Analysis
-
max time kernel
150s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
25-12-2024 14:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe
-
Size
454KB
-
MD5
0d90f5002420f598054cc3e18baa454c
-
SHA1
f7e0ebf970ba987751b48cb8f4d65e72f427a082
-
SHA256
88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c
-
SHA512
dabeb9bab015eb810ffd40d16ed4bb431a89c699417e0e1a08479f1c641f963c7c91a96b2dc5dafa24957bf8210a00718360e1ec71b3d2c024f809b4943e4f71
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 42 IoCs
resource yara_rule behavioral1/memory/2904-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3004-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2840-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2944-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2552-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2008-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1448-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1448-147-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2844-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1300-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2324-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2324-299-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2952-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2300-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-401-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1752-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-439-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1524-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-459-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/948-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/404-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1704-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3020-654-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1928-954-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/276-968-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-995-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/884-1086-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2964-1326-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1752-1755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3004 hbnnbt.exe 1632 bhbhnt.exe 2196 jpvdv.exe 2340 rlxxlrf.exe 2840 nnnbnb.exe 2944 rllxlrf.exe 2808 ffxlffl.exe 2828 3fllrfl.exe 2604 fxrfxff.exe 2680 vvpvj.exe 2552 pppdv.exe 2508 5frxfrf.exe 2008 dppvj.exe 1888 xllrflr.exe 1448 btbtbb.exe 1588 hbtthh.exe 1812 pdjpd.exe 1684 dvpvd.exe 2844 jdppv.exe 1620 9hbhbh.exe 2916 9ddvd.exe 1300 3lxfrfl.exe 2664 vjdpp.exe 988 ttntth.exe 1552 jppjp.exe 1668 btbhnt.exe 2964 dvpjp.exe 2484 thnhbb.exe 2280 bnbnhb.exe 2124 ppjdp.exe 1480 bhbtnt.exe 2988 lrlrllr.exe 2324 9nhnbh.exe 2928 7ddpp.exe 580 9rxxxlx.exe 2312 tnbhnb.exe 1700 vppdp.exe 2952 jdvdp.exe 2896 fffrffr.exe 2856 tthbhh.exe 2300 pjvjv.exe 2640 jdvdp.exe 2828 rlfrllx.exe 2716 hhthnt.exe 3024 tnhntb.exe 2296 9vpdj.exe 1716 fxxfrxr.exe 2140 rflrlrx.exe 2008 tththn.exe 1960 dpvvd.exe 1932 llffrlf.exe 1796 nthhbb.exe 1752 hbbhtt.exe 1920 3pvjj.exe 816 rrllffl.exe 1524 hhthtt.exe 2468 7hbbbh.exe 2168 pjdjv.exe 2824 3lffxxl.exe 948 llxlrrx.exe 2460 hbtntn.exe 1156 vpjpv.exe 404 jvvvp.exe 1952 frllxxl.exe -
resource yara_rule behavioral1/memory/2904-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2840-51-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2944-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2008-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-145-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2844-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-289-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2324-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2300-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/948-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/404-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1660-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1508-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1040-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1804-715-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-754-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1184-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/404-769-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1748-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1740-918-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-929-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1928-947-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-954-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/276-968-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-995-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-1087-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1600-1118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2852-1161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-1265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-1382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1752-1755-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxxrx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2904 wrote to memory of 3004 2904 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 30 PID 2904 wrote to memory of 3004 2904 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 30 PID 2904 wrote to memory of 3004 2904 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 30 PID 2904 wrote to memory of 3004 2904 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 30 PID 3004 wrote to memory of 1632 3004 hbnnbt.exe 31 PID 3004 wrote to memory of 1632 3004 hbnnbt.exe 31 PID 3004 wrote to memory of 1632 3004 hbnnbt.exe 31 PID 3004 wrote to memory of 1632 3004 hbnnbt.exe 31 PID 1632 wrote to memory of 2196 1632 bhbhnt.exe 32 PID 1632 wrote to memory of 2196 1632 bhbhnt.exe 32 PID 1632 wrote to memory of 2196 1632 bhbhnt.exe 32 PID 1632 wrote to memory of 2196 1632 bhbhnt.exe 32 PID 2196 wrote to memory of 2340 2196 jpvdv.exe 33 PID 2196 wrote to memory of 2340 2196 jpvdv.exe 33 PID 2196 wrote to memory of 2340 2196 jpvdv.exe 33 PID 2196 wrote to memory of 2340 2196 jpvdv.exe 33 PID 2340 wrote to memory of 2840 2340 rlxxlrf.exe 34 PID 2340 wrote to memory of 2840 2340 rlxxlrf.exe 34 PID 2340 wrote to memory of 2840 2340 rlxxlrf.exe 34 PID 2340 wrote to memory of 2840 2340 rlxxlrf.exe 34 PID 2840 wrote to memory of 2944 2840 nnnbnb.exe 35 PID 2840 wrote to memory of 2944 2840 nnnbnb.exe 35 PID 2840 wrote to memory of 2944 2840 nnnbnb.exe 35 PID 2840 wrote to memory of 2944 2840 nnnbnb.exe 35 PID 2944 wrote to memory of 2808 2944 rllxlrf.exe 36 PID 2944 wrote to memory of 2808 2944 rllxlrf.exe 36 PID 2944 wrote to memory of 2808 2944 rllxlrf.exe 36 PID 2944 wrote to memory of 2808 2944 rllxlrf.exe 36 PID 2808 wrote to memory of 2828 2808 ffxlffl.exe 37 PID 2808 wrote to memory of 2828 2808 ffxlffl.exe 37 PID 2808 wrote to memory of 2828 2808 ffxlffl.exe 37 PID 2808 wrote to memory of 2828 2808 ffxlffl.exe 37 PID 2828 wrote to memory of 2604 2828 3fllrfl.exe 38 PID 
2828 wrote to memory of 2604 2828 3fllrfl.exe 38 PID 2828 wrote to memory of 2604 2828 3fllrfl.exe 38 PID 2828 wrote to memory of 2604 2828 3fllrfl.exe 38 PID 2604 wrote to memory of 2680 2604 fxrfxff.exe 39 PID 2604 wrote to memory of 2680 2604 fxrfxff.exe 39 PID 2604 wrote to memory of 2680 2604 fxrfxff.exe 39 PID 2604 wrote to memory of 2680 2604 fxrfxff.exe 39 PID 2680 wrote to memory of 2552 2680 vvpvj.exe 40 PID 2680 wrote to memory of 2552 2680 vvpvj.exe 40 PID 2680 wrote to memory of 2552 2680 vvpvj.exe 40 PID 2680 wrote to memory of 2552 2680 vvpvj.exe 40 PID 2552 wrote to memory of 2508 2552 pppdv.exe 41 PID 2552 wrote to memory of 2508 2552 pppdv.exe 41 PID 2552 wrote to memory of 2508 2552 pppdv.exe 41 PID 2552 wrote to memory of 2508 2552 pppdv.exe 41 PID 2508 wrote to memory of 2008 2508 5frxfrf.exe 42 PID 2508 wrote to memory of 2008 2508 5frxfrf.exe 42 PID 2508 wrote to memory of 2008 2508 5frxfrf.exe 42 PID 2508 wrote to memory of 2008 2508 5frxfrf.exe 42 PID 2008 wrote to memory of 1888 2008 dppvj.exe 43 PID 2008 wrote to memory of 1888 2008 dppvj.exe 43 PID 2008 wrote to memory of 1888 2008 dppvj.exe 43 PID 2008 wrote to memory of 1888 2008 dppvj.exe 43 PID 1888 wrote to memory of 1448 1888 xllrflr.exe 44 PID 1888 wrote to memory of 1448 1888 xllrflr.exe 44 PID 1888 wrote to memory of 1448 1888 xllrflr.exe 44 PID 1888 wrote to memory of 1448 1888 xllrflr.exe 44 PID 1448 wrote to memory of 1588 1448 btbtbb.exe 45 PID 1448 wrote to memory of 1588 1448 btbtbb.exe 45 PID 1448 wrote to memory of 1588 1448 btbtbb.exe 45 PID 1448 wrote to memory of 1588 1448 btbtbb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe"C:\Users\Admin\AppData\Local\Temp\88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\hbnnbt.exec:\hbnnbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\bhbhnt.exec:\bhbhnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\jpvdv.exec:\jpvdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\rlxxlrf.exec:\rlxxlrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\nnnbnb.exec:\nnnbnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\rllxlrf.exec:\rllxlrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\ffxlffl.exec:\ffxlffl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\3fllrfl.exec:\3fllrfl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\fxrfxff.exec:\fxrfxff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\vvpvj.exec:\vvpvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\pppdv.exec:\pppdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\5frxfrf.exec:\5frxfrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\dppvj.exec:\dppvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\xllrflr.exec:\xllrflr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\btbtbb.exec:\btbtbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\hbtthh.exec:\hbtthh.exe17⤵
- Executes dropped EXE
PID:1588 -
\??\c:\pdjpd.exec:\pdjpd.exe18⤵
- Executes dropped EXE
PID:1812 -
\??\c:\dvpvd.exec:\dvpvd.exe19⤵
- Executes dropped EXE
PID:1684 -
\??\c:\jdppv.exec:\jdppv.exe20⤵
- Executes dropped EXE
PID:2844 -
\??\c:\9hbhbh.exec:\9hbhbh.exe21⤵
- Executes dropped EXE
PID:1620 -
\??\c:\9ddvd.exec:\9ddvd.exe22⤵
- Executes dropped EXE
PID:2916 -
\??\c:\3lxfrfl.exec:\3lxfrfl.exe23⤵
- Executes dropped EXE
PID:1300 -
\??\c:\vjdpp.exec:\vjdpp.exe24⤵
- Executes dropped EXE
PID:2664 -
\??\c:\ttntth.exec:\ttntth.exe25⤵
- Executes dropped EXE
PID:988 -
\??\c:\jppjp.exec:\jppjp.exe26⤵
- Executes dropped EXE
PID:1552 -
\??\c:\btbhnt.exec:\btbhnt.exe27⤵
- Executes dropped EXE
PID:1668 -
\??\c:\dvpjp.exec:\dvpjp.exe28⤵
- Executes dropped EXE
PID:2964 -
\??\c:\thnhbb.exec:\thnhbb.exe29⤵
- Executes dropped EXE
PID:2484 -
\??\c:\bnbnhb.exec:\bnbnhb.exe30⤵
- Executes dropped EXE
PID:2280 -
\??\c:\ppjdp.exec:\ppjdp.exe31⤵
- Executes dropped EXE
PID:2124 -
\??\c:\bhbtnt.exec:\bhbtnt.exe32⤵
- Executes dropped EXE
PID:1480 -
\??\c:\lrlrllr.exec:\lrlrllr.exe33⤵
- Executes dropped EXE
PID:2988 -
\??\c:\9nhnbh.exec:\9nhnbh.exe34⤵
- Executes dropped EXE
PID:2324 -
\??\c:\7ddpp.exec:\7ddpp.exe35⤵
- Executes dropped EXE
PID:2928 -
\??\c:\9rxxxlx.exec:\9rxxxlx.exe36⤵
- Executes dropped EXE
PID:580 -
\??\c:\tnbhnb.exec:\tnbhnb.exe37⤵
- Executes dropped EXE
PID:2312 -
\??\c:\vppdp.exec:\vppdp.exe38⤵
- Executes dropped EXE
PID:1700 -
\??\c:\jdvdp.exec:\jdvdp.exe39⤵
- Executes dropped EXE
PID:2952 -
\??\c:\fffrffr.exec:\fffrffr.exe40⤵
- Executes dropped EXE
PID:2896 -
\??\c:\tthbhh.exec:\tthbhh.exe41⤵
- Executes dropped EXE
PID:2856 -
\??\c:\pjvjv.exec:\pjvjv.exe42⤵
- Executes dropped EXE
PID:2300 -
\??\c:\jdvdp.exec:\jdvdp.exe43⤵
- Executes dropped EXE
PID:2640 -
\??\c:\rlfrllx.exec:\rlfrllx.exe44⤵
- Executes dropped EXE
PID:2828 -
\??\c:\hhthnt.exec:\hhthnt.exe45⤵
- Executes dropped EXE
PID:2716 -
\??\c:\tnhntb.exec:\tnhntb.exe46⤵
- Executes dropped EXE
PID:3024 -
\??\c:\9vpdj.exec:\9vpdj.exe47⤵
- Executes dropped EXE
PID:2296 -
\??\c:\fxxfrxr.exec:\fxxfrxr.exe48⤵
- Executes dropped EXE
PID:1716 -
\??\c:\rflrlrx.exec:\rflrlrx.exe49⤵
- Executes dropped EXE
PID:2140 -
\??\c:\tththn.exec:\tththn.exe50⤵
- Executes dropped EXE
PID:2008 -
\??\c:\dpvvd.exec:\dpvvd.exe51⤵
- Executes dropped EXE
PID:1960 -
\??\c:\llffrlf.exec:\llffrlf.exe52⤵
- Executes dropped EXE
PID:1932 -
\??\c:\nthhbb.exec:\nthhbb.exe53⤵
- Executes dropped EXE
PID:1796 -
\??\c:\hbbhtt.exec:\hbbhtt.exe54⤵
- Executes dropped EXE
PID:1752 -
\??\c:\3pvjj.exec:\3pvjj.exe55⤵
- Executes dropped EXE
PID:1920 -
\??\c:\rrllffl.exec:\rrllffl.exe56⤵
- Executes dropped EXE
PID:816 -
\??\c:\hhthtt.exec:\hhthtt.exe57⤵
- Executes dropped EXE
PID:1524 -
\??\c:\7hbbbh.exec:\7hbbbh.exe58⤵
- Executes dropped EXE
PID:2468 -
\??\c:\pjdjv.exec:\pjdjv.exe59⤵
- Executes dropped EXE
PID:2168 -
\??\c:\3lffxxl.exec:\3lffxxl.exe60⤵
- Executes dropped EXE
PID:2824 -
\??\c:\llxlrrx.exec:\llxlrrx.exe61⤵
- Executes dropped EXE
PID:948 -
\??\c:\hbtntn.exec:\hbtntn.exe62⤵
- Executes dropped EXE
PID:2460 -
\??\c:\vpjpv.exec:\vpjpv.exe63⤵
- Executes dropped EXE
PID:1156 -
\??\c:\jvvvp.exec:\jvvvp.exe64⤵
- Executes dropped EXE
PID:404 -
\??\c:\frllxxl.exec:\frllxxl.exe65⤵
- Executes dropped EXE
PID:1952 -
\??\c:\nhbbtt.exec:\nhbbtt.exe66⤵PID:1704
-
\??\c:\5httnn.exec:\5httnn.exe67⤵PID:1660
-
\??\c:\pjjpv.exec:\pjjpv.exe68⤵PID:2180
-
\??\c:\rfrrrxf.exec:\rfrrrxf.exe69⤵PID:2164
-
\??\c:\llxflrr.exec:\llxflrr.exe70⤵PID:2336
-
\??\c:\7bnnnt.exec:\7bnnnt.exe71⤵PID:1876
-
\??\c:\jjdjv.exec:\jjdjv.exe72⤵PID:316
-
\??\c:\pjdjv.exec:\pjdjv.exe73⤵PID:768
-
\??\c:\lfflrxl.exec:\lfflrxl.exe74⤵PID:2984
-
\??\c:\hbthbt.exec:\hbthbt.exe75⤵PID:3008
-
\??\c:\jdvjv.exec:\jdvjv.exe76⤵PID:2080
-
\??\c:\pjpdd.exec:\pjpdd.exe77⤵PID:2324
-
\??\c:\1xxxffl.exec:\1xxxffl.exe78⤵PID:2240
-
\??\c:\hhttbt.exec:\hhttbt.exe79⤵PID:580
-
\??\c:\hbhbbb.exec:\hbhbbb.exe80⤵PID:2220
-
\??\c:\pjdvp.exec:\pjdvp.exe81⤵PID:2696
-
\??\c:\xrffflr.exec:\xrffflr.exe82⤵PID:2268
-
\??\c:\9lrxrxl.exec:\9lrxrxl.exe83⤵PID:2760
-
\??\c:\nnnbnt.exec:\nnnbnt.exe84⤵PID:2856
-
\??\c:\pjdpv.exec:\pjdpv.exe85⤵PID:2852
-
\??\c:\jjdjp.exec:\jjdjp.exe86⤵PID:2808
-
\??\c:\xxrxffl.exec:\xxrxffl.exe87⤵PID:2648
-
\??\c:\bnnnhn.exec:\bnnnhn.exe88⤵PID:2608
-
\??\c:\tttbhn.exec:\tttbhn.exe89⤵PID:3020
-
\??\c:\jdpvp.exec:\jdpvp.exe90⤵PID:1104
-
\??\c:\rrlrfxr.exec:\rrlrfxr.exe91⤵PID:1712
-
\??\c:\ttnnbt.exec:\ttnnbt.exe92⤵PID:2004
-
\??\c:\tnnbnt.exec:\tnnbnt.exe93⤵PID:2356
-
\??\c:\dpddj.exec:\dpddj.exe94⤵PID:1888
-
\??\c:\fxrxxfr.exec:\fxrxxfr.exe95⤵PID:1720
-
\??\c:\hhbhnn.exec:\hhbhnn.exe96⤵PID:2416
-
\??\c:\hbthbh.exec:\hbthbh.exe97⤵PID:1508
-
\??\c:\pjddp.exec:\pjddp.exe98⤵PID:1040
-
\??\c:\9lxxrxl.exec:\9lxxrxl.exe99⤵PID:1804
-
\??\c:\3thtbb.exec:\3thtbb.exe100⤵
- System Location Discovery: System Language Discovery
PID:1524 -
\??\c:\vvvdj.exec:\vvvdj.exe101⤵PID:548
-
\??\c:\7vddp.exec:\7vddp.exe102⤵PID:2168
-
\??\c:\1xrxflx.exec:\1xrxflx.exe103⤵PID:1648
-
\??\c:\nbtthn.exec:\nbtthn.exe104⤵PID:1048
-
\??\c:\bttbnt.exec:\bttbnt.exe105⤵PID:1084
-
\??\c:\ppdpj.exec:\ppdpj.exe106⤵PID:1184
-
\??\c:\rlxffxr.exec:\rlxffxr.exe107⤵PID:404
-
\??\c:\hhhnbh.exec:\hhhnbh.exe108⤵PID:1748
-
\??\c:\nhtbhh.exec:\nhtbhh.exe109⤵PID:2328
-
\??\c:\dvpdj.exec:\dvpdj.exe110⤵PID:2476
-
\??\c:\fxxlxxr.exec:\fxxlxxr.exe111⤵PID:2180
-
\??\c:\nbnnbn.exec:\nbnnbn.exe112⤵PID:544
-
\??\c:\bnhnbn.exec:\bnhnbn.exe113⤵PID:932
-
\??\c:\3pjpv.exec:\3pjpv.exe114⤵PID:700
-
\??\c:\xxrxlrr.exec:\xxrxlrr.exe115⤵PID:2136
-
\??\c:\5rrfxfl.exec:\5rrfxfl.exe116⤵PID:2544
-
\??\c:\nhhhtb.exec:\nhhhtb.exe117⤵PID:2984
-
\??\c:\7vjdj.exec:\7vjdj.exe118⤵PID:2228
-
\??\c:\lfxxfxl.exec:\lfxxfxl.exe119⤵PID:3004
-
\??\c:\5xflrxf.exec:\5xflrxf.exe120⤵PID:2324
-
\??\c:\9hthnn.exec:\9hthnn.exe121⤵PID:2712
-
\??\c:\3dpdp.exec:\3dpdp.exe122⤵PID:1596