Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 03:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe
-
Size
454KB
-
MD5
a4319609f28b9d61afba64238ae38020
-
SHA1
3e997874e47f6c90dce9e409d5c928199734ce41
-
SHA256
1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8
-
SHA512
a8e277f5e23510603da42044d17865e94e6351299917b67f15af91c45a0eecf456595b60cf29778209b4bc0b9a1a56657383b20f6b4fa990e3fa213c62816cd5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3060-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/528-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4064-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-839-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1836-1145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3768 pdppp.exe 2276 pvdvp.exe 5072 5jjjj.exe 3440 08604.exe 2900 tttnnn.exe 532 08826.exe 2200 8026622.exe 4448 vpppv.exe 1016 xrxrrrr.exe 4768 828288.exe 3300 7xxxffl.exe 2668 866000.exe 1152 dpddv.exe 3696 tnnhbt.exe 1988 48604.exe 3384 pvvpj.exe 3032 jpjpv.exe 1552 vpvjv.exe 660 hbtnbb.exe 2464 s4424.exe 4864 xllffxl.exe 4408 vvvvp.exe 3748 64422.exe 1640 4448604.exe 2248 htnbtn.exe 1240 fxxlxlf.exe 3332 g8842.exe 4784 1tbnbt.exe 396 20042.exe 528 4408486.exe 928 nnnhbt.exe 4304 xllxlxr.exe 2820 bbbthh.exe 1732 lxxlrlf.exe 1860 48826.exe 4040 04426.exe 3084 80260.exe 1080 000040.exe 4648 04288.exe 2412 llfxxxx.exe 4820 7jppv.exe 5076 68280.exe 3960 60200.exe 4592 rrxffxx.exe 4912 6488266.exe 3212 2622600.exe 1688 rlrlxxr.exe 2208 606044.exe 2028 2628666.exe 976 24826.exe 1968 i866004.exe 1376 3nhhbn.exe 2040 jdppd.exe 3428 lrxrrrr.exe 3292 7hhhbb.exe 1084 tnnhbt.exe 5036 84604.exe 1852 g4480.exe 2332 7bhbbb.exe 1600 w62226.exe 3260 80420.exe 2240 22606.exe 732 60882.exe 4884 fxxlfxr.exe -
resource yara_rule behavioral2/memory/3060-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-172-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1732-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3200-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-836-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2848266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4282008.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4408486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrfxrf.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 200206.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 66484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6060084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 884860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268222.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3060 wrote to memory of 3768 3060 1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe 85 PID 3060 wrote to memory of 3768 3060 1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe 85 PID 3060 wrote to memory of 3768 3060 1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe 85 PID 3768 wrote to memory of 2276 3768 pdppp.exe 86 PID 3768 wrote to memory of 2276 3768 pdppp.exe 86 PID 3768 wrote to memory of 2276 3768 pdppp.exe 86 PID 2276 wrote to memory of 5072 2276 pvdvp.exe 87 PID 2276 wrote to memory of 5072 2276 pvdvp.exe 87 PID 2276 wrote to memory of 5072 2276 pvdvp.exe 87 PID 5072 wrote to memory of 3440 5072 5jjjj.exe 88 PID 5072 wrote to memory of 3440 5072 5jjjj.exe 88 PID 5072 wrote to memory of 3440 5072 5jjjj.exe 88 PID 3440 wrote to memory of 2900 3440 08604.exe 89 PID 3440 wrote to memory of 2900 3440 08604.exe 89 PID 3440 wrote to memory of 2900 3440 08604.exe 89 PID 2900 wrote to memory of 532 2900 tttnnn.exe 90 PID 2900 wrote to memory of 532 2900 tttnnn.exe 90 PID 2900 wrote to memory of 532 2900 tttnnn.exe 90 PID 532 wrote to memory of 2200 532 08826.exe 91 PID 532 wrote to memory of 2200 532 08826.exe 91 PID 532 wrote to memory of 2200 532 08826.exe 91 PID 2200 wrote to memory of 4448 2200 8026622.exe 92 PID 2200 wrote to memory of 4448 2200 8026622.exe 92 PID 2200 wrote to memory of 4448 2200 8026622.exe 92 PID 4448 wrote to memory of 1016 4448 vpppv.exe 93 PID 4448 wrote to memory of 1016 4448 vpppv.exe 93 PID 4448 wrote to memory of 1016 4448 vpppv.exe 93 PID 1016 wrote to memory of 4768 1016 xrxrrrr.exe 94 PID 1016 wrote to memory of 4768 1016 xrxrrrr.exe 94 PID 1016 wrote to memory of 4768 1016 xrxrrrr.exe 94 PID 4768 wrote to memory of 3300 4768 828288.exe 95 PID 4768 wrote to memory of 3300 4768 828288.exe 95 PID 4768 wrote to memory of 3300 4768 828288.exe 95 PID 3300 wrote to memory of 2668 3300 7xxxffl.exe 96 PID 3300 wrote to memory of 2668 
3300 7xxxffl.exe 96 PID 3300 wrote to memory of 2668 3300 7xxxffl.exe 96 PID 2668 wrote to memory of 1152 2668 866000.exe 97 PID 2668 wrote to memory of 1152 2668 866000.exe 97 PID 2668 wrote to memory of 1152 2668 866000.exe 97 PID 1152 wrote to memory of 3696 1152 dpddv.exe 98 PID 1152 wrote to memory of 3696 1152 dpddv.exe 98 PID 1152 wrote to memory of 3696 1152 dpddv.exe 98 PID 3696 wrote to memory of 1988 3696 tnnhbt.exe 99 PID 3696 wrote to memory of 1988 3696 tnnhbt.exe 99 PID 3696 wrote to memory of 1988 3696 tnnhbt.exe 99 PID 1988 wrote to memory of 3384 1988 48604.exe 100 PID 1988 wrote to memory of 3384 1988 48604.exe 100 PID 1988 wrote to memory of 3384 1988 48604.exe 100 PID 3384 wrote to memory of 3032 3384 pvvpj.exe 101 PID 3384 wrote to memory of 3032 3384 pvvpj.exe 101 PID 3384 wrote to memory of 3032 3384 pvvpj.exe 101 PID 3032 wrote to memory of 1552 3032 jpjpv.exe 102 PID 3032 wrote to memory of 1552 3032 jpjpv.exe 102 PID 3032 wrote to memory of 1552 3032 jpjpv.exe 102 PID 1552 wrote to memory of 660 1552 vpvjv.exe 103 PID 1552 wrote to memory of 660 1552 vpvjv.exe 103 PID 1552 wrote to memory of 660 1552 vpvjv.exe 103 PID 660 wrote to memory of 2464 660 hbtnbb.exe 104 PID 660 wrote to memory of 2464 660 hbtnbb.exe 104 PID 660 wrote to memory of 2464 660 hbtnbb.exe 104 PID 2464 wrote to memory of 4864 2464 s4424.exe 105 PID 2464 wrote to memory of 4864 2464 s4424.exe 105 PID 2464 wrote to memory of 4864 2464 s4424.exe 105 PID 4864 wrote to memory of 4408 4864 xllffxl.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe"C:\Users\Admin\AppData\Local\Temp\1044b54a9a76bb5011e457f9d0b3aa2c14648dca8e06209c579c388fbaa708a8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\pdppp.exec:\pdppp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\pvdvp.exec:\pvdvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\5jjjj.exec:\5jjjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\08604.exec:\08604.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
\??\c:\tttnnn.exec:\tttnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\08826.exec:\08826.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\8026622.exec:\8026622.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\vpppv.exec:\vpppv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\828288.exec:\828288.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\7xxxffl.exec:\7xxxffl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\866000.exec:\866000.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\dpddv.exec:\dpddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\tnnhbt.exec:\tnnhbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\48604.exec:\48604.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\pvvpj.exec:\pvvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\jpjpv.exec:\jpjpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\vpvjv.exec:\vpvjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\hbtnbb.exec:\hbtnbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
\??\c:\s4424.exec:\s4424.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\xllffxl.exec:\xllffxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\vvvvp.exec:\vvvvp.exe23⤵
- Executes dropped EXE
PID:4408 -
\??\c:\64422.exec:\64422.exe24⤵
- Executes dropped EXE
PID:3748 -
\??\c:\4448604.exec:\4448604.exe25⤵
- Executes dropped EXE
PID:1640 -
\??\c:\htnbtn.exec:\htnbtn.exe26⤵
- Executes dropped EXE
PID:2248 -
\??\c:\fxxlxlf.exec:\fxxlxlf.exe27⤵
- Executes dropped EXE
PID:1240 -
\??\c:\g8842.exec:\g8842.exe28⤵
- Executes dropped EXE
PID:3332 -
\??\c:\1tbnbt.exec:\1tbnbt.exe29⤵
- Executes dropped EXE
PID:4784 -
\??\c:\20042.exec:\20042.exe30⤵
- Executes dropped EXE
PID:396 -
\??\c:\4408486.exec:\4408486.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:528 -
\??\c:\nnnhbt.exec:\nnnhbt.exe32⤵
- Executes dropped EXE
PID:928 -
\??\c:\xllxlxr.exec:\xllxlxr.exe33⤵
- Executes dropped EXE
PID:4304 -
\??\c:\bbbthh.exec:\bbbthh.exe34⤵
- Executes dropped EXE
PID:2820 -
\??\c:\lxxlrlf.exec:\lxxlrlf.exe35⤵
- Executes dropped EXE
PID:1732 -
\??\c:\48826.exec:\48826.exe36⤵
- Executes dropped EXE
PID:1860 -
\??\c:\04426.exec:\04426.exe37⤵
- Executes dropped EXE
PID:4040 -
\??\c:\80260.exec:\80260.exe38⤵
- Executes dropped EXE
PID:3084 -
\??\c:\000040.exec:\000040.exe39⤵
- Executes dropped EXE
PID:1080 -
\??\c:\04288.exec:\04288.exe40⤵
- Executes dropped EXE
PID:4648 -
\??\c:\llfxxxx.exec:\llfxxxx.exe41⤵
- Executes dropped EXE
PID:2412 -
\??\c:\7jppv.exec:\7jppv.exe42⤵
- Executes dropped EXE
PID:4820 -
\??\c:\68280.exec:\68280.exe43⤵
- Executes dropped EXE
PID:5076 -
\??\c:\60200.exec:\60200.exe44⤵
- Executes dropped EXE
PID:3960 -
\??\c:\rrxffxx.exec:\rrxffxx.exe45⤵
- Executes dropped EXE
PID:4592 -
\??\c:\6488266.exec:\6488266.exe46⤵
- Executes dropped EXE
PID:4912 -
\??\c:\2622600.exec:\2622600.exe47⤵
- Executes dropped EXE
PID:3212 -
\??\c:\rlrlxxr.exec:\rlrlxxr.exe48⤵
- Executes dropped EXE
PID:1688 -
\??\c:\606044.exec:\606044.exe49⤵
- Executes dropped EXE
PID:2208 -
\??\c:\2628666.exec:\2628666.exe50⤵
- Executes dropped EXE
PID:2028 -
\??\c:\24826.exec:\24826.exe51⤵
- Executes dropped EXE
PID:976 -
\??\c:\i866004.exec:\i866004.exe52⤵
- Executes dropped EXE
PID:1968 -
\??\c:\3nhhbn.exec:\3nhhbn.exe53⤵
- Executes dropped EXE
PID:1376 -
\??\c:\jdppd.exec:\jdppd.exe54⤵
- Executes dropped EXE
PID:2040 -
\??\c:\lrxrrrr.exec:\lrxrrrr.exe55⤵
- Executes dropped EXE
PID:3428 -
\??\c:\7hhhbb.exec:\7hhhbb.exe56⤵
- Executes dropped EXE
PID:3292 -
\??\c:\tnnhbt.exec:\tnnhbt.exe57⤵
- Executes dropped EXE
PID:1084 -
\??\c:\84604.exec:\84604.exe58⤵
- Executes dropped EXE
PID:5036 -
\??\c:\g4480.exec:\g4480.exe59⤵
- Executes dropped EXE
PID:1852 -
\??\c:\7bhbbb.exec:\7bhbbb.exe60⤵
- Executes dropped EXE
PID:2332 -
\??\c:\w62226.exec:\w62226.exe61⤵
- Executes dropped EXE
PID:1600 -
\??\c:\80420.exec:\80420.exe62⤵
- Executes dropped EXE
PID:3260 -
\??\c:\22606.exec:\22606.exe63⤵
- Executes dropped EXE
PID:2240 -
\??\c:\60882.exec:\60882.exe64⤵
- Executes dropped EXE
PID:732 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe65⤵
- Executes dropped EXE
PID:4884 -
\??\c:\20248.exec:\20248.exe66⤵PID:4428
-
\??\c:\ffrflfx.exec:\ffrflfx.exe67⤵PID:1176
-
\??\c:\bnbttt.exec:\bnbttt.exe68⤵PID:5052
-
\??\c:\1jdpd.exec:\1jdpd.exe69⤵PID:3704
-
\??\c:\82824.exec:\82824.exe70⤵PID:4400
-
\??\c:\82844.exec:\82844.exe71⤵PID:1380
-
\??\c:\8842042.exec:\8842042.exe72⤵PID:864
-
\??\c:\60004.exec:\60004.exe73⤵PID:1720
-
\??\c:\4440482.exec:\4440482.exe74⤵PID:3052
-
\??\c:\0448608.exec:\0448608.exe75⤵PID:3352
-
\??\c:\xllxlfr.exec:\xllxlfr.exe76⤵PID:2104
-
\??\c:\8804864.exec:\8804864.exe77⤵PID:2464
-
\??\c:\222644.exec:\222644.exe78⤵PID:4088
-
\??\c:\nhbtht.exec:\nhbtht.exe79⤵PID:388
-
\??\c:\o664848.exec:\o664848.exe80⤵PID:1048
-
\??\c:\5llffxx.exec:\5llffxx.exe81⤵PID:332
-
\??\c:\44486.exec:\44486.exe82⤵PID:4064
-
\??\c:\9frflfx.exec:\9frflfx.exe83⤵PID:2268
-
\??\c:\488204.exec:\488204.exe84⤵PID:2608
-
\??\c:\286048.exec:\286048.exe85⤵PID:1164
-
\??\c:\tbthtn.exec:\tbthtn.exe86⤵PID:4900
-
\??\c:\28802.exec:\28802.exe87⤵PID:3332
-
\??\c:\8666882.exec:\8666882.exe88⤵PID:4784
-
\??\c:\42048.exec:\42048.exe89⤵PID:2348
-
\??\c:\k84826.exec:\k84826.exe90⤵PID:4460
-
\??\c:\rxrfrfx.exec:\rxrfrfx.exe91⤵PID:3996
-
\??\c:\6862004.exec:\6862004.exe92⤵PID:928
-
\??\c:\rffxxrl.exec:\rffxxrl.exe93⤵PID:3200
-
\??\c:\5xlrlfx.exec:\5xlrlfx.exe94⤵PID:4972
-
\??\c:\lrxlfxl.exec:\lrxlfxl.exe95⤵PID:2444
-
\??\c:\tnhbtn.exec:\tnhbtn.exe96⤵PID:2124
-
\??\c:\406082.exec:\406082.exe97⤵PID:1920
-
\??\c:\hbhbtt.exec:\hbhbtt.exe98⤵PID:4780
-
\??\c:\6880444.exec:\6880444.exe99⤵PID:1208
-
\??\c:\lllxrxx.exec:\lllxrxx.exe100⤵PID:4472
-
\??\c:\dvpdp.exec:\dvpdp.exe101⤵PID:3988
-
\??\c:\248884.exec:\248884.exe102⤵PID:960
-
\??\c:\ppdvp.exec:\ppdvp.exe103⤵PID:4844
-
\??\c:\206022.exec:\206022.exe104⤵PID:4356
-
\??\c:\jvddp.exec:\jvddp.exe105⤵PID:3828
-
\??\c:\djjvv.exec:\djjvv.exe106⤵PID:2956
-
\??\c:\6484226.exec:\6484226.exe107⤵PID:1172
-
\??\c:\040482.exec:\040482.exe108⤵PID:3212
-
\??\c:\pvvpj.exec:\pvvpj.exe109⤵PID:3048
-
\??\c:\nhtnnh.exec:\nhtnnh.exe110⤵PID:1840
-
\??\c:\q28608.exec:\q28608.exe111⤵PID:2180
-
\??\c:\fxrrffl.exec:\fxrrffl.exe112⤵PID:3808
-
\??\c:\dvjjv.exec:\dvjjv.exe113⤵PID:1968
-
\??\c:\862060.exec:\862060.exe114⤵PID:3404
-
\??\c:\266082.exec:\266082.exe115⤵PID:4788
-
\??\c:\nhbtnn.exec:\nhbtnn.exe116⤵PID:4540
-
\??\c:\hnnhtn.exec:\hnnhtn.exe117⤵PID:4984
-
\??\c:\6060084.exec:\6060084.exe118⤵
- System Location Discovery: System Language Discovery
PID:208 -
\??\c:\462004.exec:\462004.exe119⤵PID:532
-
\??\c:\rxrlllf.exec:\rxrlllf.exe120⤵
- System Location Discovery: System Language Discovery
PID:2796 -
\??\c:\7jpjd.exec:\7jpjd.exe121⤵PID:2692
-
\??\c:\480086.exec:\480086.exe122⤵PID:2332