Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 21:02
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe
-
Size
453KB
-
MD5
6c2363aa38f236c0cf59842c9dc4add1
-
SHA1
b7137d103c69091fe2a0b124af8bf2599c5adad6
-
SHA256
44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c
-
SHA512
fa1317022d9d692f16720c8d32e4005a2e569ae61b0ac0912c94c35ed70c6940c6f79f6cd2cb153418f83787c97160888c9d4cc5c1ba79fe54b4d6a116189855
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1816-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2592-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4976-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-828-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-893-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-1257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-1366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-1406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1208 3vvpj.exe 4456 pjjdv.exe 4240 llrllff.exe 1672 bhhhhb.exe 2928 7lrrfff.exe 3944 jvpjd.exe 2756 9bnhbh.exe 2640 tntnbt.exe 1240 5ththn.exe 1380 lrflrxr.exe 2320 btbtnn.exe 3564 9jvpp.exe 348 9ffxrrl.exe 5096 xrrlfff.exe 2120 ppjdd.exe 2156 xfffffx.exe 2772 dddvp.exe 3612 djddv.exe 2636 9lrxxff.exe 5020 bhnnbt.exe 3796 fffffll.exe 3568 thhnnt.exe 4916 5pdvd.exe 1332 lflfxxx.exe 4592 rfxxrrr.exe 2592 djppp.exe 2072 pppdp.exe 4120 hbhbhb.exe 3224 7ffxrxr.exe 4568 frfffrr.exe 2444 fxffxff.exe 2124 dpvjp.exe 4508 tnbtbb.exe 3828 pjvpp.exe 4252 xxfffll.exe 1628 nhtnnn.exe 2632 djvjv.exe 224 ppjdp.exe 2688 frxrllx.exe 640 thbttn.exe 4680 vpvpp.exe 1512 flffxxx.exe 2388 tthhbb.exe 2080 jdddv.exe 2504 flxxlfl.exe 4432 5hnhbt.exe 1976 nhhbhb.exe 3420 vvvvd.exe 5028 lllfxxr.exe 1920 tthhhh.exe 4212 jvddv.exe 4392 lfrrxfl.exe 2880 thnhbb.exe 1244 dvddj.exe 1648 fflfrfl.exe 1488 btbtnh.exe 2928 ntbttn.exe 1656 9vvjd.exe 2536 rrfxxxr.exe 4840 ddddd.exe 1228 pvdvd.exe 1172 xrrrlll.exe 1740 bbhbhb.exe 2424 dvdvv.exe -
resource yara_rule behavioral2/memory/1816-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3224-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-356-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2588-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-828-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-859-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-893-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-1257-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfffrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1816 wrote to memory of 1208 1816 44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe 82 PID 1816 wrote to memory of 1208 1816 44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe 82 PID 1816 wrote to memory of 1208 1816 44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe 82 PID 1208 wrote to memory of 4456 1208 3vvpj.exe 83 PID 1208 wrote to memory of 4456 1208 3vvpj.exe 83 PID 1208 wrote to memory of 4456 1208 3vvpj.exe 83 PID 4456 wrote to memory of 4240 4456 pjjdv.exe 84 PID 4456 wrote to memory of 4240 4456 pjjdv.exe 84 PID 4456 wrote to memory of 4240 4456 pjjdv.exe 84 PID 4240 wrote to memory of 1672 4240 llrllff.exe 85 PID 4240 wrote to memory of 1672 4240 llrllff.exe 85 PID 4240 wrote to memory of 1672 4240 llrllff.exe 85 PID 1672 wrote to memory of 2928 1672 bhhhhb.exe 86 PID 1672 wrote to memory of 2928 1672 bhhhhb.exe 86 PID 1672 wrote to memory of 2928 1672 bhhhhb.exe 86 PID 2928 wrote to memory of 3944 2928 7lrrfff.exe 87 PID 2928 wrote to memory of 3944 2928 7lrrfff.exe 87 PID 2928 wrote to memory of 3944 2928 7lrrfff.exe 87 PID 3944 wrote to memory of 2756 3944 jvpjd.exe 88 PID 3944 wrote to memory of 2756 3944 jvpjd.exe 88 PID 3944 wrote to memory of 2756 3944 jvpjd.exe 88 PID 2756 wrote to memory of 2640 2756 9bnhbh.exe 89 PID 2756 wrote to memory of 2640 2756 9bnhbh.exe 89 PID 2756 wrote to memory of 2640 2756 9bnhbh.exe 89 PID 2640 wrote to memory of 1240 2640 tntnbt.exe 90 PID 2640 wrote to memory of 1240 2640 tntnbt.exe 90 PID 2640 wrote to memory of 1240 2640 tntnbt.exe 90 PID 1240 wrote to memory of 1380 1240 5ththn.exe 91 PID 1240 wrote to memory of 1380 1240 5ththn.exe 91 PID 1240 wrote to memory of 1380 1240 5ththn.exe 91 PID 1380 wrote to memory of 2320 1380 lrflrxr.exe 92 PID 1380 wrote to memory of 2320 1380 lrflrxr.exe 92 PID 1380 wrote to memory of 2320 1380 lrflrxr.exe 92 PID 2320 wrote to memory of 3564 2320 btbtnn.exe 93 PID 2320 wrote to 
memory of 3564 2320 btbtnn.exe 93 PID 2320 wrote to memory of 3564 2320 btbtnn.exe 93 PID 3564 wrote to memory of 348 3564 9jvpp.exe 94 PID 3564 wrote to memory of 348 3564 9jvpp.exe 94 PID 3564 wrote to memory of 348 3564 9jvpp.exe 94 PID 348 wrote to memory of 5096 348 9ffxrrl.exe 95 PID 348 wrote to memory of 5096 348 9ffxrrl.exe 95 PID 348 wrote to memory of 5096 348 9ffxrrl.exe 95 PID 5096 wrote to memory of 2120 5096 xrrlfff.exe 96 PID 5096 wrote to memory of 2120 5096 xrrlfff.exe 96 PID 5096 wrote to memory of 2120 5096 xrrlfff.exe 96 PID 2120 wrote to memory of 2156 2120 ppjdd.exe 97 PID 2120 wrote to memory of 2156 2120 ppjdd.exe 97 PID 2120 wrote to memory of 2156 2120 ppjdd.exe 97 PID 2156 wrote to memory of 2772 2156 xfffffx.exe 98 PID 2156 wrote to memory of 2772 2156 xfffffx.exe 98 PID 2156 wrote to memory of 2772 2156 xfffffx.exe 98 PID 2772 wrote to memory of 3612 2772 dddvp.exe 99 PID 2772 wrote to memory of 3612 2772 dddvp.exe 99 PID 2772 wrote to memory of 3612 2772 dddvp.exe 99 PID 3612 wrote to memory of 2636 3612 djddv.exe 100 PID 3612 wrote to memory of 2636 3612 djddv.exe 100 PID 3612 wrote to memory of 2636 3612 djddv.exe 100 PID 2636 wrote to memory of 5020 2636 9lrxxff.exe 101 PID 2636 wrote to memory of 5020 2636 9lrxxff.exe 101 PID 2636 wrote to memory of 5020 2636 9lrxxff.exe 101 PID 5020 wrote to memory of 3796 5020 bhnnbt.exe 102 PID 5020 wrote to memory of 3796 5020 bhnnbt.exe 102 PID 5020 wrote to memory of 3796 5020 bhnnbt.exe 102 PID 3796 wrote to memory of 3568 3796 fffffll.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe"C:\Users\Admin\AppData\Local\Temp\44087ae08415466e0fa3644f6126d3c4521e1487121256311c742b410f9b583c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\3vvpj.exec:\3vvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\pjjdv.exec:\pjjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\llrllff.exec:\llrllff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\bhhhhb.exec:\bhhhhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\7lrrfff.exec:\7lrrfff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\jvpjd.exec:\jvpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\9bnhbh.exec:\9bnhbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\tntnbt.exec:\tntnbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\5ththn.exec:\5ththn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1240 -
\??\c:\lrflrxr.exec:\lrflrxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\btbtnn.exec:\btbtnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\9jvpp.exec:\9jvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\9ffxrrl.exec:\9ffxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\xrrlfff.exec:\xrrlfff.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\ppjdd.exec:\ppjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\xfffffx.exec:\xfffffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\dddvp.exec:\dddvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\djddv.exec:\djddv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\9lrxxff.exec:\9lrxxff.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\bhnnbt.exec:\bhnnbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\fffffll.exec:\fffffll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
\??\c:\thhnnt.exec:\thhnnt.exe23⤵
- Executes dropped EXE
PID:3568 -
\??\c:\5pdvd.exec:\5pdvd.exe24⤵
- Executes dropped EXE
PID:4916 -
\??\c:\lflfxxx.exec:\lflfxxx.exe25⤵
- Executes dropped EXE
PID:1332 -
\??\c:\rfxxrrr.exec:\rfxxrrr.exe26⤵
- Executes dropped EXE
PID:4592 -
\??\c:\djppp.exec:\djppp.exe27⤵
- Executes dropped EXE
PID:2592 -
\??\c:\pppdp.exec:\pppdp.exe28⤵
- Executes dropped EXE
PID:2072 -
\??\c:\hbhbhb.exec:\hbhbhb.exe29⤵
- Executes dropped EXE
PID:4120 -
\??\c:\7ffxrxr.exec:\7ffxrxr.exe30⤵
- Executes dropped EXE
PID:3224 -
\??\c:\frfffrr.exec:\frfffrr.exe31⤵
- Executes dropped EXE
PID:4568 -
\??\c:\fxffxff.exec:\fxffxff.exe32⤵
- Executes dropped EXE
PID:2444 -
\??\c:\dpvjp.exec:\dpvjp.exe33⤵
- Executes dropped EXE
PID:2124 -
\??\c:\tnbtbb.exec:\tnbtbb.exe34⤵
- Executes dropped EXE
PID:4508 -
\??\c:\pjvpp.exec:\pjvpp.exe35⤵
- Executes dropped EXE
PID:3828 -
\??\c:\xxfffll.exec:\xxfffll.exe36⤵
- Executes dropped EXE
PID:4252 -
\??\c:\nhtnnn.exec:\nhtnnn.exe37⤵
- Executes dropped EXE
PID:1628 -
\??\c:\djvjv.exec:\djvjv.exe38⤵
- Executes dropped EXE
PID:2632 -
\??\c:\ppjdp.exec:\ppjdp.exe39⤵
- Executes dropped EXE
PID:224 -
\??\c:\frxrllx.exec:\frxrllx.exe40⤵
- Executes dropped EXE
PID:2688 -
\??\c:\thbttn.exec:\thbttn.exe41⤵
- Executes dropped EXE
PID:640 -
\??\c:\vpvpp.exec:\vpvpp.exe42⤵
- Executes dropped EXE
PID:4680 -
\??\c:\flffxxx.exec:\flffxxx.exe43⤵
- Executes dropped EXE
PID:1512 -
\??\c:\tthhbb.exec:\tthhbb.exe44⤵
- Executes dropped EXE
PID:2388 -
\??\c:\jdddv.exec:\jdddv.exe45⤵
- Executes dropped EXE
PID:2080 -
\??\c:\flxxlfl.exec:\flxxlfl.exe46⤵
- Executes dropped EXE
PID:2504 -
\??\c:\5hnhbt.exec:\5hnhbt.exe47⤵
- Executes dropped EXE
PID:4432 -
\??\c:\nhhbhb.exec:\nhhbhb.exe48⤵
- Executes dropped EXE
PID:1976 -
\??\c:\vvvvd.exec:\vvvvd.exe49⤵
- Executes dropped EXE
PID:3420 -
\??\c:\lllfxxr.exec:\lllfxxr.exe50⤵
- Executes dropped EXE
PID:5028 -
\??\c:\tthhhh.exec:\tthhhh.exe51⤵
- Executes dropped EXE
PID:1920 -
\??\c:\jvddv.exec:\jvddv.exe52⤵
- Executes dropped EXE
PID:4212 -
\??\c:\lfrrxfl.exec:\lfrrxfl.exe53⤵
- Executes dropped EXE
PID:4392 -
\??\c:\thnhbb.exec:\thnhbb.exe54⤵
- Executes dropped EXE
PID:2880 -
\??\c:\dvddj.exec:\dvddj.exe55⤵
- Executes dropped EXE
PID:1244 -
\??\c:\fflfrfl.exec:\fflfrfl.exe56⤵
- Executes dropped EXE
PID:1648 -
\??\c:\btbtnh.exec:\btbtnh.exe57⤵
- Executes dropped EXE
PID:1488 -
\??\c:\ntbttn.exec:\ntbttn.exe58⤵
- Executes dropped EXE
PID:2928 -
\??\c:\9vvjd.exec:\9vvjd.exe59⤵
- Executes dropped EXE
PID:1656 -
\??\c:\rrfxxxr.exec:\rrfxxxr.exe60⤵
- Executes dropped EXE
PID:2536 -
\??\c:\ddddd.exec:\ddddd.exe61⤵
- Executes dropped EXE
PID:4840 -
\??\c:\pvdvd.exec:\pvdvd.exe62⤵
- Executes dropped EXE
PID:1228 -
\??\c:\xrrrlll.exec:\xrrrlll.exe63⤵
- Executes dropped EXE
PID:1172 -
\??\c:\bbhbhb.exec:\bbhbhb.exe64⤵
- Executes dropped EXE
PID:1740 -
\??\c:\dvdvv.exec:\dvdvv.exe65⤵
- Executes dropped EXE
PID:2424 -
\??\c:\rrrlfff.exec:\rrrlfff.exe66⤵PID:4504
-
\??\c:\hnnhbb.exec:\hnnhbb.exe67⤵
- System Location Discovery: System Language Discovery
PID:4976 -
\??\c:\3ddvp.exec:\3ddvp.exe68⤵PID:2400
-
\??\c:\lxffffx.exec:\lxffffx.exe69⤵PID:3284
-
\??\c:\bbbbth.exec:\bbbbth.exe70⤵PID:3564
-
\??\c:\nnbtnh.exec:\nnbtnh.exe71⤵PID:808
-
\??\c:\vddvv.exec:\vddvv.exe72⤵PID:744
-
\??\c:\lfxlxxl.exec:\lfxlxxl.exe73⤵PID:3600
-
\??\c:\tnhbbh.exec:\tnhbbh.exe74⤵PID:1636
-
\??\c:\pjjpp.exec:\pjjpp.exe75⤵PID:1768
-
\??\c:\pjvpp.exec:\pjvpp.exe76⤵PID:1452
-
\??\c:\lflfllf.exec:\lflfllf.exe77⤵PID:4104
-
\??\c:\btbnhb.exec:\btbnhb.exe78⤵PID:3056
-
\??\c:\9jpjj.exec:\9jpjj.exe79⤵PID:3036
-
\??\c:\xlfxrrl.exec:\xlfxrrl.exe80⤵PID:3396
-
\??\c:\5xfxllr.exec:\5xfxllr.exe81⤵PID:3612
-
\??\c:\btbhhh.exec:\btbhhh.exe82⤵PID:1108
-
\??\c:\vppjd.exec:\vppjd.exe83⤵PID:2588
-
\??\c:\lrrrflx.exec:\lrrrflx.exe84⤵PID:3368
-
\??\c:\tnnhtt.exec:\tnnhtt.exe85⤵PID:1180
-
\??\c:\7dvvp.exec:\7dvvp.exe86⤵PID:624
-
\??\c:\vvjjp.exec:\vvjjp.exe87⤵PID:4916
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe88⤵PID:2076
-
\??\c:\nbnhnn.exec:\nbnhnn.exe89⤵PID:2540
-
\??\c:\7ddvp.exec:\7ddvp.exe90⤵
- System Location Discovery: System Language Discovery
PID:3868 -
\??\c:\llrrlfx.exec:\llrrlfx.exe91⤵PID:2592
-
\??\c:\bhhbtt.exec:\bhhbtt.exe92⤵PID:3928
-
\??\c:\pdddv.exec:\pdddv.exe93⤵PID:1872
-
\??\c:\fllfxfx.exec:\fllfxfx.exe94⤵PID:1304
-
\??\c:\3xrrllx.exec:\3xrrllx.exe95⤵PID:5100
-
\??\c:\hbbbtb.exec:\hbbbtb.exe96⤵PID:4732
-
\??\c:\ddjdd.exec:\ddjdd.exe97⤵PID:4888
-
\??\c:\xrfflrr.exec:\xrfflrr.exe98⤵PID:5060
-
\??\c:\bbnnnn.exec:\bbnnnn.exe99⤵PID:3488
-
\??\c:\ddvpp.exec:\ddvpp.exe100⤵PID:2952
-
\??\c:\lrxfxfx.exec:\lrxfxfx.exe101⤵PID:1984
-
\??\c:\lfrrrrr.exec:\lfrrrrr.exe102⤵PID:1404
-
\??\c:\bbbbtt.exec:\bbbbtt.exe103⤵PID:544
-
\??\c:\5vvpp.exec:\5vvpp.exe104⤵PID:1288
-
\??\c:\ffrlfxx.exec:\ffrlfxx.exe105⤵PID:1912
-
\??\c:\rfxfxrr.exec:\rfxfxrr.exe106⤵
- System Location Discovery: System Language Discovery
PID:2220 -
\??\c:\9tbtnn.exec:\9tbtnn.exe107⤵PID:748
-
\??\c:\jjjjd.exec:\jjjjd.exe108⤵PID:4296
-
\??\c:\xfrlfxx.exec:\xfrlfxx.exe109⤵PID:3492
-
\??\c:\3rxxxxx.exec:\3rxxxxx.exe110⤵PID:1908
-
\??\c:\bttttb.exec:\bttttb.exe111⤵PID:1512
-
\??\c:\pdddd.exec:\pdddd.exe112⤵PID:2388
-
\??\c:\rxlfxxx.exec:\rxlfxxx.exe113⤵PID:3588
-
\??\c:\fxffllf.exec:\fxffllf.exe114⤵PID:4872
-
\??\c:\7thbht.exec:\7thbht.exe115⤵PID:4432
-
\??\c:\3vjjd.exec:\3vjjd.exe116⤵PID:1748
-
\??\c:\1jvdv.exec:\1jvdv.exe117⤵PID:4236
-
\??\c:\llffllr.exec:\llffllr.exe118⤵PID:3008
-
\??\c:\bbbbtt.exec:\bbbbtt.exe119⤵PID:1960
-
\??\c:\9jvpj.exec:\9jvpj.exe120⤵PID:4240
-
\??\c:\rlrlfxx.exec:\rlrlfxx.exe121⤵PID:2980
-
\??\c:\5tbbtn.exec:\5tbbtn.exe122⤵PID:2940