Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240730-en locale:en-us os:windows10-2004-x64 system -
submitted
01-08-2024 21:28
Behavioral task
behavioral1
Sample
2495f9de69e2c25a1d14a8401b36852450a9384c05ba096415697ddb50f5b75c.exe
Resource
win7-20240708-en
windows7-x64
6 signatures
150 seconds
General
-
Target
2495f9de69e2c25a1d14a8401b36852450a9384c05ba096415697ddb50f5b75c.exe
-
Size
280KB
-
MD5
c0c9bd52377a618f51600a468ae3e9f9
-
SHA1
a4fb8c7dbb19ad15cfdee74aeb7c603e57e33d95
-
SHA256
2495f9de69e2c25a1d14a8401b36852450a9384c05ba096415697ddb50f5b75c
-
SHA512
146abb66de8870cdc5e837e1ff6800f94ec7525349b924a69661f3794d35642f2eda68d15dacb78f99276bdf3d23798772c494da83b59a333a09798946ed3fb1
-
SSDEEP
6144:7cm4FmowdHoSoXSBcm4Vcm4FmowdHoSphra+cm4FMhraHcpOaKHpU:B4wFHoSoXW434wFHoS3eg4aeFaKHpU
Malware Config
Signatures
-
Detect Blackmoon payload 60 IoCs
resource yara_rule behavioral2/memory/3636-6-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4900-16-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4948-29-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3816-22-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/5116-34-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/2848-35-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/2848-41-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3100-49-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/1464-55-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3056-63-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3516-70-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4876-75-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/988-84-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/320-90-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/2420-96-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/1528-102-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3212-109-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/1792-117-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/1872-118-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3020-125-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/1872-124-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon 
behavioral2/memory/3020-134-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/1360-141-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/1360-146-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/1512-137-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/928-153-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/1828-161-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3924-162-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3924-166-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4844-174-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4808-182-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/1492-187-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/2504-194-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/2164-195-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4708-204-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/2164-202-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4708-207-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/5036-214-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/2656-222-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/2436-228-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4436-229-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4436-233-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon 
behavioral2/memory/3820-234-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3820-238-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4800-243-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4336-244-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4800-248-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3636-253-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4528-258-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/2124-263-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3616-265-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3616-268-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/1552-273-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4020-278-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/5072-284-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3740-289-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3152-293-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/3728-298-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/2136-303-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon behavioral2/memory/4152-2423-0x0000000000400000-0x000000000044D000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4900 nnhbtt.exe 3816 nhnhbb.exe 4948 htnhbt.exe 5116 dvppp.exe 2848 ffrrfxl.exe 3100 frfrxrf.exe 1464 lflxrll.exe 3056 pjjdd.exe 3516 lfxrllf.exe 4876 bhnnhh.exe 988 thbnbb.exe 320 vvjjv.exe 2420 vpjdv.exe 1528 1vvjj.exe 3212 xrrlrrl.exe 1792 xxffxfl.exe 1872 btbttn.exe 3020 ddjpv.exe 1512 rlxfxff.exe 1360 hbhhtt.exe 928 ppppp.exe 1828 tbhtht.exe 3924 jpjjd.exe 4844 5xrlrlr.exe 4808 lfrrrxx.exe 1492 frllffx.exe 2504 lxffrxf.exe 2164 llfllxx.exe 4708 1vdvd.exe 5036 lrxllxx.exe 2656 lxxxfff.exe 2436 pjjdd.exe 4436 tbttnn.exe 3820 ppjdv.exe 4336 rxrxrfx.exe 4800 9tttnt.exe 3636 xrxfxxf.exe 4528 pddvj.exe 2124 xfxxrxx.exe 3616 bnnbbh.exe 1552 bbnhnh.exe 4020 vdjpp.exe 5072 nbbtnb.exe 3740 jddvp.exe 3152 pjjdv.exe 3728 hhttnn.exe 2136 hbbbth.exe 216 3pjdv.exe 4868 frfxlfr.exe 4352 1bbbnn.exe 4212 tttnhb.exe 408 5dvvp.exe 4836 xrxlfxr.exe 1528 lrfxxxr.exe 4472 nhnhtt.exe 4796 vddpj.exe 4508 jjjvj.exe 512 rrxrllf.exe 5092 bnttnn.exe 3008 pjpjp.exe 2552 vvjdd.exe 1916 lfrllll.exe 4524 bttttt.exe 4700 jppdv.exe -
resource yara_rule behavioral2/memory/3636-0-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x000900000002346d-3.dat upx behavioral2/memory/3636-6-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/4900-8-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00080000000234be-10.dat upx behavioral2/files/0x00080000000234c1-13.dat upx behavioral2/memory/4900-16-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234c2-25.dat upx behavioral2/memory/4948-29-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/5116-26-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/3816-22-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/4948-20-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/3816-14-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234c3-31.dat upx behavioral2/memory/5116-34-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234c4-38.dat upx behavioral2/memory/2848-35-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/2848-41-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/3100-42-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234c5-45.dat upx behavioral2/memory/1464-46-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/3100-49-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234c6-52.dat upx behavioral2/memory/3056-56-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/1464-55-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234c8-59.dat upx behavioral2/memory/3056-63-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234c9-66.dat upx 
behavioral2/memory/3516-70-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/4876-68-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/3516-61-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/4876-75-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234ca-73.dat upx behavioral2/memory/988-77-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234cb-80.dat upx behavioral2/memory/988-84-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234cc-87.dat upx behavioral2/memory/2420-88-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/320-82-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/320-90-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234cd-94.dat upx behavioral2/memory/2420-96-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/1528-98-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234ce-104.dat upx behavioral2/memory/3212-105-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/1528-102-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00080000000234bf-110.dat upx behavioral2/memory/3212-109-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/1792-113-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234cf-115.dat upx behavioral2/memory/1792-117-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/1872-118-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/3020-125-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234d0-126.dat upx behavioral2/memory/1872-124-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234d1-130.dat upx 
behavioral2/memory/1512-133-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/3020-134-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234d2-138.dat upx behavioral2/memory/1360-141-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/files/0x00070000000234d3-144.dat upx behavioral2/memory/1360-146-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/928-147-0x0000000000400000-0x000000000044D000-memory.dmp upx behavioral2/memory/1512-137-0x0000000000400000-0x000000000044D000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlrlr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3636 wrote to memory of 4900 3636 2495f9de69e2c25a1d14a8401b36852450a9384c05ba096415697ddb50f5b75c.exe 83 PID 3636 wrote to memory of 4900 3636 2495f9de69e2c25a1d14a8401b36852450a9384c05ba096415697ddb50f5b75c.exe 83 PID 3636 wrote to memory of 4900 3636 2495f9de69e2c25a1d14a8401b36852450a9384c05ba096415697ddb50f5b75c.exe 83 PID 4900 wrote to memory of 3816 4900 nnhbtt.exe 84 PID 4900 wrote to memory of 3816 4900 nnhbtt.exe 84 PID 4900 wrote to memory of 3816 4900 nnhbtt.exe 84 PID 3816 wrote to memory of 4948 3816 nhnhbb.exe 85 PID 3816 wrote to memory of 4948 3816 nhnhbb.exe 85 PID 3816 wrote to memory of 4948 3816 nhnhbb.exe 85 PID 4948 wrote to memory of 5116 4948 htnhbt.exe 86 PID 4948 wrote to memory of 5116 4948 htnhbt.exe 86 PID 4948 wrote to memory of 5116 4948 htnhbt.exe 86 PID 5116 wrote to memory of 2848 5116 dvppp.exe 87 PID 5116 wrote to memory of 2848 5116 dvppp.exe 87 PID 5116 wrote to memory of 2848 5116 dvppp.exe 87 PID 2848 wrote to memory of 3100 2848 ffrrfxl.exe 88 PID 2848 wrote to memory of 3100 2848 ffrrfxl.exe 88 PID 2848 wrote to memory of 3100 2848 ffrrfxl.exe 88 PID 3100 wrote to memory of 1464 3100 frfrxrf.exe 89 PID 3100 wrote to memory of 1464 3100 frfrxrf.exe 89 PID 3100 wrote to memory of 1464 3100 frfrxrf.exe 89 PID 1464 wrote to memory of 3056 1464 lflxrll.exe 90 PID 1464 wrote to memory of 3056 1464 lflxrll.exe 90 PID 1464 wrote to memory of 3056 1464 lflxrll.exe 90 PID 3056 wrote to memory of 3516 3056 pjjdd.exe 91 PID 3056 wrote to memory of 3516 3056 pjjdd.exe 91 PID 3056 wrote to memory of 3516 3056 pjjdd.exe 91 PID 3516 wrote to memory of 4876 3516 lfxrllf.exe 92 PID 3516 wrote to memory of 4876 3516 lfxrllf.exe 92 PID 3516 wrote to memory of 4876 3516 lfxrllf.exe 92 PID 4876 wrote to memory of 988 4876 bhnnhh.exe 93 PID 4876 wrote to memory of 988 4876 bhnnhh.exe 93 PID 4876 wrote to memory of 988 4876 bhnnhh.exe 93 PID 988 wrote to memory of 320 988 thbnbb.exe 94 PID 988 wrote to 
memory of 320 988 thbnbb.exe 94 PID 988 wrote to memory of 320 988 thbnbb.exe 94 PID 320 wrote to memory of 2420 320 vvjjv.exe 95 PID 320 wrote to memory of 2420 320 vvjjv.exe 95 PID 320 wrote to memory of 2420 320 vvjjv.exe 95 PID 2420 wrote to memory of 1528 2420 vpjdv.exe 96 PID 2420 wrote to memory of 1528 2420 vpjdv.exe 96 PID 2420 wrote to memory of 1528 2420 vpjdv.exe 96 PID 1528 wrote to memory of 3212 1528 1vvjj.exe 97 PID 1528 wrote to memory of 3212 1528 1vvjj.exe 97 PID 1528 wrote to memory of 3212 1528 1vvjj.exe 97 PID 3212 wrote to memory of 1792 3212 xrrlrrl.exe 99 PID 3212 wrote to memory of 1792 3212 xrrlrrl.exe 99 PID 3212 wrote to memory of 1792 3212 xrrlrrl.exe 99 PID 1792 wrote to memory of 1872 1792 xxffxfl.exe 101 PID 1792 wrote to memory of 1872 1792 xxffxfl.exe 101 PID 1792 wrote to memory of 1872 1792 xxffxfl.exe 101 PID 1872 wrote to memory of 3020 1872 btbttn.exe 102 PID 1872 wrote to memory of 3020 1872 btbttn.exe 102 PID 1872 wrote to memory of 3020 1872 btbttn.exe 102 PID 3020 wrote to memory of 1512 3020 ddjpv.exe 104 PID 3020 wrote to memory of 1512 3020 ddjpv.exe 104 PID 3020 wrote to memory of 1512 3020 ddjpv.exe 104 PID 1512 wrote to memory of 1360 1512 rlxfxff.exe 105 PID 1512 wrote to memory of 1360 1512 rlxfxff.exe 105 PID 1512 wrote to memory of 1360 1512 rlxfxff.exe 105 PID 1360 wrote to memory of 928 1360 hbhhtt.exe 106 PID 1360 wrote to memory of 928 1360 hbhhtt.exe 106 PID 1360 wrote to memory of 928 1360 hbhhtt.exe 106 PID 928 wrote to memory of 1828 928 ppppp.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\2495f9de69e2c25a1d14a8401b36852450a9384c05ba096415697ddb50f5b75c.exe"C:\Users\Admin\AppData\Local\Temp\2495f9de69e2c25a1d14a8401b36852450a9384c05ba096415697ddb50f5b75c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\nnhbtt.exec:\nnhbtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\nhnhbb.exec:\nhnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\htnhbt.exec:\htnhbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\dvppp.exec:\dvppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\ffrrfxl.exec:\ffrrfxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\frfrxrf.exec:\frfrxrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\lflxrll.exec:\lflxrll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\pjjdd.exec:\pjjdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\lfxrllf.exec:\lfxrllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\bhnnhh.exec:\bhnnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\thbnbb.exec:\thbnbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988 -
\??\c:\vvjjv.exec:\vvjjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\vpjdv.exec:\vpjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\1vvjj.exec:\1vvjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\xrrlrrl.exec:\xrrlrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\xxffxfl.exec:\xxffxfl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\btbttn.exec:\btbttn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\ddjpv.exec:\ddjpv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\rlxfxff.exec:\rlxfxff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\hbhhtt.exec:\hbhhtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\ppppp.exec:\ppppp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928 -
\??\c:\tbhtht.exec:\tbhtht.exe23⤵
- Executes dropped EXE
PID:1828 -
\??\c:\jpjjd.exec:\jpjjd.exe24⤵
- Executes dropped EXE
PID:3924 -
\??\c:\5xrlrlr.exec:\5xrlrlr.exe25⤵
- Executes dropped EXE
PID:4844 -
\??\c:\lfrrrxx.exec:\lfrrrxx.exe26⤵
- Executes dropped EXE
PID:4808 -
\??\c:\frllffx.exec:\frllffx.exe27⤵
- Executes dropped EXE
PID:1492 -
\??\c:\lxffrxf.exec:\lxffrxf.exe28⤵
- Executes dropped EXE
PID:2504 -
\??\c:\llfllxx.exec:\llfllxx.exe29⤵
- Executes dropped EXE
PID:2164 -
\??\c:\1vdvd.exec:\1vdvd.exe30⤵
- Executes dropped EXE
PID:4708 -
\??\c:\lrxllxx.exec:\lrxllxx.exe31⤵
- Executes dropped EXE
PID:5036 -
\??\c:\lxxxfff.exec:\lxxxfff.exe32⤵
- Executes dropped EXE
PID:2656 -
\??\c:\pjjdd.exec:\pjjdd.exe33⤵
- Executes dropped EXE
PID:2436 -
\??\c:\tbttnn.exec:\tbttnn.exe34⤵
- Executes dropped EXE
PID:4436 -
\??\c:\ppjdv.exec:\ppjdv.exe35⤵
- Executes dropped EXE
PID:3820 -
\??\c:\rxrxrfx.exec:\rxrxrfx.exe36⤵
- Executes dropped EXE
PID:4336 -
\??\c:\9tttnt.exec:\9tttnt.exe37⤵
- Executes dropped EXE
PID:4800 -
\??\c:\xrxfxxf.exec:\xrxfxxf.exe38⤵
- Executes dropped EXE
PID:3636 -
\??\c:\pddvj.exec:\pddvj.exe39⤵
- Executes dropped EXE
PID:4528 -
\??\c:\xfxxrxx.exec:\xfxxrxx.exe40⤵
- Executes dropped EXE
PID:2124 -
\??\c:\bnnbbh.exec:\bnnbbh.exe41⤵
- Executes dropped EXE
PID:3616 -
\??\c:\bbnhnh.exec:\bbnhnh.exe42⤵
- Executes dropped EXE
PID:1552 -
\??\c:\vdjpp.exec:\vdjpp.exe43⤵
- Executes dropped EXE
PID:4020 -
\??\c:\nbbtnb.exec:\nbbtnb.exe44⤵
- Executes dropped EXE
PID:5072 -
\??\c:\jddvp.exec:\jddvp.exe45⤵
- Executes dropped EXE
PID:3740 -
\??\c:\pjjdv.exec:\pjjdv.exe46⤵
- Executes dropped EXE
PID:3152 -
\??\c:\hhttnn.exec:\hhttnn.exe47⤵
- Executes dropped EXE
PID:3728 -
\??\c:\hbbbth.exec:\hbbbth.exe48⤵
- Executes dropped EXE
PID:2136 -
\??\c:\3pjdv.exec:\3pjdv.exe49⤵
- Executes dropped EXE
PID:216 -
\??\c:\frfxlfr.exec:\frfxlfr.exe50⤵
- Executes dropped EXE
PID:4868 -
\??\c:\1bbbnn.exec:\1bbbnn.exe51⤵
- Executes dropped EXE
PID:4352 -
\??\c:\tttnhb.exec:\tttnhb.exe52⤵
- Executes dropped EXE
PID:4212 -
\??\c:\5dvvp.exec:\5dvvp.exe53⤵
- Executes dropped EXE
PID:408 -
\??\c:\xrxlfxr.exec:\xrxlfxr.exe54⤵
- Executes dropped EXE
PID:4836 -
\??\c:\lrfxxxr.exec:\lrfxxxr.exe55⤵
- Executes dropped EXE
PID:1528 -
\??\c:\nhnhtt.exec:\nhnhtt.exe56⤵
- Executes dropped EXE
PID:4472 -
\??\c:\vddpj.exec:\vddpj.exe57⤵
- Executes dropped EXE
PID:4796 -
\??\c:\jjjvj.exec:\jjjvj.exe58⤵
- Executes dropped EXE
PID:4508 -
\??\c:\rrxrllf.exec:\rrxrllf.exe59⤵
- Executes dropped EXE
PID:512 -
\??\c:\bnttnn.exec:\bnttnn.exe60⤵
- Executes dropped EXE
PID:5092 -
\??\c:\pjpjp.exec:\pjpjp.exe61⤵
- Executes dropped EXE
PID:3008 -
\??\c:\vvjdd.exec:\vvjdd.exe62⤵
- Executes dropped EXE
PID:2552 -
\??\c:\lfrllll.exec:\lfrllll.exe63⤵
- Executes dropped EXE
PID:1916 -
\??\c:\bttttt.exec:\bttttt.exe64⤵
- Executes dropped EXE
PID:4524 -
\??\c:\jppdv.exec:\jppdv.exe65⤵
- Executes dropped EXE
PID:4700 -
\??\c:\pddjp.exec:\pddjp.exe66⤵PID:2008
-
\??\c:\rxrffxl.exec:\rxrffxl.exe67⤵PID:4052
-
\??\c:\htbntt.exec:\htbntt.exe68⤵PID:4448
-
\??\c:\hhnnht.exec:\hhnnht.exe69⤵PID:5104
-
\??\c:\pdvvd.exec:\pdvvd.exe70⤵PID:2880
-
\??\c:\frrlfxx.exec:\frrlfxx.exe71⤵PID:2772
-
\??\c:\rfxrllf.exec:\rfxrllf.exe72⤵PID:3316
-
\??\c:\bhthbb.exec:\bhthbb.exe73⤵PID:2504
-
\??\c:\tbbtnh.exec:\tbbtnh.exe74⤵PID:5056
-
\??\c:\pdjdv.exec:\pdjdv.exe75⤵PID:2900
-
\??\c:\vpvpp.exec:\vpvpp.exe76⤵PID:4928
-
\??\c:\xxfrlff.exec:\xxfrlff.exe77⤵PID:3940
-
\??\c:\9nnhtb.exec:\9nnhtb.exe78⤵PID:1700
-
\??\c:\nnttnh.exec:\nnttnh.exe79⤵PID:2436
-
\??\c:\djpjd.exec:\djpjd.exe80⤵PID:3904
-
\??\c:\jvvvv.exec:\jvvvv.exe81⤵PID:2332
-
\??\c:\fxrrfxl.exec:\fxrrfxl.exe82⤵PID:1640
-
\??\c:\nttnnb.exec:\nttnnb.exe83⤵PID:2616
-
\??\c:\vpdjj.exec:\vpdjj.exe84⤵PID:4732
-
\??\c:\jvppj.exec:\jvppj.exe85⤵PID:2780
-
\??\c:\rflllll.exec:\rflllll.exe86⤵PID:3288
-
\??\c:\xflffxx.exec:\xflffxx.exe87⤵PID:1576
-
\??\c:\5bbbtt.exec:\5bbbtt.exe88⤵PID:1948
-
\??\c:\1ttnhb.exec:\1ttnhb.exe89⤵PID:4288
-
\??\c:\vpjdv.exec:\vpjdv.exe90⤵PID:2428
-
\??\c:\5fllffx.exec:\5fllffx.exe91⤵PID:4592
-
\??\c:\rxlfrrl.exec:\rxlfrrl.exe92⤵PID:3472
-
\??\c:\tthbtn.exec:\tthbtn.exe93⤵PID:3460
-
\??\c:\tnbnnn.exec:\tnbnnn.exe94⤵PID:2136
-
\??\c:\vjjvd.exec:\vjjvd.exe95⤵PID:372
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe96⤵PID:4868
-
\??\c:\xxxflll.exec:\xxxflll.exe97⤵PID:1560
-
\??\c:\bbnntt.exec:\bbnntt.exe98⤵PID:2356
-
\??\c:\1djdp.exec:\1djdp.exe99⤵PID:3188
-
\??\c:\vvvjd.exec:\vvvjd.exe100⤵
- System Location Discovery: System Language Discovery
PID:3172 -
\??\c:\5flffff.exec:\5flffff.exe101⤵PID:5064
-
\??\c:\bnbbbh.exec:\bnbbbh.exe102⤵PID:2728
-
\??\c:\bttbbn.exec:\bttbbn.exe103⤵PID:2612
-
\??\c:\dvdvv.exec:\dvdvv.exe104⤵PID:3352
-
\??\c:\flrllll.exec:\flrllll.exe105⤵PID:4456
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe106⤵PID:1512
-
\??\c:\hbbttb.exec:\hbbttb.exe107⤵PID:2288
-
\??\c:\jjdpd.exec:\jjdpd.exe108⤵PID:2040
-
\??\c:\vjppj.exec:\vjppj.exe109⤵PID:4452
-
\??\c:\xxfxrrr.exec:\xxfxrrr.exe110⤵PID:3048
-
\??\c:\lfxrlfr.exec:\lfxrlfr.exe111⤵PID:536
-
\??\c:\tnhhhh.exec:\tnhhhh.exe112⤵PID:872
-
\??\c:\nbhhnn.exec:\nbhhnn.exe113⤵PID:4844
-
\??\c:\xfxfrrr.exec:\xfxfrrr.exe114⤵PID:1572
-
\??\c:\rfxllrr.exec:\rfxllrr.exe115⤵PID:1624
-
\??\c:\bbbbth.exec:\bbbbth.exe116⤵PID:1472
-
\??\c:\tbbtnh.exec:\tbbtnh.exe117⤵PID:3016
-
\??\c:\jvvvv.exec:\jvvvv.exe118⤵PID:4208
-
\??\c:\jpjjd.exec:\jpjjd.exe119⤵PID:1644
-
\??\c:\lrxxrfx.exec:\lrxxrfx.exe120⤵PID:4832
-
\??\c:\rrfxrxr.exec:\rrfxrxr.exe121⤵PID:4916
-
\??\c:\1hnhbb.exec:\1hnhbb.exe122⤵PID:384
-