Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 21:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe
-
Size
456KB
-
MD5
ca41a6ba8b88115de9edc8593c45b12b
-
SHA1
329964ad38acd4b4e465737a02407c7090fd248e
-
SHA256
34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd
-
SHA512
0cf6041802c886295fd6f2617b61408859415d3bb36247395960373ada9622b6c6b6b67c68ad7fe2a3db6d3677ae62d53a864092fc9d4b5b178d0aa4f61072fa
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR8:q7Tc2NYHUrAwfMp3CDR8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3872-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1000-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/816-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-941-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-1062-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2876-1282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1288 djpdv.exe 3712 xrxfxxr.exe 1168 7nnbnn.exe 4068 vjvpv.exe 1068 3rlxlfr.exe 1264 1jjdv.exe 4600 htbhtb.exe 3088 1rlfxrl.exe 2228 jjpjv.exe 4964 9jdvd.exe 852 7xxllfl.exe 4916 5hhthb.exe 5080 jdppp.exe 3176 1nnbbt.exe 3408 dvvpj.exe 1796 rxxlflf.exe 4192 1rxlrrr.exe 3380 dpjvp.exe 3040 ttthtn.exe 3052 hthbnn.exe 880 dvjdd.exe 1060 7xfxrrl.exe 2856 hnbnnh.exe 1000 nbhthb.exe 3984 bhnhtt.exe 384 vjpdv.exe 4640 bnttth.exe 820 tnnbbn.exe 4476 fllfxrl.exe 4352 llffxxr.exe 2584 jjjdp.exe 700 vjjdp.exe 4576 dppdp.exe 5084 djpdd.exe 2904 hbbbtt.exe 3032 pjpjd.exe 516 xrxrxrx.exe 3920 9tnhtt.exe 3732 djpjd.exe 2876 xflflff.exe 4792 ppdpj.exe 2108 fxllrll.exe 1088 bbnnbb.exe 4316 jvdvj.exe 3240 3llffxx.exe 1936 rflfxxx.exe 1288 httnnn.exe 2660 5jjjj.exe 2944 jpddp.exe 4204 lffrfxr.exe 4068 nhhbnn.exe 536 djpvp.exe 1560 rxrxfff.exe 4340 5bnhnn.exe 4600 jdvpj.exe 4872 xllfxxr.exe 3812 5hhttt.exe 4540 9vjdv.exe 1940 3pvpj.exe 2064 fflfxrr.exe 1500 ttnhbt.exe 732 jdjjj.exe 1984 lflfxxx.exe 1588 1rllfxr.exe -
resource yara_rule behavioral2/memory/3872-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-134-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1000-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-332-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2268-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-789-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrfxl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3872 wrote to memory of 1288 3872 34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe 83 PID 3872 wrote to memory of 1288 3872 34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe 83 PID 3872 wrote to memory of 1288 3872 34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe 83 PID 1288 wrote to memory of 3712 1288 djpdv.exe 84 PID 1288 wrote to memory of 3712 1288 djpdv.exe 84 PID 1288 wrote to memory of 3712 1288 djpdv.exe 84 PID 3712 wrote to memory of 1168 3712 xrxfxxr.exe 85 PID 3712 wrote to memory of 1168 3712 xrxfxxr.exe 85 PID 3712 wrote to memory of 1168 3712 xrxfxxr.exe 85 PID 1168 wrote to memory of 4068 1168 7nnbnn.exe 86 PID 1168 wrote to memory of 4068 1168 7nnbnn.exe 86 PID 1168 wrote to memory of 4068 1168 7nnbnn.exe 86 PID 4068 wrote to memory of 1068 4068 vjvpv.exe 87 PID 4068 wrote to memory of 1068 4068 vjvpv.exe 87 PID 4068 wrote to memory of 1068 4068 vjvpv.exe 87 PID 1068 wrote to memory of 1264 1068 3rlxlfr.exe 88 PID 1068 wrote to memory of 1264 1068 3rlxlfr.exe 88 PID 1068 wrote to memory of 1264 1068 3rlxlfr.exe 88 PID 1264 wrote to memory of 4600 1264 1jjdv.exe 89 PID 1264 wrote to memory of 4600 1264 1jjdv.exe 89 PID 1264 wrote to memory of 4600 1264 1jjdv.exe 89 PID 4600 wrote to memory of 3088 4600 htbhtb.exe 90 PID 4600 wrote to memory of 3088 4600 htbhtb.exe 90 PID 4600 wrote to memory of 3088 4600 htbhtb.exe 90 PID 3088 wrote to memory of 2228 3088 1rlfxrl.exe 91 PID 3088 wrote to memory of 2228 3088 1rlfxrl.exe 91 PID 3088 wrote to memory of 2228 3088 1rlfxrl.exe 91 PID 2228 wrote to memory of 4964 2228 jjpjv.exe 92 PID 2228 wrote to memory of 4964 2228 jjpjv.exe 92 PID 2228 wrote to memory of 4964 2228 jjpjv.exe 92 PID 4964 wrote to memory of 852 4964 9jdvd.exe 93 PID 4964 wrote to memory of 852 4964 9jdvd.exe 93 PID 4964 wrote to memory of 852 4964 9jdvd.exe 93 PID 852 wrote to memory of 4916 852 7xxllfl.exe 94 PID 852 wrote to memory of 
4916 852 7xxllfl.exe 94 PID 852 wrote to memory of 4916 852 7xxllfl.exe 94 PID 4916 wrote to memory of 5080 4916 5hhthb.exe 95 PID 4916 wrote to memory of 5080 4916 5hhthb.exe 95 PID 4916 wrote to memory of 5080 4916 5hhthb.exe 95 PID 5080 wrote to memory of 3176 5080 jdppp.exe 96 PID 5080 wrote to memory of 3176 5080 jdppp.exe 96 PID 5080 wrote to memory of 3176 5080 jdppp.exe 96 PID 3176 wrote to memory of 3408 3176 1nnbbt.exe 97 PID 3176 wrote to memory of 3408 3176 1nnbbt.exe 97 PID 3176 wrote to memory of 3408 3176 1nnbbt.exe 97 PID 3408 wrote to memory of 1796 3408 dvvpj.exe 98 PID 3408 wrote to memory of 1796 3408 dvvpj.exe 98 PID 3408 wrote to memory of 1796 3408 dvvpj.exe 98 PID 1796 wrote to memory of 4192 1796 rxxlflf.exe 99 PID 1796 wrote to memory of 4192 1796 rxxlflf.exe 99 PID 1796 wrote to memory of 4192 1796 rxxlflf.exe 99 PID 4192 wrote to memory of 3380 4192 1rxlrrr.exe 100 PID 4192 wrote to memory of 3380 4192 1rxlrrr.exe 100 PID 4192 wrote to memory of 3380 4192 1rxlrrr.exe 100 PID 3380 wrote to memory of 3040 3380 dpjvp.exe 101 PID 3380 wrote to memory of 3040 3380 dpjvp.exe 101 PID 3380 wrote to memory of 3040 3380 dpjvp.exe 101 PID 3040 wrote to memory of 3052 3040 ttthtn.exe 102 PID 3040 wrote to memory of 3052 3040 ttthtn.exe 102 PID 3040 wrote to memory of 3052 3040 ttthtn.exe 102 PID 3052 wrote to memory of 880 3052 hthbnn.exe 103 PID 3052 wrote to memory of 880 3052 hthbnn.exe 103 PID 3052 wrote to memory of 880 3052 hthbnn.exe 103 PID 880 wrote to memory of 1060 880 dvjdd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe"C:\Users\Admin\AppData\Local\Temp\34c8dda5e55ca3f67b3daba03933f4115d474fb64a7eab5c2d5c2f282ad08dbd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\djpdv.exec:\djpdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\xrxfxxr.exec:\xrxfxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\7nnbnn.exec:\7nnbnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\vjvpv.exec:\vjvpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\3rlxlfr.exec:\3rlxlfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\1jjdv.exec:\1jjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\htbhtb.exec:\htbhtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\1rlfxrl.exec:\1rlfxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\jjpjv.exec:\jjpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\9jdvd.exec:\9jdvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\7xxllfl.exec:\7xxllfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\5hhthb.exec:\5hhthb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\jdppp.exec:\jdppp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\1nnbbt.exec:\1nnbbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\dvvpj.exec:\dvvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\rxxlflf.exec:\rxxlflf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\1rxlrrr.exec:\1rxlrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\dpjvp.exec:\dpjvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\ttthtn.exec:\ttthtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\hthbnn.exec:\hthbnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\dvjdd.exec:\dvjdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\7xfxrrl.exec:\7xfxrrl.exe23⤵
- Executes dropped EXE
PID:1060 -
\??\c:\hnbnnh.exec:\hnbnnh.exe24⤵
- Executes dropped EXE
PID:2856 -
\??\c:\nbhthb.exec:\nbhthb.exe25⤵
- Executes dropped EXE
PID:1000 -
\??\c:\bhnhtt.exec:\bhnhtt.exe26⤵
- Executes dropped EXE
PID:3984 -
\??\c:\vjpdv.exec:\vjpdv.exe27⤵
- Executes dropped EXE
PID:384 -
\??\c:\bnttth.exec:\bnttth.exe28⤵
- Executes dropped EXE
PID:4640 -
\??\c:\tnnbbn.exec:\tnnbbn.exe29⤵
- Executes dropped EXE
PID:820 -
\??\c:\fllfxrl.exec:\fllfxrl.exe30⤵
- Executes dropped EXE
PID:4476 -
\??\c:\llffxxr.exec:\llffxxr.exe31⤵
- Executes dropped EXE
PID:4352 -
\??\c:\jjjdp.exec:\jjjdp.exe32⤵
- Executes dropped EXE
PID:2584 -
\??\c:\vjjdp.exec:\vjjdp.exe33⤵
- Executes dropped EXE
PID:700 -
\??\c:\dppdp.exec:\dppdp.exe34⤵
- Executes dropped EXE
PID:4576 -
\??\c:\djpdd.exec:\djpdd.exe35⤵
- Executes dropped EXE
PID:5084 -
\??\c:\hbbbtt.exec:\hbbbtt.exe36⤵
- Executes dropped EXE
PID:2904 -
\??\c:\pjpjd.exec:\pjpjd.exe37⤵
- Executes dropped EXE
PID:3032 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe38⤵
- Executes dropped EXE
PID:516 -
\??\c:\9tnhtt.exec:\9tnhtt.exe39⤵
- Executes dropped EXE
PID:3920 -
\??\c:\djpjd.exec:\djpjd.exe40⤵
- Executes dropped EXE
PID:3732 -
\??\c:\xflflff.exec:\xflflff.exe41⤵
- Executes dropped EXE
PID:2876 -
\??\c:\ppdpj.exec:\ppdpj.exe42⤵
- Executes dropped EXE
PID:4792 -
\??\c:\fxllrll.exec:\fxllrll.exe43⤵
- Executes dropped EXE
PID:2108 -
\??\c:\bbnnbb.exec:\bbnnbb.exe44⤵
- Executes dropped EXE
PID:1088 -
\??\c:\jvdvj.exec:\jvdvj.exe45⤵
- Executes dropped EXE
PID:4316 -
\??\c:\3llffxx.exec:\3llffxx.exe46⤵
- Executes dropped EXE
PID:3240 -
\??\c:\rflfxxx.exec:\rflfxxx.exe47⤵
- Executes dropped EXE
PID:1936 -
\??\c:\httnnn.exec:\httnnn.exe48⤵
- Executes dropped EXE
PID:1288 -
\??\c:\5jjjj.exec:\5jjjj.exe49⤵
- Executes dropped EXE
PID:2660 -
\??\c:\jpddp.exec:\jpddp.exe50⤵
- Executes dropped EXE
PID:2944 -
\??\c:\lffrfxr.exec:\lffrfxr.exe51⤵
- Executes dropped EXE
PID:4204 -
\??\c:\nhhbnn.exec:\nhhbnn.exe52⤵
- Executes dropped EXE
PID:4068 -
\??\c:\djpvp.exec:\djpvp.exe53⤵
- Executes dropped EXE
PID:536 -
\??\c:\rxrxfff.exec:\rxrxfff.exe54⤵
- Executes dropped EXE
PID:1560 -
\??\c:\5bnhnn.exec:\5bnhnn.exe55⤵
- Executes dropped EXE
PID:4340 -
\??\c:\jdvpj.exec:\jdvpj.exe56⤵
- Executes dropped EXE
PID:4600 -
\??\c:\xllfxxr.exec:\xllfxxr.exe57⤵
- Executes dropped EXE
PID:4872 -
\??\c:\5hhttt.exec:\5hhttt.exe58⤵
- Executes dropped EXE
PID:3812 -
\??\c:\9vjdv.exec:\9vjdv.exe59⤵
- Executes dropped EXE
PID:4540 -
\??\c:\3pvpj.exec:\3pvpj.exe60⤵
- Executes dropped EXE
PID:1940 -
\??\c:\fflfxrr.exec:\fflfxrr.exe61⤵
- Executes dropped EXE
PID:2064 -
\??\c:\ttnhbt.exec:\ttnhbt.exe62⤵
- Executes dropped EXE
PID:1500 -
\??\c:\jdjjj.exec:\jdjjj.exe63⤵
- Executes dropped EXE
PID:732 -
\??\c:\lflfxxx.exec:\lflfxxx.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
\??\c:\1rllfxr.exec:\1rllfxr.exe65⤵
- Executes dropped EXE
PID:1588 -
\??\c:\tntnhh.exec:\tntnhh.exe66⤵PID:1540
-
\??\c:\pjpvd.exec:\pjpvd.exe67⤵
- System Location Discovery: System Language Discovery
PID:3600 -
\??\c:\bnbtnn.exec:\bnbtnn.exe68⤵PID:4844
-
\??\c:\jjvdj.exec:\jjvdj.exe69⤵PID:3464
-
\??\c:\ffxxllf.exec:\ffxxllf.exe70⤵PID:2792
-
\??\c:\tbnhnh.exec:\tbnhnh.exe71⤵PID:1220
-
\??\c:\jdjjd.exec:\jdjjd.exe72⤵PID:816
-
\??\c:\1pjjj.exec:\1pjjj.exe73⤵PID:2132
-
\??\c:\rfllfff.exec:\rfllfff.exe74⤵PID:4716
-
\??\c:\ttbtnh.exec:\ttbtnh.exe75⤵PID:2980
-
\??\c:\vpjvv.exec:\vpjvv.exe76⤵
- System Location Discovery: System Language Discovery
PID:3312 -
\??\c:\rfrlffx.exec:\rfrlffx.exe77⤵PID:2268
-
\??\c:\hnbtnn.exec:\hnbtnn.exe78⤵PID:1000
-
\??\c:\3ttnnn.exec:\3ttnnn.exe79⤵PID:716
-
\??\c:\3jvjp.exec:\3jvjp.exe80⤵PID:3860
-
\??\c:\9rrlfff.exec:\9rrlfff.exe81⤵PID:384
-
\??\c:\5bhhbb.exec:\5bhhbb.exe82⤵PID:1884
-
\??\c:\dpvpd.exec:\dpvpd.exe83⤵PID:4852
-
\??\c:\frxrlll.exec:\frxrlll.exe84⤵PID:3472
-
\??\c:\xrxffxx.exec:\xrxffxx.exe85⤵PID:3336
-
\??\c:\httnbt.exec:\httnbt.exe86⤵PID:4800
-
\??\c:\vdppj.exec:\vdppj.exe87⤵PID:2480
-
\??\c:\flrlrrf.exec:\flrlrrf.exe88⤵PID:4060
-
\??\c:\bhttbh.exec:\bhttbh.exe89⤵PID:700
-
\??\c:\dvjdd.exec:\dvjdd.exe90⤵PID:1620
-
\??\c:\pdvpd.exec:\pdvpd.exe91⤵PID:940
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe92⤵PID:4804
-
\??\c:\1bthnn.exec:\1bthnn.exe93⤵PID:4608
-
\??\c:\7djdp.exec:\7djdp.exe94⤵PID:2656
-
\??\c:\rrxrllf.exec:\rrxrllf.exe95⤵PID:964
-
\??\c:\llxrrlf.exec:\llxrrlf.exe96⤵PID:1564
-
\??\c:\thhbtt.exec:\thhbtt.exe97⤵PID:1520
-
\??\c:\vdjdd.exec:\vdjdd.exe98⤵PID:1452
-
\??\c:\xllxxxr.exec:\xllxxxr.exe99⤵PID:552
-
\??\c:\hnhbtb.exec:\hnhbtb.exe100⤵PID:3084
-
\??\c:\3bbtnt.exec:\3bbtnt.exe101⤵
- System Location Discovery: System Language Discovery
PID:4320 -
\??\c:\jpdvp.exec:\jpdvp.exe102⤵PID:4180
-
\??\c:\xrrlxrl.exec:\xrrlxrl.exe103⤵PID:2320
-
\??\c:\nhnhbb.exec:\nhnhbb.exe104⤵PID:3784
-
\??\c:\vjpjp.exec:\vjpjp.exe105⤵PID:1288
-
\??\c:\vpdvd.exec:\vpdvd.exe106⤵
- System Location Discovery: System Language Discovery
PID:1872 -
\??\c:\xrrrffx.exec:\xrrrffx.exe107⤵PID:3904
-
\??\c:\nhhbth.exec:\nhhbth.exe108⤵PID:4052
-
\??\c:\htnhbb.exec:\htnhbb.exe109⤵PID:4100
-
\??\c:\jvdvp.exec:\jvdvp.exe110⤵PID:2796
-
\??\c:\rflxrll.exec:\rflxrll.exe111⤵PID:1264
-
\??\c:\9nbthb.exec:\9nbthb.exe112⤵PID:312
-
\??\c:\vdjdp.exec:\vdjdp.exe113⤵PID:3500
-
\??\c:\vjpjd.exec:\vjpjd.exe114⤵PID:4788
-
\??\c:\1rrlxrr.exec:\1rrlxrr.exe115⤵PID:3004
-
\??\c:\bbhhtt.exec:\bbhhtt.exe116⤵PID:3836
-
\??\c:\3nntnn.exec:\3nntnn.exe117⤵PID:1576
-
\??\c:\jjjjv.exec:\jjjjv.exe118⤵PID:4860
-
\??\c:\xlxrfff.exec:\xlxrfff.exe119⤵PID:1128
-
\??\c:\htbtnh.exec:\htbtnh.exe120⤵PID:1652
-
\??\c:\vdjjv.exec:\vdjjv.exe121⤵PID:8
-
\??\c:\jvjdd.exec:\jvjdd.exe122⤵PID:1984