Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 15:06
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
95ab65738cf93b1e6fc48032c8909e463551101b0e91bf135bce2ff5270b7dcb.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
95ab65738cf93b1e6fc48032c8909e463551101b0e91bf135bce2ff5270b7dcb.exe
-
Size
453KB
-
MD5
ce63ad30c4fc21683f52c105f311b457
-
SHA1
0e2ba74fcb74ef12a42dacf42cf3f648542414d9
-
SHA256
95ab65738cf93b1e6fc48032c8909e463551101b0e91bf135bce2ff5270b7dcb
-
SHA512
2fc35c04f97e41cf7fa421ce9f1003daf74dd465318da4d8339268ffdbdfce3fcc0373d892977374f320307eba8f4d7c408a9ae698dceedf1447ac1800bd3d37
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbev:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2988-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3252-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2268-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-793-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4372-1061-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4188 5hhbbb.exe 4736 lfrlxfx.exe 2064 1bhbhn.exe 2352 nnnbtn.exe 2356 jdvjj.exe 3616 tnhbnh.exe 2300 rrrfxrl.exe 4584 bntnnh.exe 4216 tntnbb.exe 2180 hntnhb.exe 852 pvdvv.exe 4428 hnnbnh.exe 4960 9pdvv.exe 1476 xxxrxrl.exe 1548 vpjvp.exe 4828 flxlxrl.exe 2280 xllxxxx.exe 3544 1ppdp.exe 1428 flxllfx.exe 1516 htbthh.exe 3584 hnnbnb.exe 3148 1dddp.exe 3752 bhtnhb.exe 4984 1pjvj.exe 3220 dppjv.exe 4992 xfxlxlx.exe 3252 lrxfxrl.exe 4292 3bhthb.exe 2500 xlrfrlr.exe 3448 lfffxlf.exe 2440 5tbnnn.exe 4284 frrfxll.exe 1960 9tthhn.exe 1780 dvdvj.exe 4996 1ffxllx.exe 1048 tnhbth.exe 4764 jppdp.exe 4692 fxlfrrl.exe 1424 3bhbnh.exe 4808 1nnhtn.exe 1444 3vpvd.exe 4560 lffrlxr.exe 1644 5xrxfxl.exe 2124 nbthtt.exe 556 9xrrlll.exe 3464 ntbnhn.exe 1772 7ppjv.exe 1808 3flxrlx.exe 1604 3ttnht.exe 1320 httntn.exe 3536 vjvjd.exe 1468 lffrxrl.exe 3616 rxlfxrf.exe 2948 hbhbbn.exe 1328 ppjvp.exe 4540 lxfxxrr.exe 1676 tbbthb.exe 3520 dpvpv.exe 4768 lrrfrll.exe 336 nhbtnb.exe 4224 vvddp.exe 2644 7jdpd.exe 2268 xrfxllf.exe 824 nbbnbt.exe -
resource yara_rule behavioral2/memory/2988-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4992-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-302-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2268-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-527-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that the registry key listed below (HKLM\SYSTEM\ControlSet001\Control\NLS\Language) is also read by many legitimate programs, so this signature is low-fidelity on its own and is mainly useful in combination with the other behaviors in this report.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5btnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2988 wrote to memory of 4188 2988 95ab65738cf93b1e6fc48032c8909e463551101b0e91bf135bce2ff5270b7dcb.exe 82 PID 2988 wrote to memory of 4188 2988 95ab65738cf93b1e6fc48032c8909e463551101b0e91bf135bce2ff5270b7dcb.exe 82 PID 2988 wrote to memory of 4188 2988 95ab65738cf93b1e6fc48032c8909e463551101b0e91bf135bce2ff5270b7dcb.exe 82 PID 4188 wrote to memory of 4736 4188 5hhbbb.exe 83 PID 4188 wrote to memory of 4736 4188 5hhbbb.exe 83 PID 4188 wrote to memory of 4736 4188 5hhbbb.exe 83 PID 4736 wrote to memory of 2064 4736 lfrlxfx.exe 84 PID 4736 wrote to memory of 2064 4736 lfrlxfx.exe 84 PID 4736 wrote to memory of 2064 4736 lfrlxfx.exe 84 PID 2064 wrote to memory of 2352 2064 1bhbhn.exe 85 PID 2064 wrote to memory of 2352 2064 1bhbhn.exe 85 PID 2064 wrote to memory of 2352 2064 1bhbhn.exe 85 PID 2352 wrote to memory of 2356 2352 nnnbtn.exe 86 PID 2352 wrote to memory of 2356 2352 nnnbtn.exe 86 PID 2352 wrote to memory of 2356 2352 nnnbtn.exe 86 PID 2356 wrote to memory of 3616 2356 jdvjj.exe 87 PID 2356 wrote to memory of 3616 2356 jdvjj.exe 87 PID 2356 wrote to memory of 3616 2356 jdvjj.exe 87 PID 3616 wrote to memory of 2300 3616 tnhbnh.exe 88 PID 3616 wrote to memory of 2300 3616 tnhbnh.exe 88 PID 3616 wrote to memory of 2300 3616 tnhbnh.exe 88 PID 2300 wrote to memory of 4584 2300 rrrfxrl.exe 89 PID 2300 wrote to memory of 4584 2300 rrrfxrl.exe 89 PID 2300 wrote to memory of 4584 2300 rrrfxrl.exe 89 PID 4584 wrote to memory of 4216 4584 bntnnh.exe 90 PID 4584 wrote to memory of 4216 4584 bntnnh.exe 90 PID 4584 wrote to memory of 4216 4584 bntnnh.exe 90 PID 4216 wrote to memory of 2180 4216 tntnbb.exe 91 PID 4216 wrote to memory of 2180 4216 tntnbb.exe 91 PID 4216 wrote to memory of 2180 4216 tntnbb.exe 91 PID 2180 wrote to memory of 852 2180 hntnhb.exe 92 PID 2180 wrote to memory of 852 2180 hntnhb.exe 92 PID 2180 wrote to memory of 852 2180 hntnhb.exe 92 PID 852 wrote to memory of 4428 852 pvdvv.exe 93 PID 852 wrote to 
memory of 4428 852 pvdvv.exe 93 PID 852 wrote to memory of 4428 852 pvdvv.exe 93 PID 4428 wrote to memory of 4960 4428 hnnbnh.exe 94 PID 4428 wrote to memory of 4960 4428 hnnbnh.exe 94 PID 4428 wrote to memory of 4960 4428 hnnbnh.exe 94 PID 4960 wrote to memory of 1476 4960 9pdvv.exe 95 PID 4960 wrote to memory of 1476 4960 9pdvv.exe 95 PID 4960 wrote to memory of 1476 4960 9pdvv.exe 95 PID 1476 wrote to memory of 1548 1476 xxxrxrl.exe 96 PID 1476 wrote to memory of 1548 1476 xxxrxrl.exe 96 PID 1476 wrote to memory of 1548 1476 xxxrxrl.exe 96 PID 1548 wrote to memory of 4828 1548 vpjvp.exe 97 PID 1548 wrote to memory of 4828 1548 vpjvp.exe 97 PID 1548 wrote to memory of 4828 1548 vpjvp.exe 97 PID 4828 wrote to memory of 2280 4828 flxlxrl.exe 98 PID 4828 wrote to memory of 2280 4828 flxlxrl.exe 98 PID 4828 wrote to memory of 2280 4828 flxlxrl.exe 98 PID 2280 wrote to memory of 3544 2280 xllxxxx.exe 99 PID 2280 wrote to memory of 3544 2280 xllxxxx.exe 99 PID 2280 wrote to memory of 3544 2280 xllxxxx.exe 99 PID 3544 wrote to memory of 1428 3544 1ppdp.exe 100 PID 3544 wrote to memory of 1428 3544 1ppdp.exe 100 PID 3544 wrote to memory of 1428 3544 1ppdp.exe 100 PID 1428 wrote to memory of 1516 1428 flxllfx.exe 101 PID 1428 wrote to memory of 1516 1428 flxllfx.exe 101 PID 1428 wrote to memory of 1516 1428 flxllfx.exe 101 PID 1516 wrote to memory of 3584 1516 htbthh.exe 102 PID 1516 wrote to memory of 3584 1516 htbthh.exe 102 PID 1516 wrote to memory of 3584 1516 htbthh.exe 102 PID 3584 wrote to memory of 3148 3584 hnnbnb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\95ab65738cf93b1e6fc48032c8909e463551101b0e91bf135bce2ff5270b7dcb.exe"C:\Users\Admin\AppData\Local\Temp\95ab65738cf93b1e6fc48032c8909e463551101b0e91bf135bce2ff5270b7dcb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\5hhbbb.exec:\5hhbbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\lfrlxfx.exec:\lfrlxfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\1bhbhn.exec:\1bhbhn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\nnnbtn.exec:\nnnbtn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\jdvjj.exec:\jdvjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\tnhbnh.exec:\tnhbnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\rrrfxrl.exec:\rrrfxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\bntnnh.exec:\bntnnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\tntnbb.exec:\tntnbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\hntnhb.exec:\hntnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\pvdvv.exec:\pvdvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\hnnbnh.exec:\hnnbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\9pdvv.exec:\9pdvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\xxxrxrl.exec:\xxxrxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\vpjvp.exec:\vpjvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\flxlxrl.exec:\flxlxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\xllxxxx.exec:\xllxxxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\1ppdp.exec:\1ppdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\flxllfx.exec:\flxllfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\htbthh.exec:\htbthh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\hnnbnb.exec:\hnnbnb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\1dddp.exec:\1dddp.exe23⤵
- Executes dropped EXE
PID:3148 -
\??\c:\bhtnhb.exec:\bhtnhb.exe24⤵
- Executes dropped EXE
PID:3752 -
\??\c:\1pjvj.exec:\1pjvj.exe25⤵
- Executes dropped EXE
PID:4984 -
\??\c:\dppjv.exec:\dppjv.exe26⤵
- Executes dropped EXE
PID:3220 -
\??\c:\xfxlxlx.exec:\xfxlxlx.exe27⤵
- Executes dropped EXE
PID:4992 -
\??\c:\lrxfxrl.exec:\lrxfxrl.exe28⤵
- Executes dropped EXE
PID:3252 -
\??\c:\3bhthb.exec:\3bhthb.exe29⤵
- Executes dropped EXE
PID:4292 -
\??\c:\xlrfrlr.exec:\xlrfrlr.exe30⤵
- Executes dropped EXE
PID:2500 -
\??\c:\lfffxlf.exec:\lfffxlf.exe31⤵
- Executes dropped EXE
PID:3448 -
\??\c:\5tbnnn.exec:\5tbnnn.exe32⤵
- Executes dropped EXE
PID:2440 -
\??\c:\frrfxll.exec:\frrfxll.exe33⤵
- Executes dropped EXE
PID:4284 -
\??\c:\9tthhn.exec:\9tthhn.exe34⤵
- Executes dropped EXE
PID:1960 -
\??\c:\dvdvj.exec:\dvdvj.exe35⤵
- Executes dropped EXE
PID:1780 -
\??\c:\1ffxllx.exec:\1ffxllx.exe36⤵
- Executes dropped EXE
PID:4996 -
\??\c:\tnhbth.exec:\tnhbth.exe37⤵
- Executes dropped EXE
PID:1048 -
\??\c:\jppdp.exec:\jppdp.exe38⤵
- Executes dropped EXE
PID:4764 -
\??\c:\fxlfrrl.exec:\fxlfrrl.exe39⤵
- Executes dropped EXE
PID:4692 -
\??\c:\3bhbnh.exec:\3bhbnh.exe40⤵
- Executes dropped EXE
PID:1424 -
\??\c:\1nnhtn.exec:\1nnhtn.exe41⤵
- Executes dropped EXE
PID:4808 -
\??\c:\3vpvd.exec:\3vpvd.exe42⤵
- Executes dropped EXE
PID:1444 -
\??\c:\lffrlxr.exec:\lffrlxr.exe43⤵
- Executes dropped EXE
PID:4560 -
\??\c:\5xrxfxl.exec:\5xrxfxl.exe44⤵
- Executes dropped EXE
PID:1644 -
\??\c:\nbthtt.exec:\nbthtt.exe45⤵
- Executes dropped EXE
PID:2124 -
\??\c:\vjdvj.exec:\vjdvj.exe46⤵PID:4528
-
\??\c:\9xrrlll.exec:\9xrrlll.exe47⤵
- Executes dropped EXE
PID:556 -
\??\c:\ntbnhn.exec:\ntbnhn.exe48⤵
- Executes dropped EXE
PID:3464 -
\??\c:\7ppjv.exec:\7ppjv.exe49⤵
- Executes dropped EXE
PID:1772 -
\??\c:\3flxrlx.exec:\3flxrlx.exe50⤵
- Executes dropped EXE
PID:1808 -
\??\c:\3ttnht.exec:\3ttnht.exe51⤵
- Executes dropped EXE
PID:1604 -
\??\c:\httntn.exec:\httntn.exe52⤵
- Executes dropped EXE
PID:1320 -
\??\c:\vjvjd.exec:\vjvjd.exe53⤵
- Executes dropped EXE
PID:3536 -
\??\c:\lffrxrl.exec:\lffrxrl.exe54⤵
- Executes dropped EXE
PID:1468 -
\??\c:\rxlfxrf.exec:\rxlfxrf.exe55⤵
- Executes dropped EXE
PID:3616 -
\??\c:\hbhbbn.exec:\hbhbbn.exe56⤵
- Executes dropped EXE
PID:2948 -
\??\c:\ppjvp.exec:\ppjvp.exe57⤵
- Executes dropped EXE
PID:1328 -
\??\c:\lxfxxrr.exec:\lxfxxrr.exe58⤵
- Executes dropped EXE
PID:4540 -
\??\c:\tbbthb.exec:\tbbthb.exe59⤵
- Executes dropped EXE
PID:1676 -
\??\c:\dpvpv.exec:\dpvpv.exe60⤵
- Executes dropped EXE
PID:3520 -
\??\c:\lrrfrll.exec:\lrrfrll.exe61⤵
- Executes dropped EXE
PID:4768 -
\??\c:\nhbtnb.exec:\nhbtnb.exe62⤵
- Executes dropped EXE
PID:336 -
\??\c:\vvddp.exec:\vvddp.exe63⤵
- Executes dropped EXE
PID:4224 -
\??\c:\7jdpd.exec:\7jdpd.exe64⤵
- Executes dropped EXE
PID:2644 -
\??\c:\xrfxllf.exec:\xrfxllf.exe65⤵
- Executes dropped EXE
PID:2268 -
\??\c:\nbbnbt.exec:\nbbnbt.exe66⤵
- Executes dropped EXE
PID:824 -
\??\c:\thbnbt.exec:\thbnbt.exe67⤵PID:228
-
\??\c:\djdpd.exec:\djdpd.exe68⤵PID:4828
-
\??\c:\1xxlrlx.exec:\1xxlrlx.exe69⤵PID:2056
-
\??\c:\3fxlfxl.exec:\3fxlfxl.exe70⤵PID:1844
-
\??\c:\hbnhhh.exec:\hbnhhh.exe71⤵PID:3544
-
\??\c:\1dvvj.exec:\1dvvj.exe72⤵
- System Location Discovery: System Language Discovery
PID:1976 -
\??\c:\5xlflrl.exec:\5xlflrl.exe73⤵PID:2872
-
\??\c:\frrfxfl.exec:\frrfxfl.exe74⤵PID:1224
-
\??\c:\ntthbt.exec:\ntthbt.exe75⤵PID:3108
-
\??\c:\jdvjv.exec:\jdvjv.exe76⤵PID:4684
-
\??\c:\9xlxlfx.exec:\9xlxlfx.exe77⤵PID:1348
-
\??\c:\nnnhth.exec:\nnnhth.exe78⤵PID:456
-
\??\c:\5hbnnn.exec:\5hbnnn.exe79⤵PID:3228
-
\??\c:\jjpdj.exec:\jjpdj.exe80⤵PID:516
-
\??\c:\ffrrlrl.exec:\ffrrlrl.exe81⤵PID:4888
-
\??\c:\hnthtn.exec:\hnthtn.exe82⤵PID:4944
-
\??\c:\ntthbb.exec:\ntthbb.exe83⤵PID:3076
-
\??\c:\jpvpd.exec:\jpvpd.exe84⤵PID:468
-
\??\c:\5vjvj.exec:\5vjvj.exe85⤵PID:2964
-
\??\c:\5rfrflr.exec:\5rfrflr.exe86⤵PID:4032
-
\??\c:\nbbthb.exec:\nbbthb.exe87⤵PID:2856
-
\??\c:\vvvjp.exec:\vvvjp.exe88⤵PID:3340
-
\??\c:\rfxrfrl.exec:\rfxrfrl.exe89⤵PID:2700
-
\??\c:\nbnhbb.exec:\nbnhbb.exe90⤵PID:2712
-
\??\c:\jvdpj.exec:\jvdpj.exe91⤵PID:2936
-
\??\c:\rllxxxl.exec:\rllxxxl.exe92⤵PID:4176
-
\??\c:\rfrffxx.exec:\rfrffxx.exe93⤵PID:3716
-
\??\c:\nnnbnh.exec:\nnnbnh.exe94⤵PID:1048
-
\??\c:\jppdp.exec:\jppdp.exe95⤵PID:4764
-
\??\c:\9jvvd.exec:\9jvvd.exe96⤵PID:2236
-
\??\c:\rlfxfxr.exec:\rlfxfxr.exe97⤵PID:3920
-
\??\c:\nhbtnh.exec:\nhbtnh.exe98⤵PID:3728
-
\??\c:\nhnhhh.exec:\nhnhhh.exe99⤵PID:2520
-
\??\c:\pjjvv.exec:\pjjvv.exe100⤵
- System Location Discovery: System Language Discovery
PID:4876 -
\??\c:\xrxrrlr.exec:\xrxrrlr.exe101⤵PID:3748
-
\??\c:\nhhthb.exec:\nhhthb.exe102⤵PID:2124
-
\??\c:\tbbnbb.exec:\tbbnbb.exe103⤵PID:948
-
\??\c:\jvdpp.exec:\jvdpp.exe104⤵PID:2996
-
\??\c:\lflxxxx.exec:\lflxxxx.exe105⤵PID:4188
-
\??\c:\7btnbt.exec:\7btnbt.exe106⤵PID:1336
-
\??\c:\jdjdj.exec:\jdjdj.exe107⤵PID:812
-
\??\c:\dppdv.exec:\dppdv.exe108⤵PID:2132
-
\??\c:\lfxrflf.exec:\lfxrflf.exe109⤵PID:1116
-
\??\c:\7thbnn.exec:\7thbnn.exe110⤵PID:3980
-
\??\c:\7tbnhb.exec:\7tbnhb.exe111⤵PID:3540
-
\??\c:\vdjvj.exec:\vdjvj.exe112⤵PID:740
-
\??\c:\fffxlfx.exec:\fffxlfx.exe113⤵PID:2300
-
\??\c:\xflffxr.exec:\xflffxr.exe114⤵PID:2948
-
\??\c:\btbhhb.exec:\btbhhb.exe115⤵PID:4160
-
\??\c:\jdjdd.exec:\jdjdd.exe116⤵PID:1496
-
\??\c:\9jvjd.exec:\9jvjd.exe117⤵PID:4980
-
\??\c:\7rxllfl.exec:\7rxllfl.exe118⤵
- System Location Discovery: System Language Discovery
PID:1528 -
\??\c:\5xlfrlx.exec:\5xlfrlx.exe119⤵PID:440
-
\??\c:\thhbhb.exec:\thhbhb.exe120⤵PID:4768
-
\??\c:\3dvpd.exec:\3dvpd.exe121⤵PID:1824
-
\??\c:\frlxllx.exec:\frlxllx.exe122⤵PID:4428