Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 05:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe
-
Size
454KB
-
MD5
1c46f433d5bc771d0de821f7832ac6b8
-
SHA1
052f91b495772a532b78742ee2a534a024286ca4
-
SHA256
95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288
-
SHA512
64bfccdb5aba6c5ef87c9c9006ce5369d36b40e616d9306dce50e082dfa646d716488f15f0dc5bd94618b315081d6644282d5700fd6234b320d50c7bdfea49a1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3352-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3512-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4108-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-817-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-887-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-1111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4664-1788-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3240 lllfxxr.exe 4056 rlfxrrf.exe 1576 pvdvp.exe 4752 hnbbtb.exe 4540 vvjjd.exe 3732 xrxflff.exe 3268 htbtnn.exe 1440 dddvv.exe 3376 7rrllll.exe 648 5hnhhh.exe 3728 lxfxrll.exe 3520 jvdvv.exe 4940 lflffxx.exe 3992 hbnhbb.exe 1828 pjvpp.exe 3704 btbbtt.exe 8 7hbbnt.exe 2028 tttnnn.exe 3504 ttnbbb.exe 3600 pjjjp.exe 1352 5fxrrrx.exe 564 nnnbth.exe 3348 7hbttt.exe 1408 vdpdv.exe 3176 1rlxrlx.exe 3512 thntnt.exe 1588 vdjdj.exe 2324 1ppjd.exe 4568 fxfrxfr.exe 3596 nhtbtb.exe 4664 pddvj.exe 64 djjdp.exe 4248 rlxfrxf.exe 2004 bhhtnb.exe 2936 pjppj.exe 3400 9llxllf.exe 4716 1nhbnh.exe 4292 hhnbtn.exe 4128 flxrlff.exe 5072 lxfrlll.exe 2556 vjjdp.exe 4256 vdpdv.exe 2624 5bnnhh.exe 5064 vpjvp.exe 2208 frrfrlf.exe 1712 3nnhbb.exe 1716 pdvvp.exe 1516 nbnbbt.exe 2644 pvjvp.exe 2404 vjpdp.exe 4736 fllfrlf.exe 3292 htnbtn.exe 1724 vjjdj.exe 212 lflxrrl.exe 428 htbbnt.exe 4040 dvddd.exe 1764 ppdpp.exe 2780 xlrffff.exe 312 tbbtnn.exe 4748 jjjvp.exe 2444 rfxfrlf.exe 744 nhbtnb.exe 648 btbttt.exe 4348 1vjvv.exe -
resource yara_rule behavioral2/memory/3352-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-140-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4248-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-328-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2756-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-707-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
5rrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3352 wrote to memory of 3240 3352 95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe 83 PID 3352 wrote to memory of 3240 3352 95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe 83 PID 3352 wrote to memory of 3240 3352 95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe 83 PID 3240 wrote to memory of 4056 3240 lllfxxr.exe 84 PID 3240 wrote to memory of 4056 3240 lllfxxr.exe 84 PID 3240 wrote to memory of 4056 3240 lllfxxr.exe 84 PID 4056 wrote to memory of 1576 4056 rlfxrrf.exe 85 PID 4056 wrote to memory of 1576 4056 rlfxrrf.exe 85 PID 4056 wrote to memory of 1576 4056 rlfxrrf.exe 85 PID 1576 wrote to memory of 4752 1576 pvdvp.exe 86 PID 1576 wrote to memory of 4752 1576 pvdvp.exe 86 PID 1576 wrote to memory of 4752 1576 pvdvp.exe 86 PID 4752 wrote to memory of 4540 4752 hnbbtb.exe 87 PID 4752 wrote to memory of 4540 4752 hnbbtb.exe 87 PID 4752 wrote to memory of 4540 4752 hnbbtb.exe 87 PID 4540 wrote to memory of 3732 4540 vvjjd.exe 88 PID 4540 wrote to memory of 3732 4540 vvjjd.exe 88 PID 4540 wrote to memory of 3732 4540 vvjjd.exe 88 PID 3732 wrote to memory of 3268 3732 xrxflff.exe 89 PID 3732 wrote to memory of 3268 3732 xrxflff.exe 89 PID 3732 wrote to memory of 3268 3732 xrxflff.exe 89 PID 3268 wrote to memory of 1440 3268 htbtnn.exe 90 PID 3268 wrote to memory of 1440 3268 htbtnn.exe 90 PID 3268 wrote to memory of 1440 3268 htbtnn.exe 90 PID 1440 wrote to memory of 3376 1440 dddvv.exe 91 PID 1440 wrote to memory of 3376 1440 dddvv.exe 91 PID 1440 wrote to memory of 3376 1440 dddvv.exe 91 PID 3376 wrote to memory of 648 3376 7rrllll.exe 92 PID 3376 wrote to memory of 648 3376 7rrllll.exe 92 PID 3376 wrote to memory of 648 3376 7rrllll.exe 92 PID 648 wrote to memory of 3728 648 5hnhhh.exe 93 PID 648 wrote to memory of 3728 648 5hnhhh.exe 93 PID 648 wrote to memory of 3728 648 5hnhhh.exe 93 PID 3728 wrote to memory of 3520 3728 lxfxrll.exe 94 PID 3728 wrote to memory 
of 3520 3728 lxfxrll.exe 94 PID 3728 wrote to memory of 3520 3728 lxfxrll.exe 94 PID 3520 wrote to memory of 4940 3520 jvdvv.exe 95 PID 3520 wrote to memory of 4940 3520 jvdvv.exe 95 PID 3520 wrote to memory of 4940 3520 jvdvv.exe 95 PID 4940 wrote to memory of 3992 4940 lflffxx.exe 96 PID 4940 wrote to memory of 3992 4940 lflffxx.exe 96 PID 4940 wrote to memory of 3992 4940 lflffxx.exe 96 PID 3992 wrote to memory of 1828 3992 hbnhbb.exe 97 PID 3992 wrote to memory of 1828 3992 hbnhbb.exe 97 PID 3992 wrote to memory of 1828 3992 hbnhbb.exe 97 PID 1828 wrote to memory of 3704 1828 pjvpp.exe 98 PID 1828 wrote to memory of 3704 1828 pjvpp.exe 98 PID 1828 wrote to memory of 3704 1828 pjvpp.exe 98 PID 3704 wrote to memory of 8 3704 btbbtt.exe 99 PID 3704 wrote to memory of 8 3704 btbbtt.exe 99 PID 3704 wrote to memory of 8 3704 btbbtt.exe 99 PID 8 wrote to memory of 2028 8 7hbbnt.exe 100 PID 8 wrote to memory of 2028 8 7hbbnt.exe 100 PID 8 wrote to memory of 2028 8 7hbbnt.exe 100 PID 2028 wrote to memory of 3504 2028 tttnnn.exe 101 PID 2028 wrote to memory of 3504 2028 tttnnn.exe 101 PID 2028 wrote to memory of 3504 2028 tttnnn.exe 101 PID 3504 wrote to memory of 3600 3504 ttnbbb.exe 102 PID 3504 wrote to memory of 3600 3504 ttnbbb.exe 102 PID 3504 wrote to memory of 3600 3504 ttnbbb.exe 102 PID 3600 wrote to memory of 1352 3600 pjjjp.exe 103 PID 3600 wrote to memory of 1352 3600 pjjjp.exe 103 PID 3600 wrote to memory of 1352 3600 pjjjp.exe 103 PID 1352 wrote to memory of 564 1352 5fxrrrx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe"C:\Users\Admin\AppData\Local\Temp\95e73277c66487cbda056581adcc46596f86bf96030ea06d1662e07318089288.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\lllfxxr.exec:\lllfxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\rlfxrrf.exec:\rlfxrrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\pvdvp.exec:\pvdvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\hnbbtb.exec:\hnbbtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\vvjjd.exec:\vvjjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\xrxflff.exec:\xrxflff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\htbtnn.exec:\htbtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\dddvv.exec:\dddvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\7rrllll.exec:\7rrllll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\5hnhhh.exec:\5hnhhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\lxfxrll.exec:\lxfxrll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\jvdvv.exec:\jvdvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\lflffxx.exec:\lflffxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\hbnhbb.exec:\hbnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\pjvpp.exec:\pjvpp.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1828 -
\??\c:\btbbtt.exec:\btbbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\7hbbnt.exec:\7hbbnt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\tttnnn.exec:\tttnnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\ttnbbb.exec:\ttnbbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\pjjjp.exec:\pjjjp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\5fxrrrx.exec:\5fxrrrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\nnnbth.exec:\nnnbth.exe23⤵
- Executes dropped EXE
PID:564 -
\??\c:\7hbttt.exec:\7hbttt.exe24⤵
- Executes dropped EXE
PID:3348 -
\??\c:\vdpdv.exec:\vdpdv.exe25⤵
- Executes dropped EXE
PID:1408 -
\??\c:\1rlxrlx.exec:\1rlxrlx.exe26⤵
- Executes dropped EXE
PID:3176 -
\??\c:\thntnt.exec:\thntnt.exe27⤵
- Executes dropped EXE
PID:3512 -
\??\c:\vdjdj.exec:\vdjdj.exe28⤵
- Executes dropped EXE
PID:1588 -
\??\c:\1ppjd.exec:\1ppjd.exe29⤵
- Executes dropped EXE
PID:2324 -
\??\c:\fxfrxfr.exec:\fxfrxfr.exe30⤵
- Executes dropped EXE
PID:4568 -
\??\c:\nhtbtb.exec:\nhtbtb.exe31⤵
- Executes dropped EXE
PID:3596 -
\??\c:\pddvj.exec:\pddvj.exe32⤵
- Executes dropped EXE
PID:4664 -
\??\c:\djjdp.exec:\djjdp.exe33⤵
- Executes dropped EXE
PID:64 -
\??\c:\rlxfrxf.exec:\rlxfrxf.exe34⤵
- Executes dropped EXE
PID:4248 -
\??\c:\bhhtnb.exec:\bhhtnb.exe35⤵
- Executes dropped EXE
PID:2004 -
\??\c:\pjppj.exec:\pjppj.exe36⤵
- Executes dropped EXE
PID:2936 -
\??\c:\9llxllf.exec:\9llxllf.exe37⤵
- Executes dropped EXE
PID:3400 -
\??\c:\1nhbnh.exec:\1nhbnh.exe38⤵
- Executes dropped EXE
PID:4716 -
\??\c:\hhnbtn.exec:\hhnbtn.exe39⤵
- Executes dropped EXE
PID:4292 -
\??\c:\flxrlff.exec:\flxrlff.exe40⤵
- Executes dropped EXE
PID:4128 -
\??\c:\lxfrlll.exec:\lxfrlll.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5072 -
\??\c:\vjjdp.exec:\vjjdp.exe42⤵
- Executes dropped EXE
PID:2556 -
\??\c:\vdpdv.exec:\vdpdv.exe43⤵
- Executes dropped EXE
PID:4256 -
\??\c:\5bnnhh.exec:\5bnnhh.exe44⤵
- Executes dropped EXE
PID:2624 -
\??\c:\vpjvp.exec:\vpjvp.exe45⤵
- Executes dropped EXE
PID:5064 -
\??\c:\frrfrlf.exec:\frrfrlf.exe46⤵
- Executes dropped EXE
PID:2208 -
\??\c:\3nnhbb.exec:\3nnhbb.exe47⤵
- Executes dropped EXE
PID:1712 -
\??\c:\pdvvp.exec:\pdvvp.exe48⤵
- Executes dropped EXE
PID:1716 -
\??\c:\nbnbbt.exec:\nbnbbt.exe49⤵
- Executes dropped EXE
PID:1516 -
\??\c:\pvjvp.exec:\pvjvp.exe50⤵
- Executes dropped EXE
PID:2644 -
\??\c:\vjpdp.exec:\vjpdp.exe51⤵
- Executes dropped EXE
PID:2404 -
\??\c:\fllfrlf.exec:\fllfrlf.exe52⤵
- Executes dropped EXE
PID:4736 -
\??\c:\htnbtn.exec:\htnbtn.exe53⤵
- Executes dropped EXE
PID:3292 -
\??\c:\vjjdj.exec:\vjjdj.exe54⤵
- Executes dropped EXE
PID:1724 -
\??\c:\lflxrrl.exec:\lflxrrl.exe55⤵
- Executes dropped EXE
PID:212 -
\??\c:\htbbnt.exec:\htbbnt.exe56⤵
- Executes dropped EXE
PID:428 -
\??\c:\dvddd.exec:\dvddd.exe57⤵
- Executes dropped EXE
PID:4040 -
\??\c:\ppdpp.exec:\ppdpp.exe58⤵
- Executes dropped EXE
PID:1764 -
\??\c:\xlrffff.exec:\xlrffff.exe59⤵
- Executes dropped EXE
PID:2780 -
\??\c:\tbbtnn.exec:\tbbtnn.exe60⤵
- Executes dropped EXE
PID:312 -
\??\c:\jjjvp.exec:\jjjvp.exe61⤵
- Executes dropped EXE
PID:4748 -
\??\c:\rfxfrlf.exec:\rfxfrlf.exe62⤵
- Executes dropped EXE
PID:2444 -
\??\c:\nhbtnb.exec:\nhbtnb.exe63⤵
- Executes dropped EXE
PID:744 -
\??\c:\btbttt.exec:\btbttt.exe64⤵
- Executes dropped EXE
PID:648 -
\??\c:\1vjvv.exec:\1vjvv.exe65⤵
- Executes dropped EXE
PID:4348 -
\??\c:\9rlfxrl.exec:\9rlfxrl.exe66⤵
- System Location Discovery: System Language Discovery
PID:4548 -
\??\c:\lrfrlfr.exec:\lrfrlfr.exe67⤵PID:4972
-
\??\c:\jvvpj.exec:\jvvpj.exe68⤵PID:4108
-
\??\c:\9xrlrrl.exec:\9xrlrrl.exe69⤵PID:4992
-
\??\c:\hthbnh.exec:\hthbnh.exe70⤵PID:2912
-
\??\c:\9vdvd.exec:\9vdvd.exe71⤵PID:5028
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe72⤵PID:1404
-
\??\c:\tnbttt.exec:\tnbttt.exe73⤵PID:1860
-
\??\c:\ppdvd.exec:\ppdvd.exe74⤵PID:4840
-
\??\c:\jjddd.exec:\jjddd.exe75⤵PID:2756
-
\??\c:\lffrffx.exec:\lffrffx.exe76⤵PID:3092
-
\??\c:\hhtntn.exec:\hhtntn.exe77⤵PID:940
-
\??\c:\dvvjv.exec:\dvvjv.exe78⤵PID:1008
-
\??\c:\5rfrfxf.exec:\5rfrfxf.exe79⤵PID:1364
-
\??\c:\lrrfxrr.exec:\lrrfxrr.exe80⤵PID:1648
-
\??\c:\thnnnn.exec:\thnnnn.exe81⤵PID:2636
-
\??\c:\5nthbt.exec:\5nthbt.exe82⤵PID:5008
-
\??\c:\vjpdp.exec:\vjpdp.exe83⤵PID:2160
-
\??\c:\9frxrxr.exec:\9frxrxr.exe84⤵PID:4568
-
\??\c:\3tnthb.exec:\3tnthb.exe85⤵PID:1772
-
\??\c:\nhhbtt.exec:\nhhbtt.exe86⤵PID:4968
-
\??\c:\jdvvd.exec:\jdvvd.exe87⤵PID:4672
-
\??\c:\ppjvp.exec:\ppjvp.exe88⤵PID:2820
-
\??\c:\3frlrxl.exec:\3frlrxl.exe89⤵PID:4996
-
\??\c:\tnhbtt.exec:\tnhbtt.exe90⤵PID:5040
-
\??\c:\jjdpd.exec:\jjdpd.exe91⤵PID:4544
-
\??\c:\frxrffx.exec:\frxrffx.exe92⤵PID:2744
-
\??\c:\7bthbt.exec:\7bthbt.exe93⤵PID:2576
-
\??\c:\hbbthh.exec:\hbbthh.exe94⤵PID:476
-
\??\c:\dppdv.exec:\dppdv.exe95⤵PID:4328
-
\??\c:\rllllfx.exec:\rllllfx.exe96⤵PID:876
-
\??\c:\3bnbtn.exec:\3bnbtn.exe97⤵PID:2520
-
\??\c:\5jdjv.exec:\5jdjv.exe98⤵PID:4608
-
\??\c:\1rrlxxf.exec:\1rrlxxf.exe99⤵PID:2972
-
\??\c:\rffxlfr.exec:\rffxlfr.exe100⤵PID:3624
-
\??\c:\bnhbbt.exec:\bnhbbt.exe101⤵PID:2924
-
\??\c:\dvdvp.exec:\dvdvp.exe102⤵PID:2264
-
\??\c:\frxrllr.exec:\frxrllr.exe103⤵PID:5112
-
\??\c:\tnhbhb.exec:\tnhbhb.exe104⤵PID:4792
-
\??\c:\9nhbnh.exec:\9nhbnh.exe105⤵PID:2504
-
\??\c:\jdpjj.exec:\jdpjj.exe106⤵PID:2220
-
\??\c:\xxrllll.exec:\xxrllll.exe107⤵PID:1836
-
\??\c:\hthhnn.exec:\hthhnn.exe108⤵PID:1636
-
\??\c:\ppvjj.exec:\ppvjj.exe109⤵PID:2644
-
\??\c:\7rlxlfx.exec:\7rlxlfx.exe110⤵PID:3240
-
\??\c:\9ffxrlf.exec:\9ffxrlf.exe111⤵PID:1564
-
\??\c:\hbhbtn.exec:\hbhbtn.exe112⤵PID:780
-
\??\c:\jppjv.exec:\jppjv.exe113⤵PID:1576
-
\??\c:\xrrrfff.exec:\xrrrfff.exe114⤵PID:2424
-
\??\c:\tbhbtn.exec:\tbhbtn.exe115⤵PID:2616
-
\??\c:\thbthh.exec:\thbthh.exe116⤵PID:4596
-
\??\c:\1jjdp.exec:\1jjdp.exe117⤵PID:2420
-
\??\c:\xxxrrrx.exec:\xxxrrrx.exe118⤵
- System Location Discovery: System Language Discovery
PID:4112 -
\??\c:\nhbtnh.exec:\nhbtnh.exe119⤵PID:2780
-
\??\c:\3vppp.exec:\3vppp.exe120⤵PID:3724
-
\??\c:\pddpd.exec:\pddpd.exe121⤵PID:3164
-
\??\c:\frxflfr.exec:\frxflfr.exe122⤵PID:2444