Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22-12-2024 21:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe
-
Size
456KB
-
MD5
ca41a6ba8b88115de9edc8593c45b12b
-
SHA1
329964ad38acd4b4e465737a02407c7090fd248e
-
SHA256
34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd
-
SHA512
0cf6041802c886295fd6f2617b61408859415d3bb36247395960373ada9622b6c6b6b67c68ad7fe2a3db6d3677ae62d53a864092fc9d4b5b178d0aa4f61072fa
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR8:q7Tc2NYHUrAwfMp3CDR8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2332-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2368-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-46-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2736-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1984-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1292-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1200-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/408-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2956-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1300-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-207-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2796-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1464-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2280-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-302-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/708-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2712-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2500-419-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1928-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-469-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2140-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1680-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2448-540-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2764-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2296-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2852-713-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3044-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2524 pjvdj.exe 2368 nhbhtb.exe 2936 rlrlrlr.exe 2736 tnhhtt.exe 2924 fxffffl.exe 2880 3htthn.exe 2284 9fxfrxr.exe 2772 hbtbhn.exe 2620 9xlrrrr.exe 1292 lxxxlff.exe 1984 dddjv.exe 2036 9btbbh.exe 1348 9dvvd.exe 2040 3rflfrl.exe 1200 ddpdv.exe 348 rrrrflf.exe 2808 ttbtnh.exe 2152 vdjjv.exe 2200 lfxxlxf.exe 2956 dpdvp.exe 408 xrffrrx.exe 1656 bbtbbb.exe 1300 dvpvd.exe 2796 1xlxlrx.exe 2784 tntnhh.exe 1464 tnbhbt.exe 2436 1frlrrf.exe 2280 nnhttb.exe 1564 jvjdj.exe 2052 hbttbb.exe 884 djdvj.exe 2112 5rllxxr.exe 1516 rrllrrx.exe 2148 ppvvj.exe 2532 7rflfrx.exe 2788 thnhtt.exe 708 5bntnn.exe 2912 3pdpj.exe 2736 5fxflxf.exe 2712 fxllrrx.exe 3020 7thhnt.exe 2880 jvdjp.exe 2632 3dvvj.exe 2600 xlfrxxf.exe 2676 3tnbbh.exe 824 nbttbb.exe 2932 dpddv.exe 2024 lfxxfll.exe 1984 ffxfrrx.exe 2036 7bbbnt.exe 2500 tthhnt.exe 1928 vjdvv.exe 1884 rlxxffr.exe 1360 fxllxxf.exe 348 3thhnn.exe 2168 dddpv.exe 2972 1pjjj.exe 2432 lxlrxxl.exe 2140 hhbhtb.exe 840 9tnnhb.exe 1556 jdjdp.exe 1856 5fffxfl.exe 1772 hbnhtt.exe 1532 thttbb.exe -
resource yara_rule behavioral1/memory/2332-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2368-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-46-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2736-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1200-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2200-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/408-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2956-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-262-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2280-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-280-0x00000000003B0000-0x00000000003DA000-memory.dmp upx 
behavioral1/memory/884-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2712-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2500-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-469-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2140-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1680-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/796-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/824-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-713-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3000-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3044-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1772-777-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2896-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-966-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-1045-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-1113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-1163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-1285-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flllxf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2332 wrote to memory of 2524 2332 34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe 31 PID 2332 wrote to memory of 2524 2332 34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe 31 PID 2332 wrote to memory of 2524 2332 34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe 31 PID 2332 wrote to memory of 2524 2332 34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe 31 PID 2524 wrote to memory of 2368 2524 pjvdj.exe 32 PID 2524 wrote to memory of 2368 2524 pjvdj.exe 32 PID 2524 wrote to memory of 2368 2524 pjvdj.exe 32 PID 2524 wrote to memory of 2368 2524 pjvdj.exe 32 PID 2368 wrote to memory of 2936 2368 nhbhtb.exe 33 PID 2368 wrote to memory of 2936 2368 nhbhtb.exe 33 PID 2368 wrote to memory of 2936 2368 nhbhtb.exe 33 PID 2368 wrote to memory of 2936 2368 nhbhtb.exe 33 PID 2936 wrote to memory of 2736 2936 rlrlrlr.exe 34 PID 2936 wrote to memory of 2736 2936 rlrlrlr.exe 34 PID 2936 wrote to memory of 2736 2936 rlrlrlr.exe 34 PID 2936 wrote to memory of 2736 2936 rlrlrlr.exe 34 PID 2736 wrote to memory of 2924 2736 tnhhtt.exe 35 PID 2736 wrote to memory of 2924 2736 tnhhtt.exe 35 PID 2736 wrote to memory of 2924 2736 tnhhtt.exe 35 PID 2736 wrote to memory of 2924 2736 tnhhtt.exe 35 PID 2924 wrote to memory of 2880 2924 fxffffl.exe 36 PID 2924 wrote to memory of 2880 2924 fxffffl.exe 36 PID 2924 wrote to memory of 2880 2924 fxffffl.exe 36 PID 2924 wrote to memory of 2880 2924 fxffffl.exe 36 PID 2880 wrote to memory of 2284 2880 3htthn.exe 37 PID 2880 wrote to memory of 2284 2880 3htthn.exe 37 PID 2880 wrote to memory of 2284 2880 3htthn.exe 37 PID 2880 wrote to memory of 2284 2880 3htthn.exe 37 PID 2284 wrote to memory of 2772 2284 9fxfrxr.exe 38 PID 2284 wrote to memory of 2772 2284 9fxfrxr.exe 38 PID 2284 wrote to memory of 2772 2284 9fxfrxr.exe 38 PID 2284 wrote to memory of 2772 2284 9fxfrxr.exe 38 PID 2772 wrote to memory of 2620 2772 hbtbhn.exe 39 PID 
2772 wrote to memory of 2620 2772 hbtbhn.exe 39 PID 2772 wrote to memory of 2620 2772 hbtbhn.exe 39 PID 2772 wrote to memory of 2620 2772 hbtbhn.exe 39 PID 2620 wrote to memory of 1292 2620 9xlrrrr.exe 40 PID 2620 wrote to memory of 1292 2620 9xlrrrr.exe 40 PID 2620 wrote to memory of 1292 2620 9xlrrrr.exe 40 PID 2620 wrote to memory of 1292 2620 9xlrrrr.exe 40 PID 1292 wrote to memory of 1984 1292 lxxxlff.exe 41 PID 1292 wrote to memory of 1984 1292 lxxxlff.exe 41 PID 1292 wrote to memory of 1984 1292 lxxxlff.exe 41 PID 1292 wrote to memory of 1984 1292 lxxxlff.exe 41 PID 1984 wrote to memory of 2036 1984 dddjv.exe 42 PID 1984 wrote to memory of 2036 1984 dddjv.exe 42 PID 1984 wrote to memory of 2036 1984 dddjv.exe 42 PID 1984 wrote to memory of 2036 1984 dddjv.exe 42 PID 2036 wrote to memory of 1348 2036 9btbbh.exe 43 PID 2036 wrote to memory of 1348 2036 9btbbh.exe 43 PID 2036 wrote to memory of 1348 2036 9btbbh.exe 43 PID 2036 wrote to memory of 1348 2036 9btbbh.exe 43 PID 1348 wrote to memory of 2040 1348 9dvvd.exe 44 PID 1348 wrote to memory of 2040 1348 9dvvd.exe 44 PID 1348 wrote to memory of 2040 1348 9dvvd.exe 44 PID 1348 wrote to memory of 2040 1348 9dvvd.exe 44 PID 2040 wrote to memory of 1200 2040 3rflfrl.exe 45 PID 2040 wrote to memory of 1200 2040 3rflfrl.exe 45 PID 2040 wrote to memory of 1200 2040 3rflfrl.exe 45 PID 2040 wrote to memory of 1200 2040 3rflfrl.exe 45 PID 1200 wrote to memory of 348 1200 ddpdv.exe 46 PID 1200 wrote to memory of 348 1200 ddpdv.exe 46 PID 1200 wrote to memory of 348 1200 ddpdv.exe 46 PID 1200 wrote to memory of 348 1200 ddpdv.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe"C:\Users\Admin\AppData\Local\Temp\34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\pjvdj.exec:\pjvdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\nhbhtb.exec:\nhbhtb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\rlrlrlr.exec:\rlrlrlr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\tnhhtt.exec:\tnhhtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\fxffffl.exec:\fxffffl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\3htthn.exec:\3htthn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\9fxfrxr.exec:\9fxfrxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\hbtbhn.exec:\hbtbhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\9xlrrrr.exec:\9xlrrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\lxxxlff.exec:\lxxxlff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\dddjv.exec:\dddjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\9btbbh.exec:\9btbbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\9dvvd.exec:\9dvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\3rflfrl.exec:\3rflfrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\ddpdv.exec:\ddpdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\rrrrflf.exec:\rrrrflf.exe17⤵
- Executes dropped EXE
PID:348 -
\??\c:\ttbtnh.exec:\ttbtnh.exe18⤵
- Executes dropped EXE
PID:2808 -
\??\c:\vdjjv.exec:\vdjjv.exe19⤵
- Executes dropped EXE
PID:2152 -
\??\c:\lfxxlxf.exec:\lfxxlxf.exe20⤵
- Executes dropped EXE
PID:2200 -
\??\c:\dpdvp.exec:\dpdvp.exe21⤵
- Executes dropped EXE
PID:2956 -
\??\c:\xrffrrx.exec:\xrffrrx.exe22⤵
- Executes dropped EXE
PID:408 -
\??\c:\bbtbbb.exec:\bbtbbb.exe23⤵
- Executes dropped EXE
PID:1656 -
\??\c:\dvpvd.exec:\dvpvd.exe24⤵
- Executes dropped EXE
PID:1300 -
\??\c:\1xlxlrx.exec:\1xlxlrx.exe25⤵
- Executes dropped EXE
PID:2796 -
\??\c:\tntnhh.exec:\tntnhh.exe26⤵
- Executes dropped EXE
PID:2784 -
\??\c:\tnbhbt.exec:\tnbhbt.exe27⤵
- Executes dropped EXE
PID:1464 -
\??\c:\1frlrrf.exec:\1frlrrf.exe28⤵
- Executes dropped EXE
PID:2436 -
\??\c:\nnhttb.exec:\nnhttb.exe29⤵
- Executes dropped EXE
PID:2280 -
\??\c:\jvjdj.exec:\jvjdj.exe30⤵
- Executes dropped EXE
PID:1564 -
\??\c:\hbttbb.exec:\hbttbb.exe31⤵
- Executes dropped EXE
PID:2052 -
\??\c:\djdvj.exec:\djdvj.exe32⤵
- Executes dropped EXE
PID:884 -
\??\c:\5rllxxr.exec:\5rllxxr.exe33⤵
- Executes dropped EXE
PID:2112 -
\??\c:\rrllrrx.exec:\rrllrrx.exe34⤵
- Executes dropped EXE
PID:1516 -
\??\c:\ppvvj.exec:\ppvvj.exe35⤵
- Executes dropped EXE
PID:2148 -
\??\c:\7rflfrx.exec:\7rflfrx.exe36⤵
- Executes dropped EXE
PID:2532 -
\??\c:\thnhtt.exec:\thnhtt.exe37⤵
- Executes dropped EXE
PID:2788 -
\??\c:\5bntnn.exec:\5bntnn.exe38⤵
- Executes dropped EXE
PID:708 -
\??\c:\3pdpj.exec:\3pdpj.exe39⤵
- Executes dropped EXE
PID:2912 -
\??\c:\5fxflxf.exec:\5fxflxf.exe40⤵
- Executes dropped EXE
PID:2736 -
\??\c:\fxllrrx.exec:\fxllrrx.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2712 -
\??\c:\7thhnt.exec:\7thhnt.exe42⤵
- Executes dropped EXE
PID:3020 -
\??\c:\jvdjp.exec:\jvdjp.exe43⤵
- Executes dropped EXE
PID:2880 -
\??\c:\3dvvj.exec:\3dvvj.exe44⤵
- Executes dropped EXE
PID:2632 -
\??\c:\xlfrxxf.exec:\xlfrxxf.exe45⤵
- Executes dropped EXE
PID:2600 -
\??\c:\3tnbbh.exec:\3tnbbh.exe46⤵
- Executes dropped EXE
PID:2676 -
\??\c:\nbttbb.exec:\nbttbb.exe47⤵
- Executes dropped EXE
PID:824 -
\??\c:\dpddv.exec:\dpddv.exe48⤵
- Executes dropped EXE
PID:2932 -
\??\c:\lfxxfll.exec:\lfxxfll.exe49⤵
- Executes dropped EXE
PID:2024 -
\??\c:\ffxfrrx.exec:\ffxfrrx.exe50⤵
- Executes dropped EXE
PID:1984 -
\??\c:\7bbbnt.exec:\7bbbnt.exe51⤵
- Executes dropped EXE
PID:2036 -
\??\c:\tthhnt.exec:\tthhnt.exe52⤵
- Executes dropped EXE
PID:2500 -
\??\c:\vjdvv.exec:\vjdvv.exe53⤵
- Executes dropped EXE
PID:1928 -
\??\c:\rlxxffr.exec:\rlxxffr.exe54⤵
- Executes dropped EXE
PID:1884 -
\??\c:\fxllxxf.exec:\fxllxxf.exe55⤵
- Executes dropped EXE
PID:1360 -
\??\c:\3thhnn.exec:\3thhnn.exe56⤵
- Executes dropped EXE
PID:348 -
\??\c:\dddpv.exec:\dddpv.exe57⤵
- Executes dropped EXE
PID:2168 -
\??\c:\1pjjj.exec:\1pjjj.exe58⤵
- Executes dropped EXE
PID:2972 -
\??\c:\lxlrxxl.exec:\lxlrxxl.exe59⤵
- Executes dropped EXE
PID:2432 -
\??\c:\hhbhtb.exec:\hhbhtb.exe60⤵
- Executes dropped EXE
PID:2140 -
\??\c:\9tnnhb.exec:\9tnnhb.exe61⤵
- Executes dropped EXE
PID:840 -
\??\c:\jdjdp.exec:\jdjdp.exe62⤵
- Executes dropped EXE
PID:1556 -
\??\c:\5fffxfl.exec:\5fffxfl.exe63⤵
- Executes dropped EXE
PID:1856 -
\??\c:\hbnhtt.exec:\hbnhtt.exe64⤵
- Executes dropped EXE
PID:1772 -
\??\c:\thttbb.exec:\thttbb.exe65⤵
- Executes dropped EXE
PID:1532 -
\??\c:\1dddp.exec:\1dddp.exe66⤵PID:308
-
\??\c:\lfrrflr.exec:\lfrrflr.exe67⤵PID:2448
-
\??\c:\rrflxrr.exec:\rrflxrr.exe68⤵PID:1724
-
\??\c:\thbhnn.exec:\thbhnn.exe69⤵PID:1680
-
\??\c:\1vvpd.exec:\1vvpd.exe70⤵PID:3052
-
\??\c:\jjvvp.exec:\jjvvp.exe71⤵PID:796
-
\??\c:\1xlxfll.exec:\1xlxfll.exe72⤵PID:2280
-
\??\c:\hthttt.exec:\hthttt.exe73⤵PID:2196
-
\??\c:\vvjdj.exec:\vvjdj.exe74⤵
- System Location Discovery: System Language Discovery
PID:580 -
\??\c:\jvjpj.exec:\jvjpj.exe75⤵PID:756
-
\??\c:\xrfrxfx.exec:\xrfrxfx.exe76⤵PID:2460
-
\??\c:\rlxrxfl.exec:\rlxrxfl.exe77⤵
- System Location Discovery: System Language Discovery
PID:2408 -
\??\c:\ttthhh.exec:\ttthhh.exe78⤵PID:1608
-
\??\c:\3pjvd.exec:\3pjvd.exe79⤵PID:2376
-
\??\c:\lxllrrf.exec:\lxllrrf.exe80⤵PID:1876
-
\??\c:\lfxfrrf.exec:\lfxfrrf.exe81⤵PID:1552
-
\??\c:\btnnbb.exec:\btnnbb.exe82⤵PID:2764
-
\??\c:\3vjjp.exec:\3vjjp.exe83⤵PID:2900
-
\??\c:\ppjjj.exec:\ppjjj.exe84⤵PID:2296
-
\??\c:\rlxfxfl.exec:\rlxfxfl.exe85⤵PID:2740
-
\??\c:\3nnnnn.exec:\3nnnnn.exe86⤵PID:2692
-
\??\c:\bnttnn.exec:\bnttnn.exe87⤵PID:2392
-
\??\c:\1djjp.exec:\1djjp.exe88⤵PID:2880
-
\??\c:\3xrrxlx.exec:\3xrrxlx.exe89⤵PID:2652
-
\??\c:\5rfllrf.exec:\5rfllrf.exe90⤵PID:2600
-
\??\c:\tnhnnn.exec:\tnhnnn.exe91⤵PID:476
-
\??\c:\5vvdv.exec:\5vvdv.exe92⤵PID:824
-
\??\c:\vppdj.exec:\vppdj.exe93⤵PID:1828
-
\??\c:\lfxxxxx.exec:\lfxxxxx.exe94⤵PID:1824
-
\??\c:\nhtthb.exec:\nhtthb.exe95⤵PID:2424
-
\??\c:\9dpvd.exec:\9dpvd.exe96⤵PID:2144
-
\??\c:\dvvjj.exec:\dvvjj.exe97⤵PID:1008
-
\??\c:\rlrxllf.exec:\rlrxllf.exe98⤵PID:2852
-
\??\c:\bhnhtn.exec:\bhnhtn.exe99⤵PID:1628
-
\??\c:\1nhhtb.exec:\1nhhtb.exe100⤵PID:2980
-
\??\c:\jdjvd.exec:\jdjvd.exe101⤵PID:3000
-
\??\c:\ffrrxfl.exec:\ffrrxfl.exe102⤵PID:2152
-
\??\c:\7fxxlfl.exec:\7fxxlfl.exe103⤵PID:2972
-
\??\c:\hhbhbh.exec:\hhbhbh.exe104⤵PID:2700
-
\??\c:\dvppd.exec:\dvppd.exe105⤵PID:2140
-
\??\c:\jdvvd.exec:\jdvvd.exe106⤵PID:3044
-
\??\c:\3xffxrf.exec:\3xffxrf.exe107⤵PID:1392
-
\??\c:\bttthh.exec:\bttthh.exe108⤵PID:1932
-
\??\c:\bnbbbh.exec:\bnbbbh.exe109⤵PID:1772
-
\??\c:\ppjpd.exec:\ppjpd.exe110⤵PID:1532
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe111⤵PID:892
-
\??\c:\7rrllrx.exec:\7rrllrx.exe112⤵PID:2796
-
\??\c:\7htbtb.exec:\7htbtb.exe113⤵PID:1476
-
\??\c:\5dpdp.exec:\5dpdp.exe114⤵PID:1212
-
\??\c:\7pdjj.exec:\7pdjj.exe115⤵PID:356
-
\??\c:\fxflxrx.exec:\fxflxrx.exe116⤵PID:2092
-
\??\c:\htnnhn.exec:\htnnhn.exe117⤵PID:1840
-
\??\c:\bbnhnn.exec:\bbnhnn.exe118⤵PID:316
-
\??\c:\jdvvv.exec:\jdvvv.exe119⤵PID:2052
-
\??\c:\rfxrfff.exec:\rfxrfff.exe120⤵PID:884
-
\??\c:\ffxflrf.exec:\ffxflrf.exe121⤵PID:980
-
\??\c:\tnnntb.exec:\tnnntb.exe122⤵PID:2112