Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
95fbc384c795a4174e1a7d0b098f0a363754e02fbf062f7a46e65822e63d61c1N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
95fbc384c795a4174e1a7d0b098f0a363754e02fbf062f7a46e65822e63d61c1N.exe
-
Size
454KB
-
MD5
ea897fdd73a39369fbc0f600dcb60300
-
SHA1
0c3030b4f2035c340c6c75581ca2a01b95fe4b1d
-
SHA256
95fbc384c795a4174e1a7d0b098f0a363754e02fbf062f7a46e65822e63d61c1
-
SHA512
13279385c906a7e1d6bbb61aec9110226ff2b2780e9346c1290a1c340eee4dea154cec3e4eed4536c55cd1f57eceb74bda07e06e804aae19023af2fa9ba4e21d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2196-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4444-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3820-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-871-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-929-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-975-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-1367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-1428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-1531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2440-1571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4544 dpvvp.exe 3808 rlllflf.exe 3968 bttnhh.exe 4212 tnhbbt.exe 244 846664.exe 4220 2226004.exe 1408 0248604.exe 5052 tttbbt.exe 5084 ntthbt.exe 872 266082.exe 2180 btbthh.exe 3172 flxlxlx.exe 3940 600822.exe 2912 688482.exe 3052 02048.exe 432 xxrrllf.exe 3404 62486.exe 3920 jvpdp.exe 2436 64820.exe 3580 222048.exe 2544 ttthbn.exe 2572 08264.exe 4248 0260400.exe 780 860260.exe 1484 tnnntt.exe 3396 3nhtnh.exe 4444 006084.exe 4904 9jvpd.exe 4428 2846868.exe 1644 8882826.exe 5116 e22082.exe 1872 080048.exe 1564 htthtt.exe 2440 g8264.exe 392 028266.exe 3080 60826.exe 1496 vjdvj.exe 1592 llrllll.exe 3660 6842626.exe 4632 3rfxrfx.exe 2900 1hhhhh.exe 4120 068604.exe 3368 288026.exe 3988 ttthtn.exe 184 5llrfxl.exe 2908 m0208.exe 2856 lfxrlff.exe 4824 xlrxlff.exe 2212 i404826.exe 4648 dvddv.exe 2196 thnhbb.exe 2480 w28242.exe 1948 02642.exe 3772 lllfxfx.exe 208 rfxlfrf.exe 1832 lxlfxrl.exe 3408 nbtntn.exe 244 hhnhbb.exe 4144 ppvpj.exe 2432 420844.exe 1408 442208.exe 4892 4682266.exe 4796 64600.exe 4508 lfxrffx.exe -
resource yara_rule behavioral2/memory/2196-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-146-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4444-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-400-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1952-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-871-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g8482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 862060.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
bntbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4406048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q42604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0482608.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06064.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88460.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i448482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2220048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8408260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8400404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 262044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0664864.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthbt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2196 wrote to memory of 4544 2196 95fbc384c795a4174e1a7d0b098f0a363754e02fbf062f7a46e65822e63d61c1N.exe 85 PID 2196 wrote to memory of 4544 2196 95fbc384c795a4174e1a7d0b098f0a363754e02fbf062f7a46e65822e63d61c1N.exe 85 PID 2196 wrote to memory of 4544 2196 95fbc384c795a4174e1a7d0b098f0a363754e02fbf062f7a46e65822e63d61c1N.exe 85 PID 4544 wrote to memory of 3808 4544 dpvvp.exe 86 PID 4544 wrote to memory of 3808 4544 dpvvp.exe 86 PID 4544 wrote to memory of 3808 4544 dpvvp.exe 86 PID 3808 wrote to memory of 3968 3808 rlllflf.exe 87 PID 3808 wrote to memory of 3968 3808 rlllflf.exe 87 PID 3808 wrote to memory of 3968 3808 rlllflf.exe 87 PID 3968 wrote to memory of 4212 3968 bttnhh.exe 88 PID 3968 wrote to memory of 4212 3968 bttnhh.exe 88 PID 3968 wrote to memory of 4212 3968 bttnhh.exe 88 PID 4212 wrote to memory of 244 4212 tnhbbt.exe 89 PID 4212 wrote to memory of 244 4212 tnhbbt.exe 89 PID 4212 wrote to memory of 244 4212 tnhbbt.exe 89 PID 244 wrote to memory of 4220 244 846664.exe 90 PID 244 wrote to memory of 4220 244 846664.exe 90 PID 244 wrote to memory of 4220 244 846664.exe 90 PID 4220 wrote to memory of 1408 4220 2226004.exe 91 PID 4220 wrote to memory of 1408 4220 2226004.exe 91 PID 4220 wrote to memory of 1408 4220 2226004.exe 91 PID 1408 wrote to memory of 5052 1408 0248604.exe 92 PID 1408 wrote to memory of 5052 1408 0248604.exe 92 PID 1408 wrote to memory of 5052 1408 0248604.exe 92 PID 5052 wrote to memory of 5084 5052 tttbbt.exe 93 PID 5052 wrote to memory of 5084 5052 tttbbt.exe 93 PID 5052 wrote to memory of 5084 5052 tttbbt.exe 93 PID 5084 wrote to memory of 872 5084 ntthbt.exe 94 PID 5084 wrote to memory of 872 5084 ntthbt.exe 94 PID 5084 wrote to memory of 872 5084 ntthbt.exe 94 PID 872 wrote to memory of 2180 872 266082.exe 95 PID 872 wrote to memory of 2180 872 266082.exe 95 PID 872 wrote to memory of 2180 872 266082.exe 95 PID 2180 wrote to memory of 3172 2180 btbthh.exe 96 PID 2180 wrote to memory of 
3172 2180 btbthh.exe 96 PID 2180 wrote to memory of 3172 2180 btbthh.exe 96 PID 3172 wrote to memory of 3940 3172 flxlxlx.exe 97 PID 3172 wrote to memory of 3940 3172 flxlxlx.exe 97 PID 3172 wrote to memory of 3940 3172 flxlxlx.exe 97 PID 3940 wrote to memory of 2912 3940 600822.exe 98 PID 3940 wrote to memory of 2912 3940 600822.exe 98 PID 3940 wrote to memory of 2912 3940 600822.exe 98 PID 2912 wrote to memory of 3052 2912 688482.exe 99 PID 2912 wrote to memory of 3052 2912 688482.exe 99 PID 2912 wrote to memory of 3052 2912 688482.exe 99 PID 3052 wrote to memory of 432 3052 02048.exe 100 PID 3052 wrote to memory of 432 3052 02048.exe 100 PID 3052 wrote to memory of 432 3052 02048.exe 100 PID 432 wrote to memory of 3404 432 xxrrllf.exe 101 PID 432 wrote to memory of 3404 432 xxrrllf.exe 101 PID 432 wrote to memory of 3404 432 xxrrllf.exe 101 PID 3404 wrote to memory of 3920 3404 62486.exe 102 PID 3404 wrote to memory of 3920 3404 62486.exe 102 PID 3404 wrote to memory of 3920 3404 62486.exe 102 PID 3920 wrote to memory of 2436 3920 jvpdp.exe 103 PID 3920 wrote to memory of 2436 3920 jvpdp.exe 103 PID 3920 wrote to memory of 2436 3920 jvpdp.exe 103 PID 2436 wrote to memory of 3580 2436 64820.exe 104 PID 2436 wrote to memory of 3580 2436 64820.exe 104 PID 2436 wrote to memory of 3580 2436 64820.exe 104 PID 3580 wrote to memory of 2544 3580 222048.exe 105 PID 3580 wrote to memory of 2544 3580 222048.exe 105 PID 3580 wrote to memory of 2544 3580 222048.exe 105 PID 2544 wrote to memory of 2572 2544 ttthbn.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\95fbc384c795a4174e1a7d0b098f0a363754e02fbf062f7a46e65822e63d61c1N.exe"C:\Users\Admin\AppData\Local\Temp\95fbc384c795a4174e1a7d0b098f0a363754e02fbf062f7a46e65822e63d61c1N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\dpvvp.exec:\dpvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\rlllflf.exec:\rlllflf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\bttnhh.exec:\bttnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\tnhbbt.exec:\tnhbbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\846664.exec:\846664.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\2226004.exec:\2226004.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\0248604.exec:\0248604.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
\??\c:\tttbbt.exec:\tttbbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\ntthbt.exec:\ntthbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\266082.exec:\266082.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\btbthh.exec:\btbthh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\flxlxlx.exec:\flxlxlx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\600822.exec:\600822.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\688482.exec:\688482.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\02048.exec:\02048.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\xxrrllf.exec:\xxrrllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\62486.exec:\62486.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\jvpdp.exec:\jvpdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\64820.exec:\64820.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\222048.exec:\222048.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\ttthbn.exec:\ttthbn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\08264.exec:\08264.exe23⤵
- Executes dropped EXE
PID:2572 -
\??\c:\0260400.exec:\0260400.exe24⤵
- Executes dropped EXE
PID:4248 -
\??\c:\860260.exec:\860260.exe25⤵
- Executes dropped EXE
PID:780 -
\??\c:\tnnntt.exec:\tnnntt.exe26⤵
- Executes dropped EXE
PID:1484 -
\??\c:\3nhtnh.exec:\3nhtnh.exe27⤵
- Executes dropped EXE
PID:3396 -
\??\c:\006084.exec:\006084.exe28⤵
- Executes dropped EXE
PID:4444 -
\??\c:\9jvpd.exec:\9jvpd.exe29⤵
- Executes dropped EXE
PID:4904 -
\??\c:\2846868.exec:\2846868.exe30⤵
- Executes dropped EXE
PID:4428 -
\??\c:\8882826.exec:\8882826.exe31⤵
- Executes dropped EXE
PID:1644 -
\??\c:\e22082.exec:\e22082.exe32⤵
- Executes dropped EXE
PID:5116 -
\??\c:\080048.exec:\080048.exe33⤵
- Executes dropped EXE
PID:1872 -
\??\c:\htthtt.exec:\htthtt.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1564 -
\??\c:\g8264.exec:\g8264.exe35⤵
- Executes dropped EXE
PID:2440 -
\??\c:\028266.exec:\028266.exe36⤵
- Executes dropped EXE
PID:392 -
\??\c:\60826.exec:\60826.exe37⤵
- Executes dropped EXE
PID:3080 -
\??\c:\vjdvj.exec:\vjdvj.exe38⤵
- Executes dropped EXE
PID:1496 -
\??\c:\llrllll.exec:\llrllll.exe39⤵
- Executes dropped EXE
PID:1592 -
\??\c:\6842626.exec:\6842626.exe40⤵
- Executes dropped EXE
PID:3660 -
\??\c:\3rfxrfx.exec:\3rfxrfx.exe41⤵
- Executes dropped EXE
PID:4632 -
\??\c:\1hhhhh.exec:\1hhhhh.exe42⤵
- Executes dropped EXE
PID:2900 -
\??\c:\068604.exec:\068604.exe43⤵
- Executes dropped EXE
PID:4120 -
\??\c:\288026.exec:\288026.exe44⤵
- Executes dropped EXE
PID:3368 -
\??\c:\ttthtn.exec:\ttthtn.exe45⤵
- Executes dropped EXE
PID:3988 -
\??\c:\5llrfxl.exec:\5llrfxl.exe46⤵
- Executes dropped EXE
PID:184 -
\??\c:\m0208.exec:\m0208.exe47⤵
- Executes dropped EXE
PID:2908 -
\??\c:\lfxrlff.exec:\lfxrlff.exe48⤵
- Executes dropped EXE
PID:2856 -
\??\c:\xlrxlff.exec:\xlrxlff.exe49⤵
- Executes dropped EXE
PID:4824 -
\??\c:\i404826.exec:\i404826.exe50⤵
- Executes dropped EXE
PID:2212 -
\??\c:\dvddv.exec:\dvddv.exe51⤵
- Executes dropped EXE
PID:4648 -
\??\c:\thnhbb.exec:\thnhbb.exe52⤵
- Executes dropped EXE
PID:2196 -
\??\c:\w28242.exec:\w28242.exe53⤵
- Executes dropped EXE
PID:2480 -
\??\c:\02642.exec:\02642.exe54⤵
- Executes dropped EXE
PID:1948 -
\??\c:\lllfxfx.exec:\lllfxfx.exe55⤵
- Executes dropped EXE
PID:3772 -
\??\c:\rfxlfrf.exec:\rfxlfrf.exe56⤵
- Executes dropped EXE
PID:208 -
\??\c:\lxlfxrl.exec:\lxlfxrl.exe57⤵
- Executes dropped EXE
PID:1832 -
\??\c:\nbtntn.exec:\nbtntn.exe58⤵
- Executes dropped EXE
PID:3408 -
\??\c:\hhnhbb.exec:\hhnhbb.exe59⤵
- Executes dropped EXE
PID:244 -
\??\c:\ppvpj.exec:\ppvpj.exe60⤵
- Executes dropped EXE
PID:4144 -
\??\c:\420844.exec:\420844.exe61⤵
- Executes dropped EXE
PID:2432 -
\??\c:\442208.exec:\442208.exe62⤵
- Executes dropped EXE
PID:1408 -
\??\c:\4682266.exec:\4682266.exe63⤵
- Executes dropped EXE
PID:4892 -
\??\c:\64600.exec:\64600.exe64⤵
- Executes dropped EXE
PID:4796 -
\??\c:\lfxrffx.exec:\lfxrffx.exe65⤵
- Executes dropped EXE
PID:4508 -
\??\c:\djpdv.exec:\djpdv.exe66⤵PID:2768
-
\??\c:\llxxffl.exec:\llxxffl.exe67⤵PID:4952
-
\??\c:\4808684.exec:\4808684.exe68⤵PID:348
-
\??\c:\rxffrlx.exec:\rxffrlx.exe69⤵PID:444
-
\??\c:\bnthbb.exec:\bnthbb.exe70⤵PID:2948
-
\??\c:\66222.exec:\66222.exe71⤵PID:4976
-
\??\c:\684866.exec:\684866.exe72⤵PID:4416
-
\??\c:\c888204.exec:\c888204.exe73⤵PID:1348
-
\??\c:\a0626.exec:\a0626.exe74⤵PID:64
-
\??\c:\bbbnht.exec:\bbbnht.exe75⤵PID:4468
-
\??\c:\pjdvp.exec:\pjdvp.exe76⤵PID:460
-
\??\c:\dpvpj.exec:\dpvpj.exe77⤵PID:2640
-
\??\c:\8444444.exec:\8444444.exe78⤵PID:320
-
\??\c:\88264.exec:\88264.exe79⤵PID:3268
-
\??\c:\7ddpd.exec:\7ddpd.exe80⤵PID:2616
-
\??\c:\m4422.exec:\m4422.exe81⤵PID:2796
-
\??\c:\tttnnn.exec:\tttnnn.exe82⤵PID:864
-
\??\c:\02686.exec:\02686.exe83⤵PID:3820
-
\??\c:\1llxlfr.exec:\1llxlfr.exe84⤵PID:2564
-
\??\c:\xrrfrlf.exec:\xrrfrlf.exe85⤵PID:1828
-
\??\c:\88460.exec:\88460.exe86⤵
- System Location Discovery: System Language Discovery
PID:4700 -
\??\c:\04046.exec:\04046.exe87⤵PID:3876
-
\??\c:\ddpjd.exec:\ddpjd.exe88⤵PID:4616
-
\??\c:\2626826.exec:\2626826.exe89⤵PID:3008
-
\??\c:\44042.exec:\44042.exe90⤵PID:3248
-
\??\c:\3vdvp.exec:\3vdvp.exe91⤵PID:4584
-
\??\c:\rllrfxl.exec:\rllrfxl.exe92⤵PID:4760
-
\??\c:\288648.exec:\288648.exe93⤵PID:4452
-
\??\c:\hnbnnn.exec:\hnbnnn.exe94⤵PID:2224
-
\??\c:\thntht.exec:\thntht.exe95⤵PID:4312
-
\??\c:\840860.exec:\840860.exe96⤵PID:4364
-
\??\c:\262044.exec:\262044.exe97⤵
- System Location Discovery: System Language Discovery
PID:3352 -
\??\c:\20042.exec:\20042.exe98⤵PID:2148
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe99⤵PID:1664
-
\??\c:\0284288.exec:\0284288.exe100⤵PID:3832
-
\??\c:\6248888.exec:\6248888.exe101⤵PID:4784
-
\??\c:\2286420.exec:\2286420.exe102⤵PID:1952
-
\??\c:\0860048.exec:\0860048.exe103⤵PID:2000
-
\??\c:\5tbttt.exec:\5tbttt.exe104⤵PID:3660
-
\??\c:\066086.exec:\066086.exe105⤵PID:2604
-
\??\c:\84420.exec:\84420.exe106⤵PID:1972
-
\??\c:\8226048.exec:\8226048.exe107⤵PID:1536
-
\??\c:\i228280.exec:\i228280.exe108⤵PID:1476
-
\??\c:\3fxlxxl.exec:\3fxlxxl.exe109⤵PID:2996
-
\??\c:\644444.exec:\644444.exe110⤵PID:1532
-
\??\c:\bnnhbt.exec:\bnnhbt.exe111⤵PID:2568
-
\??\c:\u862660.exec:\u862660.exe112⤵PID:4816
-
\??\c:\bnhthb.exec:\bnhthb.exe113⤵PID:2856
-
\??\c:\nbhbbb.exec:\nbhbbb.exe114⤵PID:2920
-
\??\c:\w02642.exec:\w02642.exe115⤵PID:4304
-
\??\c:\04228.exec:\04228.exe116⤵PID:3176
-
\??\c:\7rflxrl.exec:\7rflxrl.exe117⤵PID:3640
-
\??\c:\06486.exec:\06486.exe118⤵
- System Location Discovery: System Language Discovery
PID:1944 -
\??\c:\64280.exec:\64280.exe119⤵PID:2480
-
\??\c:\2480848.exec:\2480848.exe120⤵PID:4888
-
\??\c:\lxrllll.exec:\lxrllll.exe121⤵PID:936
-
\??\c:\rlrxrxr.exec:\rlrxrxr.exe122⤵PID:4212