ddvvj.exec:\ddvvj.exe30⤵
- Executes dropped EXE
PID:348 -
\??\c:\tthnbb.exec:\tthnbb.exe31⤵
- Executes dropped EXE
PID:1052 -
\??\c:\btntnn.exec:\btntnn.exe32⤵
- Executes dropped EXE
PID:872 -
\??\c:\nbnbnt.exec:\nbnbnt.exe33⤵
- Executes dropped EXE
PID:316 -
\??\c:\jdjpd.exec:\jdjpd.exe34⤵
- Executes dropped EXE
PID:2524 -
\??\c:\lfflxfr.exec:\lfflxfr.exe35⤵
- Executes dropped EXE
PID:2932 -
\??\c:\ntnbnt.exec:\ntnbnt.exe36⤵
- Executes dropped EXE
PID:2204 -
\??\c:\jjdpj.exec:\jjdpj.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2476 -
\??\c:\dvjjp.exec:\dvjjp.exe38⤵
- Executes dropped EXE
PID:2808 -
\??\c:\xrffllx.exec:\xrffllx.exe39⤵
- Executes dropped EXE
PID:2744 -
\??\c:\hbtbtt.exec:\hbtbtt.exe40⤵
- Executes dropped EXE
PID:2860 -
\??\c:\3vjjv.exec:\3vjjv.exe41⤵
- Executes dropped EXE
PID:2880 -
\??\c:\3jvpv.exec:\3jvpv.exe42⤵
- Executes dropped EXE
PID:2732 -
\??\c:\lfxxxxl.exec:\lfxxxxl.exe43⤵
- Executes dropped EXE
PID:2592 -
\??\c:\9tthtb.exec:\9tthtb.exe44⤵
- Executes dropped EXE
PID:2668 -
\??\c:\jjdpv.exec:\jjdpv.exe45⤵
- Executes dropped EXE
PID:2768 -
\??\c:\5vddj.exec:\5vddj.exe46⤵
- Executes dropped EXE
PID:2164 -
\??\c:\xrlrrxx.exec:\xrlrrxx.exe47⤵
- Executes dropped EXE
PID:1848 -
\??\c:\nhnnbb.exec:\nhnnbb.exe48⤵
- Executes dropped EXE
PID:1412 -
\??\c:\jjjvj.exec:\jjjvj.exe49⤵
- Executes dropped EXE
PID:2696 -
\??\c:\flffrxf.exec:\flffrxf.exe50⤵
- Executes dropped EXE
PID:1248 -
\??\c:\9fxflxf.exec:\9fxflxf.exe51⤵
- Executes dropped EXE
PID:288 -
\??\c:\nhbhnt.exec:\nhbhnt.exe52⤵
- Executes dropped EXE
PID:1952 -
\??\c:\hnhbtb.exec:\hnhbtb.exe53⤵
- Executes dropped EXE
PID:1940 -
\??\c:\ppjjd.exec:\ppjjd.exe54⤵
- Executes dropped EXE
PID:1992 -
\??\c:\lfrxflr.exec:\lfrxflr.exe55⤵
- Executes dropped EXE
PID:1836 -
\??\c:\rrfflrf.exec:\rrfflrf.exe56⤵
- Executes dropped EXE
PID:1352 -
\??\c:\ttbhbh.exec:\ttbhbh.exe57⤵
- Executes dropped EXE
PID:2284 -
\??\c:\vvjpv.exec:\vvjpv.exe58⤵
- Executes dropped EXE
PID:476 -
\??\c:\5pjvj.exec:\5pjvj.exe59⤵
- Executes dropped EXE
PID:2448 -
\??\c:\xrfflrx.exec:\xrfflrx.exe60⤵
- Executes dropped EXE
PID:2236 -
\??\c:\hbhhnn.exec:\hbhhnn.exe61⤵
- Executes dropped EXE
PID:1608 -
\??\c:\pdvjv.exec:\pdvjv.exe62⤵
- Executes dropped EXE
PID:2556 -
\??\c:\vvjdd.exec:\vvjdd.exe63⤵
- Executes dropped EXE
PID:1792 -
\??\c:\ffxxflr.exec:\ffxxflr.exe64⤵
- Executes dropped EXE
PID:1084 -
\??\c:\htnnbt.exec:\htnnbt.exe65⤵
- Executes dropped EXE
PID:1380 -
\??\c:\bntnnn.exec:\bntnnn.exe66⤵PID:756
-
\??\c:\jjddj.exec:\jjddj.exe67⤵PID:2636
-
\??\c:\xrllrrf.exec:\xrllrrf.exe68⤵PID:752
-
\??\c:\llflxlf.exec:\llflxlf.exe69⤵PID:2504
-
\??\c:\hbnthn.exec:\hbnthn.exe70⤵PID:2036
-
\??\c:\pdppv.exec:\pdppv.exe71⤵PID:2468
-
\??\c:\pdvvd.exec:\pdvvd.exe72⤵PID:1732
-
\??\c:\xlrlrrx.exec:\xlrlrrx.exe73⤵PID:2680
-
\??\c:\bbttbt.exec:\bbttbt.exe74⤵PID:2532
-
\??\c:\vppdj.exec:\vppdj.exe75⤵PID:2020
-
\??\c:\ddvjv.exec:\ddvjv.exe76⤵PID:316
-
\??\c:\fxllrlr.exec:\fxllrlr.exe77⤵PID:2312
-
\??\c:\1lflxff.exec:\1lflxff.exe78⤵PID:2776
-
\??\c:\5btbnb.exec:\5btbnb.exe79⤵PID:2204
-
\??\c:\1vddd.exec:\1vddd.exe80⤵PID:2800
-
\??\c:\jdvvd.exec:\jdvvd.exe81⤵PID:2788
-
\??\c:\xlflxll.exec:\xlflxll.exe82⤵PID:2604
-
\??\c:\tnhhnt.exec:\tnhhnt.exe83⤵PID:2852
-
\??\c:\bttbnt.exec:\bttbnt.exe84⤵PID:2620
-
\??\c:\3vddp.exec:\3vddp.exe85⤵PID:2624
-
\??\c:\xxrrxxl.exec:\xxrrxxl.exe86⤵PID:2628
-
\??\c:\3lrfrrr.exec:\3lrfrrr.exe87⤵PID:1688
-
\??\c:\nnbbbb.exec:\nnbbbb.exe88⤵PID:3024
-
\??\c:\vpdpv.exec:\vpdpv.exe89⤵PID:988
-
\??\c:\jjdpd.exec:\jjdpd.exe90⤵PID:2124
-
\??\c:\rlffflr.exec:\rlffflr.exe91⤵PID:668
-
\??\c:\bttbnn.exec:\bttbnn.exe92⤵PID:1920
-
\??\c:\1bnntt.exec:\1bnntt.exe93⤵PID:1648
-
\??\c:\1vjjp.exec:\1vjjp.exe94⤵PID:2364
-
\??\c:\jvjdd.exec:\jvjdd.exe95⤵PID:2000
-
\??\c:\frllrxf.exec:\frllrxf.exe96⤵PID:2004
-
\??\c:\7tnttb.exec:\7tnttb.exe97⤵PID:1916
-
\??\c:\hhthnt.exec:\hhthnt.exe98⤵PID:2200
-
\??\c:\7jpjj.exec:\7jpjj.exe99⤵PID:1156
-
\??\c:\xrfrflx.exec:\xrfrflx.exe100⤵PID:1352
-
\??\c:\1xfflll.exec:\1xfflll.exe101⤵PID:908
-
\??\c:\nhntbt.exec:\nhntbt.exe102⤵PID:476
-
\??\c:\ppjvj.exec:\ppjvj.exe103⤵PID:2052
-
\??\c:\dvjpj.exec:\dvjpj.exe104⤵PID:2236
-
\??\c:\rllrffr.exec:\rllrffr.exe105⤵PID:1136
-
\??\c:\httbbb.exec:\httbbb.exe106⤵PID:2316
-
\??\c:\tthhhh.exec:\tthhhh.exe107⤵PID:2464
-
\??\c:\vvjdj.exec:\vvjdj.exe108⤵PID:2212
-
\??\c:\llffrrl.exec:\llffrrl.exe109⤵PID:2216
-
\??\c:\rlllrxx.exec:\rlllrxx.exe110⤵PID:756
-
\??\c:\hththh.exec:\hththh.exe111⤵PID:2936
-
\??\c:\ppjpd.exec:\ppjpd.exe112⤵PID:2528
-
\??\c:\jdppj.exec:\jdppj.exe113⤵PID:2096
-
\??\c:\rlfrxfr.exec:\rlfrxfr.exe114⤵PID:836
-
\??\c:\9htthh.exec:\9htthh.exe115⤵PID:1728
-
\??\c:\7nhntb.exec:\7nhntb.exe116⤵PID:2548
-
\??\c:\3dpdj.exec:\3dpdj.exe117⤵PID:1292
-
\??\c:\ppjvj.exec:\ppjvj.exe118⤵PID:2064
-
\??\c:\ffrfrxf.exec:\ffrfrxf.exe119⤵PID:1908
-
\??\c:\nhhhnn.exec:\nhhhnn.exe120⤵PID:3044
-
\??\c:\vpjjp.exec:\vpjjp.exe121⤵PID:2312
-
\??\c:\dpjdj.exec:\dpjdj.exe122⤵PID:2776