Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 12:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
95ffb1e993ffa5c96232044cfb2c346118510590cdc743e55635c57a8d85b62b.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
95ffb1e993ffa5c96232044cfb2c346118510590cdc743e55635c57a8d85b62b.exe
-
Size
456KB
-
MD5
b46c794a6e50ec8231b2e08387beb07f
-
SHA1
7db6d7cb72ddf1c7bfbe0547e7eda1a9bdb5077e
-
SHA256
95ffb1e993ffa5c96232044cfb2c346118510590cdc743e55635c57a8d85b62b
-
SHA512
0b861e39b623111ba4192e9e405c13cdf3f6ad7425b381d801932e3e01fb4ef38f0875a06c4fd7893cb54ab33e42b18c4d6ec66d47373390593627816aecd840
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRP:q7Tc2NYHUrAwfMp3CDRP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3580-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3648-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4880-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-909-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-996-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-1609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4304 djpvp.exe 4748 llrfrfr.exe 1988 vddvv.exe 2000 jppjv.exe 2372 lflfrrl.exe 4340 htnbht.exe 4840 bbtnbn.exe 4172 5httnt.exe 4176 bttnnh.exe 3020 5ppdp.exe 832 hnhthn.exe 1232 lfrfrlx.exe 4964 tnhbnh.exe 4992 lfrfrxx.exe 3568 jvdpv.exe 1704 5rrlxrl.exe 4452 httbtt.exe 648 dpdvj.exe 4276 xxflfxr.exe 2568 tbhhbb.exe 4552 vvdvv.exe 3596 rlrrlxx.exe 2760 rlllfff.exe 4364 9tbbhh.exe 1032 vppjv.exe 4980 1vvpj.exe 1956 xllfffx.exe 2380 3bhbtt.exe 3648 frxrlfx.exe 2932 dvvpp.exe 3144 fffxllf.exe 3380 bnnbht.exe 2172 pjddp.exe 1968 pvvpd.exe 208 xxrlxrl.exe 3576 9dpjp.exe 536 rffrlrl.exe 4356 1bbtnh.exe 1824 tnnntn.exe 2304 jppdp.exe 4308 fxrlfxr.exe 3260 nhnnbt.exe 316 jjdpd.exe 3500 5ffxlxr.exe 3936 lflfllr.exe 4396 hnthbt.exe 2000 ddjvj.exe 2072 lxfxrrl.exe 4332 5rfxlxl.exe 1972 thtnnh.exe 4496 dvdpp.exe 4840 jvvjd.exe 3836 xrlxlxr.exe 1668 hthnnh.exe 1676 dddpd.exe 1064 lfxrlfx.exe 1748 fllrlrl.exe 4576 5nnhbb.exe 2520 pjjdp.exe 3360 lxfrlff.exe 2284 lrlfrlx.exe 560 1ttnnn.exe 3532 dddpd.exe 3568 1lrrllx.exe -
resource yara_rule behavioral2/memory/3580-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-174-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3380-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-382-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3124-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-842-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5httnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3580 wrote to memory of 4304 3580 95ffb1e993ffa5c96232044cfb2c346118510590cdc743e55635c57a8d85b62b.exe 83 PID 3580 wrote to memory of 4304 3580 95ffb1e993ffa5c96232044cfb2c346118510590cdc743e55635c57a8d85b62b.exe 83 PID 3580 wrote to memory of 4304 3580 95ffb1e993ffa5c96232044cfb2c346118510590cdc743e55635c57a8d85b62b.exe 83 PID 4304 wrote to memory of 4748 4304 djpvp.exe 84 PID 4304 wrote to memory of 4748 4304 djpvp.exe 84 PID 4304 wrote to memory of 4748 4304 djpvp.exe 84 PID 4748 wrote to memory of 1988 4748 llrfrfr.exe 85 PID 4748 wrote to memory of 1988 4748 llrfrfr.exe 85 PID 4748 wrote to memory of 1988 4748 llrfrfr.exe 85 PID 1988 wrote to memory of 2000 1988 vddvv.exe 86 PID 1988 wrote to memory of 2000 1988 vddvv.exe 86 PID 1988 wrote to memory of 2000 1988 vddvv.exe 86 PID 2000 wrote to memory of 2372 2000 jppjv.exe 87 PID 2000 wrote to memory of 2372 2000 jppjv.exe 87 PID 2000 wrote to memory of 2372 2000 jppjv.exe 87 PID 2372 wrote to memory of 4340 2372 lflfrrl.exe 88 PID 2372 wrote to memory of 4340 2372 lflfrrl.exe 88 PID 2372 wrote to memory of 4340 2372 lflfrrl.exe 88 PID 4340 wrote to memory of 4840 4340 htnbht.exe 89 PID 4340 wrote to memory of 4840 4340 htnbht.exe 89 PID 4340 wrote to memory of 4840 4340 htnbht.exe 89 PID 4840 wrote to memory of 4172 4840 bbtnbn.exe 90 PID 4840 wrote to memory of 4172 4840 bbtnbn.exe 90 PID 4840 wrote to memory of 4172 4840 bbtnbn.exe 90 PID 4172 wrote to memory of 4176 4172 5httnt.exe 91 PID 4172 wrote to memory of 4176 4172 5httnt.exe 91 PID 4172 wrote to memory of 4176 4172 5httnt.exe 91 PID 4176 wrote to memory of 3020 4176 bttnnh.exe 92 PID 4176 wrote to memory of 3020 4176 bttnnh.exe 92 PID 4176 wrote to memory of 3020 4176 bttnnh.exe 92 PID 3020 wrote to memory of 832 3020 5ppdp.exe 93 PID 3020 wrote to memory of 832 3020 5ppdp.exe 93 PID 3020 wrote to memory of 832 3020 5ppdp.exe 93 PID 832 wrote to memory of 1232 832 hnhthn.exe 94 PID 832 wrote to memory of 
1232 832 hnhthn.exe 94 PID 832 wrote to memory of 1232 832 hnhthn.exe 94 PID 1232 wrote to memory of 4964 1232 lfrfrlx.exe 95 PID 1232 wrote to memory of 4964 1232 lfrfrlx.exe 95 PID 1232 wrote to memory of 4964 1232 lfrfrlx.exe 95 PID 4964 wrote to memory of 4992 4964 tnhbnh.exe 96 PID 4964 wrote to memory of 4992 4964 tnhbnh.exe 96 PID 4964 wrote to memory of 4992 4964 tnhbnh.exe 96 PID 4992 wrote to memory of 3568 4992 lfrfrxx.exe 97 PID 4992 wrote to memory of 3568 4992 lfrfrxx.exe 97 PID 4992 wrote to memory of 3568 4992 lfrfrxx.exe 97 PID 3568 wrote to memory of 1704 3568 jvdpv.exe 98 PID 3568 wrote to memory of 1704 3568 jvdpv.exe 98 PID 3568 wrote to memory of 1704 3568 jvdpv.exe 98 PID 1704 wrote to memory of 4452 1704 5rrlxrl.exe 99 PID 1704 wrote to memory of 4452 1704 5rrlxrl.exe 99 PID 1704 wrote to memory of 4452 1704 5rrlxrl.exe 99 PID 4452 wrote to memory of 648 4452 httbtt.exe 100 PID 4452 wrote to memory of 648 4452 httbtt.exe 100 PID 4452 wrote to memory of 648 4452 httbtt.exe 100 PID 648 wrote to memory of 4276 648 dpdvj.exe 101 PID 648 wrote to memory of 4276 648 dpdvj.exe 101 PID 648 wrote to memory of 4276 648 dpdvj.exe 101 PID 4276 wrote to memory of 2568 4276 xxflfxr.exe 102 PID 4276 wrote to memory of 2568 4276 xxflfxr.exe 102 PID 4276 wrote to memory of 2568 4276 xxflfxr.exe 102 PID 2568 wrote to memory of 4552 2568 tbhhbb.exe 103 PID 2568 wrote to memory of 4552 2568 tbhhbb.exe 103 PID 2568 wrote to memory of 4552 2568 tbhhbb.exe 103 PID 4552 wrote to memory of 3596 4552 vvdvv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\95ffb1e993ffa5c96232044cfb2c346118510590cdc743e55635c57a8d85b62b.exe"C:\Users\Admin\AppData\Local\Temp\95ffb1e993ffa5c96232044cfb2c346118510590cdc743e55635c57a8d85b62b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\djpvp.exec:\djpvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\llrfrfr.exec:\llrfrfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\vddvv.exec:\vddvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\jppjv.exec:\jppjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\lflfrrl.exec:\lflfrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\htnbht.exec:\htnbht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\bbtnbn.exec:\bbtnbn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\5httnt.exec:\5httnt.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\bttnnh.exec:\bttnnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\5ppdp.exec:\5ppdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\hnhthn.exec:\hnhthn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\lfrfrlx.exec:\lfrfrlx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\tnhbnh.exec:\tnhbnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\lfrfrxx.exec:\lfrfrxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\jvdpv.exec:\jvdpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\5rrlxrl.exec:\5rrlxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\httbtt.exec:\httbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\dpdvj.exec:\dpdvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\xxflfxr.exec:\xxflfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\tbhhbb.exec:\tbhhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\vvdvv.exec:\vvdvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\rlrrlxx.exec:\rlrrlxx.exe23⤵
- Executes dropped EXE
PID:3596 -
\??\c:\rlllfff.exec:\rlllfff.exe24⤵
- Executes dropped EXE
PID:2760 -
\??\c:\9tbbhh.exec:\9tbbhh.exe25⤵
- Executes dropped EXE
PID:4364 -
\??\c:\vppjv.exec:\vppjv.exe26⤵
- Executes dropped EXE
PID:1032 -
\??\c:\1vvpj.exec:\1vvpj.exe27⤵
- Executes dropped EXE
PID:4980 -
\??\c:\xllfffx.exec:\xllfffx.exe28⤵
- Executes dropped EXE
PID:1956 -
\??\c:\3bhbtt.exec:\3bhbtt.exe29⤵
- Executes dropped EXE
PID:2380 -
\??\c:\frxrlfx.exec:\frxrlfx.exe30⤵
- Executes dropped EXE
PID:3648 -
\??\c:\dvvpp.exec:\dvvpp.exe31⤵
- Executes dropped EXE
PID:2932 -
\??\c:\fffxllf.exec:\fffxllf.exe32⤵
- Executes dropped EXE
PID:3144 -
\??\c:\bnnbht.exec:\bnnbht.exe33⤵
- Executes dropped EXE
PID:3380 -
\??\c:\pjddp.exec:\pjddp.exe34⤵
- Executes dropped EXE
PID:2172 -
\??\c:\pvvpd.exec:\pvvpd.exe35⤵
- Executes dropped EXE
PID:1968 -
\??\c:\xxrlxrl.exec:\xxrlxrl.exe36⤵
- Executes dropped EXE
PID:208 -
\??\c:\9dpjp.exec:\9dpjp.exe37⤵
- Executes dropped EXE
PID:3576 -
\??\c:\rffrlrl.exec:\rffrlrl.exe38⤵
- Executes dropped EXE
PID:536 -
\??\c:\1bbtnh.exec:\1bbtnh.exe39⤵
- Executes dropped EXE
PID:4356 -
\??\c:\tnnntn.exec:\tnnntn.exe40⤵
- Executes dropped EXE
PID:1824 -
\??\c:\jppdp.exec:\jppdp.exe41⤵
- Executes dropped EXE
PID:2304 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe42⤵
- Executes dropped EXE
PID:4308 -
\??\c:\nhnnbt.exec:\nhnnbt.exe43⤵
- Executes dropped EXE
PID:3260 -
\??\c:\jjdpd.exec:\jjdpd.exe44⤵
- Executes dropped EXE
PID:316 -
\??\c:\5ffxlxr.exec:\5ffxlxr.exe45⤵
- Executes dropped EXE
PID:3500 -
\??\c:\lflfllr.exec:\lflfllr.exe46⤵
- Executes dropped EXE
PID:3936 -
\??\c:\hnthbt.exec:\hnthbt.exe47⤵
- Executes dropped EXE
PID:4396 -
\??\c:\ddjvj.exec:\ddjvj.exe48⤵
- Executes dropped EXE
PID:2000 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe49⤵
- Executes dropped EXE
PID:2072 -
\??\c:\5rfxlxl.exec:\5rfxlxl.exe50⤵
- Executes dropped EXE
PID:4332 -
\??\c:\thtnnh.exec:\thtnnh.exe51⤵
- Executes dropped EXE
PID:1972 -
\??\c:\dvdpp.exec:\dvdpp.exe52⤵
- Executes dropped EXE
PID:4496 -
\??\c:\jvvjd.exec:\jvvjd.exe53⤵
- Executes dropped EXE
PID:4840 -
\??\c:\xrlxlxr.exec:\xrlxlxr.exe54⤵
- Executes dropped EXE
PID:3836 -
\??\c:\hthnnh.exec:\hthnnh.exe55⤵
- Executes dropped EXE
PID:1668 -
\??\c:\dddpd.exec:\dddpd.exe56⤵
- Executes dropped EXE
PID:1676 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe57⤵
- Executes dropped EXE
PID:1064 -
\??\c:\fllrlrl.exec:\fllrlrl.exe58⤵
- Executes dropped EXE
PID:1748 -
\??\c:\5nnhbb.exec:\5nnhbb.exe59⤵
- Executes dropped EXE
PID:4576 -
\??\c:\pjjdp.exec:\pjjdp.exe60⤵
- Executes dropped EXE
PID:2520 -
\??\c:\lxfrlff.exec:\lxfrlff.exe61⤵
- Executes dropped EXE
PID:3360 -
\??\c:\lrlfrlx.exec:\lrlfrlx.exe62⤵
- Executes dropped EXE
PID:2284 -
\??\c:\1ttnnn.exec:\1ttnnn.exe63⤵
- Executes dropped EXE
PID:560 -
\??\c:\dddpd.exec:\dddpd.exe64⤵
- Executes dropped EXE
PID:3532 -
\??\c:\1lrrllx.exec:\1lrrllx.exe65⤵
- Executes dropped EXE
PID:3568 -
\??\c:\ffffxrr.exec:\ffffxrr.exe66⤵PID:4872
-
\??\c:\dvpjd.exec:\dvpjd.exe67⤵PID:4452
-
\??\c:\pvvjd.exec:\pvvjd.exe68⤵PID:2888
-
\??\c:\llllfxr.exec:\llllfxr.exe69⤵PID:404
-
\??\c:\nnthbt.exec:\nnthbt.exe70⤵PID:2908
-
\??\c:\3djdv.exec:\3djdv.exe71⤵PID:2024
-
\??\c:\3vvjj.exec:\3vvjj.exe72⤵PID:3180
-
\??\c:\lxrlrlf.exec:\lxrlrlf.exe73⤵PID:4552
-
\??\c:\httnbt.exec:\httnbt.exe74⤵PID:4128
-
\??\c:\ppppd.exec:\ppppd.exe75⤵PID:1996
-
\??\c:\vpvvp.exec:\vpvvp.exe76⤵PID:1760
-
\??\c:\xlfxlfr.exec:\xlfxlfr.exe77⤵PID:4068
-
\??\c:\thtbbb.exec:\thtbbb.exe78⤵PID:3976
-
\??\c:\9pjdj.exec:\9pjdj.exe79⤵PID:3128
-
\??\c:\pdppv.exec:\pdppv.exe80⤵PID:952
-
\??\c:\xffxlfx.exec:\xffxlfx.exe81⤵PID:1832
-
\??\c:\tnttnt.exec:\tnttnt.exe82⤵PID:2380
-
\??\c:\5nhhtn.exec:\5nhhtn.exe83⤵PID:3000
-
\??\c:\vjpjv.exec:\vjpjv.exe84⤵PID:2548
-
\??\c:\lxxrxxr.exec:\lxxrxxr.exe85⤵PID:3144
-
\??\c:\tbhthb.exec:\tbhthb.exe86⤵PID:1532
-
\??\c:\hbthnh.exec:\hbthnh.exe87⤵PID:3380
-
\??\c:\dppjp.exec:\dppjp.exe88⤵PID:1540
-
\??\c:\lllxrlx.exec:\lllxrlx.exe89⤵PID:4880
-
\??\c:\lrrfrlf.exec:\lrrfrlf.exe90⤵PID:2120
-
\??\c:\7ttntn.exec:\7ttntn.exe91⤵PID:4784
-
\??\c:\jpvpv.exec:\jpvpv.exe92⤵PID:536
-
\??\c:\fffrfxl.exec:\fffrfxl.exe93⤵PID:4356
-
\??\c:\nthtnh.exec:\nthtnh.exe94⤵PID:1824
-
\??\c:\jpvjv.exec:\jpvjv.exe95⤵PID:4424
-
\??\c:\xxxrffx.exec:\xxxrffx.exe96⤵PID:4144
-
\??\c:\frrlxrf.exec:\frrlxrf.exe97⤵PID:2728
-
\??\c:\tnhhhb.exec:\tnhhhb.exe98⤵PID:3624
-
\??\c:\pjpdv.exec:\pjpdv.exe99⤵PID:3124
-
\??\c:\lrrfrrf.exec:\lrrfrrf.exe100⤵PID:4024
-
\??\c:\bnthtn.exec:\bnthtn.exe101⤵PID:4532
-
\??\c:\vdjdd.exec:\vdjdd.exe102⤵PID:1420
-
\??\c:\7rlxlfr.exec:\7rlxlfr.exe103⤵PID:4400
-
\??\c:\rfffrlf.exec:\rfffrlf.exe104⤵PID:2664
-
\??\c:\bhhhbb.exec:\bhhhbb.exe105⤵PID:1460
-
\??\c:\vjdpj.exec:\vjdpj.exe106⤵PID:1244
-
\??\c:\fxxfrxl.exec:\fxxfrxl.exe107⤵PID:5044
-
\??\c:\hbbtnn.exec:\hbbtnn.exe108⤵PID:2632
-
\??\c:\nhhthh.exec:\nhhthh.exe109⤵PID:932
-
\??\c:\djjdj.exec:\djjdj.exe110⤵PID:5024
-
\??\c:\rxrlxxr.exec:\rxrlxxr.exe111⤵PID:2312
-
\??\c:\fllxrlf.exec:\fllxrlf.exe112⤵PID:1960
-
\??\c:\ntthtn.exec:\ntthtn.exe113⤵PID:2980
-
\??\c:\pdjdv.exec:\pdjdv.exe114⤵PID:1232
-
\??\c:\rrxxxxr.exec:\rrxxxxr.exe115⤵PID:2468
-
\??\c:\1nhthn.exec:\1nhthn.exe116⤵PID:4964
-
\??\c:\jpppj.exec:\jpppj.exe117⤵PID:2368
-
\??\c:\lffxlfx.exec:\lffxlfx.exe118⤵PID:3360
-
\??\c:\rfxlrll.exec:\rfxlrll.exe119⤵PID:3272
-
\??\c:\nnthhb.exec:\nnthhb.exe120⤵PID:512
-
\??\c:\jvjvj.exec:\jvjvj.exe121⤵PID:4704
-
\??\c:\xlrfxfx.exec:\xlrfxfx.exe122⤵PID:4016
-