Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 14:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
(Note: every memory/YARA hit listed below is tagged behavioral2, i.e. the windows10-2004_x64 run described at the top of this page; the behavioral2 task row itself is not shown here, so the task table appears truncated and the win7 run's results are not what follows.)
General
-
Target
88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe
-
Size
454KB
-
MD5
0d90f5002420f598054cc3e18baa454c
-
SHA1
f7e0ebf970ba987751b48cb8f4d65e72f427a082
-
SHA256
88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c
-
SHA512
dabeb9bab015eb810ffd40d16ed4bb431a89c699417e0e1a08479f1c641f963c7c91a96b2dc5dafa24957bf8210a00718360e1ec71b3d2c024f809b4943e4f71
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (YARA rule family_blackmoon matched in the process memory of the original sample and of the dropped executables; every hit covers the same 0x0000000000400000-0x000000000042A000 image range, and the same regions also match the generic upx packer rule further down, which is consistent with each dropped file being a UPX-packed copy of one payload — confirm by hashing the dropped files, which this report does not list. The list is capped at 64 entries and should not be read as a count of affected processes.)
resource yara_rule behavioral2/memory/464-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3428-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4996-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-770-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-899-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-909-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-934-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3452-1068-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (capped at 64 entries; the process tree below continues past depth 122, so the real number of dropped executables is higher. Each file is written to the drive root (\??\c:\) under a short random-looking name and is spawned as the child of the previously dropped one, so the behaviour is a chain of drop-and-execute steps rather than a single drop.)
pid Process 464 nhnnnh.exe 1736 jpvpj.exe 1576 vppdv.exe 1268 pjjdj.exe 3892 nhnhbb.exe 964 pjvpj.exe 5092 1rllfff.exe 4612 5vjdp.exe 3452 xlxrrrl.exe 4340 pjppj.exe 428 nnbbnn.exe 4716 rlxlffx.exe 940 bntnnn.exe 5056 xrllxll.exe 3024 nbtnhh.exe 4524 hhhhhh.exe 1540 3vddv.exe 2748 xrrrllf.exe 2116 frxrlfx.exe 3192 llxrffr.exe 4176 7jjvj.exe 4864 thnhbt.exe 3680 5rrllxx.exe 4872 1ttttb.exe 1628 xxllrrx.exe 4876 5tbhbt.exe 4920 7bhnnb.exe 800 vvjjj.exe 4468 pvvvv.exe 1028 bhhnnn.exe 872 pdjjd.exe 992 3ffxxxx.exe 3840 rrrllff.exe 3428 rlrllll.exe 3632 7bhhhn.exe 3488 jdppp.exe 4400 1rxffrl.exe 3540 bnnhhb.exe 2184 pvjdp.exe 5064 fflllrx.exe 2728 bbbhbn.exe 3620 vpvvp.exe 548 7llffff.exe 1420 nnnhbb.exe 2188 1vdvp.exe 2512 ppddd.exe 5004 lfrlrrx.exe 952 nbhntb.exe 388 hnnhbb.exe 3420 jdpjd.exe 4368 rrxxxxx.exe 5020 7nttnt.exe 2340 hhbbtt.exe 1600 dppjp.exe 4744 lffxxfx.exe 3600 xxxxrxr.exe 2272 hbtntn.exe 648 vppjd.exe 1156 flrlrrl.exe 2608 tntbtt.exe 1252 dpjvj.exe 4328 rlrffxx.exe 2268 bbtnhb.exe 3152 vddvd.exe -
resource yara_rule behavioral2/memory/464-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-193-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3488-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-369-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4876-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-592-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Caveat: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by ordinary runtime/locale initialisation, so this TTP is weak evidence on its own. "Process not Found" in the IoC list below means the sandbox could not attribute the key access to a live process (presumably one that had already exited), not that the access was blocked.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
1bhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (every entry is a parent writing into the child it has just created — the target PID is always the next executable in the chain, and each parent/child pair is logged three times — which is consistent with the writes that accompany process start-up rather than injection into an unrelated process; no writes into foreign or system processes appear in this list. The list is capped at 64 entries.)
description pid Process procid_target PID 4116 wrote to memory of 464 4116 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 83 PID 4116 wrote to memory of 464 4116 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 83 PID 4116 wrote to memory of 464 4116 88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe 83 PID 464 wrote to memory of 1736 464 nhnnnh.exe 84 PID 464 wrote to memory of 1736 464 nhnnnh.exe 84 PID 464 wrote to memory of 1736 464 nhnnnh.exe 84 PID 1736 wrote to memory of 1576 1736 jpvpj.exe 85 PID 1736 wrote to memory of 1576 1736 jpvpj.exe 85 PID 1736 wrote to memory of 1576 1736 jpvpj.exe 85 PID 1576 wrote to memory of 1268 1576 vppdv.exe 86 PID 1576 wrote to memory of 1268 1576 vppdv.exe 86 PID 1576 wrote to memory of 1268 1576 vppdv.exe 86 PID 1268 wrote to memory of 3892 1268 pjjdj.exe 87 PID 1268 wrote to memory of 3892 1268 pjjdj.exe 87 PID 1268 wrote to memory of 3892 1268 pjjdj.exe 87 PID 3892 wrote to memory of 964 3892 nhnhbb.exe 88 PID 3892 wrote to memory of 964 3892 nhnhbb.exe 88 PID 3892 wrote to memory of 964 3892 nhnhbb.exe 88 PID 964 wrote to memory of 5092 964 pjvpj.exe 89 PID 964 wrote to memory of 5092 964 pjvpj.exe 89 PID 964 wrote to memory of 5092 964 pjvpj.exe 89 PID 5092 wrote to memory of 4612 5092 1rllfff.exe 90 PID 5092 wrote to memory of 4612 5092 1rllfff.exe 90 PID 5092 wrote to memory of 4612 5092 1rllfff.exe 90 PID 4612 wrote to memory of 3452 4612 5vjdp.exe 91 PID 4612 wrote to memory of 3452 4612 5vjdp.exe 91 PID 4612 wrote to memory of 3452 4612 5vjdp.exe 91 PID 3452 wrote to memory of 4340 3452 xlxrrrl.exe 92 PID 3452 wrote to memory of 4340 3452 xlxrrrl.exe 92 PID 3452 wrote to memory of 4340 3452 xlxrrrl.exe 92 PID 4340 wrote to memory of 428 4340 pjppj.exe 93 PID 4340 wrote to memory of 428 4340 pjppj.exe 93 PID 4340 wrote to memory of 428 4340 pjppj.exe 93 PID 428 wrote to memory of 4716 428 nnbbnn.exe 94 PID 428 wrote to memory of 4716 428 nnbbnn.exe 94 PID 
428 wrote to memory of 4716 428 nnbbnn.exe 94 PID 4716 wrote to memory of 940 4716 rlxlffx.exe 95 PID 4716 wrote to memory of 940 4716 rlxlffx.exe 95 PID 4716 wrote to memory of 940 4716 rlxlffx.exe 95 PID 940 wrote to memory of 5056 940 bntnnn.exe 96 PID 940 wrote to memory of 5056 940 bntnnn.exe 96 PID 940 wrote to memory of 5056 940 bntnnn.exe 96 PID 5056 wrote to memory of 3024 5056 xrllxll.exe 97 PID 5056 wrote to memory of 3024 5056 xrllxll.exe 97 PID 5056 wrote to memory of 3024 5056 xrllxll.exe 97 PID 3024 wrote to memory of 4524 3024 nbtnhh.exe 98 PID 3024 wrote to memory of 4524 3024 nbtnhh.exe 98 PID 3024 wrote to memory of 4524 3024 nbtnhh.exe 98 PID 4524 wrote to memory of 1540 4524 hhhhhh.exe 99 PID 4524 wrote to memory of 1540 4524 hhhhhh.exe 99 PID 4524 wrote to memory of 1540 4524 hhhhhh.exe 99 PID 1540 wrote to memory of 2748 1540 3vddv.exe 100 PID 1540 wrote to memory of 2748 1540 3vddv.exe 100 PID 1540 wrote to memory of 2748 1540 3vddv.exe 100 PID 2748 wrote to memory of 2116 2748 xrrrllf.exe 101 PID 2748 wrote to memory of 2116 2748 xrrrllf.exe 101 PID 2748 wrote to memory of 2116 2748 xrrrllf.exe 101 PID 2116 wrote to memory of 3192 2116 frxrlfx.exe 102 PID 2116 wrote to memory of 3192 2116 frxrlfx.exe 102 PID 2116 wrote to memory of 3192 2116 frxrlfx.exe 102 PID 3192 wrote to memory of 4176 3192 llxrffr.exe 103 PID 3192 wrote to memory of 4176 3192 llxrffr.exe 103 PID 3192 wrote to memory of 4176 3192 llxrffr.exe 103 PID 4176 wrote to memory of 4864 4176 7jjvj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe "C:\Users\Admin\AppData\Local\Temp\88a43dc7c47cdc8689b6569879d26bc6002cc224474de0ab5b727c3ecc030c6c.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\nhnnnh.exec:\nhnnnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\jpvpj.exec:\jpvpj.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\vppdv.exec:\vppdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\pjjdj.exec:\pjjdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\nhnhbb.exec:\nhnhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\pjvpj.exec:\pjvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\1rllfff.exec:\1rllfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\5vjdp.exec:\5vjdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\xlxrrrl.exec:\xlxrrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\pjppj.exec:\pjppj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\nnbbnn.exec:\nnbbnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\rlxlffx.exec:\rlxlffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\bntnnn.exec:\bntnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\xrllxll.exec:\xrllxll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\nbtnhh.exec:\nbtnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\hhhhhh.exec:\hhhhhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\3vddv.exec:\3vddv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\xrrrllf.exec:\xrrrllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\frxrlfx.exec:\frxrlfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\llxrffr.exec:\llxrffr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\7jjvj.exec:\7jjvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\thnhbt.exec:\thnhbt.exe23⤵
- Executes dropped EXE
PID:4864 -
\??\c:\5rrllxx.exec:\5rrllxx.exe24⤵
- Executes dropped EXE
PID:3680 -
\??\c:\1ttttb.exec:\1ttttb.exe25⤵
- Executes dropped EXE
PID:4872 -
\??\c:\xxllrrx.exec:\xxllrrx.exe26⤵
- Executes dropped EXE
PID:1628 -
\??\c:\5tbhbt.exec:\5tbhbt.exe27⤵
- Executes dropped EXE
PID:4876 -
\??\c:\7bhnnb.exec:\7bhnnb.exe28⤵
- Executes dropped EXE
PID:4920 -
\??\c:\vvjjj.exec:\vvjjj.exe29⤵
- Executes dropped EXE
PID:800 -
\??\c:\pvvvv.exec:\pvvvv.exe30⤵
- Executes dropped EXE
PID:4468 -
\??\c:\bhhnnn.exec:\bhhnnn.exe31⤵
- Executes dropped EXE
PID:1028 -
\??\c:\pdjjd.exec:\pdjjd.exe32⤵
- Executes dropped EXE
PID:872 -
\??\c:\3ffxxxx.exec:\3ffxxxx.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:992 -
\??\c:\rrrllff.exec:\rrrllff.exe34⤵
- Executes dropped EXE
PID:3840 -
\??\c:\rlrllll.exec:\rlrllll.exe35⤵
- Executes dropped EXE
PID:3428 -
\??\c:\7bhhhn.exec:\7bhhhn.exe36⤵
- Executes dropped EXE
PID:3632 -
\??\c:\jdppp.exec:\jdppp.exe37⤵
- Executes dropped EXE
PID:3488 -
\??\c:\1rxffrl.exec:\1rxffrl.exe38⤵
- Executes dropped EXE
PID:4400 -
\??\c:\bnnhhb.exec:\bnnhhb.exe39⤵
- Executes dropped EXE
PID:3540 -
\??\c:\pvjdp.exec:\pvjdp.exe40⤵
- Executes dropped EXE
PID:2184 -
\??\c:\fflllrx.exec:\fflllrx.exe41⤵
- Executes dropped EXE
PID:5064 -
\??\c:\bbbhbn.exec:\bbbhbn.exe42⤵
- Executes dropped EXE
PID:2728 -
\??\c:\vpvvp.exec:\vpvvp.exe43⤵
- Executes dropped EXE
PID:3620 -
\??\c:\7llffff.exec:\7llffff.exe44⤵
- Executes dropped EXE
PID:548 -
\??\c:\nnnhbb.exec:\nnnhbb.exe45⤵
- Executes dropped EXE
PID:1420 -
\??\c:\1vdvp.exec:\1vdvp.exe46⤵
- Executes dropped EXE
PID:2188 -
\??\c:\ppddd.exec:\ppddd.exe47⤵
- Executes dropped EXE
PID:2512 -
\??\c:\lfrlrrx.exec:\lfrlrrx.exe48⤵
- Executes dropped EXE
PID:5004 -
\??\c:\nbhntb.exec:\nbhntb.exe49⤵
- Executes dropped EXE
PID:952 -
\??\c:\hnnhbb.exec:\hnnhbb.exe50⤵
- Executes dropped EXE
PID:388 -
\??\c:\jdpjd.exec:\jdpjd.exe51⤵
- Executes dropped EXE
PID:3420 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe52⤵
- Executes dropped EXE
PID:4368 -
\??\c:\7nttnt.exec:\7nttnt.exe53⤵
- Executes dropped EXE
PID:5020 -
\??\c:\hhbbtt.exec:\hhbbtt.exe54⤵
- Executes dropped EXE
PID:2340 -
\??\c:\dppjp.exec:\dppjp.exe55⤵
- Executes dropped EXE
PID:1600 -
\??\c:\lffxxfx.exec:\lffxxfx.exe56⤵
- Executes dropped EXE
PID:4744 -
\??\c:\xxxxrxr.exec:\xxxxrxr.exe57⤵
- Executes dropped EXE
PID:3600 -
\??\c:\hbtntn.exec:\hbtntn.exe58⤵
- Executes dropped EXE
PID:2272 -
\??\c:\vppjd.exec:\vppjd.exe59⤵
- Executes dropped EXE
PID:648 -
\??\c:\flrlrrl.exec:\flrlrrl.exe60⤵
- Executes dropped EXE
PID:1156 -
\??\c:\tntbtt.exec:\tntbtt.exe61⤵
- Executes dropped EXE
PID:2608 -
\??\c:\dpjvj.exec:\dpjvj.exe62⤵
- Executes dropped EXE
PID:1252 -
\??\c:\rlrffxx.exec:\rlrffxx.exe63⤵
- Executes dropped EXE
PID:4328 -
\??\c:\bbtnhb.exec:\bbtnhb.exe64⤵
- Executes dropped EXE
PID:2268 -
\??\c:\vddvd.exec:\vddvd.exe65⤵
- Executes dropped EXE
PID:3152 -
\??\c:\rrflfrr.exec:\rrflfrr.exe66⤵PID:4384
-
\??\c:\ttbtbb.exec:\ttbtbb.exe67⤵PID:3376
-
\??\c:\pjpdd.exec:\pjpdd.exe68⤵PID:3612
-
\??\c:\xrxrllf.exec:\xrxrllf.exe69⤵PID:456
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe70⤵
- System Location Discovery: System Language Discovery
PID:3984 -
\??\c:\ppvpd.exec:\ppvpd.exe71⤵PID:796
-
\??\c:\fxlffff.exec:\fxlffff.exe72⤵PID:312
-
\??\c:\nhnhhh.exec:\nhnhhh.exe73⤵PID:4332
-
\??\c:\hbhhhh.exec:\hbhhhh.exe74⤵PID:2308
-
\??\c:\dppjj.exec:\dppjj.exe75⤵PID:3408
-
\??\c:\1xrlxxx.exec:\1xrlxxx.exe76⤵PID:1980
-
\??\c:\hthhhh.exec:\hthhhh.exe77⤵PID:3036
-
\??\c:\pjjjd.exec:\pjjjd.exe78⤵PID:956
-
\??\c:\dddvv.exec:\dddvv.exe79⤵PID:5116
-
\??\c:\rlxrllf.exec:\rlxrllf.exe80⤵PID:2840
-
\??\c:\tbhhbb.exec:\tbhhbb.exe81⤵PID:1732
-
\??\c:\ppppd.exec:\ppppd.exe82⤵PID:740
-
\??\c:\lrfxrrl.exec:\lrfxrrl.exe83⤵PID:4996
-
\??\c:\bttnht.exec:\bttnht.exe84⤵PID:3144
-
\??\c:\5dddv.exec:\5dddv.exe85⤵PID:4840
-
\??\c:\frxrllf.exec:\frxrllf.exe86⤵PID:4752
-
\??\c:\btttnt.exec:\btttnt.exe87⤵PID:3128
-
\??\c:\jjjpp.exec:\jjjpp.exe88⤵PID:3716
-
\??\c:\xxflllf.exec:\xxflllf.exe89⤵PID:4876
-
\??\c:\nhnnhh.exec:\nhnnhh.exe90⤵PID:2624
-
\??\c:\pjdvv.exec:\pjdvv.exe91⤵PID:3520
-
\??\c:\lflfxxx.exec:\lflfxxx.exe92⤵PID:5084
-
\??\c:\nhtbhh.exec:\nhtbhh.exe93⤵PID:904
-
\??\c:\ddddv.exec:\ddddv.exe94⤵PID:2900
-
\??\c:\fxfxrxr.exec:\fxfxrxr.exe95⤵PID:932
-
\??\c:\jvjdd.exec:\jvjdd.exe96⤵PID:3908
-
\??\c:\flxllff.exec:\flxllff.exe97⤵PID:2948
-
\??\c:\rxrlffx.exec:\rxrlffx.exe98⤵PID:1676
-
\??\c:\thnhhb.exec:\thnhhb.exe99⤵PID:756
-
\??\c:\lfxxrfr.exec:\lfxxrfr.exe100⤵PID:5096
-
\??\c:\bhhhbt.exec:\bhhhbt.exe101⤵PID:4008
-
\??\c:\ddvpj.exec:\ddvpj.exe102⤵PID:2332
-
\??\c:\vjpjv.exec:\vjpjv.exe103⤵PID:3476
-
\??\c:\flxrlxf.exec:\flxrlxf.exe104⤵PID:2040
-
\??\c:\nhthbb.exec:\nhthbb.exe105⤵PID:4460
-
\??\c:\vjdvd.exec:\vjdvd.exe106⤵PID:2720
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe107⤵PID:1532
-
\??\c:\7bbbbt.exec:\7bbbbt.exe108⤵PID:1712
-
\??\c:\pdpdv.exec:\pdpdv.exe109⤵PID:3416
-
\??\c:\lrfxllf.exec:\lrfxllf.exe110⤵PID:3028
-
\??\c:\bbthtt.exec:\bbthtt.exe111⤵PID:8
-
\??\c:\9pdvd.exec:\9pdvd.exe112⤵PID:4968
-
\??\c:\jjppd.exec:\jjppd.exe113⤵PID:216
-
\??\c:\bthnnn.exec:\bthnnn.exe114⤵PID:3068
-
\??\c:\nhttbb.exec:\nhttbb.exe115⤵PID:3672
-
\??\c:\pjvpv.exec:\pjvpv.exe116⤵PID:1300
-
\??\c:\lllfxxx.exec:\lllfxxx.exe117⤵PID:3360
-
\??\c:\hhnnhh.exec:\hhnnhh.exe118⤵PID:1728
-
\??\c:\dvdvp.exec:\dvdvp.exe119⤵PID:1736
-
\??\c:\xrxrllr.exec:\xrxrllr.exe120⤵PID:536
-
\??\c:\3bbtnn.exec:\3bbtnn.exe121⤵PID:4356
-
\??\c:\vvdjj.exec:\vvdjj.exe122⤵PID:644