Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe
-
Size
454KB
-
MD5
1f0826a932f50220d80b1b9cb06ddb01
-
SHA1
9e4909014c3388689442af213a693de08c687ab4
-
SHA256
345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba
-
SHA512
a86113efdc45bb5f63c46cd464abc9958c4d79687dd4d6bb91118eb6a044cde40a6a382152eaa03a9967b60f482725aae1d0ea996123157d9e21b3fca91705f0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2424-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2436-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1500-15-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2296-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3000-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1308-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/864-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2396-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-200-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1976-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-214-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/604-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/816-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/972-236-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/832-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1780-253-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1548-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1548-275-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1580-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/284-356-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2604-369-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2604-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2560-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/348-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1444-461-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2032-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/940-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2260-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2512-723-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/940-815-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1156-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2292-1042-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2296-1189-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1500 pjdpv.exe 2436 5httbh.exe 2296 5dpvd.exe 3000 vdvvp.exe 1768 7ttbth.exe 2136 lrlxlxl.exe 3052 xlfrflx.exe 2756 3lxfrfl.exe 2620 5xrxxxl.exe 2696 vddvp.exe 2828 llfrflx.exe 2544 3nbhtt.exe 2540 vpdvd.exe 2692 vpvjv.exe 1532 jddjp.exe 1308 fxrflxf.exe 1796 hnthtb.exe 864 hhnbth.exe 2396 pvpdp.exe 1600 nttbth.exe 1920 pjpdj.exe 1976 5rfllxl.exe 2848 jjjpd.exe 604 9rlrflf.exe 972 5jjdp.exe 816 tbbhnb.exe 1780 7ppvp.exe 832 lflxflx.exe 1548 jvvvv.exe 2356 1llxxlr.exe 2120 pjjvd.exe 1508 rlrxrxf.exe 2116 9pjpv.exe 1580 bhhnht.exe 1944 hnhhnb.exe 2436 xfflrxl.exe 2944 5xrfrxl.exe 2964 5nnhnn.exe 2888 1vpdj.exe 284 rfxlfrr.exe 2688 1bbthn.exe 2604 nbhbhb.exe 2652 7pjjj.exe 2712 rxrfrff.exe 1928 hnhnht.exe 2620 ppjvp.exe 2536 3rxxllf.exe 2680 flflxrf.exe 2560 nnbtht.exe 2664 jjjvj.exe 2540 pvvjd.exe 348 llfrfrf.exe 1860 btnbhn.exe 1276 jjdpp.exe 876 ffxrffl.exe 1444 nhhtnn.exe 864 hhhnhn.exe 2032 pdvjj.exe 1968 lrrlfrl.exe 1772 nbtbtb.exe 1924 djpdv.exe 2824 ppdpp.exe 2860 llflxxr.exe 2848 bhbntb.exe -
resource yara_rule behavioral1/memory/2424-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2296-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3000-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-90-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2828-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1308-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2396-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1976-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-214-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/604-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/816-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/832-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1780-253-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/1548-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2540-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/348-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1444-461-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2032-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/380-520-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/940-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2260-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-723-0x0000000000320000-0x000000000034A000-memory.dmp upx 
behavioral1/memory/1824-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/940-816-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/940-815-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1156-835-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1500-884-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-933-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2292-1042-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2436-1171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-1266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/348-1291-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2424 wrote to memory of 1500 2424 345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe 28 PID 2424 wrote to memory of 1500 2424 345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe 28 PID 2424 wrote to memory of 1500 2424 345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe 28 PID 2424 wrote to memory of 1500 2424 345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe 28 PID 1500 wrote to memory of 2436 1500 pjdpv.exe 29 PID 1500 wrote to memory of 2436 1500 pjdpv.exe 29 PID 1500 wrote to memory of 2436 1500 pjdpv.exe 29 PID 1500 wrote to memory of 2436 1500 pjdpv.exe 29 PID 2436 wrote to memory of 2296 2436 5httbh.exe 30 PID 2436 wrote to memory of 2296 2436 5httbh.exe 30 PID 2436 wrote to memory of 2296 2436 5httbh.exe 30 PID 2436 wrote to memory of 2296 2436 5httbh.exe 30 PID 2296 wrote to memory of 3000 2296 5dpvd.exe 31 PID 2296 wrote to memory of 3000 2296 5dpvd.exe 31 PID 2296 wrote to memory of 3000 2296 5dpvd.exe 31 PID 2296 wrote to memory of 3000 2296 5dpvd.exe 31 PID 3000 wrote to memory of 1768 3000 vdvvp.exe 32 PID 3000 wrote to memory of 1768 3000 vdvvp.exe 32 PID 3000 wrote to memory of 1768 3000 vdvvp.exe 32 PID 3000 wrote to memory of 1768 3000 vdvvp.exe 32 PID 1768 wrote to memory of 2136 1768 7ttbth.exe 33 PID 1768 wrote to memory of 2136 1768 7ttbth.exe 33 PID 1768 wrote to memory of 2136 1768 7ttbth.exe 33 PID 1768 wrote to memory of 2136 1768 7ttbth.exe 33 PID 2136 wrote to memory of 3052 2136 lrlxlxl.exe 34 PID 2136 wrote to memory of 3052 2136 lrlxlxl.exe 34 PID 2136 wrote to memory of 3052 2136 lrlxlxl.exe 34 PID 2136 wrote to memory of 3052 2136 lrlxlxl.exe 34 PID 3052 wrote to memory of 2756 3052 xlfrflx.exe 35 PID 3052 wrote to memory of 2756 3052 xlfrflx.exe 35 PID 3052 wrote to memory of 2756 3052 xlfrflx.exe 35 PID 3052 wrote to memory of 2756 3052 xlfrflx.exe 35 PID 2756 wrote to memory of 2620 2756 3lxfrfl.exe 36 PID 2756 wrote 
to memory of 2620 2756 3lxfrfl.exe 36 PID 2756 wrote to memory of 2620 2756 3lxfrfl.exe 36 PID 2756 wrote to memory of 2620 2756 3lxfrfl.exe 36 PID 2620 wrote to memory of 2696 2620 5xrxxxl.exe 37 PID 2620 wrote to memory of 2696 2620 5xrxxxl.exe 37 PID 2620 wrote to memory of 2696 2620 5xrxxxl.exe 37 PID 2620 wrote to memory of 2696 2620 5xrxxxl.exe 37 PID 2696 wrote to memory of 2828 2696 vddvp.exe 38 PID 2696 wrote to memory of 2828 2696 vddvp.exe 38 PID 2696 wrote to memory of 2828 2696 vddvp.exe 38 PID 2696 wrote to memory of 2828 2696 vddvp.exe 38 PID 2828 wrote to memory of 2544 2828 llfrflx.exe 39 PID 2828 wrote to memory of 2544 2828 llfrflx.exe 39 PID 2828 wrote to memory of 2544 2828 llfrflx.exe 39 PID 2828 wrote to memory of 2544 2828 llfrflx.exe 39 PID 2544 wrote to memory of 2540 2544 3nbhtt.exe 40 PID 2544 wrote to memory of 2540 2544 3nbhtt.exe 40 PID 2544 wrote to memory of 2540 2544 3nbhtt.exe 40 PID 2544 wrote to memory of 2540 2544 3nbhtt.exe 40 PID 2540 wrote to memory of 2692 2540 vpdvd.exe 41 PID 2540 wrote to memory of 2692 2540 vpdvd.exe 41 PID 2540 wrote to memory of 2692 2540 vpdvd.exe 41 PID 2540 wrote to memory of 2692 2540 vpdvd.exe 41 PID 2692 wrote to memory of 1532 2692 vpvjv.exe 42 PID 2692 wrote to memory of 1532 2692 vpvjv.exe 42 PID 2692 wrote to memory of 1532 2692 vpvjv.exe 42 PID 2692 wrote to memory of 1532 2692 vpvjv.exe 42 PID 1532 wrote to memory of 1308 1532 jddjp.exe 43 PID 1532 wrote to memory of 1308 1532 jddjp.exe 43 PID 1532 wrote to memory of 1308 1532 jddjp.exe 43 PID 1532 wrote to memory of 1308 1532 jddjp.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe"C:\Users\Admin\AppData\Local\Temp\345aee94f13ed096488f49cf62fa962cf54346432c80fa99056374660a28baba.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\pjdpv.exec:\pjdpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\5httbh.exec:\5httbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\5dpvd.exec:\5dpvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\vdvvp.exec:\vdvvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\7ttbth.exec:\7ttbth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\lrlxlxl.exec:\lrlxlxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\xlfrflx.exec:\xlfrflx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\3lxfrfl.exec:\3lxfrfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\5xrxxxl.exec:\5xrxxxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\vddvp.exec:\vddvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\llfrflx.exec:\llfrflx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\3nbhtt.exec:\3nbhtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\vpdvd.exec:\vpdvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\vpvjv.exec:\vpvjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\jddjp.exec:\jddjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\fxrflxf.exec:\fxrflxf.exe17⤵
- Executes dropped EXE
PID:1308 -
\??\c:\hnthtb.exec:\hnthtb.exe18⤵
- Executes dropped EXE
PID:1796 -
\??\c:\hhnbth.exec:\hhnbth.exe19⤵
- Executes dropped EXE
PID:864 -
\??\c:\pvpdp.exec:\pvpdp.exe20⤵
- Executes dropped EXE
PID:2396 -
\??\c:\nttbth.exec:\nttbth.exe21⤵
- Executes dropped EXE
PID:1600 -
\??\c:\pjpdj.exec:\pjpdj.exe22⤵
- Executes dropped EXE
PID:1920 -
\??\c:\5rfllxl.exec:\5rfllxl.exe23⤵
- Executes dropped EXE
PID:1976 -
\??\c:\jjjpd.exec:\jjjpd.exe24⤵
- Executes dropped EXE
PID:2848 -
\??\c:\9rlrflf.exec:\9rlrflf.exe25⤵
- Executes dropped EXE
PID:604 -
\??\c:\5jjdp.exec:\5jjdp.exe26⤵
- Executes dropped EXE
PID:972 -
\??\c:\tbbhnb.exec:\tbbhnb.exe27⤵
- Executes dropped EXE
PID:816 -
\??\c:\7ppvp.exec:\7ppvp.exe28⤵
- Executes dropped EXE
PID:1780 -
\??\c:\lflxflx.exec:\lflxflx.exe29⤵
- Executes dropped EXE
PID:832 -
\??\c:\jvvvv.exec:\jvvvv.exe30⤵
- Executes dropped EXE
PID:1548 -
\??\c:\1llxxlr.exec:\1llxxlr.exe31⤵
- Executes dropped EXE
PID:2356 -
\??\c:\pjjvd.exec:\pjjvd.exe32⤵
- Executes dropped EXE
PID:2120 -
\??\c:\rlrxrxf.exec:\rlrxrxf.exe33⤵
- Executes dropped EXE
PID:1508 -
\??\c:\9pjpv.exec:\9pjpv.exe34⤵
- Executes dropped EXE
PID:2116 -
\??\c:\bhhnht.exec:\bhhnht.exe35⤵
- Executes dropped EXE
PID:1580 -
\??\c:\hnhhnb.exec:\hnhhnb.exe36⤵
- Executes dropped EXE
PID:1944 -
\??\c:\xfflrxl.exec:\xfflrxl.exe37⤵
- Executes dropped EXE
PID:2436 -
\??\c:\5xrfrxl.exec:\5xrfrxl.exe38⤵
- Executes dropped EXE
PID:2944 -
\??\c:\5nnhnn.exec:\5nnhnn.exe39⤵
- Executes dropped EXE
PID:2964 -
\??\c:\1vpdj.exec:\1vpdj.exe40⤵
- Executes dropped EXE
PID:2888 -
\??\c:\rfxlfrr.exec:\rfxlfrr.exe41⤵
- Executes dropped EXE
PID:284 -
\??\c:\1bbthn.exec:\1bbthn.exe42⤵
- Executes dropped EXE
PID:2688 -
\??\c:\nbhbhb.exec:\nbhbhb.exe43⤵
- Executes dropped EXE
PID:2604 -
\??\c:\7pjjj.exec:\7pjjj.exe44⤵
- Executes dropped EXE
PID:2652 -
\??\c:\rxrfrff.exec:\rxrfrff.exe45⤵
- Executes dropped EXE
PID:2712 -
\??\c:\hnhnht.exec:\hnhnht.exe46⤵
- Executes dropped EXE
PID:1928 -
\??\c:\ppjvp.exec:\ppjvp.exe47⤵
- Executes dropped EXE
PID:2620 -
\??\c:\3rxxllf.exec:\3rxxllf.exe48⤵
- Executes dropped EXE
PID:2536 -
\??\c:\flflxrf.exec:\flflxrf.exe49⤵
- Executes dropped EXE
PID:2680 -
\??\c:\nnbtht.exec:\nnbtht.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2560 -
\??\c:\jjjvj.exec:\jjjvj.exe51⤵
- Executes dropped EXE
PID:2664 -
\??\c:\pvvjd.exec:\pvvjd.exe52⤵
- Executes dropped EXE
PID:2540 -
\??\c:\llfrfrf.exec:\llfrfrf.exe53⤵
- Executes dropped EXE
PID:348 -
\??\c:\btnbhn.exec:\btnbhn.exe54⤵
- Executes dropped EXE
PID:1860 -
\??\c:\jjdpp.exec:\jjdpp.exe55⤵
- Executes dropped EXE
PID:1276 -
\??\c:\ffxrffl.exec:\ffxrffl.exe56⤵
- Executes dropped EXE
PID:876 -
\??\c:\nhhtnn.exec:\nhhtnn.exe57⤵
- Executes dropped EXE
PID:1444 -
\??\c:\hhhnhn.exec:\hhhnhn.exe58⤵
- Executes dropped EXE
PID:864 -
\??\c:\pdvjj.exec:\pdvjj.exe59⤵
- Executes dropped EXE
PID:2032 -
\??\c:\lrrlfrl.exec:\lrrlfrl.exe60⤵
- Executes dropped EXE
PID:1968 -
\??\c:\nbtbtb.exec:\nbtbtb.exe61⤵
- Executes dropped EXE
PID:1772 -
\??\c:\djpdv.exec:\djpdv.exe62⤵
- Executes dropped EXE
PID:1924 -
\??\c:\ppdpp.exec:\ppdpp.exe63⤵
- Executes dropped EXE
PID:2824 -
\??\c:\llflxxr.exec:\llflxxr.exe64⤵
- Executes dropped EXE
PID:2860 -
\??\c:\bhbntb.exec:\bhbntb.exe65⤵
- Executes dropped EXE
PID:2848 -
\??\c:\vdpdd.exec:\vdpdd.exe66⤵PID:380
-
\??\c:\lllxrfr.exec:\lllxrfr.exe67⤵PID:940
-
\??\c:\lrlfxff.exec:\lrlfxff.exe68⤵PID:716
-
\??\c:\tbhtnb.exec:\tbhtnb.exe69⤵PID:340
-
\??\c:\jpjvv.exec:\jpjvv.exe70⤵PID:1712
-
\??\c:\vvvdp.exec:\vvvdp.exe71⤵PID:920
-
\??\c:\llfxllf.exec:\llfxllf.exe72⤵PID:1036
-
\??\c:\bhtnnh.exec:\bhtnnh.exe73⤵PID:2388
-
\??\c:\ppjjv.exec:\ppjjv.exe74⤵PID:568
-
\??\c:\jjjpp.exec:\jjjpp.exe75⤵PID:1640
-
\??\c:\xxrfxfx.exec:\xxrfxfx.exe76⤵PID:2244
-
\??\c:\ntnntt.exec:\ntnntt.exe77⤵PID:1508
-
\??\c:\hnbntn.exec:\hnbntn.exe78⤵PID:2164
-
\??\c:\djjjv.exec:\djjjv.exe79⤵PID:1580
-
\??\c:\llrxlxx.exec:\llrxlxx.exe80⤵PID:1044
-
\??\c:\1ntthn.exec:\1ntthn.exe81⤵PID:2260
-
\??\c:\9vvjv.exec:\9vvjv.exe82⤵PID:1312
-
\??\c:\lrllrxf.exec:\lrllrxf.exe83⤵PID:3008
-
\??\c:\9flxrff.exec:\9flxrff.exe84⤵PID:3060
-
\??\c:\1nntnt.exec:\1nntnt.exe85⤵PID:3032
-
\??\c:\1vvjp.exec:\1vvjp.exe86⤵PID:908
-
\??\c:\vpdjp.exec:\vpdjp.exe87⤵PID:2192
-
\??\c:\llffrfl.exec:\llffrfl.exe88⤵PID:2340
-
\??\c:\7hbhtt.exec:\7hbhtt.exe89⤵PID:2772
-
\??\c:\jdvjp.exec:\jdvjp.exe90⤵PID:2504
-
\??\c:\1fflxlr.exec:\1fflxlr.exe91⤵PID:2532
-
\??\c:\ffxfxfr.exec:\ffxfxfr.exe92⤵PID:2700
-
\??\c:\3nhbtt.exec:\3nhbtt.exe93⤵PID:2828
-
\??\c:\dvvvj.exec:\dvvvj.exe94⤵PID:2616
-
\??\c:\3rrxlxx.exec:\3rrxlxx.exe95⤵PID:2512
-
\??\c:\llfrxxr.exec:\llfrxxr.exe96⤵PID:384
-
\??\c:\hhnnhn.exec:\hhnnhn.exe97⤵PID:2692
-
\??\c:\jpdpp.exec:\jpdpp.exe98⤵PID:1532
-
\??\c:\rxrlrff.exec:\rxrlrff.exe99⤵PID:1432
-
\??\c:\xxrflxl.exec:\xxrflxl.exe100⤵PID:1748
-
\??\c:\tbthtt.exec:\tbthtt.exe101⤵PID:1824
-
\??\c:\jjjpv.exec:\jjjpv.exe102⤵PID:1784
-
\??\c:\fffrfrl.exec:\fffrfrl.exe103⤵PID:2312
-
\??\c:\lrlxxlx.exec:\lrlxxlx.exe104⤵PID:1716
-
\??\c:\7hhnth.exec:\7hhnth.exe105⤵PID:1992
-
\??\c:\dpdvp.exec:\dpdvp.exe106⤵PID:2792
-
\??\c:\dvjpv.exec:\dvjpv.exe107⤵PID:2484
-
\??\c:\1lxllxr.exec:\1lxllxr.exe108⤵PID:1976
-
\??\c:\nnbhnn.exec:\nnbhnn.exe109⤵PID:2352
-
\??\c:\vvpvv.exec:\vvpvv.exe110⤵PID:2860
-
\??\c:\7llrflf.exec:\7llrflf.exe111⤵PID:1764
-
\??\c:\bbnnbn.exec:\bbnnbn.exe112⤵PID:968
-
\??\c:\tnhnbb.exec:\tnhnbb.exe113⤵PID:940
-
\??\c:\vvvjd.exec:\vvvjd.exe114⤵PID:1320
-
\??\c:\xfflxfx.exec:\xfflxfx.exe115⤵PID:1676
-
\??\c:\nnbhnt.exec:\nnbhnt.exe116⤵PID:1156
-
\??\c:\nhnbht.exec:\nhnbht.exe117⤵PID:320
-
\??\c:\pjjvp.exec:\pjjvp.exe118⤵PID:2928
-
\??\c:\1jvjj.exec:\1jvjj.exe119⤵PID:1636
-
\??\c:\fxrrxlr.exec:\fxrrxlr.exe120⤵PID:3024
-
\??\c:\nnhtbh.exec:\nnhtbh.exe121⤵PID:1640
-
\??\c:\7nnnnh.exec:\7nnnnh.exe122⤵PID:1512