Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24-11-2024 15:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d8b7c84fce5ecafc40e0d3f27958f4af51998543c46478efd4f63e801d5380cb.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
d8b7c84fce5ecafc40e0d3f27958f4af51998543c46478efd4f63e801d5380cb.exe
-
Size
455KB
-
MD5
8b20675963df36c04f1917d26c491614
-
SHA1
4cd4a85b76dcedfb3e1f6286cbd400b1cf1bc22f
-
SHA256
d8b7c84fce5ecafc40e0d3f27958f4af51998543c46478efd4f63e801d5380cb
-
SHA512
6908029fa66341c70a58da031a2b75a7b1f1efb231702daa0cf54c892064093f4ed19fd7e4da0430603194a4b9edccf54a5b459a1b0de56ac28653cb1267463a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3576-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2412-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/232-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-893-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-1027-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-1109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3892-1286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1888 ppjdv.exe 4640 vjppj.exe 4496 jjppv.exe 3036 xxrlfxr.exe 2992 flxlllx.exe 2092 ffxrlrl.exe 5060 bthhhh.exe 2456 dvpjd.exe 4824 pppjj.exe 1312 lrlxlfr.exe 2704 jpppp.exe 516 htbthh.exe 1656 1rfxxlr.exe 2024 hhttnn.exe 708 htnbhb.exe 3956 pjdvp.exe 4128 7rfrffx.exe 1172 rrfxlfx.exe 1684 bbbbhh.exe 1120 vvvvv.exe 5028 ffrrrrr.exe 1176 dpdvp.exe 2480 lxrllff.exe 1804 7jjvp.exe 2352 bnhbtn.exe 2412 7lrfllr.exe 552 jvvjd.exe 3776 pvvvp.exe 3572 hbtnnh.exe 4948 tnnhhb.exe 1020 nhnnbn.exe 1352 bthbnn.exe 212 flffxxx.exe 3280 7btnhh.exe 3248 pjpvd.exe 2144 9lrxxxx.exe 4272 htbtth.exe 1688 jddpj.exe 4372 9xrxlll.exe 1404 nnnnbb.exe 1516 dvvdv.exe 2444 5xrfxrf.exe 1824 5bbbtt.exe 4772 jpdjp.exe 2308 lxffxxx.exe 3128 xlffffx.exe 3660 nnnhbb.exe 5024 1dvvp.exe 4572 flrlffx.exe 3788 tnnnhh.exe 3408 jjddd.exe 448 rflfffx.exe 3480 bbbbhh.exe 2408 9htnbn.exe 1624 ppvpp.exe 516 3lrrxxl.exe 32 hhthtn.exe 2452 3nthtb.exe 1584 9jjvp.exe 232 9lrlxfr.exe 5052 hnhhtt.exe 3992 5vjvp.exe 3508 lxfllrx.exe 4436 lrfxllx.exe -
resource yara_rule behavioral2/memory/3576-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3572-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-322-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/856-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-893-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3576 wrote to memory of 1888 3576 d8b7c84fce5ecafc40e0d3f27958f4af51998543c46478efd4f63e801d5380cb.exe 83 PID 3576 wrote to memory of 1888 3576 d8b7c84fce5ecafc40e0d3f27958f4af51998543c46478efd4f63e801d5380cb.exe 83 PID 3576 wrote to memory of 1888 3576 d8b7c84fce5ecafc40e0d3f27958f4af51998543c46478efd4f63e801d5380cb.exe 83 PID 1888 wrote to memory of 4640 1888 ppjdv.exe 84 PID 1888 wrote to memory of 4640 1888 ppjdv.exe 84 PID 1888 wrote to memory of 4640 1888 ppjdv.exe 84 PID 4640 wrote to memory of 4496 4640 vjppj.exe 85 PID 4640 wrote to memory of 4496 4640 vjppj.exe 85 PID 4640 wrote to memory of 4496 4640 vjppj.exe 85 PID 4496 wrote to memory of 3036 4496 jjppv.exe 86 PID 4496 wrote to memory of 3036 4496 jjppv.exe 86 PID 4496 wrote to memory of 3036 4496 jjppv.exe 86 PID 3036 wrote to memory of 2992 3036 xxrlfxr.exe 87 PID 3036 wrote to memory of 2992 3036 xxrlfxr.exe 87 PID 3036 wrote to memory of 2992 3036 xxrlfxr.exe 87 PID 2992 wrote to memory of 2092 2992 flxlllx.exe 88 PID 2992 wrote to memory of 2092 2992 flxlllx.exe 88 PID 2992 wrote to memory of 2092 2992 flxlllx.exe 88 PID 2092 wrote to memory of 5060 2092 ffxrlrl.exe 89 PID 2092 wrote to memory of 5060 2092 ffxrlrl.exe 89 PID 2092 wrote to memory of 5060 2092 ffxrlrl.exe 89 PID 5060 wrote to memory of 2456 5060 bthhhh.exe 90 PID 5060 wrote to memory of 2456 5060 bthhhh.exe 90 PID 5060 wrote to memory of 2456 5060 bthhhh.exe 90 PID 2456 wrote to memory of 4824 2456 dvpjd.exe 91 PID 2456 wrote to memory of 4824 2456 dvpjd.exe 91 PID 2456 wrote to memory of 4824 2456 dvpjd.exe 91 PID 4824 wrote to memory of 1312 4824 pppjj.exe 92 PID 4824 wrote to memory of 1312 4824 pppjj.exe 92 PID 4824 wrote to memory of 1312 4824 pppjj.exe 92 PID 1312 wrote to memory of 2704 1312 lrlxlfr.exe 93 PID 1312 wrote to memory of 2704 1312 lrlxlfr.exe 93 PID 1312 wrote to memory of 2704 1312 lrlxlfr.exe 93 PID 2704 wrote to memory of 516 2704 jpppp.exe 94 PID 2704 wrote to memory 
of 516 2704 jpppp.exe 94 PID 2704 wrote to memory of 516 2704 jpppp.exe 94 PID 516 wrote to memory of 1656 516 htbthh.exe 95 PID 516 wrote to memory of 1656 516 htbthh.exe 95 PID 516 wrote to memory of 1656 516 htbthh.exe 95 PID 1656 wrote to memory of 2024 1656 1rfxxlr.exe 96 PID 1656 wrote to memory of 2024 1656 1rfxxlr.exe 96 PID 1656 wrote to memory of 2024 1656 1rfxxlr.exe 96 PID 2024 wrote to memory of 708 2024 hhttnn.exe 97 PID 2024 wrote to memory of 708 2024 hhttnn.exe 97 PID 2024 wrote to memory of 708 2024 hhttnn.exe 97 PID 708 wrote to memory of 3956 708 htnbhb.exe 98 PID 708 wrote to memory of 3956 708 htnbhb.exe 98 PID 708 wrote to memory of 3956 708 htnbhb.exe 98 PID 3956 wrote to memory of 4128 3956 pjdvp.exe 99 PID 3956 wrote to memory of 4128 3956 pjdvp.exe 99 PID 3956 wrote to memory of 4128 3956 pjdvp.exe 99 PID 4128 wrote to memory of 1172 4128 7rfrffx.exe 100 PID 4128 wrote to memory of 1172 4128 7rfrffx.exe 100 PID 4128 wrote to memory of 1172 4128 7rfrffx.exe 100 PID 1172 wrote to memory of 1684 1172 rrfxlfx.exe 101 PID 1172 wrote to memory of 1684 1172 rrfxlfx.exe 101 PID 1172 wrote to memory of 1684 1172 rrfxlfx.exe 101 PID 1684 wrote to memory of 1120 1684 bbbbhh.exe 102 PID 1684 wrote to memory of 1120 1684 bbbbhh.exe 102 PID 1684 wrote to memory of 1120 1684 bbbbhh.exe 102 PID 1120 wrote to memory of 5028 1120 vvvvv.exe 103 PID 1120 wrote to memory of 5028 1120 vvvvv.exe 103 PID 1120 wrote to memory of 5028 1120 vvvvv.exe 103 PID 5028 wrote to memory of 1176 5028 ffrrrrr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8b7c84fce5ecafc40e0d3f27958f4af51998543c46478efd4f63e801d5380cb.exe"C:\Users\Admin\AppData\Local\Temp\d8b7c84fce5ecafc40e0d3f27958f4af51998543c46478efd4f63e801d5380cb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\ppjdv.exec:\ppjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\vjppj.exec:\vjppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\jjppv.exec:\jjppv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\xxrlfxr.exec:\xxrlfxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\flxlllx.exec:\flxlllx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\ffxrlrl.exec:\ffxrlrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\bthhhh.exec:\bthhhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\dvpjd.exec:\dvpjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\pppjj.exec:\pppjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\lrlxlfr.exec:\lrlxlfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\jpppp.exec:\jpppp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\htbthh.exec:\htbthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\1rfxxlr.exec:\1rfxxlr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\hhttnn.exec:\hhttnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\htnbhb.exec:\htnbhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
\??\c:\pjdvp.exec:\pjdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\7rfrffx.exec:\7rfrffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\rrfxlfx.exec:\rrfxlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\bbbbhh.exec:\bbbbhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\vvvvv.exec:\vvvvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\ffrrrrr.exec:\ffrrrrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\dpdvp.exec:\dpdvp.exe23⤵
- Executes dropped EXE
PID:1176 -
\??\c:\lxrllff.exec:\lxrllff.exe24⤵
- Executes dropped EXE
PID:2480 -
\??\c:\7jjvp.exec:\7jjvp.exe25⤵
- Executes dropped EXE
PID:1804 -
\??\c:\bnhbtn.exec:\bnhbtn.exe26⤵
- Executes dropped EXE
PID:2352 -
\??\c:\7lrfllr.exec:\7lrfllr.exe27⤵
- Executes dropped EXE
PID:2412 -
\??\c:\jvvjd.exec:\jvvjd.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:552 -
\??\c:\pvvvp.exec:\pvvvp.exe29⤵
- Executes dropped EXE
PID:3776 -
\??\c:\hbtnnh.exec:\hbtnnh.exe30⤵
- Executes dropped EXE
PID:3572 -
\??\c:\tnnhhb.exec:\tnnhhb.exe31⤵
- Executes dropped EXE
PID:4948 -
\??\c:\nhnnbn.exec:\nhnnbn.exe32⤵
- Executes dropped EXE
PID:1020 -
\??\c:\bthbnn.exec:\bthbnn.exe33⤵
- Executes dropped EXE
PID:1352 -
\??\c:\flffxxx.exec:\flffxxx.exe34⤵
- Executes dropped EXE
PID:212 -
\??\c:\7btnhh.exec:\7btnhh.exe35⤵
- Executes dropped EXE
PID:3280 -
\??\c:\pjpvd.exec:\pjpvd.exe36⤵
- Executes dropped EXE
PID:3248 -
\??\c:\9lrxxxx.exec:\9lrxxxx.exe37⤵
- Executes dropped EXE
PID:2144 -
\??\c:\htbtth.exec:\htbtth.exe38⤵
- Executes dropped EXE
PID:4272 -
\??\c:\jddpj.exec:\jddpj.exe39⤵
- Executes dropped EXE
PID:1688 -
\??\c:\9xrxlll.exec:\9xrxlll.exe40⤵
- Executes dropped EXE
PID:4372 -
\??\c:\nnnnbb.exec:\nnnnbb.exe41⤵
- Executes dropped EXE
PID:1404 -
\??\c:\dvvdv.exec:\dvvdv.exe42⤵
- Executes dropped EXE
PID:1516 -
\??\c:\5xrfxrf.exec:\5xrfxrf.exe43⤵
- Executes dropped EXE
PID:2444 -
\??\c:\5bbbtt.exec:\5bbbtt.exe44⤵
- Executes dropped EXE
PID:1824 -
\??\c:\jpdjp.exec:\jpdjp.exe45⤵
- Executes dropped EXE
PID:4772 -
\??\c:\lxffxxx.exec:\lxffxxx.exe46⤵
- Executes dropped EXE
PID:2308 -
\??\c:\xlffffx.exec:\xlffffx.exe47⤵
- Executes dropped EXE
PID:3128 -
\??\c:\nnnhbb.exec:\nnnhbb.exe48⤵
- Executes dropped EXE
PID:3660 -
\??\c:\1dvvp.exec:\1dvvp.exe49⤵
- Executes dropped EXE
PID:5024 -
\??\c:\flrlffx.exec:\flrlffx.exe50⤵
- Executes dropped EXE
PID:4572 -
\??\c:\tnnnhh.exec:\tnnnhh.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3788 -
\??\c:\jjddd.exec:\jjddd.exe52⤵
- Executes dropped EXE
PID:3408 -
\??\c:\rflfffx.exec:\rflfffx.exe53⤵
- Executes dropped EXE
PID:448 -
\??\c:\bbbbhh.exec:\bbbbhh.exe54⤵
- Executes dropped EXE
PID:3480 -
\??\c:\9htnbn.exec:\9htnbn.exe55⤵
- Executes dropped EXE
PID:2408 -
\??\c:\ppvpp.exec:\ppvpp.exe56⤵
- Executes dropped EXE
PID:1624 -
\??\c:\3lrrxxl.exec:\3lrrxxl.exe57⤵
- Executes dropped EXE
PID:516 -
\??\c:\hhthtn.exec:\hhthtn.exe58⤵
- Executes dropped EXE
PID:32 -
\??\c:\3nthtb.exec:\3nthtb.exe59⤵
- Executes dropped EXE
PID:2452 -
\??\c:\9jjvp.exec:\9jjvp.exe60⤵
- Executes dropped EXE
PID:1584 -
\??\c:\9lrlxfr.exec:\9lrlxfr.exe61⤵
- Executes dropped EXE
PID:232 -
\??\c:\hnhhtt.exec:\hnhhtt.exe62⤵
- Executes dropped EXE
PID:5052 -
\??\c:\5vjvp.exec:\5vjvp.exe63⤵
- Executes dropped EXE
PID:3992 -
\??\c:\lxfllrx.exec:\lxfllrx.exe64⤵
- Executes dropped EXE
PID:3508 -
\??\c:\lrfxllx.exec:\lrfxllx.exe65⤵
- Executes dropped EXE
PID:4436 -
\??\c:\ddddj.exec:\ddddj.exe66⤵PID:2380
-
\??\c:\1ffrxrx.exec:\1ffrxrx.exe67⤵PID:3744
-
\??\c:\5bhbbb.exec:\5bhbbb.exe68⤵PID:840
-
\??\c:\thtttt.exec:\thtttt.exe69⤵PID:1408
-
\??\c:\jppvp.exec:\jppvp.exe70⤵PID:3292
-
\??\c:\9xffxfr.exec:\9xffxfr.exe71⤵PID:2360
-
\??\c:\bnnbtt.exec:\bnnbtt.exe72⤵PID:5028
-
\??\c:\vvpdv.exec:\vvpdv.exe73⤵PID:3964
-
\??\c:\3dpjj.exec:\3dpjj.exe74⤵PID:856
-
\??\c:\ffxxrrl.exec:\ffxxrrl.exe75⤵PID:1176
-
\??\c:\tntnnn.exec:\tntnnn.exe76⤵PID:3228
-
\??\c:\dppjd.exec:\dppjd.exe77⤵PID:636
-
\??\c:\vvvpj.exec:\vvvpj.exe78⤵PID:3260
-
\??\c:\3lfxrrl.exec:\3lfxrrl.exe79⤵PID:3916
-
\??\c:\nhnbbt.exec:\nhnbbt.exe80⤵PID:5072
-
\??\c:\jpvjp.exec:\jpvjp.exe81⤵PID:2372
-
\??\c:\rlrrlrl.exec:\rlrrlrl.exe82⤵PID:4800
-
\??\c:\rlxrllf.exec:\rlxrllf.exe83⤵PID:736
-
\??\c:\hnnnnn.exec:\hnnnnn.exe84⤵PID:2780
-
\??\c:\jjjdp.exec:\jjjdp.exe85⤵PID:4716
-
\??\c:\djjjd.exec:\djjjd.exe86⤵PID:4560
-
\??\c:\xrfxlfr.exec:\xrfxlfr.exe87⤵PID:1540
-
\??\c:\nhhhbb.exec:\nhhhbb.exe88⤵PID:344
-
\??\c:\hhnhnn.exec:\hhnhnn.exe89⤵PID:3600
-
\??\c:\pdddv.exec:\pdddv.exe90⤵PID:1696
-
\??\c:\llrrrrx.exec:\llrrrrx.exe91⤵PID:4272
-
\??\c:\nnnhbt.exec:\nnnhbt.exe92⤵PID:5108
-
\??\c:\djvvv.exec:\djvvv.exe93⤵PID:4700
-
\??\c:\rxxrrxr.exec:\rxxrrxr.exe94⤵PID:3576
-
\??\c:\vpdpj.exec:\vpdpj.exe95⤵PID:2416
-
\??\c:\vjjdd.exec:\vjjdd.exe96⤵PID:1816
-
\??\c:\nhbthb.exec:\nhbthb.exe97⤵PID:4844
-
\??\c:\ntbbhh.exec:\ntbbhh.exe98⤵PID:2308
-
\??\c:\vddvp.exec:\vddvp.exe99⤵PID:1068
-
\??\c:\rlfrllx.exec:\rlfrllx.exe100⤵PID:2092
-
\??\c:\5hbtnt.exec:\5hbtnt.exe101⤵PID:1472
-
\??\c:\3pvpp.exec:\3pvpp.exe102⤵PID:936
-
\??\c:\3llxfxr.exec:\3llxfxr.exe103⤵PID:3304
-
\??\c:\rxllfff.exec:\rxllfff.exe104⤵PID:3788
-
\??\c:\3hhbbh.exec:\3hhbbh.exe105⤵PID:3272
-
\??\c:\pvpjj.exec:\pvpjj.exe106⤵PID:3900
-
\??\c:\7lrrrrr.exec:\7lrrrrr.exe107⤵PID:3696
-
\??\c:\nthbbb.exec:\nthbbb.exe108⤵PID:3480
-
\??\c:\nhthht.exec:\nhthht.exe109⤵PID:2864
-
\??\c:\vvddd.exec:\vvddd.exe110⤵PID:3396
-
\??\c:\5rxxrrr.exec:\5rxxrrr.exe111⤵PID:4004
-
\??\c:\frxxxfl.exec:\frxxxfl.exe112⤵PID:4596
-
\??\c:\tbthtn.exec:\tbthtn.exe113⤵PID:4876
-
\??\c:\5jdjv.exec:\5jdjv.exe114⤵PID:4396
-
\??\c:\rxrlfff.exec:\rxrlfff.exe115⤵PID:3264
-
\??\c:\nhhttt.exec:\nhhttt.exe116⤵PID:208
-
\??\c:\bthbht.exec:\bthbht.exe117⤵PID:4704
-
\??\c:\vpvpj.exec:\vpvpj.exe118⤵PID:5052
-
\??\c:\lffxlrl.exec:\lffxlrl.exe119⤵PID:4376
-
\??\c:\lrfxllx.exec:\lrfxllx.exe120⤵PID:1296
-
\??\c:\tbbbtb.exec:\tbbbtb.exe121⤵PID:3028
-
\??\c:\ddpvv.exec:\ddpvv.exe122⤵PID:2380