Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-01-2025 08:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a88ac9af2c4fd51da933a7bb752f5a9410d24946e28c933a665e2680048a4f6c.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
a88ac9af2c4fd51da933a7bb752f5a9410d24946e28c933a665e2680048a4f6c.exe
-
Size
456KB
-
MD5
d4bbd701cfe6d14657343f224e90567d
-
SHA1
6a920c03d217333936fc09a466ca3566081f141d
-
SHA256
a88ac9af2c4fd51da933a7bb752f5a9410d24946e28c933a665e2680048a4f6c
-
SHA512
b595449d3d2e3c78b8e7d27f7b00e45ce792c8bdbdffc5213ece2b2f572d6a180a4db9fa611158c6d96182cab50c9880f9b990717107c0ec788e8fdabd617632
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1:q7Tc2NYHUrAwfMp3CD1
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3492-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/664-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/416-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4924-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2860-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-809-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-989-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1256-1668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4472 e42888.exe 664 lflfrrx.exe 3784 hnnhth.exe 416 hhttbb.exe 1812 tnhntt.exe 2524 0644268.exe 2920 dvpvd.exe 2868 1ffrxxr.exe 4824 vvpvv.exe 4544 vjdvd.exe 1296 jpjjd.exe 4056 k66600.exe 2152 jjvvv.exe 2004 vvjjj.exe 5076 0606602.exe 2576 pjdvj.exe 1016 htbtnn.exe 4856 hhtthh.exe 2248 dpvjj.exe 3892 xrrllll.exe 4600 jdjjp.exe 1484 nhhbtn.exe 752 lxlllrl.exe 5020 480422.exe 4924 840262.exe 2416 0064864.exe 4976 llllfxr.exe 4860 k08806.exe 1852 26280.exe 392 9pjvj.exe 1712 dpvpd.exe 4040 ppvpv.exe 2484 80226.exe 1652 pddpv.exe 2268 fllffxl.exe 4404 frxrxrf.exe 4316 884826.exe 2824 nttnth.exe 2164 a8644.exe 1444 4088888.exe 1056 nhnbtn.exe 3012 g4600.exe 4996 246668.exe 2828 ddjpd.exe 4484 862486.exe 4420 c466866.exe 536 jpdvj.exe 4864 3llfxfx.exe 448 88686.exe 4552 i028840.exe 3912 0400222.exe 1820 ntnnhh.exe 920 dpvjj.exe 3924 60888.exe 1788 fllfxrr.exe 2524 rfxxxfl.exe 2420 9xxrfff.exe 1516 rxlfxxx.exe 3460 8884442.exe 2704 a2046.exe 3856 3jjjj.exe 1316 9jjjd.exe 2392 rlfffrl.exe 4436 vvjjv.exe -
resource yara_rule behavioral2/memory/3492-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/664-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/416-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4924-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-313-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4984-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-602-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflrfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2804842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o448446.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 84286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i460662.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 840262.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 82484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2020246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 280440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 448260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 688048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c882242.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dddv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3492 wrote to memory of 4472 3492 a88ac9af2c4fd51da933a7bb752f5a9410d24946e28c933a665e2680048a4f6c.exe 84 PID 3492 wrote to memory of 4472 3492 a88ac9af2c4fd51da933a7bb752f5a9410d24946e28c933a665e2680048a4f6c.exe 84 PID 3492 wrote to memory of 4472 3492 a88ac9af2c4fd51da933a7bb752f5a9410d24946e28c933a665e2680048a4f6c.exe 84 PID 4472 wrote to memory of 664 4472 e42888.exe 85 PID 4472 wrote to memory of 664 4472 e42888.exe 85 PID 4472 wrote to memory of 664 4472 e42888.exe 85 PID 664 wrote to memory of 3784 664 lflfrrx.exe 86 PID 664 wrote to memory of 3784 664 lflfrrx.exe 86 PID 664 wrote to memory of 3784 664 lflfrrx.exe 86 PID 3784 wrote to memory of 416 3784 hnnhth.exe 87 PID 3784 wrote to memory of 416 3784 hnnhth.exe 87 PID 3784 wrote to memory of 416 3784 hnnhth.exe 87 PID 416 wrote to memory of 1812 416 hhttbb.exe 88 PID 416 wrote to memory of 1812 416 hhttbb.exe 88 PID 416 wrote to memory of 1812 416 hhttbb.exe 88 PID 1812 wrote to memory of 2524 1812 tnhntt.exe 89 PID 1812 wrote to memory of 2524 1812 tnhntt.exe 89 PID 1812 wrote to memory of 2524 1812 tnhntt.exe 89 PID 2524 wrote to memory of 2920 2524 0644268.exe 90 PID 2524 wrote to memory of 2920 2524 0644268.exe 90 PID 2524 wrote to memory of 2920 2524 0644268.exe 90 PID 2920 wrote to memory of 2868 2920 dvpvd.exe 91 PID 2920 wrote to memory of 2868 2920 dvpvd.exe 91 PID 2920 wrote to memory of 2868 2920 dvpvd.exe 91 PID 2868 wrote to memory of 4824 2868 1ffrxxr.exe 92 PID 2868 wrote to memory of 4824 2868 1ffrxxr.exe 92 PID 2868 wrote to memory of 4824 2868 1ffrxxr.exe 92 PID 4824 wrote to memory of 4544 4824 vvpvv.exe 93 PID 4824 wrote to memory of 4544 4824 vvpvv.exe 93 PID 4824 wrote to memory of 4544 4824 vvpvv.exe 93 PID 4544 wrote to memory of 1296 4544 vjdvd.exe 94 PID 4544 wrote to memory of 1296 4544 vjdvd.exe 94 PID 4544 wrote to memory of 1296 4544 vjdvd.exe 94 PID 1296 wrote to memory of 4056 1296 jpjjd.exe 95 PID 1296 wrote to memory of 4056 1296 
jpjjd.exe 95 PID 1296 wrote to memory of 4056 1296 jpjjd.exe 95 PID 4056 wrote to memory of 2152 4056 k66600.exe 96 PID 4056 wrote to memory of 2152 4056 k66600.exe 96 PID 4056 wrote to memory of 2152 4056 k66600.exe 96 PID 2152 wrote to memory of 2004 2152 jjvvv.exe 97 PID 2152 wrote to memory of 2004 2152 jjvvv.exe 97 PID 2152 wrote to memory of 2004 2152 jjvvv.exe 97 PID 2004 wrote to memory of 5076 2004 vvjjj.exe 98 PID 2004 wrote to memory of 5076 2004 vvjjj.exe 98 PID 2004 wrote to memory of 5076 2004 vvjjj.exe 98 PID 5076 wrote to memory of 2576 5076 0606602.exe 99 PID 5076 wrote to memory of 2576 5076 0606602.exe 99 PID 5076 wrote to memory of 2576 5076 0606602.exe 99 PID 2576 wrote to memory of 1016 2576 pjdvj.exe 100 PID 2576 wrote to memory of 1016 2576 pjdvj.exe 100 PID 2576 wrote to memory of 1016 2576 pjdvj.exe 100 PID 1016 wrote to memory of 4856 1016 htbtnn.exe 101 PID 1016 wrote to memory of 4856 1016 htbtnn.exe 101 PID 1016 wrote to memory of 4856 1016 htbtnn.exe 101 PID 4856 wrote to memory of 2248 4856 hhtthh.exe 102 PID 4856 wrote to memory of 2248 4856 hhtthh.exe 102 PID 4856 wrote to memory of 2248 4856 hhtthh.exe 102 PID 2248 wrote to memory of 3892 2248 dpvjj.exe 103 PID 2248 wrote to memory of 3892 2248 dpvjj.exe 103 PID 2248 wrote to memory of 3892 2248 dpvjj.exe 103 PID 3892 wrote to memory of 4600 3892 xrrllll.exe 104 PID 3892 wrote to memory of 4600 3892 xrrllll.exe 104 PID 3892 wrote to memory of 4600 3892 xrrllll.exe 104 PID 4600 wrote to memory of 1484 4600 jdjjp.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\a88ac9af2c4fd51da933a7bb752f5a9410d24946e28c933a665e2680048a4f6c.exe"C:\Users\Admin\AppData\Local\Temp\a88ac9af2c4fd51da933a7bb752f5a9410d24946e28c933a665e2680048a4f6c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\e42888.exec:\e42888.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\lflfrrx.exec:\lflfrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664 -
\??\c:\hnnhth.exec:\hnnhth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\hhttbb.exec:\hhttbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416 -
\??\c:\tnhntt.exec:\tnhntt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\0644268.exec:\0644268.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\dvpvd.exec:\dvpvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\1ffrxxr.exec:\1ffrxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\vvpvv.exec:\vvpvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\vjdvd.exec:\vjdvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\jpjjd.exec:\jpjjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\k66600.exec:\k66600.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\jjvvv.exec:\jjvvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\vvjjj.exec:\vvjjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\0606602.exec:\0606602.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\pjdvj.exec:\pjdvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\htbtnn.exec:\htbtnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\hhtthh.exec:\hhtthh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\dpvjj.exec:\dpvjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\xrrllll.exec:\xrrllll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\jdjjp.exec:\jdjjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\nhhbtn.exec:\nhhbtn.exe23⤵
- Executes dropped EXE
PID:1484 -
\??\c:\lxlllrl.exec:\lxlllrl.exe24⤵
- Executes dropped EXE
PID:752 -
\??\c:\480422.exec:\480422.exe25⤵
- Executes dropped EXE
PID:5020 -
\??\c:\840262.exec:\840262.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4924 -
\??\c:\0064864.exec:\0064864.exe27⤵
- Executes dropped EXE
PID:2416 -
\??\c:\llllfxr.exec:\llllfxr.exe28⤵
- Executes dropped EXE
PID:4976 -
\??\c:\k08806.exec:\k08806.exe29⤵
- Executes dropped EXE
PID:4860 -
\??\c:\26280.exec:\26280.exe30⤵
- Executes dropped EXE
PID:1852 -
\??\c:\9pjvj.exec:\9pjvj.exe31⤵
- Executes dropped EXE
PID:392 -
\??\c:\dpvpd.exec:\dpvpd.exe32⤵
- Executes dropped EXE
PID:1712 -
\??\c:\ppvpv.exec:\ppvpv.exe33⤵
- Executes dropped EXE
PID:4040 -
\??\c:\80226.exec:\80226.exe34⤵
- Executes dropped EXE
PID:2484 -
\??\c:\pddpv.exec:\pddpv.exe35⤵
- Executes dropped EXE
PID:1652 -
\??\c:\fllffxl.exec:\fllffxl.exe36⤵
- Executes dropped EXE
PID:2268 -
\??\c:\frxrxrf.exec:\frxrxrf.exe37⤵
- Executes dropped EXE
PID:4404 -
\??\c:\884826.exec:\884826.exe38⤵
- Executes dropped EXE
PID:4316 -
\??\c:\nttnth.exec:\nttnth.exe39⤵
- Executes dropped EXE
PID:2824 -
\??\c:\a8644.exec:\a8644.exe40⤵
- Executes dropped EXE
PID:2164 -
\??\c:\4088888.exec:\4088888.exe41⤵
- Executes dropped EXE
PID:1444 -
\??\c:\nhnbtn.exec:\nhnbtn.exe42⤵
- Executes dropped EXE
PID:1056 -
\??\c:\g4600.exec:\g4600.exe43⤵
- Executes dropped EXE
PID:3012 -
\??\c:\246668.exec:\246668.exe44⤵
- Executes dropped EXE
PID:4996 -
\??\c:\ddjpd.exec:\ddjpd.exe45⤵
- Executes dropped EXE
PID:2828 -
\??\c:\862486.exec:\862486.exe46⤵
- Executes dropped EXE
PID:4484 -
\??\c:\c466866.exec:\c466866.exe47⤵
- Executes dropped EXE
PID:4420 -
\??\c:\jpdvj.exec:\jpdvj.exe48⤵
- Executes dropped EXE
PID:536 -
\??\c:\3llfxfx.exec:\3llfxfx.exe49⤵
- Executes dropped EXE
PID:4864 -
\??\c:\88686.exec:\88686.exe50⤵
- Executes dropped EXE
PID:448 -
\??\c:\i028840.exec:\i028840.exe51⤵
- Executes dropped EXE
PID:4552 -
\??\c:\0400222.exec:\0400222.exe52⤵
- Executes dropped EXE
PID:3912 -
\??\c:\ntnnhh.exec:\ntnnhh.exe53⤵
- Executes dropped EXE
PID:1820 -
\??\c:\dpvjj.exec:\dpvjj.exe54⤵
- Executes dropped EXE
PID:920 -
\??\c:\60888.exec:\60888.exe55⤵
- Executes dropped EXE
PID:3924 -
\??\c:\fllfxrr.exec:\fllfxrr.exe56⤵
- Executes dropped EXE
PID:1788 -
\??\c:\rfxxxfl.exec:\rfxxxfl.exe57⤵
- Executes dropped EXE
PID:2524 -
\??\c:\9xxrfff.exec:\9xxrfff.exe58⤵
- Executes dropped EXE
PID:2420 -
\??\c:\rxlfxxx.exec:\rxlfxxx.exe59⤵
- Executes dropped EXE
PID:1516 -
\??\c:\8884442.exec:\8884442.exe60⤵
- Executes dropped EXE
PID:3460 -
\??\c:\a2046.exec:\a2046.exe61⤵
- Executes dropped EXE
PID:2704 -
\??\c:\3jjjj.exec:\3jjjj.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3856 -
\??\c:\9jjjd.exec:\9jjjd.exe63⤵
- Executes dropped EXE
PID:1316 -
\??\c:\rlfffrl.exec:\rlfffrl.exe64⤵
- Executes dropped EXE
PID:2392 -
\??\c:\vvjjv.exec:\vvjjv.exe65⤵
- Executes dropped EXE
PID:4436 -
\??\c:\jvvvp.exec:\jvvvp.exe66⤵PID:4056
-
\??\c:\tbhttn.exec:\tbhttn.exe67⤵PID:2860
-
\??\c:\244048.exec:\244048.exe68⤵PID:2148
-
\??\c:\682048.exec:\682048.exe69⤵PID:3420
-
\??\c:\2844800.exec:\2844800.exe70⤵PID:3148
-
\??\c:\q46000.exec:\q46000.exe71⤵PID:4100
-
\??\c:\frrlxlf.exec:\frrlxlf.exe72⤵PID:1856
-
\??\c:\thnbnb.exec:\thnbnb.exe73⤵PID:2716
-
\??\c:\vvjdd.exec:\vvjdd.exe74⤵PID:4016
-
\??\c:\46022.exec:\46022.exe75⤵PID:2248
-
\??\c:\jjppj.exec:\jjppj.exe76⤵PID:3532
-
\??\c:\vvjjp.exec:\vvjjp.exe77⤵PID:4992
-
\??\c:\vvvpj.exec:\vvvpj.exe78⤵PID:4444
-
\??\c:\frxlffl.exec:\frxlffl.exe79⤵PID:4984
-
\??\c:\662444.exec:\662444.exe80⤵PID:404
-
\??\c:\hhtttt.exec:\hhtttt.exe81⤵PID:1500
-
\??\c:\648026.exec:\648026.exe82⤵PID:3640
-
\??\c:\vvjvv.exec:\vvjvv.exe83⤵PID:4452
-
\??\c:\46004.exec:\46004.exe84⤵PID:4832
-
\??\c:\4400402.exec:\4400402.exe85⤵PID:4152
-
\??\c:\rlfflfl.exec:\rlfflfl.exe86⤵PID:3600
-
\??\c:\dddvp.exec:\dddvp.exe87⤵PID:3144
-
\??\c:\vvpjv.exec:\vvpjv.exe88⤵PID:4860
-
\??\c:\vppjd.exec:\vppjd.exe89⤵PID:3332
-
\??\c:\5bnbtn.exec:\5bnbtn.exe90⤵PID:2792
-
\??\c:\xxlfxrf.exec:\xxlfxrf.exe91⤵PID:64
-
\??\c:\08862.exec:\08862.exe92⤵PID:4796
-
\??\c:\8808680.exec:\8808680.exe93⤵PID:1564
-
\??\c:\06426.exec:\06426.exe94⤵PID:1256
-
\??\c:\fflxllx.exec:\fflxllx.exe95⤵PID:2268
-
\??\c:\hhbtbb.exec:\hhbtbb.exe96⤵PID:4680
-
\??\c:\c640844.exec:\c640844.exe97⤵PID:4328
-
\??\c:\222608.exec:\222608.exe98⤵PID:2824
-
\??\c:\dvdjp.exec:\dvdjp.exe99⤵PID:2164
-
\??\c:\260666.exec:\260666.exe100⤵PID:1444
-
\??\c:\xrxrxrl.exec:\xrxrxrl.exe101⤵PID:2580
-
\??\c:\426086.exec:\426086.exe102⤵PID:3036
-
\??\c:\26844.exec:\26844.exe103⤵PID:1188
-
\??\c:\xlxfffx.exec:\xlxfffx.exe104⤵PID:2828
-
\??\c:\628062.exec:\628062.exe105⤵PID:4400
-
\??\c:\80228.exec:\80228.exe106⤵PID:536
-
\??\c:\828404.exec:\828404.exe107⤵PID:4864
-
\??\c:\nhnhtn.exec:\nhnhtn.exe108⤵PID:624
-
\??\c:\8022288.exec:\8022288.exe109⤵PID:2064
-
\??\c:\62682.exec:\62682.exe110⤵PID:3228
-
\??\c:\2044880.exec:\2044880.exe111⤵PID:1968
-
\??\c:\7xrlllf.exec:\7xrlllf.exe112⤵PID:3296
-
\??\c:\082608.exec:\082608.exe113⤵PID:2752
-
\??\c:\lfxlrxr.exec:\lfxlrxr.exe114⤵PID:1516
-
\??\c:\xxrxfrr.exec:\xxrxfrr.exe115⤵PID:4688
-
\??\c:\u804824.exec:\u804824.exe116⤵PID:4824
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe117⤵PID:2976
-
\??\c:\664048.exec:\664048.exe118⤵PID:5040
-
\??\c:\xlllxfr.exec:\xlllxfr.exe119⤵PID:4436
-
\??\c:\60228.exec:\60228.exe120⤵PID:2556
-
\??\c:\82202.exec:\82202.exe121⤵PID:1152
-
\??\c:\6842266.exec:\6842266.exe122⤵PID:464