Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe
-
Size
454KB
-
MD5
88943742fb126eddd36896fe56492d1c
-
SHA1
b59c47bf053355f69f79165ff33fae52a03582fb
-
SHA256
922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a
-
SHA512
e4ea52b69ff0da35087208b43efffdf610eacd9b96ab401ebd5985873547a8f27095b7258cf352c3cdaa9c5d3f1d9d3e538e8eb250c35c8dc6731225a597c8dc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe+:q7Tc2NYHUrAwfMp3CD+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 50 IoCs
resource yara_rule behavioral1/memory/2252-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/376-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2248-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2784-46-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2672-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1204-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-141-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2948-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1516-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1896-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2276-304-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2276-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1464-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-324-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2596-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/444-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/444-398-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/1716-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-447-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1692-488-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2548-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2304-525-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1648-538-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2332-564-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1764-567-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2208-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2780-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2572-629-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2848-665-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2380-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1532-753-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2164-840-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2620-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-904-0x00000000001E0000-0x000000000020A000-memory.dmp family_blackmoon behavioral1/memory/2120-950-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2176 xxlflrx.exe 376 dddvj.exe 2248 frlxlrx.exe 2784 jdpjj.exe 2672 5fflrfx.exe 2168 dvjpp.exe 2596 xxfrxxf.exe 2732 bnthhb.exe 2588 jvjpp.exe 976 lfxfllx.exe 2636 vpjjv.exe 1204 ppjpd.exe 2888 htnntt.exe 2916 jvjjp.exe 2748 bhtthh.exe 2948 vdvpv.exe 3008 fxlrflf.exe 1516 dvjpd.exe 480 xxfrxrl.exe 1896 9jddj.exe 1288 fxrxrxf.exe 1692 3btbhn.exe 2440 rlflxxl.exe 1328 5bhthh.exe 1648 fxllxxl.exe 1912 lrllrrf.exe 3024 jjdjv.exe 1676 rrflrrf.exe 2136 nnhbnn.exe 2472 jdpvv.exe 1636 7xlllff.exe 2276 bnthbb.exe 2100 1xfrxfl.exe 1464 xxrrffr.exe 2808 hhtthn.exe 2796 3pjjj.exe 2820 9xxxlfx.exe 2728 xrlxlfr.exe 2168 nnbtnb.exe 2596 5pddj.exe 2564 9pjjp.exe 444 xrflxxf.exe 2088 ttnthn.exe 2628 vdpvd.exe 1716 xrllxxl.exe 1604 fxxflrx.exe 2888 htnhnb.exe 1252 dvjjp.exe 1996 rlfllxr.exe 1480 xrffllf.exe 1424 ntbhnn.exe 1688 jdvvj.exe 2608 lfrrxxl.exe 1780 xfrrfrx.exe 528 3tnntt.exe 1896 dddvv.exe 1072 jdjjp.exe 2180 fffrfrf.exe 1692 hhntht.exe 2440 nhbnbh.exe 396 dvjvd.exe 2548 dvdjv.exe 1648 lxrxffr.exe 2304 tntbnn.exe -
resource yara_rule behavioral1/memory/2252-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/376-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2248-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2784-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1204-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2948-157-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2948-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1692-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2276-303-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1464-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/444-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2236-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-665-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2380-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-840-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/2692-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-891-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-924-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llxllx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2176 2252 922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe 31 PID 2252 wrote to memory of 2176 2252 922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe 31 PID 2252 wrote to memory of 2176 2252 922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe 31 PID 2252 wrote to memory of 2176 2252 922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe 31 PID 2176 wrote to memory of 376 2176 xxlflrx.exe 32 PID 2176 wrote to memory of 376 2176 xxlflrx.exe 32 PID 2176 wrote to memory of 376 2176 xxlflrx.exe 32 PID 2176 wrote to memory of 376 2176 xxlflrx.exe 32 PID 376 wrote to memory of 2248 376 dddvj.exe 33 PID 376 wrote to memory of 2248 376 dddvj.exe 33 PID 376 wrote to memory of 2248 376 dddvj.exe 33 PID 376 wrote to memory of 2248 376 dddvj.exe 33 PID 2248 wrote to memory of 2784 2248 frlxlrx.exe 34 PID 2248 wrote to memory of 2784 2248 frlxlrx.exe 34 PID 2248 wrote to memory of 2784 2248 frlxlrx.exe 34 PID 2248 wrote to memory of 2784 2248 frlxlrx.exe 34 PID 2784 wrote to memory of 2672 2784 jdpjj.exe 35 PID 2784 wrote to memory of 2672 2784 jdpjj.exe 35 PID 2784 wrote to memory of 2672 2784 jdpjj.exe 35 PID 2784 wrote to memory of 2672 2784 jdpjj.exe 35 PID 2672 wrote to memory of 2168 2672 5fflrfx.exe 36 PID 2672 wrote to memory of 2168 2672 5fflrfx.exe 36 PID 2672 wrote to memory of 2168 2672 5fflrfx.exe 36 PID 2672 wrote to memory of 2168 2672 5fflrfx.exe 36 PID 2168 wrote to memory of 2596 2168 dvjpp.exe 37 PID 2168 wrote to memory of 2596 2168 dvjpp.exe 37 PID 2168 wrote to memory of 2596 2168 dvjpp.exe 37 PID 2168 wrote to memory of 2596 2168 dvjpp.exe 37 PID 2596 wrote to memory of 2732 2596 xxfrxxf.exe 38 PID 2596 wrote to memory of 2732 2596 xxfrxxf.exe 38 PID 2596 wrote to memory of 2732 2596 xxfrxxf.exe 38 PID 2596 wrote to memory of 2732 2596 xxfrxxf.exe 38 PID 2732 wrote to memory of 2588 2732 bnthhb.exe 39 PID 2732 wrote to 
memory of 2588 2732 bnthhb.exe 39 PID 2732 wrote to memory of 2588 2732 bnthhb.exe 39 PID 2732 wrote to memory of 2588 2732 bnthhb.exe 39 PID 2588 wrote to memory of 976 2588 jvjpp.exe 40 PID 2588 wrote to memory of 976 2588 jvjpp.exe 40 PID 2588 wrote to memory of 976 2588 jvjpp.exe 40 PID 2588 wrote to memory of 976 2588 jvjpp.exe 40 PID 976 wrote to memory of 2636 976 lfxfllx.exe 41 PID 976 wrote to memory of 2636 976 lfxfllx.exe 41 PID 976 wrote to memory of 2636 976 lfxfllx.exe 41 PID 976 wrote to memory of 2636 976 lfxfllx.exe 41 PID 2636 wrote to memory of 1204 2636 vpjjv.exe 42 PID 2636 wrote to memory of 1204 2636 vpjjv.exe 42 PID 2636 wrote to memory of 1204 2636 vpjjv.exe 42 PID 2636 wrote to memory of 1204 2636 vpjjv.exe 42 PID 1204 wrote to memory of 2888 1204 ppjpd.exe 43 PID 1204 wrote to memory of 2888 1204 ppjpd.exe 43 PID 1204 wrote to memory of 2888 1204 ppjpd.exe 43 PID 1204 wrote to memory of 2888 1204 ppjpd.exe 43 PID 2888 wrote to memory of 2916 2888 htnntt.exe 44 PID 2888 wrote to memory of 2916 2888 htnntt.exe 44 PID 2888 wrote to memory of 2916 2888 htnntt.exe 44 PID 2888 wrote to memory of 2916 2888 htnntt.exe 44 PID 2916 wrote to memory of 2748 2916 jvjjp.exe 45 PID 2916 wrote to memory of 2748 2916 jvjjp.exe 45 PID 2916 wrote to memory of 2748 2916 jvjjp.exe 45 PID 2916 wrote to memory of 2748 2916 jvjjp.exe 45 PID 2748 wrote to memory of 2948 2748 bhtthh.exe 46 PID 2748 wrote to memory of 2948 2748 bhtthh.exe 46 PID 2748 wrote to memory of 2948 2748 bhtthh.exe 46 PID 2748 wrote to memory of 2948 2748 bhtthh.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe"C:\Users\Admin\AppData\Local\Temp\922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\xxlflrx.exec:\xxlflrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\dddvj.exec:\dddvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\frlxlrx.exec:\frlxlrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\jdpjj.exec:\jdpjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\5fflrfx.exec:\5fflrfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\dvjpp.exec:\dvjpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\xxfrxxf.exec:\xxfrxxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\bnthhb.exec:\bnthhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\jvjpp.exec:\jvjpp.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\lfxfllx.exec:\lfxfllx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\vpjjv.exec:\vpjjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\ppjpd.exec:\ppjpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\htnntt.exec:\htnntt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\jvjjp.exec:\jvjjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\bhtthh.exec:\bhtthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\vdvpv.exec:\vdvpv.exe17⤵
- Executes dropped EXE
PID:2948 -
\??\c:\fxlrflf.exec:\fxlrflf.exe18⤵
- Executes dropped EXE
PID:3008 -
\??\c:\dvjpd.exec:\dvjpd.exe19⤵
- Executes dropped EXE
PID:1516 -
\??\c:\xxfrxrl.exec:\xxfrxrl.exe20⤵
- Executes dropped EXE
PID:480 -
\??\c:\9jddj.exec:\9jddj.exe21⤵
- Executes dropped EXE
PID:1896 -
\??\c:\fxrxrxf.exec:\fxrxrxf.exe22⤵
- Executes dropped EXE
PID:1288 -
\??\c:\3btbhn.exec:\3btbhn.exe23⤵
- Executes dropped EXE
PID:1692 -
\??\c:\rlflxxl.exec:\rlflxxl.exe24⤵
- Executes dropped EXE
PID:2440 -
\??\c:\5bhthh.exec:\5bhthh.exe25⤵
- Executes dropped EXE
PID:1328 -
\??\c:\fxllxxl.exec:\fxllxxl.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648 -
\??\c:\lrllrrf.exec:\lrllrrf.exe27⤵
- Executes dropped EXE
PID:1912 -
\??\c:\jjdjv.exec:\jjdjv.exe28⤵
- Executes dropped EXE
PID:3024 -
\??\c:\rrflrrf.exec:\rrflrrf.exe29⤵
- Executes dropped EXE
PID:1676 -
\??\c:\nnhbnn.exec:\nnhbnn.exe30⤵
- Executes dropped EXE
PID:2136 -
\??\c:\jdpvv.exec:\jdpvv.exe31⤵
- Executes dropped EXE
PID:2472 -
\??\c:\7xlllff.exec:\7xlllff.exe32⤵
- Executes dropped EXE
PID:1636 -
\??\c:\bnthbb.exec:\bnthbb.exe33⤵
- Executes dropped EXE
PID:2276 -
\??\c:\1xfrxfl.exec:\1xfrxfl.exe34⤵
- Executes dropped EXE
PID:2100 -
\??\c:\xxrrffr.exec:\xxrrffr.exe35⤵
- Executes dropped EXE
PID:1464 -
\??\c:\hhtthn.exec:\hhtthn.exe36⤵
- Executes dropped EXE
PID:2808 -
\??\c:\3pjjj.exec:\3pjjj.exe37⤵
- Executes dropped EXE
PID:2796 -
\??\c:\9xxxlfx.exec:\9xxxlfx.exe38⤵
- Executes dropped EXE
PID:2820 -
\??\c:\xrlxlfr.exec:\xrlxlfr.exe39⤵
- Executes dropped EXE
PID:2728 -
\??\c:\nnbtnb.exec:\nnbtnb.exe40⤵
- Executes dropped EXE
PID:2168 -
\??\c:\5pddj.exec:\5pddj.exe41⤵
- Executes dropped EXE
PID:2596 -
\??\c:\9pjjp.exec:\9pjjp.exe42⤵
- Executes dropped EXE
PID:2564 -
\??\c:\xrflxxf.exec:\xrflxxf.exe43⤵
- Executes dropped EXE
PID:444 -
\??\c:\ttnthn.exec:\ttnthn.exe44⤵
- Executes dropped EXE
PID:2088 -
\??\c:\vdpvd.exec:\vdpvd.exe45⤵
- Executes dropped EXE
PID:2628 -
\??\c:\xrllxxl.exec:\xrllxxl.exe46⤵
- Executes dropped EXE
PID:1716 -
\??\c:\fxxflrx.exec:\fxxflrx.exe47⤵
- Executes dropped EXE
PID:1604 -
\??\c:\htnhnb.exec:\htnhnb.exe48⤵
- Executes dropped EXE
PID:2888 -
\??\c:\dvjjp.exec:\dvjjp.exe49⤵
- Executes dropped EXE
PID:1252 -
\??\c:\rlfllxr.exec:\rlfllxr.exe50⤵
- Executes dropped EXE
PID:1996 -
\??\c:\xrffllf.exec:\xrffllf.exe51⤵
- Executes dropped EXE
PID:1480 -
\??\c:\ntbhnn.exec:\ntbhnn.exe52⤵
- Executes dropped EXE
PID:1424 -
\??\c:\jdvvj.exec:\jdvvj.exe53⤵
- Executes dropped EXE
PID:1688 -
\??\c:\lfrrxxl.exec:\lfrrxxl.exe54⤵
- Executes dropped EXE
PID:2608 -
\??\c:\xfrrfrx.exec:\xfrrfrx.exe55⤵
- Executes dropped EXE
PID:1780 -
\??\c:\3tnntt.exec:\3tnntt.exe56⤵
- Executes dropped EXE
PID:528 -
\??\c:\dddvv.exec:\dddvv.exe57⤵
- Executes dropped EXE
PID:1896 -
\??\c:\jdjjp.exec:\jdjjp.exe58⤵
- Executes dropped EXE
PID:1072 -
\??\c:\fffrfrf.exec:\fffrfrf.exe59⤵
- Executes dropped EXE
PID:2180 -
\??\c:\hhntht.exec:\hhntht.exe60⤵
- Executes dropped EXE
PID:1692 -
\??\c:\nhbnbh.exec:\nhbnbh.exe61⤵
- Executes dropped EXE
PID:2440 -
\??\c:\dvjvd.exec:\dvjvd.exe62⤵
- Executes dropped EXE
PID:396 -
\??\c:\dvdjv.exec:\dvdjv.exe63⤵
- Executes dropped EXE
PID:2548 -
\??\c:\lxrxffr.exec:\lxrxffr.exe64⤵
- Executes dropped EXE
PID:1648 -
\??\c:\tntbnn.exec:\tntbnn.exe65⤵
- Executes dropped EXE
PID:2304 -
\??\c:\nnbnnt.exec:\nnbnnt.exe66⤵PID:292
-
\??\c:\jdddp.exec:\jdddp.exe67⤵PID:1008
-
\??\c:\7xlfllr.exec:\7xlfllr.exe68⤵PID:1676
-
\??\c:\bbntbb.exec:\bbntbb.exe69⤵PID:2188
-
\??\c:\hnbhbh.exec:\hnbhbh.exe70⤵PID:2236
-
\??\c:\vdddd.exec:\vdddd.exe71⤵PID:2332
-
\??\c:\xrfrfrf.exec:\xrfrfrf.exe72⤵PID:1764
-
\??\c:\fxrflrf.exec:\fxrflrf.exe73⤵PID:2208
-
\??\c:\tttbtn.exec:\tttbtn.exe74⤵PID:1472
-
\??\c:\nnnntb.exec:\nnnntb.exe75⤵PID:2780
-
\??\c:\jjdpv.exec:\jjdpv.exe76⤵PID:2696
-
\??\c:\xflxrxl.exec:\xflxrxl.exe77⤵PID:2576
-
\??\c:\rrrxrxf.exec:\rrrxrxf.exe78⤵PID:2860
-
\??\c:\htnhth.exec:\htnhth.exe79⤵PID:2728
-
\??\c:\vpjpv.exec:\vpjpv.exe80⤵PID:2812
-
\??\c:\jdvdd.exec:\jdvdd.exe81⤵PID:2572
-
\??\c:\rlrffxf.exec:\rlrffxf.exe82⤵PID:2732
-
\??\c:\5frrrfl.exec:\5frrrfl.exe83⤵PID:2640
-
\??\c:\hbthnt.exec:\hbthnt.exe84⤵PID:2612
-
\??\c:\pjddp.exec:\pjddp.exe85⤵PID:2960
-
\??\c:\fxrrrxl.exec:\fxrrrxl.exe86⤵PID:2636
-
\??\c:\frxflrx.exec:\frxflrx.exe87⤵PID:2848
-
\??\c:\bthntb.exec:\bthntb.exe88⤵PID:2896
-
\??\c:\nttthn.exec:\nttthn.exe89⤵PID:2400
-
\??\c:\9jdpv.exec:\9jdpv.exe90⤵PID:1268
-
\??\c:\9pdjv.exec:\9pdjv.exe91⤵PID:1880
-
\??\c:\lfxxlrf.exec:\lfxxlrf.exe92⤵PID:1428
-
\??\c:\1nhhnn.exec:\1nhhnn.exe93⤵PID:1744
-
\??\c:\nnttbb.exec:\nnttbb.exe94⤵PID:2380
-
\??\c:\ppvdj.exec:\ppvdj.exe95⤵PID:1516
-
\??\c:\7llrxxl.exec:\7llrxxl.exe96⤵PID:2608
-
\??\c:\rfxflrr.exec:\rfxflrr.exe97⤵PID:272
-
\??\c:\thbntb.exec:\thbntb.exe98⤵PID:2352
-
\??\c:\5vppp.exec:\5vppp.exe99⤵PID:1824
-
\??\c:\3lxflrx.exec:\3lxflrx.exe100⤵PID:1508
-
\??\c:\fxllrxl.exec:\fxllrxl.exe101⤵PID:1532
-
\??\c:\nhbntb.exec:\nhbntb.exe102⤵PID:2240
-
\??\c:\hhbnbn.exec:\hhbnbn.exe103⤵PID:1320
-
\??\c:\vdvjp.exec:\vdvjp.exe104⤵PID:2128
-
\??\c:\fxrrflr.exec:\fxrrflr.exe105⤵PID:2492
-
\??\c:\3hhntb.exec:\3hhntb.exe106⤵PID:564
-
\??\c:\bbtttt.exec:\bbtttt.exe107⤵PID:1216
-
\??\c:\vpjjp.exec:\vpjjp.exe108⤵PID:556
-
\??\c:\ffxfrxl.exec:\ffxfrxl.exe109⤵PID:1552
-
\??\c:\flxlflf.exec:\flxlflf.exe110⤵PID:1976
-
\??\c:\3hhhtt.exec:\3hhhtt.exe111⤵PID:2472
-
\??\c:\ddppd.exec:\ddppd.exe112⤵PID:2164
-
\??\c:\jpppd.exec:\jpppd.exe113⤵PID:1572
-
\??\c:\rrflrrf.exec:\rrflrrf.exe114⤵PID:2652
-
\??\c:\ttttht.exec:\ttttht.exe115⤵PID:2384
-
\??\c:\dvddd.exec:\dvddd.exe116⤵
- System Location Discovery: System Language Discovery
PID:2208 -
\??\c:\ppddd.exec:\ppddd.exe117⤵PID:2788
-
\??\c:\1lxrrrl.exec:\1lxrrrl.exe118⤵PID:2692
-
\??\c:\bbnthh.exec:\bbnthh.exe119⤵PID:2672
-
\??\c:\9bttbt.exec:\9bttbt.exe120⤵PID:2700
-
\??\c:\ddpvd.exec:\ddpvd.exe121⤵PID:2920
-
\??\c:\rlrxxxl.exec:\rlrxxxl.exe122⤵PID:2300