Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08/01/2025, 04:54
Behavioral task
behavioral1
Sample
955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe
Resource
win7-20241023-en
7 signatures
150 seconds
Note: this task selector describes the Windows 7 run (behavioral1). The header above (platform windows10-2004_x64, resource win10v2004-20241007-en) and every IoC path in the signature listings below (behavioral2/memory/…, behavioral2/files/…) come from the Windows 10 run (behavioral2); do not conflate the two when quoting PIDs or memory offsets.
General
-
Target
955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe
-
Size
333KB
-
MD5
af5dd4a22905b691573b8336d067e257
-
SHA1
88565884ff2c487405e604ab91092097a8958c33
-
SHA256
955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4
-
SHA512
00b137fdd837274e6de7c294abdb81a4fc6458d649c0043a2235e7dae4cdef715fc3104ba5de027c615af7ca5ee15899e0bf0a3af420afad7c9e246991f6884d
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeq:R4wFHoSHYHUrAwfMp3CDq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (the listing appears capped at 64 entries — the same cap is shown on every signature below — while the process tree runs past stage 120, so 64 is a display limit, not a total). Every hit is on the same 0x00400000–0x00427000 image range of each successive dropped process, and the upx rule listing further down matches the same memory regions plus the dropped .dat files, so this is most likely a single UPX-packed Blackmoon image re-detected in each stage rather than 64 distinct payloads.
resource yara_rule behavioral2/memory/772-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1484-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/448-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/648-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1160-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4944-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/636-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2208-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3544-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1596-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1368-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1696-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4980-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2012-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4972-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3316-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2720-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3240-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1404-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2192-156-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3956-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1964-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1340-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2300-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2508-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2296-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2076-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2824-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4084-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2124-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/984-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3824-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3784-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4012-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3952-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3116-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3044-370-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/648-385-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4100-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4944-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4744-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-415-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2324-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4888-453-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-472-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-493-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2076-502-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3312-565-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1832-622-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2960-635-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-704-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-879-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3076-1105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3620-1114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (listing capped at 64; the process tree below continues past stage 120). Caution: PIDs are recycled within the run — 4456 appears in this very list as both xfxfxff.exe and, later, jdpjd.exe, and 448, 2012, 2696, 3816, 472, 2492 and 1556 are likewise reused in the tree — so correlate the memory-dump IoCs above (e.g. 4456-12 vs 4456-226) by launch order and process name, not by PID alone.
pid Process 4456 xfxfxff.exe 1484 rrxrrrr.exe 448 fffffff.exe 3428 jddvp.exe 648 htbtnb.exe 1160 jjdpp.exe 4944 hhhhbt.exe 2208 rlfxxxr.exe 636 xlrrlll.exe 3544 tnbbbb.exe 4484 thttnb.exe 4872 vppjp.exe 1596 5vppj.exe 3528 jvpvp.exe 1368 xflffll.exe 2552 ntnnhb.exe 3772 jdvvv.exe 1696 rfrllff.exe 4980 1thbhb.exe 2012 jdppp.exe 4972 xlxxrrr.exe 3316 djjjj.exe 2720 xlxxrrr.exe 2420 3vddd.exe 3240 tthbnn.exe 3672 pdpjv.exe 4412 xlxrrrl.exe 1404 nbhhhh.exe 1532 nbnnbb.exe 4176 pdvpj.exe 4276 3xllxxr.exe 2192 ddddd.exe 2100 bhtttt.exe 3956 bttntt.exe 1964 djvpj.exe 1340 rlrrlxx.exe 1168 thttnn.exe 2024 jppjv.exe 2696 lxxrlfr.exe 2692 lxlflfx.exe 2300 1bhhhh.exe 2640 dpjdd.exe 2508 lrlfxrl.exe 4184 frfxxxx.exe 2740 nttnbb.exe 1832 vddvd.exe 3816 djpjj.exe 472 fxxrrfx.exe 2492 hbbthb.exe 3892 vdjdv.exe 1556 pdvpp.exe 2296 ffxxllf.exe 2076 thnhtt.exe 2824 jjddj.exe 4728 xflfxlf.exe 4036 bnhbbb.exe 3928 nbhhhh.exe 4324 pjppp.exe 3392 fxffxrl.exe 1656 ttbbtt.exe 4456 jdpjd.exe 3348 pjdvp.exe 4084 lflfxrl.exe 4936 hbhbth.exe -
resource yara_rule behavioral2/memory/772-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x00090000000228f4-3.dat upx behavioral2/memory/4456-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/772-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b2c-10.dat upx behavioral2/memory/4456-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1484-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b37-13.dat upx behavioral2/files/0x000a000000023b39-19.dat upx behavioral2/memory/448-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b3a-24.dat upx behavioral2/files/0x000a000000023b3b-28.dat upx behavioral2/memory/648-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b3c-33.dat upx behavioral2/memory/1160-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b3d-38.dat upx behavioral2/memory/4944-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/636-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b3e-45.dat upx behavioral2/files/0x000a000000023b3f-50.dat upx behavioral2/memory/2208-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b40-53.dat upx behavioral2/memory/3544-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4484-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b42-59.dat upx behavioral2/memory/4872-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b43-64.dat upx behavioral2/files/0x000c000000023b2d-68.dat upx behavioral2/memory/1596-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b44-74.dat upx 
behavioral2/memory/3528-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b45-78.dat upx behavioral2/memory/2552-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1368-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b46-84.dat upx behavioral2/files/0x000a000000023b47-88.dat upx behavioral2/memory/1696-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b48-93.dat upx behavioral2/files/0x000a000000023b49-97.dat upx behavioral2/memory/4980-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b4a-102.dat upx behavioral2/memory/2012-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4972-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b4b-108.dat upx behavioral2/files/0x000a000000023b4a-112.dat upx behavioral2/memory/3316-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b4c-117.dat upx behavioral2/memory/2720-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b4d-122.dat upx behavioral2/files/0x000a000000023b4e-126.dat upx behavioral2/memory/3240-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b4f-132.dat upx behavioral2/files/0x000a000000023b51-135.dat upx behavioral2/files/0x000a000000023b52-139.dat upx behavioral2/memory/1404-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b53-144.dat upx behavioral2/files/0x000a000000023b54-148.dat upx behavioral2/files/0x000a000000023b55-152.dat upx behavioral2/memory/2192-156-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3956-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1964-164-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1340-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2692-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2300-179-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. The only evidence here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, which is a low-fidelity indicator on its own: many legitimate programs and runtime libraries read this key at start-up. Most entries are attributed to "Process not Found", which presumably means the sandbox could no longer resolve the originating process when the event was recorded (plausible given the short-lived stages in the tree); only the named stages (jvjdv.exe, lrlfxrl.exe, tnnbtn.exe, vvppj.exe, btnnnn.exe, fflffff.exe, nbnbtt.exe, lrfxxll.exe, 3vjvj.exe, 5nnbnn.exe, tntttt.exe, dpdvv.exe) can be tied to a specific process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbtt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (listing capped at 64). Caveat: every entry is a parent writing into the child it has just spawned, exactly three times per pair, following the same linear chain as the process tree (772 → 4456 → 1484 → 448 → …). That pattern is consistent with ordinary process start-up rather than code injection; no write targets a pre-existing or system process anywhere in this listing. The significant behaviour is the self-replicating drop-and-execute chain, not cross-process injection.
description pid Process procid_target PID 772 wrote to memory of 4456 772 955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe 81 PID 772 wrote to memory of 4456 772 955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe 81 PID 772 wrote to memory of 4456 772 955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe 81 PID 4456 wrote to memory of 1484 4456 xfxfxff.exe 82 PID 4456 wrote to memory of 1484 4456 xfxfxff.exe 82 PID 4456 wrote to memory of 1484 4456 xfxfxff.exe 82 PID 1484 wrote to memory of 448 1484 rrxrrrr.exe 83 PID 1484 wrote to memory of 448 1484 rrxrrrr.exe 83 PID 1484 wrote to memory of 448 1484 rrxrrrr.exe 83 PID 448 wrote to memory of 3428 448 fffffff.exe 84 PID 448 wrote to memory of 3428 448 fffffff.exe 84 PID 448 wrote to memory of 3428 448 fffffff.exe 84 PID 3428 wrote to memory of 648 3428 jddvp.exe 85 PID 3428 wrote to memory of 648 3428 jddvp.exe 85 PID 3428 wrote to memory of 648 3428 jddvp.exe 85 PID 648 wrote to memory of 1160 648 htbtnb.exe 86 PID 648 wrote to memory of 1160 648 htbtnb.exe 86 PID 648 wrote to memory of 1160 648 htbtnb.exe 86 PID 1160 wrote to memory of 4944 1160 jjdpp.exe 87 PID 1160 wrote to memory of 4944 1160 jjdpp.exe 87 PID 1160 wrote to memory of 4944 1160 jjdpp.exe 87 PID 4944 wrote to memory of 2208 4944 hhhhbt.exe 88 PID 4944 wrote to memory of 2208 4944 hhhhbt.exe 88 PID 4944 wrote to memory of 2208 4944 hhhhbt.exe 88 PID 2208 wrote to memory of 636 2208 rlfxxxr.exe 89 PID 2208 wrote to memory of 636 2208 rlfxxxr.exe 89 PID 2208 wrote to memory of 636 2208 rlfxxxr.exe 89 PID 636 wrote to memory of 3544 636 xlrrlll.exe 90 PID 636 wrote to memory of 3544 636 xlrrlll.exe 90 PID 636 wrote to memory of 3544 636 xlrrlll.exe 90 PID 3544 wrote to memory of 4484 3544 tnbbbb.exe 91 PID 3544 wrote to memory of 4484 3544 tnbbbb.exe 91 PID 3544 wrote to memory of 4484 3544 tnbbbb.exe 91 PID 4484 wrote to memory of 4872 4484 thttnb.exe 92 PID 4484 wrote to memory of 4872 4484 
thttnb.exe 92 PID 4484 wrote to memory of 4872 4484 thttnb.exe 92 PID 4872 wrote to memory of 1596 4872 vppjp.exe 93 PID 4872 wrote to memory of 1596 4872 vppjp.exe 93 PID 4872 wrote to memory of 1596 4872 vppjp.exe 93 PID 1596 wrote to memory of 3528 1596 5vppj.exe 94 PID 1596 wrote to memory of 3528 1596 5vppj.exe 94 PID 1596 wrote to memory of 3528 1596 5vppj.exe 94 PID 3528 wrote to memory of 1368 3528 jvpvp.exe 95 PID 3528 wrote to memory of 1368 3528 jvpvp.exe 95 PID 3528 wrote to memory of 1368 3528 jvpvp.exe 95 PID 1368 wrote to memory of 2552 1368 xflffll.exe 96 PID 1368 wrote to memory of 2552 1368 xflffll.exe 96 PID 1368 wrote to memory of 2552 1368 xflffll.exe 96 PID 2552 wrote to memory of 3772 2552 ntnnhb.exe 97 PID 2552 wrote to memory of 3772 2552 ntnnhb.exe 97 PID 2552 wrote to memory of 3772 2552 ntnnhb.exe 97 PID 3772 wrote to memory of 1696 3772 jdvvv.exe 98 PID 3772 wrote to memory of 1696 3772 jdvvv.exe 98 PID 3772 wrote to memory of 1696 3772 jdvvv.exe 98 PID 1696 wrote to memory of 4980 1696 rfrllff.exe 99 PID 1696 wrote to memory of 4980 1696 rfrllff.exe 99 PID 1696 wrote to memory of 4980 1696 rfrllff.exe 99 PID 4980 wrote to memory of 2012 4980 1thbhb.exe 100 PID 4980 wrote to memory of 2012 4980 1thbhb.exe 100 PID 4980 wrote to memory of 2012 4980 1thbhb.exe 100 PID 2012 wrote to memory of 4972 2012 jdppp.exe 101 PID 2012 wrote to memory of 4972 2012 jdppp.exe 101 PID 2012 wrote to memory of 4972 2012 jdppp.exe 101 PID 4972 wrote to memory of 3316 4972 xlxxrrr.exe 102
Processes (tree view: every stage after the initial sample is dropped to the root of C:\ as \??\c:\<name>.exe, with a short name built from a small set of letters and an occasional leading digit, and is launched as the sole child of the preceding stage; executable creation in the drive root immediately followed by execution of that file is a practical detection pivot for this chain)
-
C:\Users\Admin\AppData\Local\Temp\955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe"C:\Users\Admin\AppData\Local\Temp\955db8cc80e6ec138d577681a36045631db86c7a2d751b2110c4113c8c4929b4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\xfxfxff.exec:\xfxfxff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\rrxrrrr.exec:\rrxrrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\fffffff.exec:\fffffff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\jddvp.exec:\jddvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\htbtnb.exec:\htbtnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\jjdpp.exec:\jjdpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\hhhhbt.exec:\hhhhbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\rlfxxxr.exec:\rlfxxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\xlrrlll.exec:\xlrrlll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\tnbbbb.exec:\tnbbbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\thttnb.exec:\thttnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\vppjp.exec:\vppjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\5vppj.exec:\5vppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\jvpvp.exec:\jvpvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\xflffll.exec:\xflffll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\ntnnhb.exec:\ntnnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\jdvvv.exec:\jdvvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\rfrllff.exec:\rfrllff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\1thbhb.exec:\1thbhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\jdppp.exec:\jdppp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\xlxxrrr.exec:\xlxxrrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\djjjj.exec:\djjjj.exe23⤵
- Executes dropped EXE
PID:3316 -
\??\c:\xlxxrrr.exec:\xlxxrrr.exe24⤵
- Executes dropped EXE
PID:2720 -
\??\c:\3vddd.exec:\3vddd.exe25⤵
- Executes dropped EXE
PID:2420 -
\??\c:\tthbnn.exec:\tthbnn.exe26⤵
- Executes dropped EXE
PID:3240 -
\??\c:\pdpjv.exec:\pdpjv.exe27⤵
- Executes dropped EXE
PID:3672 -
\??\c:\xlxrrrl.exec:\xlxrrrl.exe28⤵
- Executes dropped EXE
PID:4412 -
\??\c:\nbhhhh.exec:\nbhhhh.exe29⤵
- Executes dropped EXE
PID:1404 -
\??\c:\nbnnbb.exec:\nbnnbb.exe30⤵
- Executes dropped EXE
PID:1532 -
\??\c:\pdvpj.exec:\pdvpj.exe31⤵
- Executes dropped EXE
PID:4176 -
\??\c:\3xllxxr.exec:\3xllxxr.exe32⤵
- Executes dropped EXE
PID:4276 -
\??\c:\ddddd.exec:\ddddd.exe33⤵
- Executes dropped EXE
PID:2192 -
\??\c:\bhtttt.exec:\bhtttt.exe34⤵
- Executes dropped EXE
PID:2100 -
\??\c:\bttntt.exec:\bttntt.exe35⤵
- Executes dropped EXE
PID:3956 -
\??\c:\djvpj.exec:\djvpj.exe36⤵
- Executes dropped EXE
PID:1964 -
\??\c:\rlrrlxx.exec:\rlrrlxx.exe37⤵
- Executes dropped EXE
PID:1340 -
\??\c:\thttnn.exec:\thttnn.exe38⤵
- Executes dropped EXE
PID:1168 -
\??\c:\jppjv.exec:\jppjv.exe39⤵
- Executes dropped EXE
PID:2024 -
\??\c:\lxxrlfr.exec:\lxxrlfr.exe40⤵
- Executes dropped EXE
PID:2696 -
\??\c:\lxlflfx.exec:\lxlflfx.exe41⤵
- Executes dropped EXE
PID:2692 -
\??\c:\1bhhhh.exec:\1bhhhh.exe42⤵
- Executes dropped EXE
PID:2300 -
\??\c:\dpjdd.exec:\dpjdd.exe43⤵
- Executes dropped EXE
PID:2640 -
\??\c:\lrlfxrl.exec:\lrlfxrl.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2508 -
\??\c:\frfxxxx.exec:\frfxxxx.exe45⤵
- Executes dropped EXE
PID:4184 -
\??\c:\nttnbb.exec:\nttnbb.exe46⤵
- Executes dropped EXE
PID:2740 -
\??\c:\vddvd.exec:\vddvd.exe47⤵
- Executes dropped EXE
PID:1832 -
\??\c:\djpjj.exec:\djpjj.exe48⤵
- Executes dropped EXE
PID:3816 -
\??\c:\fxxrrfx.exec:\fxxrrfx.exe49⤵
- Executes dropped EXE
PID:472 -
\??\c:\hbbthb.exec:\hbbthb.exe50⤵
- Executes dropped EXE
PID:2492 -
\??\c:\vdjdv.exec:\vdjdv.exe51⤵
- Executes dropped EXE
PID:3892 -
\??\c:\pdvpp.exec:\pdvpp.exe52⤵
- Executes dropped EXE
PID:1556 -
\??\c:\ffxxllf.exec:\ffxxllf.exe53⤵
- Executes dropped EXE
PID:2296 -
\??\c:\thnhtt.exec:\thnhtt.exe54⤵
- Executes dropped EXE
PID:2076 -
\??\c:\jjddj.exec:\jjddj.exe55⤵
- Executes dropped EXE
PID:2824 -
\??\c:\xflfxlf.exec:\xflfxlf.exe56⤵
- Executes dropped EXE
PID:4728 -
\??\c:\bnhbbb.exec:\bnhbbb.exe57⤵
- Executes dropped EXE
PID:4036 -
\??\c:\nbhhhh.exec:\nbhhhh.exe58⤵
- Executes dropped EXE
PID:3928 -
\??\c:\pjppp.exec:\pjppp.exe59⤵
- Executes dropped EXE
PID:4324 -
\??\c:\fxffxrl.exec:\fxffxrl.exe60⤵
- Executes dropped EXE
PID:3392 -
\??\c:\ttbbtt.exec:\ttbbtt.exe61⤵
- Executes dropped EXE
PID:1656 -
\??\c:\jdpjd.exec:\jdpjd.exe62⤵
- Executes dropped EXE
PID:4456 -
\??\c:\pjdvp.exec:\pjdvp.exe63⤵
- Executes dropped EXE
PID:3348 -
\??\c:\lflfxrl.exec:\lflfxrl.exe64⤵
- Executes dropped EXE
PID:4084 -
\??\c:\hbhbth.exec:\hbhbth.exe65⤵
- Executes dropped EXE
PID:4936 -
\??\c:\pvpjj.exec:\pvpjj.exe66⤵PID:448
-
\??\c:\xxflxrl.exec:\xxflxrl.exe67⤵PID:3288
-
\??\c:\xlxllfl.exec:\xlxllfl.exe68⤵PID:632
-
\??\c:\hhtnhh.exec:\hhtnhh.exe69⤵PID:2972
-
\??\c:\jvpjj.exec:\jvpjj.exe70⤵PID:3972
-
\??\c:\9nnbtt.exec:\9nnbtt.exe71⤵PID:3324
-
\??\c:\tnhhbn.exec:\tnhhbn.exe72⤵PID:4520
-
\??\c:\vjjjd.exec:\vjjjd.exe73⤵PID:2124
-
\??\c:\fxxlfrl.exec:\fxxlfrl.exe74⤵PID:872
-
\??\c:\bhbbbn.exec:\bhbbbn.exe75⤵PID:3460
-
\??\c:\djdjd.exec:\djdjd.exe76⤵PID:4828
-
\??\c:\rlrfxxx.exec:\rlrfxxx.exe77⤵PID:736
-
\??\c:\7tnhbt.exec:\7tnhbt.exe78⤵PID:984
-
\??\c:\9htnhb.exec:\9htnhb.exe79⤵PID:1728
-
\??\c:\3vjvj.exec:\3vjvj.exe80⤵
- System Location Discovery: System Language Discovery
PID:3824 -
\??\c:\1fxxrrf.exec:\1fxxrrf.exe81⤵PID:3784
-
\??\c:\ttbbnn.exec:\ttbbnn.exe82⤵PID:4012
-
\??\c:\jjjdv.exec:\jjjdv.exe83⤵PID:1440
-
\??\c:\rrlxxfx.exec:\rrlxxfx.exe84⤵PID:2260
-
\??\c:\nnttnn.exec:\nnttnn.exe85⤵PID:1284
-
\??\c:\pjjdp.exec:\pjjdp.exe86⤵PID:4960
-
\??\c:\1ppjd.exec:\1ppjd.exe87⤵PID:4568
-
\??\c:\xlrffxr.exec:\xlrffxr.exe88⤵PID:2384
-
\??\c:\btnnht.exec:\btnnht.exe89⤵PID:4200
-
\??\c:\bhbtnh.exec:\bhbtnh.exe90⤵PID:3980
-
\??\c:\vvppd.exec:\vvppd.exe91⤵PID:2012
-
\??\c:\flxrrff.exec:\flxrrff.exe92⤵PID:220
-
\??\c:\1tbbbb.exec:\1tbbbb.exe93⤵PID:5044
-
\??\c:\tbhtnh.exec:\tbhtnh.exe94⤵PID:712
-
\??\c:\jdvvv.exec:\jdvvv.exe95⤵PID:4968
-
\??\c:\vvdvp.exec:\vvdvp.exe96⤵PID:4900
-
\??\c:\lfrffxx.exec:\lfrffxx.exe97⤵PID:3952
-
\??\c:\hthhbb.exec:\hthhbb.exe98⤵PID:2612
-
\??\c:\dpvvp.exec:\dpvvp.exe99⤵PID:4844
-
\??\c:\xrxrrrx.exec:\xrxrrrx.exe100⤵PID:3916
-
\??\c:\7lrlrxr.exec:\7lrlrxr.exe101⤵PID:384
-
\??\c:\nbbttt.exec:\nbbttt.exe102⤵PID:3116
-
\??\c:\ppvpj.exec:\ppvpj.exe103⤵PID:1872
-
\??\c:\jvpdv.exec:\jvpdv.exe104⤵PID:2816
-
\??\c:\fxffrrx.exec:\fxffrrx.exe105⤵PID:4996
-
\??\c:\tnbbhb.exec:\tnbbhb.exe106⤵PID:1840
-
\??\c:\thbnhb.exec:\thbnhb.exe107⤵PID:4116
-
\??\c:\ddvvv.exec:\ddvvv.exe108⤵PID:3940
-
\??\c:\lfrlrrx.exec:\lfrlrrx.exe109⤵PID:2724
-
\??\c:\rfrlfxr.exec:\rfrlfxr.exe110⤵PID:2948
-
\??\c:\hbhbtt.exec:\hbhbtt.exe111⤵PID:2696
-
\??\c:\pvdjd.exec:\pvdjd.exe112⤵PID:4596
-
\??\c:\jpvvj.exec:\jpvvj.exe113⤵PID:5056
-
\??\c:\5lrlxxl.exec:\5lrlxxl.exe114⤵PID:3984
-
\??\c:\bbtnbb.exec:\bbtnbb.exe115⤵PID:3936
-
\??\c:\dddvj.exec:\dddvj.exe116⤵PID:4756
-
\??\c:\llxfxfr.exec:\llxfxfr.exe117⤵PID:3816
-
\??\c:\btnbth.exec:\btnbth.exe118⤵PID:472
-
\??\c:\bnbtnh.exec:\bnbtnh.exe119⤵PID:2492
-
\??\c:\jjvpp.exec:\jjvpp.exe120⤵PID:3932
-
\??\c:\rrllffr.exec:\rrllffr.exe121⤵PID:1556
-
\??\c:\9bhbtt.exec:\9bhbtt.exe122⤵PID:1116