Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe
-
Size
454KB
-
MD5
aeb3c190dac5971025d1b8f4a57c12e4
-
SHA1
ad59702b6b3d3173081336020e60cd13247a119b
-
SHA256
55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5
-
SHA512
b56e49646a006fa22e6fde9852c8181c11c972e50ab361a559433804da71c54497d02ce3fd21d3498a770a2cb2693cb79b5ef77313c2f959068272abc9a0ef84
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2684-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/320-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4088-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-871-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-890-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-976-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-1136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-1780-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3400 1hnnhn.exe 5024 vjvvv.exe 4656 7pvvp.exe 5008 vdvvp.exe 2536 3jpjj.exe 3632 frrfxxx.exe 3604 ntnbbh.exe 1108 lrfflrr.exe 2312 ppvpd.exe 1360 bnhhbh.exe 3036 xrxxrxx.exe 5088 tbbthh.exe 2700 jvddd.exe 3444 ntbhhn.exe 3896 7ffllrx.exe 2284 ddddd.exe 2912 nbhnnn.exe 1452 ddvvj.exe 4500 rrfxxrl.exe 4768 pppvp.exe 4772 frfxffl.exe 1944 dvjpd.exe 4488 jjvvj.exe 2396 btbtbb.exe 1048 ffffxfx.exe 3016 jjvvj.exe 5068 dddvv.exe 3484 pdppp.exe 4240 ddddd.exe 320 7ntttb.exe 2936 pvdvv.exe 2136 nhhhbb.exe 5064 dddvp.exe 1608 llfxllf.exe 4040 ntttbh.exe 2960 1pppv.exe 1588 rxllfff.exe 1772 3nnhht.exe 4560 jvdpj.exe 4468 lxfrffr.exe 540 9ttnbt.exe 1748 3bhbhh.exe 3944 jdppp.exe 1676 lrxlxxx.exe 3700 hnhhnn.exe 4480 1vpjd.exe 4632 jdjdv.exe 776 rffrffr.exe 888 bnnbtn.exe 4404 jvjdd.exe 4916 xrxrxrx.exe 3848 nhhhbb.exe 3640 vpjjj.exe 3960 dpvpj.exe 4600 lxffrxr.exe 4116 nhnnhh.exe 3048 vdvvp.exe 1756 ppjvd.exe 3668 llrrrxx.exe 4528 nthbbb.exe 4812 nhnhht.exe 4408 pdpjd.exe 1088 xflfxrl.exe 1792 nnnbtn.exe -
resource yara_rule behavioral2/memory/2684-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-176-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2936-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-386-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4392-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-871-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-890-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-976-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1btbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhhh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2684 wrote to memory of 3400 2684 55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe 83 PID 2684 wrote to memory of 3400 2684 55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe 83 PID 2684 wrote to memory of 3400 2684 55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe 83 PID 3400 wrote to memory of 5024 3400 1hnnhn.exe 84 PID 3400 wrote to memory of 5024 3400 1hnnhn.exe 84 PID 3400 wrote to memory of 5024 3400 1hnnhn.exe 84 PID 5024 wrote to memory of 4656 5024 vjvvv.exe 85 PID 5024 wrote to memory of 4656 5024 vjvvv.exe 85 PID 5024 wrote to memory of 4656 5024 vjvvv.exe 85 PID 4656 wrote to memory of 5008 4656 7pvvp.exe 86 PID 4656 wrote to memory of 5008 4656 7pvvp.exe 86 PID 4656 wrote to memory of 5008 4656 7pvvp.exe 86 PID 5008 wrote to memory of 2536 5008 vdvvp.exe 87 PID 5008 wrote to memory of 2536 5008 vdvvp.exe 87 PID 5008 wrote to memory of 2536 5008 vdvvp.exe 87 PID 2536 wrote to memory of 3632 2536 3jpjj.exe 88 PID 2536 wrote to memory of 3632 2536 3jpjj.exe 88 PID 2536 wrote to memory of 3632 2536 3jpjj.exe 88 PID 3632 wrote to memory of 3604 3632 frrfxxx.exe 89 PID 3632 wrote to memory of 3604 3632 frrfxxx.exe 89 PID 3632 wrote to memory of 3604 3632 frrfxxx.exe 89 PID 3604 wrote to memory of 1108 3604 ntnbbh.exe 90 PID 3604 wrote to memory of 1108 3604 ntnbbh.exe 90 PID 3604 wrote to memory of 1108 3604 ntnbbh.exe 90 PID 1108 wrote to memory of 2312 1108 lrfflrr.exe 91 PID 1108 wrote to memory of 2312 1108 lrfflrr.exe 91 PID 1108 wrote to memory of 2312 1108 lrfflrr.exe 91 PID 2312 wrote to memory of 1360 2312 ppvpd.exe 92 PID 2312 wrote to memory of 1360 2312 ppvpd.exe 92 PID 2312 wrote to memory of 1360 2312 ppvpd.exe 92 PID 1360 wrote to memory of 3036 1360 bnhhbh.exe 93 PID 1360 wrote to memory of 3036 1360 bnhhbh.exe 93 PID 1360 wrote to memory of 3036 1360 bnhhbh.exe 93 PID 3036 wrote to memory of 5088 3036 xrxxrxx.exe 94 PID 3036 wrote to memory of 
5088 3036 xrxxrxx.exe 94 PID 3036 wrote to memory of 5088 3036 xrxxrxx.exe 94 PID 5088 wrote to memory of 2700 5088 tbbthh.exe 95 PID 5088 wrote to memory of 2700 5088 tbbthh.exe 95 PID 5088 wrote to memory of 2700 5088 tbbthh.exe 95 PID 2700 wrote to memory of 3444 2700 jvddd.exe 96 PID 2700 wrote to memory of 3444 2700 jvddd.exe 96 PID 2700 wrote to memory of 3444 2700 jvddd.exe 96 PID 3444 wrote to memory of 3896 3444 ntbhhn.exe 97 PID 3444 wrote to memory of 3896 3444 ntbhhn.exe 97 PID 3444 wrote to memory of 3896 3444 ntbhhn.exe 97 PID 3896 wrote to memory of 2284 3896 7ffllrx.exe 98 PID 3896 wrote to memory of 2284 3896 7ffllrx.exe 98 PID 3896 wrote to memory of 2284 3896 7ffllrx.exe 98 PID 2284 wrote to memory of 2912 2284 ddddd.exe 99 PID 2284 wrote to memory of 2912 2284 ddddd.exe 99 PID 2284 wrote to memory of 2912 2284 ddddd.exe 99 PID 2912 wrote to memory of 1452 2912 nbhnnn.exe 100 PID 2912 wrote to memory of 1452 2912 nbhnnn.exe 100 PID 2912 wrote to memory of 1452 2912 nbhnnn.exe 100 PID 1452 wrote to memory of 4500 1452 ddvvj.exe 101 PID 1452 wrote to memory of 4500 1452 ddvvj.exe 101 PID 1452 wrote to memory of 4500 1452 ddvvj.exe 101 PID 4500 wrote to memory of 4768 4500 rrfxxrl.exe 102 PID 4500 wrote to memory of 4768 4500 rrfxxrl.exe 102 PID 4500 wrote to memory of 4768 4500 rrfxxrl.exe 102 PID 4768 wrote to memory of 4772 4768 pppvp.exe 103 PID 4768 wrote to memory of 4772 4768 pppvp.exe 103 PID 4768 wrote to memory of 4772 4768 pppvp.exe 103 PID 4772 wrote to memory of 1944 4772 frfxffl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe"C:\Users\Admin\AppData\Local\Temp\55560003645bd14047ef325761c02e34b4ecbcc5a6a8ab4cbe6fc7fd1bbe59c5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\1hnnhn.exec:\1hnnhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\vjvvv.exec:\vjvvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\7pvvp.exec:\7pvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\vdvvp.exec:\vdvvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\3jpjj.exec:\3jpjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\frrfxxx.exec:\frrfxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\ntnbbh.exec:\ntnbbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\lrfflrr.exec:\lrfflrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\ppvpd.exec:\ppvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\bnhhbh.exec:\bnhhbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\xrxxrxx.exec:\xrxxrxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\tbbthh.exec:\tbbthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\jvddd.exec:\jvddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\ntbhhn.exec:\ntbhhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\7ffllrx.exec:\7ffllrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\ddddd.exec:\ddddd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\nbhnnn.exec:\nbhnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\ddvvj.exec:\ddvvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\rrfxxrl.exec:\rrfxxrl.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\pppvp.exec:\pppvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\frfxffl.exec:\frfxffl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\dvjpd.exec:\dvjpd.exe23⤵
- Executes dropped EXE
PID:1944 -
\??\c:\jjvvj.exec:\jjvvj.exe24⤵
- Executes dropped EXE
PID:4488 -
\??\c:\btbtbb.exec:\btbtbb.exe25⤵
- Executes dropped EXE
PID:2396 -
\??\c:\ffffxfx.exec:\ffffxfx.exe26⤵
- Executes dropped EXE
PID:1048 -
\??\c:\jjvvj.exec:\jjvvj.exe27⤵
- Executes dropped EXE
PID:3016 -
\??\c:\dddvv.exec:\dddvv.exe28⤵
- Executes dropped EXE
PID:5068 -
\??\c:\pdppp.exec:\pdppp.exe29⤵
- Executes dropped EXE
PID:3484 -
\??\c:\ddddd.exec:\ddddd.exe30⤵
- Executes dropped EXE
PID:4240 -
\??\c:\7ntttb.exec:\7ntttb.exe31⤵
- Executes dropped EXE
PID:320 -
\??\c:\pvdvv.exec:\pvdvv.exe32⤵
- Executes dropped EXE
PID:2936 -
\??\c:\nhhhbb.exec:\nhhhbb.exe33⤵
- Executes dropped EXE
PID:2136 -
\??\c:\dddvp.exec:\dddvp.exe34⤵
- Executes dropped EXE
PID:5064 -
\??\c:\llfxllf.exec:\llfxllf.exe35⤵
- Executes dropped EXE
PID:1608 -
\??\c:\ntttbh.exec:\ntttbh.exe36⤵
- Executes dropped EXE
PID:4040 -
\??\c:\1pppv.exec:\1pppv.exe37⤵
- Executes dropped EXE
PID:2960 -
\??\c:\rxllfff.exec:\rxllfff.exe38⤵
- Executes dropped EXE
PID:1588 -
\??\c:\3nnhht.exec:\3nnhht.exe39⤵
- Executes dropped EXE
PID:1772 -
\??\c:\jvdpj.exec:\jvdpj.exe40⤵
- Executes dropped EXE
PID:4560 -
\??\c:\lxfrffr.exec:\lxfrffr.exe41⤵
- Executes dropped EXE
PID:4468 -
\??\c:\9ttnbt.exec:\9ttnbt.exe42⤵
- Executes dropped EXE
PID:540 -
\??\c:\3bhbhh.exec:\3bhbhh.exe43⤵
- Executes dropped EXE
PID:1748 -
\??\c:\jdppp.exec:\jdppp.exe44⤵
- Executes dropped EXE
PID:3944 -
\??\c:\lrxlxxx.exec:\lrxlxxx.exe45⤵
- Executes dropped EXE
PID:1676 -
\??\c:\hnhhnn.exec:\hnhhnn.exe46⤵
- Executes dropped EXE
PID:3700 -
\??\c:\1vpjd.exec:\1vpjd.exe47⤵
- Executes dropped EXE
PID:4480 -
\??\c:\jdjdv.exec:\jdjdv.exe48⤵
- Executes dropped EXE
PID:4632 -
\??\c:\rffrffr.exec:\rffrffr.exe49⤵
- Executes dropped EXE
PID:776 -
\??\c:\bnnbtn.exec:\bnnbtn.exe50⤵
- Executes dropped EXE
PID:888 -
\??\c:\jvjdd.exec:\jvjdd.exe51⤵
- Executes dropped EXE
PID:4404 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe52⤵
- Executes dropped EXE
PID:4916 -
\??\c:\nhhhbb.exec:\nhhhbb.exe53⤵
- Executes dropped EXE
PID:3848 -
\??\c:\vpjjj.exec:\vpjjj.exe54⤵
- Executes dropped EXE
PID:3640 -
\??\c:\dpvpj.exec:\dpvpj.exe55⤵
- Executes dropped EXE
PID:3960 -
\??\c:\lxffrxr.exec:\lxffrxr.exe56⤵
- Executes dropped EXE
PID:4600 -
\??\c:\nhnnhh.exec:\nhnnhh.exe57⤵
- Executes dropped EXE
PID:4116 -
\??\c:\vdvvp.exec:\vdvvp.exe58⤵
- Executes dropped EXE
PID:3048 -
\??\c:\ppjvd.exec:\ppjvd.exe59⤵
- Executes dropped EXE
PID:1756 -
\??\c:\llrrrxx.exec:\llrrrxx.exe60⤵
- Executes dropped EXE
PID:3668 -
\??\c:\nthbbb.exec:\nthbbb.exe61⤵
- Executes dropped EXE
PID:4528 -
\??\c:\nhnhht.exec:\nhnhht.exe62⤵
- Executes dropped EXE
PID:4812 -
\??\c:\pdpjd.exec:\pdpjd.exe63⤵
- Executes dropped EXE
PID:4408 -
\??\c:\xflfxrl.exec:\xflfxrl.exe64⤵
- Executes dropped EXE
PID:1088 -
\??\c:\nnnbtn.exec:\nnnbtn.exe65⤵
- Executes dropped EXE
PID:1792 -
\??\c:\vvvvj.exec:\vvvvj.exe66⤵PID:1184
-
\??\c:\rlxrrrr.exec:\rlxrrrr.exe67⤵PID:1640
-
\??\c:\nbnnnn.exec:\nbnnnn.exe68⤵PID:1360
-
\??\c:\dpvpj.exec:\dpvpj.exe69⤵PID:2584
-
\??\c:\xxfxrlf.exec:\xxfxrlf.exe70⤵PID:428
-
\??\c:\7hnntt.exec:\7hnntt.exe71⤵PID:208
-
\??\c:\thttnn.exec:\thttnn.exe72⤵PID:4700
-
\??\c:\pdpjj.exec:\pdpjj.exe73⤵PID:4720
-
\??\c:\lxffxxr.exec:\lxffxxr.exe74⤵PID:3664
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe75⤵PID:2864
-
\??\c:\nnbthn.exec:\nnbthn.exe76⤵PID:1196
-
\??\c:\jdjdd.exec:\jdjdd.exe77⤵PID:4652
-
\??\c:\9xxrrxr.exec:\9xxrrxr.exe78⤵PID:3516
-
\??\c:\rrllrxx.exec:\rrllrxx.exe79⤵PID:556
-
\??\c:\nhhbnn.exec:\nhhbnn.exe80⤵PID:4088
-
\??\c:\1vjvj.exec:\1vjvj.exe81⤵PID:1416
-
\??\c:\lrxxllf.exec:\lrxxllf.exe82⤵PID:832
-
\??\c:\nbbtht.exec:\nbbtht.exe83⤵PID:2680
-
\??\c:\5dddv.exec:\5dddv.exe84⤵PID:4472
-
\??\c:\fxlfllr.exec:\fxlfllr.exe85⤵PID:3956
-
\??\c:\nbbtnn.exec:\nbbtnn.exe86⤵PID:2640
-
\??\c:\vvppj.exec:\vvppj.exe87⤵PID:2396
-
\??\c:\vdjdd.exec:\vdjdd.exe88⤵PID:2288
-
\??\c:\xfxxlrf.exec:\xfxxlrf.exe89⤵PID:2924
-
\??\c:\3bnhbt.exec:\3bnhbt.exe90⤵PID:1324
-
\??\c:\pjvpp.exec:\pjvpp.exe91⤵PID:1092
-
\??\c:\pdppj.exec:\pdppj.exe92⤵PID:4184
-
\??\c:\lfrllff.exec:\lfrllff.exe93⤵PID:4392
-
\??\c:\hnnttb.exec:\hnnttb.exe94⤵PID:320
-
\??\c:\jvvpv.exec:\jvvpv.exe95⤵PID:4360
-
\??\c:\llxrxfx.exec:\llxrxfx.exe96⤵PID:2936
-
\??\c:\xrxrlrl.exec:\xrxrlrl.exe97⤵PID:2136
-
\??\c:\tttttt.exec:\tttttt.exe98⤵PID:2316
-
\??\c:\vdddd.exec:\vdddd.exe99⤵PID:2264
-
\??\c:\jjvvv.exec:\jjvvv.exe100⤵PID:1968
-
\??\c:\lfrrrrx.exec:\lfrrrrx.exe101⤵PID:2960
-
\??\c:\bhnnhb.exec:\bhnnhb.exe102⤵PID:2628
-
\??\c:\pvjjv.exec:\pvjjv.exe103⤵PID:3992
-
\??\c:\lllllxf.exec:\lllllxf.exe104⤵PID:2876
-
\??\c:\nhttnn.exec:\nhttnn.exe105⤵PID:4820
-
\??\c:\ppjjv.exec:\ppjjv.exe106⤵PID:1424
-
\??\c:\jdjjj.exec:\jdjjj.exe107⤵PID:228
-
\??\c:\1xxrffx.exec:\1xxrffx.exe108⤵PID:3944
-
\??\c:\hbnhbn.exec:\hbnhbn.exe109⤵PID:3428
-
\??\c:\ttttnn.exec:\ttttnn.exe110⤵PID:3964
-
\??\c:\vvvjv.exec:\vvvjv.exe111⤵PID:4984
-
\??\c:\lfrxrxx.exec:\lfrxrxx.exe112⤵PID:2060
-
\??\c:\9hhbnn.exec:\9hhbnn.exe113⤵PID:3576
-
\??\c:\3jdjj.exec:\3jdjj.exe114⤵PID:4448
-
\??\c:\xllrlfr.exec:\xllrlfr.exe115⤵PID:4608
-
\??\c:\thhtnn.exec:\thhtnn.exe116⤵PID:3476
-
\??\c:\vjjdp.exec:\vjjdp.exe117⤵PID:5052
-
\??\c:\5xfxrrx.exec:\5xfxrrx.exe118⤵PID:4868
-
\??\c:\nhbbtn.exec:\nhbbtn.exe119⤵PID:4848
-
\??\c:\9vjdp.exec:\9vjdp.exe120⤵PID:2988
-
\??\c:\jjddj.exec:\jjddj.exe121⤵PID:4852
-
\??\c:\lrfflll.exec:\lrfflll.exe122⤵PID:5008