Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 14:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe
-
Size
454KB
-
MD5
0d90f5002420f598054cc3e18baa454c
-
SHA1
f7e0ebf970ba987751b48cb8f4d65e72f427a082
-
SHA256
88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c
-
SHA512
dabeb9bab015eb810ffd40d16ed4bb431a89c699417e0e1a08479f1c641f963c7c91a96b2dc5dafa24957bf8210a00718360e1ec71b3d2c024f809b4943e4f71
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2896-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1412-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1964-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-670-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-853-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/68-917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1604 dvvvv.exe 3416 flfxfxx.exe 1084 pjpjd.exe 4352 pjpjp.exe 3000 3pppj.exe 2420 tbhhbb.exe 972 djdvp.exe 1772 hhbnth.exe 2088 pddvp.exe 428 lflrrrf.exe 3708 ttnhtn.exe 5040 lxfxxrr.exe 2556 lllllfr.exe 1404 ntthbn.exe 3592 ddvvv.exe 1664 rllffff.exe 1576 tbhbtn.exe 4060 jvdvp.exe 3156 ppjdj.exe 3392 xfffxff.exe 2440 bhhbtn.exe 2320 vdvjd.exe 2452 frrlllf.exe 2732 fllxffr.exe 1720 hthtnh.exe 2008 jjppp.exe 1832 fxxrrrl.exe 384 bhbttn.exe 2660 djvdp.exe 3132 fxfffff.exe 4428 nhnnnn.exe 4936 ttbbbb.exe 2940 ddvdv.exe 1800 xxlffll.exe 1412 rfrrlll.exe 2932 nnttbb.exe 1556 jdjjj.exe 1548 jjddj.exe 768 rffffll.exe 4184 nhbbnn.exe 3424 vdppp.exe 2980 vpddd.exe 3420 3xffxll.exe 2384 5bnnnt.exe 4476 tbhhhn.exe 3308 jjddd.exe 700 fxxffrl.exe 1892 fxrxflx.exe 3648 bntnhb.exe 392 dvjjp.exe 1204 jpddp.exe 2896 rxxxxfr.exe 2020 1bnntt.exe 3328 pdjvj.exe 2060 rllfrll.exe 3088 lxlfxxx.exe 2820 hthhhh.exe 4648 ppppv.exe 3972 pjvvd.exe 1084 xxrrxfx.exe 4804 hbhntb.exe 1396 jdvvp.exe 3000 fffffll.exe 4256 bthhth.exe -
resource yara_rule behavioral2/memory/2896-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-205-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1412-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-373-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3064-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-853-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2896 wrote to memory of 1604 2896 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 83 PID 2896 wrote to memory of 1604 2896 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 83 PID 2896 wrote to memory of 1604 2896 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 83 PID 1604 wrote to memory of 3416 1604 dvvvv.exe 84 PID 1604 wrote to memory of 3416 1604 dvvvv.exe 84 PID 1604 wrote to memory of 3416 1604 dvvvv.exe 84 PID 3416 wrote to memory of 1084 3416 flfxfxx.exe 142 PID 3416 wrote to memory of 1084 3416 flfxfxx.exe 142 PID 3416 wrote to memory of 1084 3416 flfxfxx.exe 142 PID 1084 wrote to memory of 4352 1084 pjpjd.exe 86 PID 1084 wrote to memory of 4352 1084 pjpjd.exe 86 PID 1084 wrote to memory of 4352 1084 pjpjd.exe 86 PID 4352 wrote to memory of 3000 4352 pjpjp.exe 145 PID 4352 wrote to memory of 3000 4352 pjpjp.exe 145 PID 4352 wrote to memory of 3000 4352 pjpjp.exe 145 PID 3000 wrote to memory of 2420 3000 3pppj.exe 88 PID 3000 wrote to memory of 2420 3000 3pppj.exe 88 PID 3000 wrote to memory of 2420 3000 3pppj.exe 88 PID 2420 wrote to memory of 972 2420 tbhhbb.exe 89 PID 2420 wrote to memory of 972 2420 tbhhbb.exe 89 PID 2420 wrote to memory of 972 2420 tbhhbb.exe 89 PID 972 wrote to memory of 1772 972 djdvp.exe 90 PID 972 wrote to memory of 1772 972 djdvp.exe 90 PID 972 wrote to memory of 1772 972 djdvp.exe 90 PID 1772 wrote to memory of 2088 1772 hhbnth.exe 91 PID 1772 wrote to memory of 2088 1772 hhbnth.exe 91 PID 1772 wrote to memory of 2088 1772 hhbnth.exe 91 PID 2088 wrote to memory of 428 2088 pddvp.exe 92 PID 2088 wrote to memory of 428 2088 pddvp.exe 92 PID 2088 wrote to memory of 428 2088 pddvp.exe 92 PID 428 wrote to memory of 3708 428 lflrrrf.exe 93 PID 428 wrote to memory of 3708 428 lflrrrf.exe 93 PID 428 wrote to memory of 3708 428 lflrrrf.exe 93 PID 3708 wrote to memory of 5040 3708 ttnhtn.exe 94 PID 3708 wrote to memory of 5040 3708 
ttnhtn.exe 94 PID 3708 wrote to memory of 5040 3708 ttnhtn.exe 94 PID 5040 wrote to memory of 2556 5040 lxfxxrr.exe 95 PID 5040 wrote to memory of 2556 5040 lxfxxrr.exe 95 PID 5040 wrote to memory of 2556 5040 lxfxxrr.exe 95 PID 2556 wrote to memory of 1404 2556 lllllfr.exe 96 PID 2556 wrote to memory of 1404 2556 lllllfr.exe 96 PID 2556 wrote to memory of 1404 2556 lllllfr.exe 96 PID 1404 wrote to memory of 3592 1404 ntthbn.exe 97 PID 1404 wrote to memory of 3592 1404 ntthbn.exe 97 PID 1404 wrote to memory of 3592 1404 ntthbn.exe 97 PID 3592 wrote to memory of 1664 3592 ddvvv.exe 98 PID 3592 wrote to memory of 1664 3592 ddvvv.exe 98 PID 3592 wrote to memory of 1664 3592 ddvvv.exe 98 PID 1664 wrote to memory of 1576 1664 rllffff.exe 99 PID 1664 wrote to memory of 1576 1664 rllffff.exe 99 PID 1664 wrote to memory of 1576 1664 rllffff.exe 99 PID 1576 wrote to memory of 4060 1576 tbhbtn.exe 100 PID 1576 wrote to memory of 4060 1576 tbhbtn.exe 100 PID 1576 wrote to memory of 4060 1576 tbhbtn.exe 100 PID 4060 wrote to memory of 3156 4060 jvdvp.exe 101 PID 4060 wrote to memory of 3156 4060 jvdvp.exe 101 PID 4060 wrote to memory of 3156 4060 jvdvp.exe 101 PID 3156 wrote to memory of 3392 3156 ppjdj.exe 102 PID 3156 wrote to memory of 3392 3156 ppjdj.exe 102 PID 3156 wrote to memory of 3392 3156 ppjdj.exe 102 PID 3392 wrote to memory of 2440 3392 xfffxff.exe 103 PID 3392 wrote to memory of 2440 3392 xfffxff.exe 103 PID 3392 wrote to memory of 2440 3392 xfffxff.exe 103 PID 2440 wrote to memory of 2320 2440 bhhbtn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe"C:\Users\Admin\AppData\Local\Temp\88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\dvvvv.exec:\dvvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\flfxfxx.exec:\flfxfxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\pjpjd.exec:\pjpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\pjpjp.exec:\pjpjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\3pppj.exec:\3pppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\tbhhbb.exec:\tbhhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\djdvp.exec:\djdvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\hhbnth.exec:\hhbnth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\pddvp.exec:\pddvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\lflrrrf.exec:\lflrrrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\ttnhtn.exec:\ttnhtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\lxfxxrr.exec:\lxfxxrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\lllllfr.exec:\lllllfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\ntthbn.exec:\ntthbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\ddvvv.exec:\ddvvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\rllffff.exec:\rllffff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\tbhbtn.exec:\tbhbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\jvdvp.exec:\jvdvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\ppjdj.exec:\ppjdj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\xfffxff.exec:\xfffxff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\bhhbtn.exec:\bhhbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\vdvjd.exec:\vdvjd.exe23⤵
- Executes dropped EXE
PID:2320 -
\??\c:\frrlllf.exec:\frrlllf.exe24⤵
- Executes dropped EXE
PID:2452 -
\??\c:\fllxffr.exec:\fllxffr.exe25⤵
- Executes dropped EXE
PID:2732 -
\??\c:\hthtnh.exec:\hthtnh.exe26⤵
- Executes dropped EXE
PID:1720 -
\??\c:\jjppp.exec:\jjppp.exe27⤵
- Executes dropped EXE
PID:2008 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe28⤵
- Executes dropped EXE
PID:1832 -
\??\c:\bhbttn.exec:\bhbttn.exe29⤵
- Executes dropped EXE
PID:384 -
\??\c:\djvdp.exec:\djvdp.exe30⤵
- Executes dropped EXE
PID:2660 -
\??\c:\fxfffff.exec:\fxfffff.exe31⤵
- Executes dropped EXE
PID:3132 -
\??\c:\nhnnnn.exec:\nhnnnn.exe32⤵
- Executes dropped EXE
PID:4428 -
\??\c:\ttbbbb.exec:\ttbbbb.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4936 -
\??\c:\ddvdv.exec:\ddvdv.exe34⤵
- Executes dropped EXE
PID:2940 -
\??\c:\xxlffll.exec:\xxlffll.exe35⤵
- Executes dropped EXE
PID:1800 -
\??\c:\rfrrlll.exec:\rfrrlll.exe36⤵
- Executes dropped EXE
PID:1412 -
\??\c:\nnttbb.exec:\nnttbb.exe37⤵
- Executes dropped EXE
PID:2932 -
\??\c:\jdjjj.exec:\jdjjj.exe38⤵
- Executes dropped EXE
PID:1556 -
\??\c:\jjddj.exec:\jjddj.exe39⤵
- Executes dropped EXE
PID:1548 -
\??\c:\rffffll.exec:\rffffll.exe40⤵
- Executes dropped EXE
PID:768 -
\??\c:\nhbbnn.exec:\nhbbnn.exe41⤵
- Executes dropped EXE
PID:4184 -
\??\c:\vdppp.exec:\vdppp.exe42⤵
- Executes dropped EXE
PID:3424 -
\??\c:\vpddd.exec:\vpddd.exe43⤵
- Executes dropped EXE
PID:2980 -
\??\c:\3xffxll.exec:\3xffxll.exe44⤵
- Executes dropped EXE
PID:3420 -
\??\c:\5bnnnt.exec:\5bnnnt.exe45⤵
- Executes dropped EXE
PID:2384 -
\??\c:\tbhhhn.exec:\tbhhhn.exe46⤵
- Executes dropped EXE
PID:4476 -
\??\c:\jjddd.exec:\jjddd.exe47⤵
- Executes dropped EXE
PID:3308 -
\??\c:\fxxffrl.exec:\fxxffrl.exe48⤵
- Executes dropped EXE
PID:700 -
\??\c:\fxrxflx.exec:\fxrxflx.exe49⤵
- Executes dropped EXE
PID:1892 -
\??\c:\bntnhb.exec:\bntnhb.exe50⤵
- Executes dropped EXE
PID:3648 -
\??\c:\dvjjp.exec:\dvjjp.exe51⤵
- Executes dropped EXE
PID:392 -
\??\c:\jpddp.exec:\jpddp.exe52⤵
- Executes dropped EXE
PID:1204 -
\??\c:\rxxxxfr.exec:\rxxxxfr.exe53⤵
- Executes dropped EXE
PID:2896 -
\??\c:\1bnntt.exec:\1bnntt.exe54⤵
- Executes dropped EXE
PID:2020 -
\??\c:\pdjvj.exec:\pdjvj.exe55⤵
- Executes dropped EXE
PID:3328 -
\??\c:\rllfrll.exec:\rllfrll.exe56⤵
- Executes dropped EXE
PID:2060 -
\??\c:\lxlfxxx.exec:\lxlfxxx.exe57⤵
- Executes dropped EXE
PID:3088 -
\??\c:\hthhhh.exec:\hthhhh.exe58⤵
- Executes dropped EXE
PID:2820 -
\??\c:\ppppv.exec:\ppppv.exe59⤵
- Executes dropped EXE
PID:4648 -
\??\c:\pjvvd.exec:\pjvvd.exe60⤵
- Executes dropped EXE
PID:3972 -
\??\c:\xxrrxfx.exec:\xxrrxfx.exe61⤵
- Executes dropped EXE
PID:1084 -
\??\c:\hbhntb.exec:\hbhntb.exe62⤵
- Executes dropped EXE
PID:4804 -
\??\c:\jdvvp.exec:\jdvvp.exe63⤵
- Executes dropped EXE
PID:1396 -
\??\c:\fffffll.exec:\fffffll.exe64⤵
- Executes dropped EXE
PID:3000 -
\??\c:\bthhth.exec:\bthhth.exe65⤵
- Executes dropped EXE
PID:4256 -
\??\c:\pvjjj.exec:\pvjjj.exe66⤵PID:3404
-
\??\c:\ddvdd.exec:\ddvdd.exe67⤵PID:4716
-
\??\c:\5xxfxxx.exec:\5xxfxxx.exe68⤵PID:2088
-
\??\c:\tthhnt.exec:\tthhnt.exe69⤵PID:812
-
\??\c:\3pvdd.exec:\3pvdd.exe70⤵PID:3856
-
\??\c:\fxfffll.exec:\fxfffll.exe71⤵PID:4420
-
\??\c:\9thhth.exec:\9thhth.exe72⤵PID:4696
-
\??\c:\vpjvp.exec:\vpjvp.exe73⤵PID:2964
-
\??\c:\xxfffff.exec:\xxfffff.exe74⤵PID:4168
-
\??\c:\7lxxflx.exec:\7lxxflx.exe75⤵PID:1584
-
\??\c:\ntttbb.exec:\ntttbb.exe76⤵PID:1200
-
\??\c:\dpvpj.exec:\dpvpj.exe77⤵
- System Location Discovery: System Language Discovery
PID:952 -
\??\c:\llxllxf.exec:\llxllxf.exe78⤵PID:1964
-
\??\c:\nntttb.exec:\nntttb.exe79⤵PID:448
-
\??\c:\pddvd.exec:\pddvd.exe80⤵PID:2524
-
\??\c:\xxrrxff.exec:\xxrrxff.exe81⤵PID:3956
-
\??\c:\vvvpj.exec:\vvvpj.exe82⤵PID:4280
-
\??\c:\ffllfll.exec:\ffllfll.exe83⤵PID:2732
-
\??\c:\nntnbt.exec:\nntnbt.exe84⤵PID:3976
-
\??\c:\vvpdd.exec:\vvpdd.exe85⤵PID:1848
-
\??\c:\nhhnnn.exec:\nhhnnn.exe86⤵PID:3184
-
\??\c:\jvjdj.exec:\jvjdj.exe87⤵PID:384
-
\??\c:\nbtttt.exec:\nbtttt.exe88⤵PID:2380
-
\??\c:\hbhbtt.exec:\hbhbtt.exe89⤵PID:1012
-
\??\c:\3bnttb.exec:\3bnttb.exe90⤵PID:4428
-
\??\c:\vpjjd.exec:\vpjjd.exe91⤵PID:2876
-
\??\c:\flxrxff.exec:\flxrxff.exe92⤵PID:3064
-
\??\c:\nnnbbb.exec:\nnnbbb.exe93⤵PID:4836
-
\??\c:\rlfxffl.exec:\rlfxffl.exe94⤵PID:4788
-
\??\c:\nthhhh.exec:\nthhhh.exe95⤵PID:2648
-
\??\c:\3ntttt.exec:\3ntttt.exe96⤵PID:1432
-
\??\c:\vpjpv.exec:\vpjpv.exe97⤵PID:3588
-
\??\c:\hhhbnt.exec:\hhhbnt.exe98⤵PID:4184
-
\??\c:\jdppd.exec:\jdppd.exe99⤵PID:4680
-
\??\c:\3jpvv.exec:\3jpvv.exe100⤵PID:3260
-
\??\c:\nhtnnt.exec:\nhtnnt.exe101⤵PID:2980
-
\??\c:\dvddp.exec:\dvddp.exe102⤵PID:3420
-
\??\c:\dvpjd.exec:\dvpjd.exe103⤵PID:2384
-
\??\c:\bttnhb.exec:\bttnhb.exe104⤵PID:1056
-
\??\c:\ddddv.exec:\ddddv.exe105⤵PID:3012
-
\??\c:\rrlfxxr.exec:\rrlfxxr.exe106⤵PID:700
-
\??\c:\frrrrxx.exec:\frrrrxx.exe107⤵PID:1608
-
\??\c:\5jppv.exec:\5jppv.exe108⤵PID:1716
-
\??\c:\xrxxfff.exec:\xrxxfff.exe109⤵PID:2728
-
\??\c:\ttnnnt.exec:\ttnnnt.exe110⤵PID:1112
-
\??\c:\jdjpp.exec:\jdjpp.exe111⤵PID:228
-
\??\c:\nthbtt.exec:\nthbtt.exe112⤵PID:1580
-
\??\c:\frxrlrr.exec:\frxrlrr.exe113⤵PID:1004
-
\??\c:\tbhnhh.exec:\tbhnhh.exe114⤵PID:3112
-
\??\c:\lfllxfx.exec:\lfllxfx.exe115⤵PID:2488
-
\??\c:\hnnnnb.exec:\hnnnnb.exe116⤵PID:5024
-
\??\c:\ddjpp.exec:\ddjpp.exe117⤵PID:848
-
\??\c:\fxfxlxr.exec:\fxfxlxr.exe118⤵PID:2996
-
\??\c:\thhtht.exec:\thhtht.exe119⤵PID:2788
-
\??\c:\3xfffll.exec:\3xfffll.exe120⤵PID:2984
-
\??\c:\fxllxxr.exec:\fxllxxr.exe121⤵PID:4648
-
\??\c:\tnbhtt.exec:\tnbhtt.exe122⤵PID:4300