Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 14:54
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe
-
Size
454KB
-
MD5
0d90f5002420f598054cc3e18baa454c
-
SHA1
f7e0ebf970ba987751b48cb8f4d65e72f427a082
-
SHA256
88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c
-
SHA512
dabeb9bab015eb810ffd40d16ed4bb431a89c699417e0e1a08479f1c641f963c7c91a96b2dc5dafa24957bf8210a00718360e1ec71b3d2c024f809b4943e4f71
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 39 IoCs
resource yara_rule behavioral1/memory/2652-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2776-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2572-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1088-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-115-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2856-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2600-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1120-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2040-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2204-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/876-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/640-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-306-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2716-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1924-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/628-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1620-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/592-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-739-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1572-885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1900-1002-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1028-1100-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2772-1118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the IoC list is capped at 64 entries; the process tree below continues well past that point. Several PIDs in it — e.g. 1924, 2140, 2236, 2600, 1120 — are reused by later members of the chain once the earlier process with that PID has exited, so pivot on file name and hash rather than on PID when correlating these entries.)
pid Process 2372 ntnhhh.exe 2776 nnnbnh.exe 1924 jjjvp.exe 2588 ffxflrf.exe 2736 1jdpj.exe 2572 vjvvp.exe 2236 vddvd.exe 316 frxfxlr.exe 1632 7jpvv.exe 2140 nnnhtb.exe 2808 dddvv.exe 1088 lrfxffx.exe 284 7vvdp.exe 2856 llfrlrr.exe 2600 fflfxrl.exe 1120 hhhthh.exe 2040 vdppp.exe 1936 ttbhbh.exe 2132 ffrfffr.exe 2204 pddjp.exe 840 rxxlfrr.exe 876 ppvjv.exe 1752 frlrfrf.exe 1340 jdvdp.exe 1980 vvvjj.exe 2124 tbhbth.exe 2176 xffxlrl.exe 1248 ppjdv.exe 1736 ffrxflf.exe 640 9vjjd.exe 1616 xrxfxfx.exe 3020 pppdp.exe 2788 5rxlxrx.exe 1680 jjpvj.exe 2716 3lrfxff.exe 2844 bbnnhn.exe 2828 pvjdd.exe 1924 dddpd.exe 2616 lfxfxfx.exe 2732 nttnhh.exe 796 jvvvd.exe 1360 xfrrxxl.exe 2236 tnhhhb.exe 2440 jdddj.exe 628 ddvdj.exe 2148 9rrlrrx.exe 2140 nnhbth.exe 2008 ppjdp.exe 1620 xlxxflf.exe 1296 hbnhht.exe 1044 5nhntt.exe 264 5ddjv.exe 2120 xlfrfrx.exe 2600 3bttnt.exe 1120 dvjpv.exe 1688 vppdp.exe 600 xrflflr.exe 2336 nbbntb.exe 1792 5jvdp.exe 1368 3llrlrl.exe 2532 9hbnbt.exe 988 rlxfllx.exe 1852 rlffxxf.exe 2548 tnbhtt.exe -
resource yara_rule behavioral1/memory/2652-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2776-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-17-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1924-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2572-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1088-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1120-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2600-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1120-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2040-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2132-187-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2204-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/876-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/640-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3020-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/628-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1620-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2804-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-704-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/592-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-739-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1768-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/792-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-790-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-885-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-971-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1900-1002-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1648-1029-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-1067-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-1100-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2772-1118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/328-1213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1380-1220-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). Caveat: the key opened here, HKLM\SYSTEM\ControlSet001\Control\NLS\Language, is also read by ordinary Windows locale APIs during normal process startup, so on its own this is a low-confidence indicator; weight it together with the Blackmoon detections and the dropped-EXE chain above rather than treating it as standalone evidence of geo-targeting.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
5nnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (every target PID listed is the direct child that the same process launches in the tree below — e.g. 2652 → 2372, 2372 → 2776 — and each parent/child pair is logged four times. This pattern is consistent with the spawner writing into the child it has just created rather than injection into an unrelated process, so treat it as supporting evidence for the self-replicating chain, not as a separate process-injection finding.)
description pid Process procid_target PID 2652 wrote to memory of 2372 2652 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 30 PID 2652 wrote to memory of 2372 2652 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 30 PID 2652 wrote to memory of 2372 2652 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 30 PID 2652 wrote to memory of 2372 2652 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 30 PID 2372 wrote to memory of 2776 2372 ntnhhh.exe 31 PID 2372 wrote to memory of 2776 2372 ntnhhh.exe 31 PID 2372 wrote to memory of 2776 2372 ntnhhh.exe 31 PID 2372 wrote to memory of 2776 2372 ntnhhh.exe 31 PID 2776 wrote to memory of 1924 2776 nnnbnh.exe 32 PID 2776 wrote to memory of 1924 2776 nnnbnh.exe 32 PID 2776 wrote to memory of 1924 2776 nnnbnh.exe 32 PID 2776 wrote to memory of 1924 2776 nnnbnh.exe 32 PID 1924 wrote to memory of 2588 1924 jjjvp.exe 33 PID 1924 wrote to memory of 2588 1924 jjjvp.exe 33 PID 1924 wrote to memory of 2588 1924 jjjvp.exe 33 PID 1924 wrote to memory of 2588 1924 jjjvp.exe 33 PID 2588 wrote to memory of 2736 2588 ffxflrf.exe 34 PID 2588 wrote to memory of 2736 2588 ffxflrf.exe 34 PID 2588 wrote to memory of 2736 2588 ffxflrf.exe 34 PID 2588 wrote to memory of 2736 2588 ffxflrf.exe 34 PID 2736 wrote to memory of 2572 2736 1jdpj.exe 35 PID 2736 wrote to memory of 2572 2736 1jdpj.exe 35 PID 2736 wrote to memory of 2572 2736 1jdpj.exe 35 PID 2736 wrote to memory of 2572 2736 1jdpj.exe 35 PID 2572 wrote to memory of 2236 2572 vjvvp.exe 36 PID 2572 wrote to memory of 2236 2572 vjvvp.exe 36 PID 2572 wrote to memory of 2236 2572 vjvvp.exe 36 PID 2572 wrote to memory of 2236 2572 vjvvp.exe 36 PID 2236 wrote to memory of 316 2236 vddvd.exe 37 PID 2236 wrote to memory of 316 2236 vddvd.exe 37 PID 2236 wrote to memory of 316 2236 vddvd.exe 37 PID 2236 wrote to memory of 316 2236 vddvd.exe 37 PID 316 wrote to memory of 1632 316 frxfxlr.exe 38 PID 316 wrote to memory of 
1632 316 frxfxlr.exe 38 PID 316 wrote to memory of 1632 316 frxfxlr.exe 38 PID 316 wrote to memory of 1632 316 frxfxlr.exe 38 PID 1632 wrote to memory of 2140 1632 7jpvv.exe 39 PID 1632 wrote to memory of 2140 1632 7jpvv.exe 39 PID 1632 wrote to memory of 2140 1632 7jpvv.exe 39 PID 1632 wrote to memory of 2140 1632 7jpvv.exe 39 PID 2140 wrote to memory of 2808 2140 nnnhtb.exe 40 PID 2140 wrote to memory of 2808 2140 nnnhtb.exe 40 PID 2140 wrote to memory of 2808 2140 nnnhtb.exe 40 PID 2140 wrote to memory of 2808 2140 nnnhtb.exe 40 PID 2808 wrote to memory of 1088 2808 dddvv.exe 41 PID 2808 wrote to memory of 1088 2808 dddvv.exe 41 PID 2808 wrote to memory of 1088 2808 dddvv.exe 41 PID 2808 wrote to memory of 1088 2808 dddvv.exe 41 PID 1088 wrote to memory of 284 1088 lrfxffx.exe 42 PID 1088 wrote to memory of 284 1088 lrfxffx.exe 42 PID 1088 wrote to memory of 284 1088 lrfxffx.exe 42 PID 1088 wrote to memory of 284 1088 lrfxffx.exe 42 PID 284 wrote to memory of 2856 284 7vvdp.exe 43 PID 284 wrote to memory of 2856 284 7vvdp.exe 43 PID 284 wrote to memory of 2856 284 7vvdp.exe 43 PID 284 wrote to memory of 2856 284 7vvdp.exe 43 PID 2856 wrote to memory of 2600 2856 llfrlrr.exe 44 PID 2856 wrote to memory of 2600 2856 llfrlrr.exe 44 PID 2856 wrote to memory of 2600 2856 llfrlrr.exe 44 PID 2856 wrote to memory of 2600 2856 llfrlrr.exe 44 PID 2600 wrote to memory of 1120 2600 fflfxrl.exe 45 PID 2600 wrote to memory of 1120 2600 fflfxrl.exe 45 PID 2600 wrote to memory of 1120 2600 fflfxrl.exe 45 PID 2600 wrote to memory of 1120 2600 fflfxrl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe"C:\Users\Admin\AppData\Local\Temp\88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\ntnhhh.exec:\ntnhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\nnnbnh.exec:\nnnbnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\jjjvp.exec:\jjjvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\ffxflrf.exec:\ffxflrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\1jdpj.exec:\1jdpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\vjvvp.exec:\vjvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\vddvd.exec:\vddvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\frxfxlr.exec:\frxfxlr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\7jpvv.exec:\7jpvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\nnnhtb.exec:\nnnhtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\dddvv.exec:\dddvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\lrfxffx.exec:\lrfxffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\7vvdp.exec:\7vvdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:284 -
\??\c:\llfrlrr.exec:\llfrlrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\fflfxrl.exec:\fflfxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\hhhthh.exec:\hhhthh.exe17⤵
- Executes dropped EXE
PID:1120 -
\??\c:\vdppp.exec:\vdppp.exe18⤵
- Executes dropped EXE
PID:2040 -
\??\c:\ttbhbh.exec:\ttbhbh.exe19⤵
- Executes dropped EXE
PID:1936 -
\??\c:\ffrfffr.exec:\ffrfffr.exe20⤵
- Executes dropped EXE
PID:2132 -
\??\c:\pddjp.exec:\pddjp.exe21⤵
- Executes dropped EXE
PID:2204 -
\??\c:\rxxlfrr.exec:\rxxlfrr.exe22⤵
- Executes dropped EXE
PID:840 -
\??\c:\ppvjv.exec:\ppvjv.exe23⤵
- Executes dropped EXE
PID:876 -
\??\c:\frlrfrf.exec:\frlrfrf.exe24⤵
- Executes dropped EXE
PID:1752 -
\??\c:\jdvdp.exec:\jdvdp.exe25⤵
- Executes dropped EXE
PID:1340 -
\??\c:\vvvjj.exec:\vvvjj.exe26⤵
- Executes dropped EXE
PID:1980 -
\??\c:\tbhbth.exec:\tbhbth.exe27⤵
- Executes dropped EXE
PID:2124 -
\??\c:\xffxlrl.exec:\xffxlrl.exe28⤵
- Executes dropped EXE
PID:2176 -
\??\c:\ppjdv.exec:\ppjdv.exe29⤵
- Executes dropped EXE
PID:1248 -
\??\c:\ffrxflf.exec:\ffrxflf.exe30⤵
- Executes dropped EXE
PID:1736 -
\??\c:\9vjjd.exec:\9vjjd.exe31⤵
- Executes dropped EXE
PID:640 -
\??\c:\xrxfxfx.exec:\xrxfxfx.exe32⤵
- Executes dropped EXE
PID:1616 -
\??\c:\pppdp.exec:\pppdp.exe33⤵
- Executes dropped EXE
PID:3020 -
\??\c:\5rxlxrx.exec:\5rxlxrx.exe34⤵
- Executes dropped EXE
PID:2788 -
\??\c:\jjpvj.exec:\jjpvj.exe35⤵
- Executes dropped EXE
PID:1680 -
\??\c:\3lrfxff.exec:\3lrfxff.exe36⤵
- Executes dropped EXE
PID:2716 -
\??\c:\bbnnhn.exec:\bbnnhn.exe37⤵
- Executes dropped EXE
PID:2844 -
\??\c:\pvjdd.exec:\pvjdd.exe38⤵
- Executes dropped EXE
PID:2828 -
\??\c:\dddpd.exec:\dddpd.exe39⤵
- Executes dropped EXE
PID:1924 -
\??\c:\lfxfxfx.exec:\lfxfxfx.exe40⤵
- Executes dropped EXE
PID:2616 -
\??\c:\nttnhh.exec:\nttnhh.exe41⤵
- Executes dropped EXE
PID:2732 -
\??\c:\jvvvd.exec:\jvvvd.exe42⤵
- Executes dropped EXE
PID:796 -
\??\c:\xfrrxxl.exec:\xfrrxxl.exe43⤵
- Executes dropped EXE
PID:1360 -
\??\c:\tnhhhb.exec:\tnhhhb.exe44⤵
- Executes dropped EXE
PID:2236 -
\??\c:\jdddj.exec:\jdddj.exe45⤵
- Executes dropped EXE
PID:2440 -
\??\c:\ddvdj.exec:\ddvdj.exe46⤵
- Executes dropped EXE
PID:628 -
\??\c:\9rrlrrx.exec:\9rrlrrx.exe47⤵
- Executes dropped EXE
PID:2148 -
\??\c:\nnhbth.exec:\nnhbth.exe48⤵
- Executes dropped EXE
PID:2140 -
\??\c:\ppjdp.exec:\ppjdp.exe49⤵
- Executes dropped EXE
PID:2008 -
\??\c:\xlxxflf.exec:\xlxxflf.exe50⤵
- Executes dropped EXE
PID:1620 -
\??\c:\hbnhht.exec:\hbnhht.exe51⤵
- Executes dropped EXE
PID:1296 -
\??\c:\5nhntt.exec:\5nhntt.exe52⤵
- Executes dropped EXE
PID:1044 -
\??\c:\5ddjv.exec:\5ddjv.exe53⤵
- Executes dropped EXE
PID:264 -
\??\c:\xlfrfrx.exec:\xlfrfrx.exe54⤵
- Executes dropped EXE
PID:2120 -
\??\c:\3bttnt.exec:\3bttnt.exe55⤵
- Executes dropped EXE
PID:2600 -
\??\c:\dvjpv.exec:\dvjpv.exe56⤵
- Executes dropped EXE
PID:1120 -
\??\c:\vppdp.exec:\vppdp.exe57⤵
- Executes dropped EXE
PID:1688 -
\??\c:\xrflflr.exec:\xrflflr.exe58⤵
- Executes dropped EXE
PID:600 -
\??\c:\nbbntb.exec:\nbbntb.exe59⤵
- Executes dropped EXE
PID:2336 -
\??\c:\5jvdp.exec:\5jvdp.exe60⤵
- Executes dropped EXE
PID:1792 -
\??\c:\3llrlrl.exec:\3llrlrl.exe61⤵
- Executes dropped EXE
PID:1368 -
\??\c:\9hbnbt.exec:\9hbnbt.exe62⤵
- Executes dropped EXE
PID:2532 -
\??\c:\rlxfllx.exec:\rlxfllx.exe63⤵
- Executes dropped EXE
PID:988 -
\??\c:\rlffxxf.exec:\rlffxxf.exe64⤵
- Executes dropped EXE
PID:1852 -
\??\c:\tnbhtt.exec:\tnbhtt.exe65⤵
- Executes dropped EXE
PID:2548 -
\??\c:\pppvj.exec:\pppvj.exe66⤵PID:1376
-
\??\c:\5rlrxfr.exec:\5rlrxfr.exe67⤵PID:1984
-
\??\c:\nththh.exec:\nththh.exe68⤵PID:1592
-
\??\c:\jjddp.exec:\jjddp.exe69⤵PID:3000
-
\??\c:\vvvdj.exec:\vvvdj.exe70⤵PID:2268
-
\??\c:\bhbthn.exec:\bhbthn.exe71⤵PID:3012
-
\??\c:\pvvpd.exec:\pvvpd.exe72⤵PID:2020
-
\??\c:\vpjdd.exec:\vpjdd.exe73⤵PID:1736
-
\??\c:\5flrflf.exec:\5flrflf.exe74⤵PID:2492
-
\??\c:\3htnht.exec:\3htnht.exe75⤵PID:2212
-
\??\c:\vvvjd.exec:\vvvjd.exe76⤵PID:1844
-
\??\c:\7llrxxf.exec:\7llrxxf.exe77⤵PID:1564
-
\??\c:\tnnbtb.exec:\tnnbtb.exe78⤵PID:2780
-
\??\c:\dvpdp.exec:\dvpdp.exe79⤵PID:2720
-
\??\c:\ddjjd.exec:\ddjjd.exe80⤵PID:1776
-
\??\c:\lrlrffr.exec:\lrlrffr.exe81⤵PID:2696
-
\??\c:\bhhnbh.exec:\bhhnbh.exe82⤵PID:2596
-
\??\c:\vvpvp.exec:\vvpvp.exe83⤵PID:2228
-
\??\c:\1rxlrxl.exec:\1rxlrxl.exe84⤵PID:2556
-
\??\c:\7ttbnb.exec:\7ttbnb.exe85⤵PID:2592
-
\??\c:\nbtbhb.exec:\nbtbhb.exe86⤵PID:2208
-
\??\c:\vvpvp.exec:\vvpvp.exe87⤵PID:1000
-
\??\c:\lrflxxf.exec:\lrflxxf.exe88⤵PID:2092
-
\??\c:\ttnbnt.exec:\ttnbnt.exe89⤵PID:1048
-
\??\c:\dddvj.exec:\dddvj.exe90⤵PID:2544
-
\??\c:\lllxxlr.exec:\lllxxlr.exe91⤵PID:2436
-
\??\c:\9lxfrxx.exec:\9lxfrxx.exe92⤵PID:648
-
\??\c:\ttbhbn.exec:\ttbhbn.exe93⤵PID:2860
-
\??\c:\1dvvp.exec:\1dvvp.exe94⤵PID:2664
-
\??\c:\lrrrrff.exec:\lrrrrff.exe95⤵PID:2804
-
\??\c:\nhbtnb.exec:\nhbtnb.exe96⤵PID:2620
-
\??\c:\7hnthn.exec:\7hnthn.exe97⤵PID:1052
-
\??\c:\pvjvp.exec:\pvjvp.exe98⤵PID:3048
-
\??\c:\xxrfxfx.exec:\xxrfxfx.exe99⤵PID:1624
-
\??\c:\bhhnht.exec:\bhhnht.exe100⤵PID:592
-
\??\c:\vjvjd.exec:\vjvjd.exe101⤵PID:1532
-
\??\c:\hhbnhn.exec:\hhbnhn.exe102⤵PID:2340
-
\??\c:\3vpvj.exec:\3vpvj.exe103⤵PID:2360
-
\??\c:\7lflxfl.exec:\7lflxfl.exe104⤵PID:968
-
\??\c:\5flxfrr.exec:\5flxfrr.exe105⤵PID:1768
-
\??\c:\hbtnbt.exec:\hbtnbt.exe106⤵PID:916
-
\??\c:\vdddv.exec:\vdddv.exe107⤵PID:1836
-
\??\c:\xffrlxx.exec:\xffrlxx.exe108⤵PID:1764
-
\??\c:\1tttht.exec:\1tttht.exe109⤵PID:792
-
\??\c:\vvpvd.exec:\vvpvd.exe110⤵PID:1160
-
\??\c:\jjdpp.exec:\jjdpp.exe111⤵PID:1968
-
\??\c:\xlrrrff.exec:\xlrrrff.exe112⤵PID:2660
-
\??\c:\tbthbn.exec:\tbthbn.exe113⤵PID:3000
-
\??\c:\pjjpj.exec:\pjjpj.exe114⤵PID:1944
-
\??\c:\3vppj.exec:\3vppj.exe115⤵PID:884
-
\??\c:\rxfrlrl.exec:\rxfrlrl.exe116⤵PID:1788
-
\??\c:\bbbnhn.exec:\bbbnhn.exe117⤵PID:1800
-
\??\c:\vvvjd.exec:\vvvjd.exe118⤵PID:1744
-
\??\c:\lllrfrl.exec:\lllrfrl.exe119⤵PID:1616
-
\??\c:\flffffr.exec:\flffffr.exe120⤵PID:2692
-
\??\c:\ttnhbh.exec:\ttnhbh.exe121⤵PID:2668
-
\??\c:\9dvdp.exec:\9dvdp.exe122⤵PID:1572