Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
24-11-2024 11:17
Behavioral task
behavioral1
Sample
94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe
Resource
win7-20241023-en
(Note: the run summarised on this page — platform windows10-2004_x64, resource win10v2004-20241007-en — and every IoC listed below are tagged behavioral2. The behavioral1 / win7-20241023-en entry above appears to be a separate task and its results should not be conflated with the Windows 10 findings that follow.)
General
-
Target
94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe
-
Size
332KB
-
MD5
327d873702a29e016b3efb1d652ef7f1
-
SHA1
d492d233471bd1a83a19d3f32d0fe1f4ef610514
-
SHA256
94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2
-
SHA512
9ee0b24f1beb135d5a9022e711adb0f993ace447a4a3edfc0b861b884940b5145dacf73c055e7c1248d6392c967961bc9bfb9711c4faf66c1954139096c5121c
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbe2:R4wFHoSHYHUrAwfMp3CD2
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload — 64 IoCs (the family_blackmoon YARA rule matched the same 0x0000000000400000–0x0000000000427000 image region in the initial process and in each spawned child)
Processes:
resource yara_rule behavioral2/memory/1684-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1428-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3192-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3376-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3256-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2696-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1996-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3792-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4340-61-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2804-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3708-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2336-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2644-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5032-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1092-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3820-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2604-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4056-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3512-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/928-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/64-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4536-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1900-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4888-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4620-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4332-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4276-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4296-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4784-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3516-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1936-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1964-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3584-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5024-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4612-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4352-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4204-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2776-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4624-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4756-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2568-423-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2120-465-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4504-488-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-503-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4128-524-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4696-597-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2452-616-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-637-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1292-733-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2188-927-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs listed (the process tree below continues well past 64 levels, so this list appears to be capped at 64 and is not the full set of dropped executables)
Processes:
1hnbbt.exejvppp.exenhhbbb.exebhhtbt.exe7xlxrrf.exedvpjd.exehnbbht.exellrlxrf.exehtnbhb.exe7jpjv.exerxrfxrf.exebnhbtn.exe9xfxllf.exe9dvjv.exehhnhnh.exe5ppdp.exevvpdv.exellxrfxl.exetnhbtt.exe7nbbtb.exe7jjdv.exebhbtnb.exejdddp.exe9ppjv.exexrrlffx.exefrfxrlf.exenbbhnb.exe7dpdv.exehbbthb.exedddvj.exeddjvp.exerrlrrlf.exejvvpd.exethhbtn.exevvdpd.exerflxffr.exe9nbbhb.exe7fxlfxr.exellxrrrr.exejjdpj.exefxfffff.exebtbtnh.exehnbnhh.exejjpjv.exe1rxrrrr.exehtnbhn.exenbhtnt.exepjpdd.exexlrlxrl.exehbbtnn.exebnnbtn.exejvvjp.exe3htbtt.exettnhbb.exedpvpj.exerfxrxrr.exehbhbtt.exeddvpv.exevpddv.exeflxrlll.exehhtnbh.exejvvpj.exe7xfrffx.exe1nthbt.exepid Process 4904 1hnbbt.exe 3192 jvppp.exe 1428 nhhbbb.exe 3376 bhhtbt.exe 3256 7xlxrrf.exe 2696 dvpjd.exe 1232 hnbbht.exe 4816 llrlxrf.exe 1996 htnbhb.exe 4524 7jpjv.exe 3792 rxrfxrf.exe 4340 bnhbtn.exe 2804 9xfxllf.exe 3708 9dvjv.exe 2336 hhnhnh.exe 3188 5ppdp.exe 2644 vvpdv.exe 5032 llxrfxl.exe 1092 tnhbtt.exe 4720 7nbbtb.exe 1700 7jjdv.exe 3820 bhbtnb.exe 2604 jdddp.exe 4532 9ppjv.exe 928 xrrlffx.exe 4056 frfxrlf.exe 368 nbbhnb.exe 3512 7dpdv.exe 3260 hbbthb.exe 64 dddvj.exe 4000 ddjvp.exe 4456 rrlrrlf.exe 4336 jvvpd.exe 4536 thhbtn.exe 2396 vvdpd.exe 920 rflxffr.exe 5084 9nbbhb.exe 1900 7fxlfxr.exe 4888 llxrrrr.exe 3648 jjdpj.exe 4620 fxfffff.exe 4332 btbtnh.exe 2300 hnbnhh.exe 4548 jjpjv.exe 4276 1rxrrrr.exe 4296 htnbhn.exe 4628 nbhtnt.exe 4784 pjpdd.exe 4404 xlrlxrl.exe 3424 hbbtnn.exe 3516 bnnbtn.exe 1936 jvvjp.exe 3576 3htbtt.exe 2708 ttnhbb.exe 4464 dpvpj.exe 2932 rfxrxrr.exe 748 hbhbtt.exe 4728 ddvpv.exe 1964 vpddv.exe 1004 flxrlll.exe 3608 hhtnbh.exe 3584 jvvpj.exe 2988 7xfrffx.exe 2068 1nthbt.exe -
Processes (YARA rule "upx" matched both the dropped .dat files and the 0x0000000000400000–0x0000000000427000 image region of each process, indicating the sample and its drops are UPX-packed; the Blackmoon matches above are on the same unpacked in-memory regions):
resource yara_rule behavioral2/memory/1684-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b81-2.dat upx behavioral2/memory/1684-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c70-8.dat upx behavioral2/memory/4904-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c75-13.dat upx behavioral2/memory/1428-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3192-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c76-19.dat upx behavioral2/files/0x0007000000023c77-23.dat upx behavioral2/memory/3376-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c78-28.dat upx behavioral2/memory/3256-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c79-33.dat upx behavioral2/memory/2696-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7a-38.dat upx behavioral2/files/0x0007000000023c7b-42.dat upx behavioral2/memory/4816-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7c-47.dat upx behavioral2/memory/1996-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7d-52.dat upx behavioral2/memory/3792-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7e-57.dat upx behavioral2/memory/4340-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c7f-62.dat upx behavioral2/files/0x0007000000023c80-67.dat upx behavioral2/memory/2804-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c71-71.dat upx behavioral2/memory/3708-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c81-76.dat upx behavioral2/memory/2336-77-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023c82-81.dat upx behavioral2/memory/2644-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c83-85.dat upx behavioral2/files/0x0007000000023c84-91.dat upx behavioral2/memory/5032-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1092-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c85-95.dat upx behavioral2/files/0x0007000000023c86-100.dat upx behavioral2/files/0x0007000000023c87-104.dat upx behavioral2/memory/3820-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c88-109.dat upx behavioral2/memory/3820-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2604-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4532-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8b-120.dat upx behavioral2/files/0x0007000000023c8c-126.dat upx behavioral2/memory/4056-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8d-131.dat upx behavioral2/files/0x0007000000023c8e-135.dat upx behavioral2/files/0x0007000000023c8f-140.dat upx behavioral2/memory/3512-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/928-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8a-115.dat upx behavioral2/files/0x0007000000023c90-143.dat upx behavioral2/memory/64-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-148.dat upx behavioral2/memory/4000-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-153.dat upx behavioral2/memory/4456-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4536-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1900-171-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4888-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3648-177-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
pvvpp.exehbhbtt.exexxrlfxr.exevjvvd.exerrfxllx.exebnnhbh.exetnnhbb.exexrrlffr.exe5vpvp.exetnnhbb.exehbbtnn.exelxxlrlr.exejjppd.exetnbbnt.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory — 64 IoCs
Caveat: every recorded write is from a parent to the child it spawns next (three writes per spawn, e.g. PID 1684 → 4904, 4904 → 3192), which is consistent with writes made during process creation; no write into an unrelated, pre-existing process is recorded here, so this alone should not be read as remote code injection.
Processes:
94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe1hnbbt.exejvppp.exenhhbbb.exebhhtbt.exe7xlxrrf.exedvpjd.exehnbbht.exellrlxrf.exehtnbhb.exe7jpjv.exerxrfxrf.exebnhbtn.exe9xfxllf.exe9dvjv.exehhnhnh.exe5ppdp.exevvpdv.exellxrfxl.exetnhbtt.exe7nbbtb.exe7jjdv.exedescription pid Process procid_target PID 1684 wrote to memory of 4904 1684 94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe 83 PID 1684 wrote to memory of 4904 1684 94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe 83 PID 1684 wrote to memory of 4904 1684 94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe 83 PID 4904 wrote to memory of 3192 4904 1hnbbt.exe 84 PID 4904 wrote to memory of 3192 4904 1hnbbt.exe 84 PID 4904 wrote to memory of 3192 4904 1hnbbt.exe 84 PID 3192 wrote to memory of 1428 3192 jvppp.exe 85 PID 3192 wrote to memory of 1428 3192 jvppp.exe 85 PID 3192 wrote to memory of 1428 3192 jvppp.exe 85 PID 1428 wrote to memory of 3376 1428 nhhbbb.exe 86 PID 1428 wrote to memory of 3376 1428 nhhbbb.exe 86 PID 1428 wrote to memory of 3376 1428 nhhbbb.exe 86 PID 3376 wrote to memory of 3256 3376 bhhtbt.exe 87 PID 3376 wrote to memory of 3256 3376 bhhtbt.exe 87 PID 3376 wrote to memory of 3256 3376 bhhtbt.exe 87 PID 3256 wrote to memory of 2696 3256 7xlxrrf.exe 88 PID 3256 wrote to memory of 2696 3256 7xlxrrf.exe 88 PID 3256 wrote to memory of 2696 3256 7xlxrrf.exe 88 PID 2696 wrote to memory of 1232 2696 dvpjd.exe 89 PID 2696 wrote to memory of 1232 2696 dvpjd.exe 89 PID 2696 wrote to memory of 1232 2696 dvpjd.exe 89 PID 1232 wrote to memory of 4816 1232 hnbbht.exe 90 PID 1232 wrote to memory of 4816 1232 hnbbht.exe 90 PID 1232 wrote to memory of 4816 1232 hnbbht.exe 90 PID 4816 wrote to memory of 1996 4816 llrlxrf.exe 91 PID 4816 wrote to memory of 1996 4816 llrlxrf.exe 91 PID 4816 wrote to memory of 1996 4816 llrlxrf.exe 91 PID 1996 wrote to memory of 4524 1996 htnbhb.exe 92 PID 1996 wrote to memory of 4524 1996 htnbhb.exe 92 PID 
1996 wrote to memory of 4524 1996 htnbhb.exe 92 PID 4524 wrote to memory of 3792 4524 7jpjv.exe 93 PID 4524 wrote to memory of 3792 4524 7jpjv.exe 93 PID 4524 wrote to memory of 3792 4524 7jpjv.exe 93 PID 3792 wrote to memory of 4340 3792 rxrfxrf.exe 94 PID 3792 wrote to memory of 4340 3792 rxrfxrf.exe 94 PID 3792 wrote to memory of 4340 3792 rxrfxrf.exe 94 PID 4340 wrote to memory of 2804 4340 bnhbtn.exe 95 PID 4340 wrote to memory of 2804 4340 bnhbtn.exe 95 PID 4340 wrote to memory of 2804 4340 bnhbtn.exe 95 PID 2804 wrote to memory of 3708 2804 9xfxllf.exe 96 PID 2804 wrote to memory of 3708 2804 9xfxllf.exe 96 PID 2804 wrote to memory of 3708 2804 9xfxllf.exe 96 PID 3708 wrote to memory of 2336 3708 9dvjv.exe 97 PID 3708 wrote to memory of 2336 3708 9dvjv.exe 97 PID 3708 wrote to memory of 2336 3708 9dvjv.exe 97 PID 2336 wrote to memory of 3188 2336 hhnhnh.exe 98 PID 2336 wrote to memory of 3188 2336 hhnhnh.exe 98 PID 2336 wrote to memory of 3188 2336 hhnhnh.exe 98 PID 3188 wrote to memory of 2644 3188 5ppdp.exe 99 PID 3188 wrote to memory of 2644 3188 5ppdp.exe 99 PID 3188 wrote to memory of 2644 3188 5ppdp.exe 99 PID 2644 wrote to memory of 5032 2644 vvpdv.exe 100 PID 2644 wrote to memory of 5032 2644 vvpdv.exe 100 PID 2644 wrote to memory of 5032 2644 vvpdv.exe 100 PID 5032 wrote to memory of 1092 5032 llxrfxl.exe 101 PID 5032 wrote to memory of 1092 5032 llxrfxl.exe 101 PID 5032 wrote to memory of 1092 5032 llxrfxl.exe 101 PID 1092 wrote to memory of 4720 1092 tnhbtt.exe 102 PID 1092 wrote to memory of 4720 1092 tnhbtt.exe 102 PID 1092 wrote to memory of 4720 1092 tnhbtt.exe 102 PID 4720 wrote to memory of 1700 4720 7nbbtb.exe 103 PID 4720 wrote to memory of 1700 4720 7nbbtb.exe 103 PID 4720 wrote to memory of 1700 4720 7nbbtb.exe 103 PID 1700 wrote to memory of 3820 1700 7jjdv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe"C:\Users\Admin\AppData\Local\Temp\94c5d09e7063dba9084ce23232694c9454c520f39092cde8f6d03f45232343a2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\1hnbbt.exec:\1hnbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\jvppp.exec:\jvppp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\nhhbbb.exec:\nhhbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\bhhtbt.exec:\bhhtbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\7xlxrrf.exec:\7xlxrrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\dvpjd.exec:\dvpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\hnbbht.exec:\hnbbht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\llrlxrf.exec:\llrlxrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\htnbhb.exec:\htnbhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\7jpjv.exec:\7jpjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\rxrfxrf.exec:\rxrfxrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\bnhbtn.exec:\bnhbtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\9xfxllf.exec:\9xfxllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\9dvjv.exec:\9dvjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\hhnhnh.exec:\hhnhnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\5ppdp.exec:\5ppdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\vvpdv.exec:\vvpdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\llxrfxl.exec:\llxrfxl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\tnhbtt.exec:\tnhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\7nbbtb.exec:\7nbbtb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\7jjdv.exec:\7jjdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\bhbtnb.exec:\bhbtnb.exe23⤵
- Executes dropped EXE
PID:3820 -
\??\c:\jdddp.exec:\jdddp.exe24⤵
- Executes dropped EXE
PID:2604 -
\??\c:\9ppjv.exec:\9ppjv.exe25⤵
- Executes dropped EXE
PID:4532 -
\??\c:\xrrlffx.exec:\xrrlffx.exe26⤵
- Executes dropped EXE
PID:928 -
\??\c:\frfxrlf.exec:\frfxrlf.exe27⤵
- Executes dropped EXE
PID:4056 -
\??\c:\nbbhnb.exec:\nbbhnb.exe28⤵
- Executes dropped EXE
PID:368 -
\??\c:\7dpdv.exec:\7dpdv.exe29⤵
- Executes dropped EXE
PID:3512 -
\??\c:\hbbthb.exec:\hbbthb.exe30⤵
- Executes dropped EXE
PID:3260 -
\??\c:\dddvj.exec:\dddvj.exe31⤵
- Executes dropped EXE
PID:64 -
\??\c:\ddjvp.exec:\ddjvp.exe32⤵
- Executes dropped EXE
PID:4000 -
\??\c:\rrlrrlf.exec:\rrlrrlf.exe33⤵
- Executes dropped EXE
PID:4456 -
\??\c:\jvvpd.exec:\jvvpd.exe34⤵
- Executes dropped EXE
PID:4336 -
\??\c:\thhbtn.exec:\thhbtn.exe35⤵
- Executes dropped EXE
PID:4536 -
\??\c:\vvdpd.exec:\vvdpd.exe36⤵
- Executes dropped EXE
PID:2396 -
\??\c:\rflxffr.exec:\rflxffr.exe37⤵
- Executes dropped EXE
PID:920 -
\??\c:\9nbbhb.exec:\9nbbhb.exe38⤵
- Executes dropped EXE
PID:5084 -
\??\c:\7fxlfxr.exec:\7fxlfxr.exe39⤵
- Executes dropped EXE
PID:1900 -
\??\c:\llxrrrr.exec:\llxrrrr.exe40⤵
- Executes dropped EXE
PID:4888 -
\??\c:\jjdpj.exec:\jjdpj.exe41⤵
- Executes dropped EXE
PID:3648 -
\??\c:\fxfffff.exec:\fxfffff.exe42⤵
- Executes dropped EXE
PID:4620 -
\??\c:\btbtnh.exec:\btbtnh.exe43⤵
- Executes dropped EXE
PID:4332 -
\??\c:\hnbnhh.exec:\hnbnhh.exe44⤵
- Executes dropped EXE
PID:2300 -
\??\c:\jjpjv.exec:\jjpjv.exe45⤵
- Executes dropped EXE
PID:4548 -
\??\c:\1rxrrrr.exec:\1rxrrrr.exe46⤵
- Executes dropped EXE
PID:4276 -
\??\c:\htnbhn.exec:\htnbhn.exe47⤵
- Executes dropped EXE
PID:4296 -
\??\c:\nbhtnt.exec:\nbhtnt.exe48⤵
- Executes dropped EXE
PID:4628 -
\??\c:\pjpdd.exec:\pjpdd.exe49⤵
- Executes dropped EXE
PID:4784 -
\??\c:\xlrlxrl.exec:\xlrlxrl.exe50⤵
- Executes dropped EXE
PID:4404 -
\??\c:\hbbtnn.exec:\hbbtnn.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3424 -
\??\c:\bnnbtn.exec:\bnnbtn.exe52⤵
- Executes dropped EXE
PID:3516 -
\??\c:\jvvjp.exec:\jvvjp.exe53⤵
- Executes dropped EXE
PID:1936 -
\??\c:\3htbtt.exec:\3htbtt.exe54⤵
- Executes dropped EXE
PID:3576 -
\??\c:\ttnhbb.exec:\ttnhbb.exe55⤵
- Executes dropped EXE
PID:2708 -
\??\c:\dpvpj.exec:\dpvpj.exe56⤵
- Executes dropped EXE
PID:4464 -
\??\c:\rfxrxrr.exec:\rfxrxrr.exe57⤵
- Executes dropped EXE
PID:2932 -
\??\c:\hbhbtt.exec:\hbhbtt.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:748 -
\??\c:\ddvpv.exec:\ddvpv.exe59⤵
- Executes dropped EXE
PID:4728 -
\??\c:\vpddv.exec:\vpddv.exe60⤵
- Executes dropped EXE
PID:1964 -
\??\c:\flxrlll.exec:\flxrlll.exe61⤵
- Executes dropped EXE
PID:1004 -
\??\c:\hhtnbh.exec:\hhtnbh.exe62⤵
- Executes dropped EXE
PID:3608 -
\??\c:\jvvpj.exec:\jvvpj.exe63⤵
- Executes dropped EXE
PID:3584 -
\??\c:\7xfrffx.exec:\7xfrffx.exe64⤵
- Executes dropped EXE
PID:2988 -
\??\c:\1nthbt.exec:\1nthbt.exe65⤵
- Executes dropped EXE
PID:2068 -
\??\c:\jjvjj.exec:\jjvjj.exe66⤵PID:2376
-
\??\c:\3pdjd.exec:\3pdjd.exe67⤵PID:4612
-
\??\c:\ffrrrrx.exec:\ffrrrrx.exe68⤵PID:5024
-
\??\c:\vvdjp.exec:\vvdjp.exe69⤵PID:4896
-
\??\c:\rrxfxrr.exec:\rrxfxrr.exe70⤵PID:224
-
\??\c:\thnbnt.exec:\thnbnt.exe71⤵PID:404
-
\??\c:\bbhbtt.exec:\bbhbtt.exe72⤵PID:116
-
\??\c:\pjpdj.exec:\pjpdj.exe73⤵PID:212
-
\??\c:\lxlrlxf.exec:\lxlrlxf.exe74⤵PID:4836
-
\??\c:\fflfxxx.exec:\fflfxxx.exe75⤵PID:4144
-
\??\c:\hntnhb.exec:\hntnhb.exe76⤵PID:936
-
\??\c:\jpjdp.exec:\jpjdp.exe77⤵PID:2380
-
\??\c:\rflfxrl.exec:\rflfxrl.exe78⤵PID:4352
-
\??\c:\xlrlffx.exec:\xlrlffx.exe79⤵PID:5004
-
\??\c:\7hhhnt.exec:\7hhhnt.exe80⤵PID:2116
-
\??\c:\5pvdv.exec:\5pvdv.exe81⤵PID:4452
-
\??\c:\vjjjp.exec:\vjjjp.exe82⤵PID:4980
-
\??\c:\xxffllr.exec:\xxffllr.exe83⤵PID:792
-
\??\c:\bntnbb.exec:\bntnbb.exe84⤵PID:1208
-
\??\c:\dddjp.exec:\dddjp.exe85⤵PID:4572
-
\??\c:\djjjj.exec:\djjjj.exe86⤵PID:1332
-
\??\c:\lrxrllx.exec:\lrxrllx.exe87⤵PID:4204
-
\??\c:\nnnbtn.exec:\nnnbtn.exe88⤵PID:972
-
\??\c:\ntnbnn.exec:\ntnbnn.exe89⤵PID:2792
-
\??\c:\dvvvp.exec:\dvvvp.exe90⤵PID:2776
-
\??\c:\xfrlflf.exec:\xfrlflf.exe91⤵PID:1188
-
\??\c:\nththb.exec:\nththb.exe92⤵PID:4056
-
\??\c:\dpdvp.exec:\dpdvp.exe93⤵PID:4376
-
\??\c:\jjvpd.exec:\jjvpd.exe94⤵PID:3512
-
\??\c:\xflxrrl.exec:\xflxrrl.exe95⤵PID:4712
-
\??\c:\7bbtbt.exec:\7bbtbt.exe96⤵PID:4624
-
\??\c:\9jjvd.exec:\9jjvd.exe97⤵PID:4604
-
\??\c:\jjvjd.exec:\jjvjd.exe98⤵PID:4756
-
\??\c:\llfxrrl.exec:\llfxrrl.exe99⤵PID:4736
-
\??\c:\nnnhhh.exec:\nnnhhh.exe100⤵PID:5116
-
\??\c:\pppdp.exec:\pppdp.exe101⤵PID:5088
-
\??\c:\fxxllll.exec:\fxxllll.exe102⤵PID:4500
-
\??\c:\bnhbtt.exec:\bnhbtt.exe103⤵PID:4508
-
\??\c:\jjppp.exec:\jjppp.exe104⤵PID:2280
-
\??\c:\lflrrfx.exec:\lflrrfx.exe105⤵PID:3924
-
\??\c:\xxrlfxr.exec:\xxrlfxr.exe106⤵
- System Location Discovery: System Language Discovery
PID:2396 -
\??\c:\nbbtbb.exec:\nbbtbb.exe107⤵PID:920
-
\??\c:\djjvp.exec:\djjvp.exe108⤵PID:2452
-
\??\c:\vvjdv.exec:\vvjdv.exe109⤵PID:3392
-
\??\c:\rrllxxf.exec:\rrllxxf.exe110⤵PID:3972
-
\??\c:\nbnbtt.exec:\nbnbtt.exe111⤵PID:3364
-
\??\c:\ddvjp.exec:\ddvjp.exe112⤵PID:4684
-
\??\c:\vppdv.exec:\vppdv.exe113⤵PID:3124
-
\??\c:\lflrlff.exec:\lflrlff.exe114⤵PID:4504
-
\??\c:\tnhbhh.exec:\tnhbhh.exe115⤵PID:4288
-
\??\c:\5dpdv.exec:\5dpdv.exe116⤵PID:4548
-
\??\c:\lxfxrfx.exec:\lxfxrfx.exe117⤵PID:3100
-
\??\c:\llffrlf.exec:\llffrlf.exe118⤵PID:1560
-
\??\c:\9tnhtn.exec:\9tnhtn.exe119⤵PID:4300
-
\??\c:\ppvvp.exec:\ppvvp.exe120⤵PID:2144
-
\??\c:\rrffxfr.exec:\rrffxfr.exe121⤵PID:4784
-
\??\c:\xfxxfrx.exec:\xfxxfrx.exe122⤵PID:2664