Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 19:17
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe
-
Size
454KB
-
MD5
2c730cd47a602fc4d13a2686a9dd5bd9
-
SHA1
be734adb93753935dca282c4fd06dd90c4fbfb60
-
SHA256
0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0
-
SHA512
00a5897997e1432b76af169e9d9f65311a001155cac62670992a4424fb6035a9474a6065b5ea1a5d7383ac04d8080cb3cd2c50754a17bc2daf194bc43db8ed7f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7W:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2488-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4780-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/212-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-1331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-1424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-1563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the listing appears capped at 64 entries; the process tree below shows 121 dropped executables, all written to the root of c:\ with short random-looking names) -
pid Process 2024 lxlffff.exe 1236 dddvv.exe 2368 btbbbb.exe 3896 thhnbh.exe 3776 fflfflr.exe 4900 vjvvv.exe 1112 ppvvj.exe 4228 ppddj.exe 3532 rfrllll.exe 4036 lrffflr.exe 1884 rrlxrfr.exe 660 lxlllrr.exe 3184 bbnnnt.exe 4788 3hnnhn.exe 2576 fxfffll.exe 1080 bbbhhh.exe 1756 jpdvj.exe 212 7xfxflr.exe 3720 7jjjv.exe 2124 jpjdd.exe 4076 bthbtb.exe 3652 xrrllfx.exe 2320 ntbbht.exe 3000 tnbbnn.exe 4780 3pvvd.exe 2860 3bhhhn.exe 4772 flfxrff.exe 4864 ttbbbh.exe 5112 llllflr.exe 4396 vppvj.exe 5040 7flxrxx.exe 3472 jdjjj.exe 64 5rrlffx.exe 4192 bttbbb.exe 3528 vdjjd.exe 4040 vvdvp.exe 4204 3xxrlff.exe 1492 thhbtt.exe 4744 vddvj.exe 1676 fflxrrl.exe 3336 nhtntt.exe 2440 nhnnhn.exe 5092 vvppv.exe 3580 fflfxfx.exe 4896 5lrxffr.exe 3968 btnnbb.exe 3288 vpdvp.exe 3740 pjvpj.exe 1812 xxffllr.exe 3984 hhbhnn.exe 4548 jdjjd.exe 4284 xflfxrl.exe 4968 tnttth.exe 2232 hhbbbb.exe 3724 ddvvd.exe 840 3xxrffr.exe 1952 5bnhhh.exe 3944 1btttn.exe 1036 djddv.exe 2952 7fffxxx.exe 808 9fffflr.exe 512 tnhbth.exe 4304 ppdjj.exe 4420 7vdvp.exe -
resource yara_rule behavioral2/memory/2488-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4772-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-376-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4888-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-1331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-1386-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTP 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Note that reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also routine for legitimate software, so on its own this is a low-confidence indicator; it is the combination with the dropped-EXE chain and the Blackmoon memory signature that matters here.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rllxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2488 wrote to memory of 2024 2488 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 82 PID 2488 wrote to memory of 2024 2488 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 82 PID 2488 wrote to memory of 2024 2488 0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe 82 PID 2024 wrote to memory of 1236 2024 lxlffff.exe 83 PID 2024 wrote to memory of 1236 2024 lxlffff.exe 83 PID 2024 wrote to memory of 1236 2024 lxlffff.exe 83 PID 1236 wrote to memory of 2368 1236 dddvv.exe 84 PID 1236 wrote to memory of 2368 1236 dddvv.exe 84 PID 1236 wrote to memory of 2368 1236 dddvv.exe 84 PID 2368 wrote to memory of 3896 2368 btbbbb.exe 85 PID 2368 wrote to memory of 3896 2368 btbbbb.exe 85 PID 2368 wrote to memory of 3896 2368 btbbbb.exe 85 PID 3896 wrote to memory of 3776 3896 thhnbh.exe 86 PID 3896 wrote to memory of 3776 3896 thhnbh.exe 86 PID 3896 wrote to memory of 3776 3896 thhnbh.exe 86 PID 3776 wrote to memory of 4900 3776 fflfflr.exe 87 PID 3776 wrote to memory of 4900 3776 fflfflr.exe 87 PID 3776 wrote to memory of 4900 3776 fflfflr.exe 87 PID 4900 wrote to memory of 1112 4900 vjvvv.exe 88 PID 4900 wrote to memory of 1112 4900 vjvvv.exe 88 PID 4900 wrote to memory of 1112 4900 vjvvv.exe 88 PID 1112 wrote to memory of 4228 1112 ppvvj.exe 89 PID 1112 wrote to memory of 4228 1112 ppvvj.exe 89 PID 1112 wrote to memory of 4228 1112 ppvvj.exe 89 PID 4228 wrote to memory of 3532 4228 ppddj.exe 90 PID 4228 wrote to memory of 3532 4228 ppddj.exe 90 PID 4228 wrote to memory of 3532 4228 ppddj.exe 90 PID 3532 wrote to memory of 4036 3532 rfrllll.exe 91 PID 3532 wrote to memory of 4036 3532 rfrllll.exe 91 PID 3532 wrote to memory of 4036 3532 rfrllll.exe 91 PID 4036 wrote to memory of 1884 4036 lrffflr.exe 92 PID 4036 wrote to memory of 1884 4036 lrffflr.exe 92 PID 4036 wrote to memory of 1884 4036 lrffflr.exe 92 PID 1884 wrote to memory of 660 1884 rrlxrfr.exe 93 PID 1884 wrote to 
memory of 660 1884 rrlxrfr.exe 93 PID 1884 wrote to memory of 660 1884 rrlxrfr.exe 93 PID 660 wrote to memory of 3184 660 lxlllrr.exe 94 PID 660 wrote to memory of 3184 660 lxlllrr.exe 94 PID 660 wrote to memory of 3184 660 lxlllrr.exe 94 PID 3184 wrote to memory of 4788 3184 bbnnnt.exe 95 PID 3184 wrote to memory of 4788 3184 bbnnnt.exe 95 PID 3184 wrote to memory of 4788 3184 bbnnnt.exe 95 PID 4788 wrote to memory of 2576 4788 3hnnhn.exe 96 PID 4788 wrote to memory of 2576 4788 3hnnhn.exe 96 PID 4788 wrote to memory of 2576 4788 3hnnhn.exe 96 PID 2576 wrote to memory of 1080 2576 fxfffll.exe 97 PID 2576 wrote to memory of 1080 2576 fxfffll.exe 97 PID 2576 wrote to memory of 1080 2576 fxfffll.exe 97 PID 1080 wrote to memory of 1756 1080 bbbhhh.exe 98 PID 1080 wrote to memory of 1756 1080 bbbhhh.exe 98 PID 1080 wrote to memory of 1756 1080 bbbhhh.exe 98 PID 1756 wrote to memory of 212 1756 jpdvj.exe 99 PID 1756 wrote to memory of 212 1756 jpdvj.exe 99 PID 1756 wrote to memory of 212 1756 jpdvj.exe 99 PID 212 wrote to memory of 3720 212 7xfxflr.exe 100 PID 212 wrote to memory of 3720 212 7xfxflr.exe 100 PID 212 wrote to memory of 3720 212 7xfxflr.exe 100 PID 3720 wrote to memory of 2124 3720 7jjjv.exe 101 PID 3720 wrote to memory of 2124 3720 7jjjv.exe 101 PID 3720 wrote to memory of 2124 3720 7jjjv.exe 101 PID 2124 wrote to memory of 4076 2124 jpjdd.exe 102 PID 2124 wrote to memory of 4076 2124 jpjdd.exe 102 PID 2124 wrote to memory of 4076 2124 jpjdd.exe 102 PID 4076 wrote to memory of 3652 4076 bthbtb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe"C:\Users\Admin\AppData\Local\Temp\0887a98ad2e4c9016dc70d1946340294c1837e2a666407f17e3cc5c918980ea0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\lxlffff.exec:\lxlffff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\dddvv.exec:\dddvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\btbbbb.exec:\btbbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\thhnbh.exec:\thhnbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\fflfflr.exec:\fflfflr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\vjvvv.exec:\vjvvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\ppvvj.exec:\ppvvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\ppddj.exec:\ppddj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\rfrllll.exec:\rfrllll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\lrffflr.exec:\lrffflr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\rrlxrfr.exec:\rrlxrfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\lxlllrr.exec:\lxlllrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
\??\c:\bbnnnt.exec:\bbnnnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\3hnnhn.exec:\3hnnhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\fxfffll.exec:\fxfffll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\bbbhhh.exec:\bbbhhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\jpdvj.exec:\jpdvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\7xfxflr.exec:\7xfxflr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\7jjjv.exec:\7jjjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\jpjdd.exec:\jpjdd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\bthbtb.exec:\bthbtb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\xrrllfx.exec:\xrrllfx.exe23⤵
- Executes dropped EXE
PID:3652 -
\??\c:\ntbbht.exec:\ntbbht.exe24⤵
- Executes dropped EXE
PID:2320 -
\??\c:\tnbbnn.exec:\tnbbnn.exe25⤵
- Executes dropped EXE
PID:3000 -
\??\c:\3pvvd.exec:\3pvvd.exe26⤵
- Executes dropped EXE
PID:4780 -
\??\c:\3bhhhn.exec:\3bhhhn.exe27⤵
- Executes dropped EXE
PID:2860 -
\??\c:\flfxrff.exec:\flfxrff.exe28⤵
- Executes dropped EXE
PID:4772 -
\??\c:\ttbbbh.exec:\ttbbbh.exe29⤵
- Executes dropped EXE
PID:4864 -
\??\c:\llllflr.exec:\llllflr.exe30⤵
- Executes dropped EXE
PID:5112 -
\??\c:\vppvj.exec:\vppvj.exe31⤵
- Executes dropped EXE
PID:4396 -
\??\c:\7flxrxx.exec:\7flxrxx.exe32⤵
- Executes dropped EXE
PID:5040 -
\??\c:\jdjjj.exec:\jdjjj.exe33⤵
- Executes dropped EXE
PID:3472 -
\??\c:\5rrlffx.exec:\5rrlffx.exe34⤵
- Executes dropped EXE
PID:64 -
\??\c:\bttbbb.exec:\bttbbb.exe35⤵
- Executes dropped EXE
PID:4192 -
\??\c:\vdjjd.exec:\vdjjd.exe36⤵
- Executes dropped EXE
PID:3528 -
\??\c:\vvdvp.exec:\vvdvp.exe37⤵
- Executes dropped EXE
PID:4040 -
\??\c:\3xxrlff.exec:\3xxrlff.exe38⤵
- Executes dropped EXE
PID:4204 -
\??\c:\thhbtt.exec:\thhbtt.exe39⤵
- Executes dropped EXE
PID:1492 -
\??\c:\vddvj.exec:\vddvj.exe40⤵
- Executes dropped EXE
PID:4744 -
\??\c:\fflxrrl.exec:\fflxrrl.exe41⤵
- Executes dropped EXE
PID:1676 -
\??\c:\nhtntt.exec:\nhtntt.exe42⤵
- Executes dropped EXE
PID:3336 -
\??\c:\nhnnhn.exec:\nhnnhn.exe43⤵
- Executes dropped EXE
PID:2440 -
\??\c:\vvppv.exec:\vvppv.exe44⤵
- Executes dropped EXE
PID:5092 -
\??\c:\fflfxfx.exec:\fflfxfx.exe45⤵
- Executes dropped EXE
PID:3580 -
\??\c:\5lrxffr.exec:\5lrxffr.exe46⤵
- Executes dropped EXE
PID:4896 -
\??\c:\btnnbb.exec:\btnnbb.exe47⤵
- Executes dropped EXE
PID:3968 -
\??\c:\vpdvp.exec:\vpdvp.exe48⤵
- Executes dropped EXE
PID:3288 -
\??\c:\pjvpj.exec:\pjvpj.exe49⤵
- Executes dropped EXE
PID:3740 -
\??\c:\xxffllr.exec:\xxffllr.exe50⤵
- Executes dropped EXE
PID:1812 -
\??\c:\hhbhnn.exec:\hhbhnn.exe51⤵
- Executes dropped EXE
PID:3984 -
\??\c:\jdjjd.exec:\jdjjd.exe52⤵
- Executes dropped EXE
PID:4548 -
\??\c:\xflfxrl.exec:\xflfxrl.exe53⤵
- Executes dropped EXE
PID:4284 -
\??\c:\tnttth.exec:\tnttth.exe54⤵
- Executes dropped EXE
PID:4968 -
\??\c:\hhbbbb.exec:\hhbbbb.exe55⤵
- Executes dropped EXE
PID:2232 -
\??\c:\ddvvd.exec:\ddvvd.exe56⤵
- Executes dropped EXE
PID:3724 -
\??\c:\3xxrffr.exec:\3xxrffr.exe57⤵
- Executes dropped EXE
PID:840 -
\??\c:\5bnhhh.exec:\5bnhhh.exe58⤵
- Executes dropped EXE
PID:1952 -
\??\c:\1btttn.exec:\1btttn.exe59⤵
- Executes dropped EXE
PID:3944 -
\??\c:\djddv.exec:\djddv.exe60⤵
- Executes dropped EXE
PID:1036 -
\??\c:\7fffxxx.exec:\7fffxxx.exe61⤵
- Executes dropped EXE
PID:2952 -
\??\c:\9fffflr.exec:\9fffflr.exe62⤵
- Executes dropped EXE
PID:808 -
\??\c:\tnhbth.exec:\tnhbth.exe63⤵
- Executes dropped EXE
PID:512 -
\??\c:\ppdjj.exec:\ppdjj.exe64⤵
- Executes dropped EXE
PID:4304 -
\??\c:\7vdvp.exec:\7vdvp.exe65⤵
- Executes dropped EXE
PID:4420 -
\??\c:\rlrllfl.exec:\rlrllfl.exe66⤵PID:3532
-
\??\c:\hthbbb.exec:\hthbbb.exe67⤵PID:1060
-
\??\c:\3jjvj.exec:\3jjvj.exe68⤵PID:984
-
\??\c:\xxfxxxx.exec:\xxfxxxx.exe69⤵PID:2848
-
\??\c:\rxffxxx.exec:\rxffxxx.exe70⤵PID:3648
-
\??\c:\nbhbtn.exec:\nbhbtn.exe71⤵PID:3204
-
\??\c:\vpvvp.exec:\vpvvp.exe72⤵PID:4812
-
\??\c:\nbhthb.exec:\nbhthb.exe73⤵PID:2920
-
\??\c:\nnbhbb.exec:\nnbhbb.exe74⤵PID:608
-
\??\c:\dvddv.exec:\dvddv.exe75⤵PID:216
-
\??\c:\9rffllx.exec:\9rffllx.exe76⤵PID:1896
-
\??\c:\1nnnhh.exec:\1nnnhh.exe77⤵PID:2928
-
\??\c:\7vdvd.exec:\7vdvd.exe78⤵PID:1860
-
\??\c:\jdpjd.exec:\jdpjd.exe79⤵PID:4992
-
\??\c:\ffffxrx.exec:\ffffxrx.exe80⤵PID:212
-
\??\c:\tntthh.exec:\tntthh.exe81⤵PID:2732
-
\??\c:\5pjdj.exec:\5pjdj.exe82⤵PID:3704
-
\??\c:\fxrlllf.exec:\fxrlllf.exe83⤵PID:5036
-
\??\c:\btbbhh.exec:\btbbhh.exe84⤵PID:2660
-
\??\c:\tbnntb.exec:\tbnntb.exe85⤵PID:1368
-
\??\c:\jpdpj.exec:\jpdpj.exe86⤵PID:2828
-
\??\c:\xllxrlf.exec:\xllxrlf.exe87⤵PID:4448
-
\??\c:\btnbnb.exec:\btnbnb.exe88⤵PID:3000
-
\??\c:\9ppjv.exec:\9ppjv.exe89⤵PID:3232
-
\??\c:\ffllflx.exec:\ffllflx.exe90⤵PID:5028
-
\??\c:\bttnhh.exec:\bttnhh.exe91⤵PID:4888
-
\??\c:\hhttbb.exec:\hhttbb.exe92⤵PID:912
-
\??\c:\jjpjd.exec:\jjpjd.exe93⤵PID:1200
-
\??\c:\ffffxlf.exec:\ffffxlf.exe94⤵PID:4644
-
\??\c:\flffxff.exec:\flffxff.exe95⤵PID:2228
-
\??\c:\7btthn.exec:\7btthn.exe96⤵PID:4876
-
\??\c:\vpddv.exec:\vpddv.exe97⤵PID:4476
-
\??\c:\3flxfxr.exec:\3flxfxr.exe98⤵PID:2724
-
\??\c:\ffllllf.exec:\ffllllf.exe99⤵PID:3920
-
\??\c:\9bbbbb.exec:\9bbbbb.exe100⤵PID:2060
-
\??\c:\5jvvp.exec:\5jvvp.exe101⤵PID:4216
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe102⤵PID:2720
-
\??\c:\rxlfffx.exec:\rxlfffx.exe103⤵PID:3960
-
\??\c:\hbtnnn.exec:\hbtnnn.exe104⤵PID:3456
-
\??\c:\7dddv.exec:\7dddv.exe105⤵PID:4012
-
\??\c:\frxlffx.exec:\frxlffx.exe106⤵PID:4656
-
\??\c:\tbttbh.exec:\tbttbh.exe107⤵PID:2700
-
\??\c:\pjdvj.exec:\pjdvj.exe108⤵PID:2012
-
\??\c:\rxlfxxx.exec:\rxlfxxx.exe109⤵PID:4536
-
\??\c:\xfrlfxr.exec:\xfrlfxr.exe110⤵PID:1680
-
\??\c:\btbttt.exec:\btbttt.exe111⤵PID:856
-
\??\c:\dvvjv.exec:\dvvjv.exe112⤵PID:1324
-
\??\c:\rlrlllr.exec:\rlrlllr.exe113⤵PID:2932
-
\??\c:\xxfffff.exec:\xxfffff.exe114⤵PID:776
-
\??\c:\tbhbtn.exec:\tbhbtn.exe115⤵PID:264
-
\??\c:\dvppp.exec:\dvppp.exe116⤵PID:2548
-
\??\c:\5frlxrl.exec:\5frlxrl.exe117⤵PID:2180
-
\??\c:\thtnbt.exec:\thtnbt.exe118⤵PID:4264
-
\??\c:\1dpjd.exec:\1dpjd.exe119⤵PID:2488
-
\??\c:\rllflfx.exec:\rllflfx.exe120⤵PID:388
-
\??\c:\5fxxlff.exec:\5fxxlff.exe121⤵PID:2468
-
\??\c:\nbhhhn.exec:\nbhhhn.exe122⤵PID:2224
-