Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe
-
Size
454KB
-
MD5
88943742fb126eddd36896fe56492d1c
-
SHA1
b59c47bf053355f69f79165ff33fae52a03582fb
-
SHA256
922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a
-
SHA512
e4ea52b69ff0da35087208b43efffdf610eacd9b96ab401ebd5985873547a8f27095b7258cf352c3cdaa9c5d3f1d9d3e538e8eb250c35c8dc6731225a597c8dc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe+:q7Tc2NYHUrAwfMp3CD+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2416-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/216-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3244-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-827-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-1446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4576 hhhhnn.exe 4504 7lffffx.exe 4404 vdvpj.exe 2152 hbhtnt.exe 2204 ppppj.exe 2832 ttbttt.exe 2876 1djdv.exe 1880 hbnhhh.exe 2652 7vdvj.exe 3480 lxrlxxr.exe 2208 vdpvv.exe 4200 5flffff.exe 2228 ppvpj.exe 3940 xfffrrl.exe 3140 pppjd.exe 3452 3rxrrrr.exe 892 thnhbt.exe 2932 jvddp.exe 1412 5lfrllf.exe 3340 tnhbhb.exe 2176 vvvpv.exe 1432 ddpdj.exe 3120 nbbhbb.exe 1812 tthhtb.exe 216 djdpj.exe 2284 tbnbbt.exe 4796 jdddv.exe 2868 djvpj.exe 3448 7fxxrxr.exe 3520 bbbttn.exe 2908 bhnnhh.exe 3252 rrfflll.exe 668 3nhtnh.exe 3288 flrlllf.exe 4208 ttbtnn.exe 3044 ppdvv.exe 2092 xxxrllf.exe 4964 nhtnnn.exe 2268 ddpvv.exe 4948 xlrlxxr.exe 2144 ntbnbt.exe 4912 9jjdv.exe 4128 vjvjd.exe 4392 nbhbtt.exe 4512 dddjv.exe 4388 7lfxrrl.exe 4632 tnhbbb.exe 4576 pdpjd.exe 4788 7jvpd.exe 1300 lllfxrl.exe 2448 vvvjd.exe 2216 llxxlll.exe 1996 nhnntt.exe 1008 vpdvp.exe 3428 xfffxrf.exe 1552 xxrflxr.exe 4900 5bbthb.exe 3660 jvpdp.exe 1984 rxfxxrr.exe 332 7nbthb.exe 1460 1vjvp.exe 452 lrxrrll.exe 1916 rfxrfrf.exe 4036 btbbbb.exe -
resource yara_rule behavioral2/memory/2416-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-175-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2868-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2484-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-827-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-1175-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxllx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2416 wrote to memory of 4576 2416 922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe 82 PID 2416 wrote to memory of 4576 2416 922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe 82 PID 2416 wrote to memory of 4576 2416 922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe 82 PID 4576 wrote to memory of 4504 4576 hhhhnn.exe 83 PID 4576 wrote to memory of 4504 4576 hhhhnn.exe 83 PID 4576 wrote to memory of 4504 4576 hhhhnn.exe 83 PID 4504 wrote to memory of 4404 4504 7lffffx.exe 84 PID 4504 wrote to memory of 4404 4504 7lffffx.exe 84 PID 4504 wrote to memory of 4404 4504 7lffffx.exe 84 PID 4404 wrote to memory of 2152 4404 vdvpj.exe 85 PID 4404 wrote to memory of 2152 4404 vdvpj.exe 85 PID 4404 wrote to memory of 2152 4404 vdvpj.exe 85 PID 2152 wrote to memory of 2204 2152 hbhtnt.exe 86 PID 2152 wrote to memory of 2204 2152 hbhtnt.exe 86 PID 2152 wrote to memory of 2204 2152 hbhtnt.exe 86 PID 2204 wrote to memory of 2832 2204 ppppj.exe 87 PID 2204 wrote to memory of 2832 2204 ppppj.exe 87 PID 2204 wrote to memory of 2832 2204 ppppj.exe 87 PID 2832 wrote to memory of 2876 2832 ttbttt.exe 88 PID 2832 wrote to memory of 2876 2832 ttbttt.exe 88 PID 2832 wrote to memory of 2876 2832 ttbttt.exe 88 PID 2876 wrote to memory of 1880 2876 1djdv.exe 89 PID 2876 wrote to memory of 1880 2876 1djdv.exe 89 PID 2876 wrote to memory of 1880 2876 1djdv.exe 89 PID 1880 wrote to memory of 2652 1880 hbnhhh.exe 90 PID 1880 wrote to memory of 2652 1880 hbnhhh.exe 90 PID 1880 wrote to memory of 2652 1880 hbnhhh.exe 90 PID 2652 wrote to memory of 3480 2652 7vdvj.exe 91 PID 2652 wrote to memory of 3480 2652 7vdvj.exe 91 PID 2652 wrote to memory of 3480 2652 7vdvj.exe 91 PID 3480 wrote to memory of 2208 3480 lxrlxxr.exe 92 PID 3480 wrote to memory of 2208 3480 lxrlxxr.exe 92 PID 3480 wrote to memory of 2208 3480 lxrlxxr.exe 92 PID 2208 wrote to memory of 4200 2208 vdpvv.exe 93 PID 2208 wrote to memory 
of 4200 2208 vdpvv.exe 93 PID 2208 wrote to memory of 4200 2208 vdpvv.exe 93 PID 4200 wrote to memory of 2228 4200 5flffff.exe 94 PID 4200 wrote to memory of 2228 4200 5flffff.exe 94 PID 4200 wrote to memory of 2228 4200 5flffff.exe 94 PID 2228 wrote to memory of 3940 2228 ppvpj.exe 95 PID 2228 wrote to memory of 3940 2228 ppvpj.exe 95 PID 2228 wrote to memory of 3940 2228 ppvpj.exe 95 PID 3940 wrote to memory of 3140 3940 xfffrrl.exe 96 PID 3940 wrote to memory of 3140 3940 xfffrrl.exe 96 PID 3940 wrote to memory of 3140 3940 xfffrrl.exe 96 PID 3140 wrote to memory of 3452 3140 pppjd.exe 97 PID 3140 wrote to memory of 3452 3140 pppjd.exe 97 PID 3140 wrote to memory of 3452 3140 pppjd.exe 97 PID 3452 wrote to memory of 892 3452 3rxrrrr.exe 98 PID 3452 wrote to memory of 892 3452 3rxrrrr.exe 98 PID 3452 wrote to memory of 892 3452 3rxrrrr.exe 98 PID 892 wrote to memory of 2932 892 thnhbt.exe 99 PID 892 wrote to memory of 2932 892 thnhbt.exe 99 PID 892 wrote to memory of 2932 892 thnhbt.exe 99 PID 2932 wrote to memory of 1412 2932 jvddp.exe 100 PID 2932 wrote to memory of 1412 2932 jvddp.exe 100 PID 2932 wrote to memory of 1412 2932 jvddp.exe 100 PID 1412 wrote to memory of 3340 1412 5lfrllf.exe 101 PID 1412 wrote to memory of 3340 1412 5lfrllf.exe 101 PID 1412 wrote to memory of 3340 1412 5lfrllf.exe 101 PID 3340 wrote to memory of 2176 3340 tnhbhb.exe 102 PID 3340 wrote to memory of 2176 3340 tnhbhb.exe 102 PID 3340 wrote to memory of 2176 3340 tnhbhb.exe 102 PID 2176 wrote to memory of 1432 2176 vvvpv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe"C:\Users\Admin\AppData\Local\Temp\922a838af9a73692b432131c4c60b42af497c53751e184d0c1e9dced3108fc2a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\hhhhnn.exec:\hhhhnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\7lffffx.exec:\7lffffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\vdvpj.exec:\vdvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\hbhtnt.exec:\hbhtnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\ppppj.exec:\ppppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\ttbttt.exec:\ttbttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\1djdv.exec:\1djdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\hbnhhh.exec:\hbnhhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\7vdvj.exec:\7vdvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\lxrlxxr.exec:\lxrlxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\vdpvv.exec:\vdpvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\5flffff.exec:\5flffff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\ppvpj.exec:\ppvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\xfffrrl.exec:\xfffrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\pppjd.exec:\pppjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\3rxrrrr.exec:\3rxrrrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\thnhbt.exec:\thnhbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
\??\c:\jvddp.exec:\jvddp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\5lfrllf.exec:\5lfrllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
\??\c:\tnhbhb.exec:\tnhbhb.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\vvvpv.exec:\vvvpv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\ddpdj.exec:\ddpdj.exe23⤵
- Executes dropped EXE
PID:1432 -
\??\c:\nbbhbb.exec:\nbbhbb.exe24⤵
- Executes dropped EXE
PID:3120 -
\??\c:\tthhtb.exec:\tthhtb.exe25⤵
- Executes dropped EXE
PID:1812 -
\??\c:\djdpj.exec:\djdpj.exe26⤵
- Executes dropped EXE
PID:216 -
\??\c:\tbnbbt.exec:\tbnbbt.exe27⤵
- Executes dropped EXE
PID:2284 -
\??\c:\jdddv.exec:\jdddv.exe28⤵
- Executes dropped EXE
PID:4796 -
\??\c:\djvpj.exec:\djvpj.exe29⤵
- Executes dropped EXE
PID:2868 -
\??\c:\7fxxrxr.exec:\7fxxrxr.exe30⤵
- Executes dropped EXE
PID:3448 -
\??\c:\bbbttn.exec:\bbbttn.exe31⤵
- Executes dropped EXE
PID:3520 -
\??\c:\bhnnhh.exec:\bhnnhh.exe32⤵
- Executes dropped EXE
PID:2908 -
\??\c:\rrfflll.exec:\rrfflll.exe33⤵
- Executes dropped EXE
PID:3252 -
\??\c:\3nhtnh.exec:\3nhtnh.exe34⤵
- Executes dropped EXE
PID:668 -
\??\c:\flrlllf.exec:\flrlllf.exe35⤵
- Executes dropped EXE
PID:3288 -
\??\c:\ttbtnn.exec:\ttbtnn.exe36⤵
- Executes dropped EXE
PID:4208 -
\??\c:\ppdvv.exec:\ppdvv.exe37⤵
- Executes dropped EXE
PID:3044 -
\??\c:\xxxrllf.exec:\xxxrllf.exe38⤵
- Executes dropped EXE
PID:2092 -
\??\c:\nhtnnn.exec:\nhtnnn.exe39⤵
- Executes dropped EXE
PID:4964 -
\??\c:\ddpvv.exec:\ddpvv.exe40⤵
- Executes dropped EXE
PID:2268 -
\??\c:\xlrlxxr.exec:\xlrlxxr.exe41⤵
- Executes dropped EXE
PID:4948 -
\??\c:\ntbnbt.exec:\ntbnbt.exe42⤵
- Executes dropped EXE
PID:2144 -
\??\c:\9jjdv.exec:\9jjdv.exe43⤵
- Executes dropped EXE
PID:4912 -
\??\c:\vjvjd.exec:\vjvjd.exe44⤵
- Executes dropped EXE
PID:4128 -
\??\c:\nbhbtt.exec:\nbhbtt.exe45⤵
- Executes dropped EXE
PID:4392 -
\??\c:\dddjv.exec:\dddjv.exe46⤵
- Executes dropped EXE
PID:4512 -
\??\c:\7lfxrrl.exec:\7lfxrrl.exe47⤵
- Executes dropped EXE
PID:4388 -
\??\c:\tnhbbb.exec:\tnhbbb.exe48⤵
- Executes dropped EXE
PID:4632 -
\??\c:\pdpjd.exec:\pdpjd.exe49⤵
- Executes dropped EXE
PID:4576 -
\??\c:\7jvpd.exec:\7jvpd.exe50⤵
- Executes dropped EXE
PID:4788 -
\??\c:\lllfxrl.exec:\lllfxrl.exe51⤵
- Executes dropped EXE
PID:1300 -
\??\c:\vvvjd.exec:\vvvjd.exe52⤵
- Executes dropped EXE
PID:2448 -
\??\c:\llxxlll.exec:\llxxlll.exe53⤵
- Executes dropped EXE
PID:2216 -
\??\c:\nhnntt.exec:\nhnntt.exe54⤵
- Executes dropped EXE
PID:1996 -
\??\c:\vpdvp.exec:\vpdvp.exe55⤵
- Executes dropped EXE
PID:1008 -
\??\c:\xfffxrf.exec:\xfffxrf.exe56⤵
- Executes dropped EXE
PID:3428 -
\??\c:\xxrflxr.exec:\xxrflxr.exe57⤵
- Executes dropped EXE
PID:1552 -
\??\c:\5bbthb.exec:\5bbthb.exe58⤵
- Executes dropped EXE
PID:4900 -
\??\c:\jvpdp.exec:\jvpdp.exe59⤵
- Executes dropped EXE
PID:3660 -
\??\c:\rxfxxrr.exec:\rxfxxrr.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984 -
\??\c:\7nbthb.exec:\7nbthb.exe61⤵
- Executes dropped EXE
PID:332 -
\??\c:\1vjvp.exec:\1vjvp.exe62⤵
- Executes dropped EXE
PID:1460 -
\??\c:\lrxrrll.exec:\lrxrrll.exe63⤵
- Executes dropped EXE
PID:452 -
\??\c:\rfxrfrf.exec:\rfxrfrf.exe64⤵
- Executes dropped EXE
PID:1916 -
\??\c:\btbbbb.exec:\btbbbb.exe65⤵
- Executes dropped EXE
PID:4036 -
\??\c:\vvpdp.exec:\vvpdp.exe66⤵PID:3148
-
\??\c:\rrlfxxr.exec:\rrlfxxr.exe67⤵PID:2228
-
\??\c:\nnbtbb.exec:\nnbtbb.exe68⤵PID:3924
-
\??\c:\ddjjd.exec:\ddjjd.exe69⤵PID:940
-
\??\c:\flxrfxl.exec:\flxrfxl.exe70⤵PID:4832
-
\??\c:\btbttt.exec:\btbttt.exe71⤵PID:3240
-
\??\c:\bhbthh.exec:\bhbthh.exe72⤵PID:1040
-
\??\c:\pjjvj.exec:\pjjvj.exe73⤵PID:2404
-
\??\c:\fxfrxxl.exec:\fxfrxxl.exe74⤵PID:3164
-
\??\c:\xxfrfxl.exec:\xxfrfxl.exe75⤵PID:4408
-
\??\c:\bbbtnn.exec:\bbbtnn.exe76⤵PID:3560
-
\??\c:\jdjdd.exec:\jdjdd.exe77⤵PID:4548
-
\??\c:\xfflxrl.exec:\xfflxrl.exe78⤵PID:4272
-
\??\c:\bttnbt.exec:\bttnbt.exe79⤵PID:3888
-
\??\c:\1vpdj.exec:\1vpdj.exe80⤵PID:2156
-
\??\c:\vpjdp.exec:\vpjdp.exe81⤵PID:3244
-
\??\c:\bntbtb.exec:\bntbtb.exe82⤵PID:1644
-
\??\c:\ttbnbt.exec:\ttbnbt.exe83⤵PID:2284
-
\??\c:\9jjpd.exec:\9jjpd.exe84⤵PID:2972
-
\??\c:\xrfrllr.exec:\xrfrllr.exe85⤵PID:4468
-
\??\c:\bthtnn.exec:\bthtnn.exe86⤵
- System Location Discovery: System Language Discovery
PID:3516 -
\??\c:\pjddp.exec:\pjddp.exe87⤵PID:4472
-
\??\c:\1xrfrfr.exec:\1xrfrfr.exe88⤵PID:2484
-
\??\c:\lxfxxrf.exec:\lxfxxrf.exe89⤵PID:4844
-
\??\c:\ntbnnh.exec:\ntbnnh.exe90⤵PID:1620
-
\??\c:\jvpdv.exec:\jvpdv.exe91⤵PID:3988
-
\??\c:\xxrfrfr.exec:\xxrfrfr.exe92⤵PID:3180
-
\??\c:\nhbnbh.exec:\nhbnbh.exe93⤵PID:3036
-
\??\c:\5dvpd.exec:\5dvpd.exe94⤵PID:2288
-
\??\c:\rlrlxlx.exec:\rlrlxlx.exe95⤵PID:2136
-
\??\c:\btnbnh.exec:\btnbnh.exe96⤵PID:3708
-
\??\c:\tbnnbb.exec:\tbnnbb.exe97⤵PID:2848
-
\??\c:\3pjvj.exec:\3pjvj.exe98⤵PID:1964
-
\??\c:\rrllrfl.exec:\rrllrfl.exe99⤵PID:2496
-
\??\c:\nnnbnh.exec:\nnnbnh.exe100⤵PID:4004
-
\??\c:\jpvvj.exec:\jpvvj.exe101⤵PID:2060
-
\??\c:\fxxrrlx.exec:\fxxrrlx.exe102⤵PID:4324
-
\??\c:\rrxlxrf.exec:\rrxlxrf.exe103⤵PID:4524
-
\??\c:\bnnbth.exec:\bnnbth.exe104⤵PID:4368
-
\??\c:\3vpjv.exec:\3vpjv.exe105⤵PID:4512
-
\??\c:\fflxxfl.exec:\fflxxfl.exe106⤵PID:5068
-
\??\c:\1lfrffr.exec:\1lfrffr.exe107⤵PID:1780
-
\??\c:\nhnhhb.exec:\nhnhhb.exe108⤵PID:4576
-
\??\c:\jdjdd.exec:\jdjdd.exe109⤵PID:3216
-
\??\c:\fxxxlfx.exec:\fxxxlfx.exe110⤵PID:4988
-
\??\c:\1bthtt.exec:\1bthtt.exe111⤵PID:2712
-
\??\c:\dpjpj.exec:\dpjpj.exe112⤵PID:2916
-
\??\c:\pddjp.exec:\pddjp.exe113⤵PID:4980
-
\??\c:\xrxllfx.exec:\xrxllfx.exe114⤵PID:5100
-
\??\c:\9tnhhb.exec:\9tnhhb.exe115⤵PID:3108
-
\??\c:\vvpdj.exec:\vvpdj.exe116⤵PID:3684
-
\??\c:\7xrfxrl.exec:\7xrfxrl.exe117⤵PID:1580
-
\??\c:\tbnhtn.exec:\tbnhtn.exe118⤵PID:3640
-
\??\c:\7nthhn.exec:\7nthhn.exe119⤵PID:1172
-
\??\c:\dvpjv.exec:\dvpjv.exe120⤵PID:1932
-
\??\c:\xxlxfxl.exec:\xxlxfxl.exe121⤵PID:4000
-
\??\c:\bbbnhn.exec:\bbbnhn.exe122⤵PID:2988