Analysis
-
max time kernel
120s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24-11-2024 11:14
Behavioral task
behavioral1
Sample
94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe
Resource
win7-20240903-en
General
-
Target
94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe
-
Size
332KB
-
MD5
327d873702a29e016b3efb1d652ef7f1
-
SHA1
d492d233471bd1a83a19d3f32d0fe1f4ef610514
-
SHA256
94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2
-
SHA512
9ee0b24f1beb135d5a9022e711adb0f993ace447a4a3edfc0b861b884940b5145dacf73c055e7c1248d6392c967961bc9bfb9711c4faf66c1954139096c5121c
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbe2:R4wFHoSHYHUrAwfMp3CD2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
Processes:
resource yara_rule behavioral2/memory/452-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2384-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1108-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4336-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1280-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2444-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1016-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2420-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3848-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1668-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1328-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3964-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3580-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4728-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1552-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3888-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4708-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2820-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/320-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/932-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1596-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4912-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/412-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3752-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3716-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1444-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/768-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1048-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2092-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2200-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1852-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/184-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1484-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4092-278-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2204-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1488-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/920-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1480-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4088-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1824-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4940-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1328-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4332-437-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3564-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2768-474-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1944-511-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4808-560-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/768-617-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1828-632-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-723-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-796-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2820-809-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Processes:
lflfxxx.exetnthbb.exerrrffrl.exedpdvj.exevvpdv.exeppjdd.exexxlflll.exedpdpd.exeflllfxx.exepvjdd.exe5xlffxx.exebtbtnh.exejvddv.exebnnhbb.exefflffxx.exelfrlxfr.exeffrffll.exerlflxrr.exetbhbbt.exe5vpjv.exexffxrlr.exefxxrlrr.exebthbbh.exelxlffxx.exebhnhbt.exedvvdv.exelxxrrrr.exejjvpv.exettttth.exejppjd.exehbnbtt.exe9jjdv.exexlxxrrl.exebbtnhh.exe5vvpj.exe3rxlffr.exedjpjd.exerllxrll.exebtthbb.exedpjpp.exepppdp.exerxfxrlf.exethnnhn.exejppjd.exelxxrffx.exennnhbb.exepjjdv.exevpvvv.exexflxrrl.exentttnn.exe7vdvp.exexlrrllx.exefrrlfxx.exebbbtnh.exetntntn.exejpvvv.exefxlffff.exennhbbt.exedpvvp.exelxrlfxx.exenthbtt.exehbhhbb.exedjjdv.exerxxxxxx.exepid Process 4632 lflfxxx.exe 2472 tnthbb.exe 2384 rrrffrl.exe 3636 dpdvj.exe 1108 vvpdv.exe 4508 ppjdd.exe 4336 xxlflll.exe 1280 dpdpd.exe 2444 flllfxx.exe 1016 pvjdd.exe 1384 5xlffxx.exe 4388 btbtnh.exe 2908 jvddv.exe 2420 bnnhbb.exe 3848 fflffxx.exe 1668 lfrlxfr.exe 1328 ffrffll.exe 3964 rlflxrr.exe 3384 tbhbbt.exe 4308 5vpjv.exe 1892 xffxrlr.exe 3580 fxxrlrr.exe 4728 bthbbh.exe 1552 lxlffxx.exe 4708 bhnhbt.exe 3888 dvvdv.exe 2392 lxxrrrr.exe 2820 jjvpv.exe 4448 ttttth.exe 320 jppjd.exe 1460 hbnbtt.exe 4952 9jjdv.exe 932 xlxxrrl.exe 1244 bbtnhh.exe 1596 5vvpj.exe 1480 3rxlffr.exe 4912 djpjd.exe 3476 rllxrll.exe 412 btthbb.exe 456 dpjpp.exe 3752 pppdp.exe 3988 rxfxrlf.exe 4248 thnnhn.exe 3716 jppjd.exe 1220 lxxrffx.exe 2436 nnnhbb.exe 3120 pjjdv.exe 1444 vpvvv.exe 768 xflxrrl.exe 840 ntttnn.exe 3524 7vdvp.exe 2376 xlrrllx.exe 5000 frrlfxx.exe 4368 bbbtnh.exe 4828 tntntn.exe 452 jpvvv.exe 4616 fxlffff.exe 1048 nnhbbt.exe 4940 dpvvp.exe 4468 lxrlfxx.exe 3648 nthbtt.exe 3636 hbhhbb.exe 2092 djjdv.exe 2640 rxxxxxx.exe -
Processes:
resource yara_rule behavioral2/memory/452-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b8f-3.dat upx behavioral2/memory/452-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c86-8.dat upx behavioral2/memory/4632-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c87-11.dat upx behavioral2/files/0x0007000000023c88-17.dat upx behavioral2/memory/3636-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c89-23.dat upx behavioral2/memory/2384-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8a-27.dat upx behavioral2/memory/1108-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8b-32.dat upx behavioral2/memory/4508-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8c-39.dat upx behavioral2/memory/4336-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1280-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8d-44.dat upx behavioral2/files/0x0007000000023c8e-47.dat upx behavioral2/memory/2444-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c90-52.dat upx behavioral2/memory/1384-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1016-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-58.dat upx behavioral2/memory/1384-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-63.dat upx behavioral2/files/0x0007000000023c93-67.dat upx behavioral2/memory/2420-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3848-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c94-72.dat upx behavioral2/files/0x0009000000023c7f-77.dat upx 
behavioral2/memory/1668-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-83.dat upx behavioral2/memory/1668-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1328-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c96-87.dat upx behavioral2/files/0x0007000000023c97-92.dat upx behavioral2/memory/3964-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c98-98.dat upx behavioral2/memory/4308-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c99-102.dat upx behavioral2/files/0x0007000000023c9a-106.dat upx behavioral2/files/0x0007000000023c9b-111.dat upx behavioral2/memory/3580-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9c-115.dat upx behavioral2/memory/4728-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-120.dat upx behavioral2/memory/1552-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3888-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-131.dat upx behavioral2/memory/4708-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-126.dat upx behavioral2/files/0x0007000000023ca0-135.dat upx behavioral2/memory/2820-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-140.dat upx behavioral2/files/0x0007000000023ca2-144.dat upx behavioral2/memory/4448-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-149.dat upx behavioral2/memory/320-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-154.dat upx behavioral2/memory/4952-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/932-161-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1596-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4912-171-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
Processes:
bbhhnt.exexrxrlll.exe7vdpd.exetbttbb.exenhhhnn.exepjvpj.exevpddv.exennbnhh.exerxxxxxx.exebthbbn.exedpvvp.exeddvpj.exeppddj.exefrrlxrr.exeppdvv.exetnbbnt.exepvjjj.exelffxxxx.exevpdvp.exebthbhh.exetnhtbb.exeddvpv.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxxxx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exelflfxxx.exetnthbb.exerrrffrl.exedpdvj.exevvpdv.exeppjdd.exexxlflll.exedpdpd.exeflllfxx.exepvjdd.exe5xlffxx.exebtbtnh.exejvddv.exebnnhbb.exefflffxx.exelfrlxfr.exeffrffll.exerlflxrr.exetbhbbt.exe5vpjv.exexffxrlr.exedescription pid Process procid_target PID 452 wrote to memory of 4632 452 94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe 83 PID 452 wrote to memory of 4632 452 94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe 83 PID 452 wrote to memory of 4632 452 94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe 83 PID 4632 wrote to memory of 2472 4632 lflfxxx.exe 84 PID 4632 wrote to memory of 2472 4632 lflfxxx.exe 84 PID 4632 wrote to memory of 2472 4632 lflfxxx.exe 84 PID 2472 wrote to memory of 2384 2472 tnthbb.exe 85 PID 2472 wrote to memory of 2384 2472 tnthbb.exe 85 PID 2472 wrote to memory of 2384 2472 tnthbb.exe 85 PID 2384 wrote to memory of 3636 2384 rrrffrl.exe 86 PID 2384 wrote to memory of 3636 2384 rrrffrl.exe 86 PID 2384 wrote to memory of 3636 2384 rrrffrl.exe 86 PID 3636 wrote to memory of 1108 3636 dpdvj.exe 87 PID 3636 wrote to memory of 1108 3636 dpdvj.exe 87 PID 3636 wrote to memory of 1108 3636 dpdvj.exe 87 PID 1108 wrote to memory of 4508 1108 vvpdv.exe 88 PID 1108 wrote to memory of 4508 1108 vvpdv.exe 88 PID 1108 wrote to memory of 4508 1108 vvpdv.exe 88 PID 4508 wrote to memory of 4336 4508 ppjdd.exe 89 PID 4508 wrote to memory of 4336 4508 ppjdd.exe 89 PID 4508 wrote to memory of 4336 4508 ppjdd.exe 89 PID 4336 wrote to memory of 1280 4336 xxlflll.exe 90 PID 4336 wrote to memory of 1280 4336 xxlflll.exe 90 PID 4336 wrote to memory of 1280 4336 xxlflll.exe 90 PID 1280 wrote to memory of 2444 1280 dpdpd.exe 91 PID 1280 wrote to memory of 2444 1280 dpdpd.exe 91 PID 1280 wrote to memory of 2444 1280 dpdpd.exe 91 PID 2444 wrote to memory of 1016 2444 flllfxx.exe 92 PID 2444 wrote to memory of 1016 2444 flllfxx.exe 92 PID 
2444 wrote to memory of 1016 2444 flllfxx.exe 92 PID 1016 wrote to memory of 1384 1016 pvjdd.exe 93 PID 1016 wrote to memory of 1384 1016 pvjdd.exe 93 PID 1016 wrote to memory of 1384 1016 pvjdd.exe 93 PID 1384 wrote to memory of 4388 1384 5xlffxx.exe 94 PID 1384 wrote to memory of 4388 1384 5xlffxx.exe 94 PID 1384 wrote to memory of 4388 1384 5xlffxx.exe 94 PID 4388 wrote to memory of 2908 4388 btbtnh.exe 95 PID 4388 wrote to memory of 2908 4388 btbtnh.exe 95 PID 4388 wrote to memory of 2908 4388 btbtnh.exe 95 PID 2908 wrote to memory of 2420 2908 jvddv.exe 96 PID 2908 wrote to memory of 2420 2908 jvddv.exe 96 PID 2908 wrote to memory of 2420 2908 jvddv.exe 96 PID 2420 wrote to memory of 3848 2420 bnnhbb.exe 97 PID 2420 wrote to memory of 3848 2420 bnnhbb.exe 97 PID 2420 wrote to memory of 3848 2420 bnnhbb.exe 97 PID 3848 wrote to memory of 1668 3848 fflffxx.exe 98 PID 3848 wrote to memory of 1668 3848 fflffxx.exe 98 PID 3848 wrote to memory of 1668 3848 fflffxx.exe 98 PID 1668 wrote to memory of 1328 1668 lfrlxfr.exe 99 PID 1668 wrote to memory of 1328 1668 lfrlxfr.exe 99 PID 1668 wrote to memory of 1328 1668 lfrlxfr.exe 99 PID 1328 wrote to memory of 3964 1328 ffrffll.exe 100 PID 1328 wrote to memory of 3964 1328 ffrffll.exe 100 PID 1328 wrote to memory of 3964 1328 ffrffll.exe 100 PID 3964 wrote to memory of 3384 3964 rlflxrr.exe 101 PID 3964 wrote to memory of 3384 3964 rlflxrr.exe 101 PID 3964 wrote to memory of 3384 3964 rlflxrr.exe 101 PID 3384 wrote to memory of 4308 3384 tbhbbt.exe 102 PID 3384 wrote to memory of 4308 3384 tbhbbt.exe 102 PID 3384 wrote to memory of 4308 3384 tbhbbt.exe 102 PID 4308 wrote to memory of 1892 4308 5vpjv.exe 103 PID 4308 wrote to memory of 1892 4308 5vpjv.exe 103 PID 4308 wrote to memory of 1892 4308 5vpjv.exe 103 PID 1892 wrote to memory of 3580 1892 xffxrlr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe"C:\Users\Admin\AppData\Local\Temp\94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\lflfxxx.exec:\lflfxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\tnthbb.exec:\tnthbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\rrrffrl.exec:\rrrffrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\dpdvj.exec:\dpdvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\vvpdv.exec:\vvpdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\ppjdd.exec:\ppjdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\xxlflll.exec:\xxlflll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\dpdpd.exec:\dpdpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\flllfxx.exec:\flllfxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\pvjdd.exec:\pvjdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\5xlffxx.exec:\5xlffxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\btbtnh.exec:\btbtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\jvddv.exec:\jvddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\bnnhbb.exec:\bnnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\fflffxx.exec:\fflffxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848 -
\??\c:\lfrlxfr.exec:\lfrlxfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\ffrffll.exec:\ffrffll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\rlflxrr.exec:\rlflxrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\tbhbbt.exec:\tbhbbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\5vpjv.exec:\5vpjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\xffxrlr.exec:\xffxrlr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\fxxrlrr.exec:\fxxrlrr.exe23⤵
- Executes dropped EXE
PID:3580 -
\??\c:\bthbbh.exec:\bthbbh.exe24⤵
- Executes dropped EXE
PID:4728 -
\??\c:\lxlffxx.exec:\lxlffxx.exe25⤵
- Executes dropped EXE
PID:1552 -
\??\c:\bhnhbt.exec:\bhnhbt.exe26⤵
- Executes dropped EXE
PID:4708 -
\??\c:\dvvdv.exec:\dvvdv.exe27⤵
- Executes dropped EXE
PID:3888 -
\??\c:\lxxrrrr.exec:\lxxrrrr.exe28⤵
- Executes dropped EXE
PID:2392 -
\??\c:\jjvpv.exec:\jjvpv.exe29⤵
- Executes dropped EXE
PID:2820 -
\??\c:\ttttth.exec:\ttttth.exe30⤵
- Executes dropped EXE
PID:4448 -
\??\c:\jppjd.exec:\jppjd.exe31⤵
- Executes dropped EXE
PID:320 -
\??\c:\hbnbtt.exec:\hbnbtt.exe32⤵
- Executes dropped EXE
PID:1460 -
\??\c:\9jjdv.exec:\9jjdv.exe33⤵
- Executes dropped EXE
PID:4952 -
\??\c:\xlxxrrl.exec:\xlxxrrl.exe34⤵
- Executes dropped EXE
PID:932 -
\??\c:\bbtnhh.exec:\bbtnhh.exe35⤵
- Executes dropped EXE
PID:1244 -
\??\c:\5vvpj.exec:\5vvpj.exe36⤵
- Executes dropped EXE
PID:1596 -
\??\c:\3rxlffr.exec:\3rxlffr.exe37⤵
- Executes dropped EXE
PID:1480 -
\??\c:\djpjd.exec:\djpjd.exe38⤵
- Executes dropped EXE
PID:4912 -
\??\c:\rllxrll.exec:\rllxrll.exe39⤵
- Executes dropped EXE
PID:3476 -
\??\c:\btthbb.exec:\btthbb.exe40⤵
- Executes dropped EXE
PID:412 -
\??\c:\dpjpp.exec:\dpjpp.exe41⤵
- Executes dropped EXE
PID:456 -
\??\c:\pppdp.exec:\pppdp.exe42⤵
- Executes dropped EXE
PID:3752 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe43⤵
- Executes dropped EXE
PID:3988 -
\??\c:\thnnhn.exec:\thnnhn.exe44⤵
- Executes dropped EXE
PID:4248 -
\??\c:\jppjd.exec:\jppjd.exe45⤵
- Executes dropped EXE
PID:3716 -
\??\c:\lxxrffx.exec:\lxxrffx.exe46⤵
- Executes dropped EXE
PID:1220 -
\??\c:\nnnhbb.exec:\nnnhbb.exe47⤵
- Executes dropped EXE
PID:2436 -
\??\c:\pjjdv.exec:\pjjdv.exe48⤵
- Executes dropped EXE
PID:3120 -
\??\c:\vpvvv.exec:\vpvvv.exe49⤵
- Executes dropped EXE
PID:1444 -
\??\c:\xflxrrl.exec:\xflxrrl.exe50⤵
- Executes dropped EXE
PID:768 -
\??\c:\ntttnn.exec:\ntttnn.exe51⤵
- Executes dropped EXE
PID:840 -
\??\c:\7vdvp.exec:\7vdvp.exe52⤵
- Executes dropped EXE
PID:3524 -
\??\c:\xlrrllx.exec:\xlrrllx.exe53⤵
- Executes dropped EXE
PID:2376 -
\??\c:\frrlfxx.exec:\frrlfxx.exe54⤵
- Executes dropped EXE
PID:5000 -
\??\c:\bbbtnh.exec:\bbbtnh.exe55⤵
- Executes dropped EXE
PID:4368 -
\??\c:\tntntn.exec:\tntntn.exe56⤵
- Executes dropped EXE
PID:4828 -
\??\c:\jpvvv.exec:\jpvvv.exe57⤵
- Executes dropped EXE
PID:452 -
\??\c:\fxlffff.exec:\fxlffff.exe58⤵
- Executes dropped EXE
PID:4616 -
\??\c:\nnhbbt.exec:\nnhbbt.exe59⤵
- Executes dropped EXE
PID:1048 -
\??\c:\dpvvp.exec:\dpvvp.exe60⤵
- Executes dropped EXE
PID:4940 -
\??\c:\lxrlfxx.exec:\lxrlfxx.exe61⤵
- Executes dropped EXE
PID:4468 -
\??\c:\nthbtt.exec:\nthbtt.exe62⤵
- Executes dropped EXE
PID:3648 -
\??\c:\hbhhbb.exec:\hbhhbb.exe63⤵
- Executes dropped EXE
PID:3636 -
\??\c:\djjdv.exec:\djjdv.exe64⤵
- Executes dropped EXE
PID:2092 -
\??\c:\rxxxxxx.exec:\rxxxxxx.exe65⤵
- Executes dropped EXE
PID:2640 -
\??\c:\nhhbbb.exec:\nhhbbb.exe66⤵PID:4032
-
\??\c:\dpvvv.exec:\dpvvv.exe67⤵PID:1984
-
\??\c:\xrfxxlf.exec:\xrfxxlf.exe68⤵PID:3520
-
\??\c:\hbbbbb.exec:\hbbbbb.exe69⤵PID:540
-
\??\c:\vjvpv.exec:\vjvpv.exe70⤵PID:628
-
\??\c:\djpjv.exec:\djpjv.exe71⤵PID:1072
-
\??\c:\frrlxxr.exec:\frrlxxr.exe72⤵PID:2200
-
\??\c:\3xxxrlf.exec:\3xxxrlf.exe73⤵PID:2824
-
\??\c:\nhhbtt.exec:\nhhbtt.exe74⤵PID:1660
-
\??\c:\dvvpj.exec:\dvvpj.exe75⤵PID:2008
-
\??\c:\xffxllx.exec:\xffxllx.exe76⤵PID:2420
-
\??\c:\bhtnbb.exec:\bhtnbb.exe77⤵PID:4476
-
\??\c:\jpvpj.exec:\jpvpj.exe78⤵PID:4208
-
\??\c:\frxrrrl.exec:\frxrrrl.exe79⤵PID:1852
-
\??\c:\xlrlfrf.exec:\xlrlfrf.exe80⤵PID:4052
-
\??\c:\btnhbt.exec:\btnhbt.exe81⤵PID:184
-
\??\c:\jdvpd.exec:\jdvpd.exe82⤵PID:1000
-
\??\c:\rllfxrx.exec:\rllfxrx.exe83⤵PID:1484
-
\??\c:\nhnhbh.exec:\nhnhbh.exe84⤵PID:3580
-
\??\c:\jdvpv.exec:\jdvpv.exe85⤵PID:4092
-
\??\c:\jdvpj.exec:\jdvpj.exe86⤵PID:4072
-
\??\c:\bthbhb.exec:\bthbhb.exe87⤵PID:2448
-
\??\c:\thnhnn.exec:\thnhnn.exe88⤵PID:2936
-
\??\c:\jvdjd.exec:\jvdjd.exe89⤵PID:860
-
\??\c:\fflfffx.exec:\fflfffx.exe90⤵PID:2204
-
\??\c:\tnnhtt.exec:\tnnhtt.exe91⤵PID:2856
-
\??\c:\jpppj.exec:\jpppj.exe92⤵PID:3744
-
\??\c:\vdpjd.exec:\vdpjd.exe93⤵PID:4284
-
\??\c:\1rrlxxr.exec:\1rrlxxr.exe94⤵PID:1488
-
\??\c:\tnbtnt.exec:\tnbtnt.exe95⤵PID:920
-
\??\c:\pdvpd.exec:\pdvpd.exe96⤵PID:712
-
\??\c:\pdjdd.exec:\pdjdd.exe97⤵PID:4952
-
\??\c:\xrrrrll.exec:\xrrrrll.exe98⤵PID:3868
-
\??\c:\bbhbtb.exec:\bbhbtb.exe99⤵PID:2612
-
\??\c:\vjvvp.exec:\vjvvp.exe100⤵PID:940
-
\??\c:\lrxlfxl.exec:\lrxlfxl.exe101⤵PID:1228
-
\??\c:\tntnnn.exec:\tntnnn.exe102⤵PID:1480
-
\??\c:\bbbnhb.exec:\bbbnhb.exe103⤵PID:3436
-
\??\c:\vjpjp.exec:\vjpjp.exe104⤵PID:4088
-
\??\c:\7vdpd.exec:\7vdpd.exe105⤵
- System Location Discovery: System Language Discovery
PID:3220 -
\??\c:\rxffrrl.exec:\rxffrrl.exe106⤵PID:1736
-
\??\c:\nttnhh.exec:\nttnhh.exe107⤵PID:3752
-
\??\c:\nhnhtt.exec:\nhnhtt.exe108⤵PID:3988
-
\??\c:\ppdjd.exec:\ppdjd.exe109⤵PID:4248
-
\??\c:\rrxrllf.exec:\rrxrllf.exe110⤵PID:1824
-
\??\c:\lllfllx.exec:\lllfllx.exe111⤵PID:1220
-
\??\c:\nbhbtt.exec:\nbhbtt.exe112⤵PID:2436
-
\??\c:\djdjv.exec:\djdjv.exe113⤵PID:3120
-
\??\c:\flrlffx.exec:\flrlffx.exe114⤵PID:3076
-
\??\c:\tnhbnt.exec:\tnhbnt.exe115⤵PID:4116
-
\??\c:\vjpdv.exec:\vjpdv.exe116⤵PID:3700
-
\??\c:\5jpjp.exec:\5jpjp.exe117⤵PID:3524
-
\??\c:\rffxllf.exec:\rffxllf.exe118⤵PID:2376
-
\??\c:\nttnhh.exec:\nttnhh.exe119⤵PID:5000
-
\??\c:\7vpjv.exec:\7vpjv.exe120⤵PID:3892
-
\??\c:\xrxrlll.exec:\xrxrlll.exe121⤵
- System Location Discovery: System Language Discovery
PID:4828 -
\??\c:\tbttbb.exec:\tbttbb.exe122⤵
- System Location Discovery: System Language Discovery
PID:3336