Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe
-
Size
454KB
-
MD5
c13b9cd72959128a35499c01694261eb
-
SHA1
8f202387ea428641fa629bbc3b90c5fcda895b4f
-
SHA256
95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d
-
SHA512
68db9efb599086b26e54702fc5728b9f6492feaff82599cf227e7a60ccaf5fd5dd50a2de43db9d95a5b9a5912f6d964817da212ebf1bc11da2eccf8abbe04be9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2256-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4708-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1644-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3156 dppdp.exe 1092 1frlffx.exe 3476 9lxlxrl.exe 3776 bhhtth.exe 1200 1ffrlfx.exe 1128 3xrlxrl.exe 2140 3tnhtt.exe 2400 htthbt.exe 4288 jvpjv.exe 1976 nbhhtb.exe 2024 vvdpd.exe 2332 frrfrrf.exe 3660 jjvjv.exe 3628 lxrfxxf.exe 3064 1nhthn.exe 1996 9rrlxfx.exe 1664 ntbnhb.exe 1160 5vpjv.exe 440 pddvj.exe 744 rlrllll.exe 3052 7tbntn.exe 3284 5vvjv.exe 4568 nbnhbt.exe 4540 1jpdp.exe 1720 5frlxrf.exe 1888 7tbtbt.exe 4708 9dpdp.exe 932 3xrfrlx.exe 3260 5nthhb.exe 3720 vppdd.exe 1752 nnhthb.exe 4000 rxxlxrf.exe 3408 ntnhtt.exe 3680 5llxllx.exe 3704 bnhtnh.exe 3096 jjjjv.exe 1816 xllxrlr.exe 740 7lrffxx.exe 1908 thhbbt.exe 3624 jvdvv.exe 4400 llrflrf.exe 2864 rlfrfxr.exe 724 htbttn.exe 3956 djpdp.exe 3556 xlfrfxl.exe 2792 9nthtn.exe 4312 nbbntt.exe 1724 vdpjv.exe 4596 fxxlfxr.exe 3140 nhbtnn.exe 4452 3vdpv.exe 1092 7lfrfxr.exe 3904 nhnhbb.exe 1336 dvdpj.exe 3772 3dpjv.exe 2680 ffxxxxl.exe 408 hnnbbn.exe 1196 pdppp.exe 2200 jddpj.exe 2140 9lrrlrl.exe 1544 hthnnb.exe 2400 pdjjj.exe 3920 vpppj.exe 2500 rxrrfxr.exe -
resource yara_rule behavioral2/memory/2256-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4708-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2708-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-731-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2256 wrote to memory of 3156 2256 95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe 82 PID 2256 wrote to memory of 3156 2256 95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe 82 PID 2256 wrote to memory of 3156 2256 95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe 82 PID 3156 wrote to memory of 1092 3156 dppdp.exe 83 PID 3156 wrote to memory of 1092 3156 dppdp.exe 83 PID 3156 wrote to memory of 1092 3156 dppdp.exe 83 PID 1092 wrote to memory of 3476 1092 1frlffx.exe 84 PID 1092 wrote to memory of 3476 1092 1frlffx.exe 84 PID 1092 wrote to memory of 3476 1092 1frlffx.exe 84 PID 3476 wrote to memory of 3776 3476 9lxlxrl.exe 85 PID 3476 wrote to memory of 3776 3476 9lxlxrl.exe 85 PID 3476 wrote to memory of 3776 3476 9lxlxrl.exe 85 PID 3776 wrote to memory of 1200 3776 bhhtth.exe 86 PID 3776 wrote to memory of 1200 3776 bhhtth.exe 86 PID 3776 wrote to memory of 1200 3776 bhhtth.exe 86 PID 1200 wrote to memory of 1128 1200 1ffrlfx.exe 87 PID 1200 wrote to memory of 1128 1200 1ffrlfx.exe 87 PID 1200 wrote to memory of 1128 1200 1ffrlfx.exe 87 PID 1128 wrote to memory of 2140 1128 3xrlxrl.exe 88 PID 1128 wrote to memory of 2140 1128 3xrlxrl.exe 88 PID 1128 wrote to memory of 2140 1128 3xrlxrl.exe 88 PID 2140 wrote to memory of 2400 2140 3tnhtt.exe 89 PID 2140 wrote to memory of 2400 2140 3tnhtt.exe 89 PID 2140 wrote to memory of 2400 2140 3tnhtt.exe 89 PID 2400 wrote to memory of 4288 2400 htthbt.exe 90 PID 2400 wrote to memory of 4288 2400 htthbt.exe 90 PID 2400 wrote to memory of 4288 2400 htthbt.exe 90 PID 4288 wrote to memory of 1976 4288 jvpjv.exe 91 PID 4288 wrote to memory of 1976 4288 jvpjv.exe 91 PID 4288 wrote to memory of 1976 4288 jvpjv.exe 91 PID 1976 wrote to memory of 2024 1976 nbhhtb.exe 92 PID 1976 wrote to memory of 2024 1976 nbhhtb.exe 92 PID 1976 wrote to memory of 2024 1976 nbhhtb.exe 92 PID 2024 wrote to memory of 2332 2024 vvdpd.exe 93 PID 2024 wrote 
to memory of 2332 2024 vvdpd.exe 93 PID 2024 wrote to memory of 2332 2024 vvdpd.exe 93 PID 2332 wrote to memory of 3660 2332 frrfrrf.exe 94 PID 2332 wrote to memory of 3660 2332 frrfrrf.exe 94 PID 2332 wrote to memory of 3660 2332 frrfrrf.exe 94 PID 3660 wrote to memory of 3628 3660 jjvjv.exe 95 PID 3660 wrote to memory of 3628 3660 jjvjv.exe 95 PID 3660 wrote to memory of 3628 3660 jjvjv.exe 95 PID 3628 wrote to memory of 3064 3628 lxrfxxf.exe 96 PID 3628 wrote to memory of 3064 3628 lxrfxxf.exe 96 PID 3628 wrote to memory of 3064 3628 lxrfxxf.exe 96 PID 3064 wrote to memory of 1996 3064 1nhthn.exe 97 PID 3064 wrote to memory of 1996 3064 1nhthn.exe 97 PID 3064 wrote to memory of 1996 3064 1nhthn.exe 97 PID 1996 wrote to memory of 1664 1996 9rrlxfx.exe 98 PID 1996 wrote to memory of 1664 1996 9rrlxfx.exe 98 PID 1996 wrote to memory of 1664 1996 9rrlxfx.exe 98 PID 1664 wrote to memory of 1160 1664 ntbnhb.exe 99 PID 1664 wrote to memory of 1160 1664 ntbnhb.exe 99 PID 1664 wrote to memory of 1160 1664 ntbnhb.exe 99 PID 1160 wrote to memory of 440 1160 5vpjv.exe 100 PID 1160 wrote to memory of 440 1160 5vpjv.exe 100 PID 1160 wrote to memory of 440 1160 5vpjv.exe 100 PID 440 wrote to memory of 744 440 pddvj.exe 101 PID 440 wrote to memory of 744 440 pddvj.exe 101 PID 440 wrote to memory of 744 440 pddvj.exe 101 PID 744 wrote to memory of 3052 744 rlrllll.exe 102 PID 744 wrote to memory of 3052 744 rlrllll.exe 102 PID 744 wrote to memory of 3052 744 rlrllll.exe 102 PID 3052 wrote to memory of 3284 3052 7tbntn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe"C:\Users\Admin\AppData\Local\Temp\95ce0a75b044c06acd21307f27af281b17ad2113aa4295021cec2fb6d9c6d82d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\dppdp.exec:\dppdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\1frlffx.exec:\1frlffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\9lxlxrl.exec:\9lxlxrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\bhhtth.exec:\bhhtth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\1ffrlfx.exec:\1ffrlfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\3xrlxrl.exec:\3xrlxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\3tnhtt.exec:\3tnhtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\htthbt.exec:\htthbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\jvpjv.exec:\jvpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\nbhhtb.exec:\nbhhtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\vvdpd.exec:\vvdpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\frrfrrf.exec:\frrfrrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\jjvjv.exec:\jjvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\lxrfxxf.exec:\lxrfxxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\1nhthn.exec:\1nhthn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\9rrlxfx.exec:\9rrlxfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\ntbnhb.exec:\ntbnhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\5vpjv.exec:\5vpjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\pddvj.exec:\pddvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\rlrllll.exec:\rlrllll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\7tbntn.exec:\7tbntn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\5vvjv.exec:\5vvjv.exe23⤵
- Executes dropped EXE
PID:3284 -
\??\c:\nbnhbt.exec:\nbnhbt.exe24⤵
- Executes dropped EXE
PID:4568 -
\??\c:\1jpdp.exec:\1jpdp.exe25⤵
- Executes dropped EXE
PID:4540 -
\??\c:\5frlxrf.exec:\5frlxrf.exe26⤵
- Executes dropped EXE
PID:1720 -
\??\c:\7tbtbt.exec:\7tbtbt.exe27⤵
- Executes dropped EXE
PID:1888 -
\??\c:\9dpdp.exec:\9dpdp.exe28⤵
- Executes dropped EXE
PID:4708 -
\??\c:\3xrfrlx.exec:\3xrfrlx.exe29⤵
- Executes dropped EXE
PID:932 -
\??\c:\5nthhb.exec:\5nthhb.exe30⤵
- Executes dropped EXE
PID:3260 -
\??\c:\vppdd.exec:\vppdd.exe31⤵
- Executes dropped EXE
PID:3720 -
\??\c:\nnhthb.exec:\nnhthb.exe32⤵
- Executes dropped EXE
PID:1752 -
\??\c:\rxxlxrf.exec:\rxxlxrf.exe33⤵
- Executes dropped EXE
PID:4000 -
\??\c:\ntnhtt.exec:\ntnhtt.exe34⤵
- Executes dropped EXE
PID:3408 -
\??\c:\5llxllx.exec:\5llxllx.exe35⤵
- Executes dropped EXE
PID:3680 -
\??\c:\bnhtnh.exec:\bnhtnh.exe36⤵
- Executes dropped EXE
PID:3704 -
\??\c:\jjjjv.exec:\jjjjv.exe37⤵
- Executes dropped EXE
PID:3096 -
\??\c:\xllxrlr.exec:\xllxrlr.exe38⤵
- Executes dropped EXE
PID:1816 -
\??\c:\7lrffxx.exec:\7lrffxx.exe39⤵
- Executes dropped EXE
PID:740 -
\??\c:\thhbbt.exec:\thhbbt.exe40⤵
- Executes dropped EXE
PID:1908 -
\??\c:\jvdvv.exec:\jvdvv.exe41⤵
- Executes dropped EXE
PID:3624 -
\??\c:\llrflrf.exec:\llrflrf.exe42⤵
- Executes dropped EXE
PID:4400 -
\??\c:\rlfrfxr.exec:\rlfrfxr.exe43⤵
- Executes dropped EXE
PID:2864 -
\??\c:\htbttn.exec:\htbttn.exe44⤵
- Executes dropped EXE
PID:724 -
\??\c:\djpdp.exec:\djpdp.exe45⤵
- Executes dropped EXE
PID:3956 -
\??\c:\xlfrfxl.exec:\xlfrfxl.exe46⤵
- Executes dropped EXE
PID:3556 -
\??\c:\9nthtn.exec:\9nthtn.exe47⤵
- Executes dropped EXE
PID:2792 -
\??\c:\nbbntt.exec:\nbbntt.exe48⤵
- Executes dropped EXE
PID:4312 -
\??\c:\vdpjv.exec:\vdpjv.exe49⤵
- Executes dropped EXE
PID:1724 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe50⤵
- Executes dropped EXE
PID:4596 -
\??\c:\nhbtnn.exec:\nhbtnn.exe51⤵
- Executes dropped EXE
PID:3140 -
\??\c:\3vdpv.exec:\3vdpv.exe52⤵
- Executes dropped EXE
PID:4452 -
\??\c:\7lfrfxr.exec:\7lfrfxr.exe53⤵
- Executes dropped EXE
PID:1092 -
\??\c:\nhnhbb.exec:\nhnhbb.exe54⤵
- Executes dropped EXE
PID:3904 -
\??\c:\dvdpj.exec:\dvdpj.exe55⤵
- Executes dropped EXE
PID:1336 -
\??\c:\3dpjv.exec:\3dpjv.exe56⤵
- Executes dropped EXE
PID:3772 -
\??\c:\ffxxxxl.exec:\ffxxxxl.exe57⤵
- Executes dropped EXE
PID:2680 -
\??\c:\hnnbbn.exec:\hnnbbn.exe58⤵
- Executes dropped EXE
PID:408 -
\??\c:\pdppp.exec:\pdppp.exe59⤵
- Executes dropped EXE
PID:1196 -
\??\c:\jddpj.exec:\jddpj.exe60⤵
- Executes dropped EXE
PID:2200 -
\??\c:\9lrrlrl.exec:\9lrrlrl.exe61⤵
- Executes dropped EXE
PID:2140 -
\??\c:\hthnnb.exec:\hthnnb.exe62⤵
- Executes dropped EXE
PID:1544 -
\??\c:\pdjjj.exec:\pdjjj.exe63⤵
- Executes dropped EXE
PID:2400 -
\??\c:\vpppj.exec:\vpppj.exe64⤵
- Executes dropped EXE
PID:3920 -
\??\c:\rxrrfxr.exec:\rxrrfxr.exe65⤵
- Executes dropped EXE
PID:2500 -
\??\c:\hbbbbb.exec:\hbbbbb.exe66⤵PID:1976
-
\??\c:\hbnhhh.exec:\hbnhhh.exe67⤵PID:4904
-
\??\c:\1jpjj.exec:\1jpjj.exe68⤵PID:1016
-
\??\c:\rrfxxxr.exec:\rrfxxxr.exe69⤵PID:1252
-
\??\c:\bnbtht.exec:\bnbtht.exe70⤵PID:1216
-
\??\c:\vdddd.exec:\vdddd.exe71⤵PID:2460
-
\??\c:\jvdvv.exec:\jvdvv.exe72⤵PID:4612
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe73⤵PID:232
-
\??\c:\tbttbb.exec:\tbttbb.exe74⤵
- System Location Discovery: System Language Discovery
PID:1240 -
\??\c:\pddpj.exec:\pddpj.exe75⤵PID:1624
-
\??\c:\lflrxrr.exec:\lflrxrr.exe76⤵PID:2992
-
\??\c:\bntnbn.exec:\bntnbn.exe77⤵PID:3560
-
\??\c:\nnhtht.exec:\nnhtht.exe78⤵PID:1868
-
\??\c:\jpvdd.exec:\jpvdd.exe79⤵PID:2172
-
\??\c:\frxrlll.exec:\frxrlll.exe80⤵PID:3932
-
\??\c:\rrxrrrr.exec:\rrxrrrr.exe81⤵PID:1644
-
\??\c:\7hnhbb.exec:\7hnhbb.exe82⤵PID:2868
-
\??\c:\pdjdv.exec:\pdjdv.exe83⤵PID:3568
-
\??\c:\djpdp.exec:\djpdp.exe84⤵PID:1788
-
\??\c:\xxfllfl.exec:\xxfllfl.exe85⤵PID:2708
-
\??\c:\5bhbbb.exec:\5bhbbb.exe86⤵PID:4540
-
\??\c:\jdvpd.exec:\jdvpd.exe87⤵PID:2736
-
\??\c:\flrlffr.exec:\flrlffr.exe88⤵PID:4332
-
\??\c:\5hhtnh.exec:\5hhtnh.exe89⤵PID:4892
-
\??\c:\1vvdp.exec:\1vvdp.exe90⤵PID:1584
-
\??\c:\ddjdp.exec:\ddjdp.exe91⤵PID:1260
-
\??\c:\lxfrlfx.exec:\lxfrlfx.exe92⤵PID:4684
-
\??\c:\nhnbbn.exec:\nhnbbn.exe93⤵PID:2152
-
\??\c:\1dvvp.exec:\1dvvp.exe94⤵PID:3260
-
\??\c:\xlxlrrf.exec:\xlxlrrf.exe95⤵PID:2628
-
\??\c:\tnbhth.exec:\tnbhth.exe96⤵PID:3720
-
\??\c:\vdpvv.exec:\vdpvv.exe97⤵PID:372
-
\??\c:\jjdvp.exec:\jjdvp.exe98⤵PID:432
-
\??\c:\xrffffl.exec:\xrffffl.exe99⤵PID:964
-
\??\c:\7hhhbb.exec:\7hhhbb.exe100⤵PID:4924
-
\??\c:\5vjdd.exec:\5vjdd.exe101⤵PID:3296
-
\??\c:\1ppjd.exec:\1ppjd.exe102⤵PID:2248
-
\??\c:\lrlfffx.exec:\lrlfffx.exe103⤵PID:1756
-
\??\c:\tthbbb.exec:\tthbbb.exe104⤵PID:2540
-
\??\c:\dpvvp.exec:\dpvvp.exe105⤵PID:3076
-
\??\c:\pvvpd.exec:\pvvpd.exe106⤵PID:3684
-
\??\c:\xllfllf.exec:\xllfllf.exe107⤵PID:4044
-
\??\c:\1hhbtn.exec:\1hhbtn.exe108⤵PID:4724
-
\??\c:\dvpdv.exec:\dvpdv.exe109⤵PID:1320
-
\??\c:\rflllll.exec:\rflllll.exe110⤵PID:1768
-
\??\c:\btbttn.exec:\btbttn.exe111⤵PID:4944
-
\??\c:\tntnhb.exec:\tntnhb.exe112⤵PID:4204
-
\??\c:\pppjd.exec:\pppjd.exe113⤵PID:4320
-
\??\c:\9rrlffx.exec:\9rrlffx.exe114⤵PID:4460
-
\??\c:\ttnnhh.exec:\ttnnhh.exe115⤵PID:4948
-
\??\c:\1pvpj.exec:\1pvpj.exe116⤵PID:2228
-
\??\c:\lflfrxl.exec:\lflfrxl.exe117⤵PID:3156
-
\??\c:\ththnh.exec:\ththnh.exe118⤵PID:4852
-
\??\c:\jdjdj.exec:\jdjdj.exe119⤵PID:2260
-
\??\c:\rrrlffx.exec:\rrrlffx.exe120⤵PID:2564
-
\??\c:\rlrlfff.exec:\rlrlfff.exe121⤵PID:3896
-
\??\c:\9ntnnn.exec:\9ntnnn.exe122⤵PID:1336