Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe
-
Size
455KB
-
MD5
15ae798e35de13c52aad0ab11b43da22
-
SHA1
920bb05c5addc00cc155fd657a31e77768f39eb4
-
SHA256
996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea
-
SHA512
882f0cd0bf571a57af13543d1813b9a84dcd36f46f02c83f533888a394d70519f01eeff0c7006efafd3dc0bb2e6d6a5610ab6ff66c97ab8f351e6b50ed74aeb3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet:q7Tc2NYHUrAwfMp3CDt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3460-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/840-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5096-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-817-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-1018-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-1146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1816-1660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2780 rrfxrxr.exe 4456 vjpjj.exe 4236 tbtttt.exe 1672 nnbnhn.exe 2736 fffxrlf.exe 3168 7frrxxx.exe 5064 frrlfxr.exe 1496 lxxxxxx.exe 1472 tthhnt.exe 4992 vvvpj.exe 1812 9djjd.exe 5000 lxfxxxl.exe 964 nhnbtt.exe 4056 vpjdd.exe 2120 rllllrl.exe 3720 vpvvp.exe 1456 hbbbtt.exe 644 htbttt.exe 1728 lllffxx.exe 1232 hbbtbb.exe 3108 fxlfllx.exe 4980 hnhtbn.exe 840 xflffff.exe 2496 nbhhhn.exe 4800 dpjjp.exe 2540 hnnthb.exe 4904 dppdv.exe 4256 rflfxfx.exe 2300 jjjjj.exe 4568 rllfffr.exe 4972 bbnhnn.exe 1744 rlfxrlf.exe 2952 7nbtnn.exe 4608 ppppp.exe 4824 1llfxfl.exe 3440 bbthtb.exe 3376 dvvjj.exe 1448 pdjjd.exe 2688 rxxxxll.exe 1656 3nhthh.exe 2116 vvpvv.exe 1384 7llfxxx.exe 936 xxlfrfx.exe 3588 1ntttt.exe 952 dvpjj.exe 4932 nnnhbb.exe 5108 pvpjj.exe 2984 frlffff.exe 4908 1bhbtt.exe 4212 3ddjd.exe 4240 3xrfxlf.exe 4392 lrxrrfx.exe 2880 bnttnt.exe 4416 jdvvp.exe 1648 7llfxxl.exe 732 xrrllff.exe 1056 ttbnth.exe 4296 xlxrrlf.exe 3944 lxffxfx.exe 1724 bbnnhb.exe 5064 pjpjd.exe 3904 llrllff.exe 836 ttnhbt.exe 2776 pdjdv.exe -
resource yara_rule behavioral2/memory/3460-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/840-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-353-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3368-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-817-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3460 wrote to memory of 2780 3460 996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe 82 PID 3460 wrote to memory of 2780 3460 996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe 82 PID 3460 wrote to memory of 2780 3460 996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe 82 PID 2780 wrote to memory of 4456 2780 rrfxrxr.exe 83 PID 2780 wrote to memory of 4456 2780 rrfxrxr.exe 83 PID 2780 wrote to memory of 4456 2780 rrfxrxr.exe 83 PID 4456 wrote to memory of 4236 4456 vjpjj.exe 84 PID 4456 wrote to memory of 4236 4456 vjpjj.exe 84 PID 4456 wrote to memory of 4236 4456 vjpjj.exe 84 PID 4236 wrote to memory of 1672 4236 tbtttt.exe 85 PID 4236 wrote to memory of 1672 4236 tbtttt.exe 85 PID 4236 wrote to memory of 1672 4236 tbtttt.exe 85 PID 1672 wrote to memory of 2736 1672 nnbnhn.exe 86 PID 1672 wrote to memory of 2736 1672 nnbnhn.exe 86 PID 1672 wrote to memory of 2736 1672 nnbnhn.exe 86 PID 2736 wrote to memory of 3168 2736 fffxrlf.exe 87 PID 2736 wrote to memory of 3168 2736 fffxrlf.exe 87 PID 2736 wrote to memory of 3168 2736 fffxrlf.exe 87 PID 3168 wrote to memory of 5064 3168 7frrxxx.exe 88 PID 3168 wrote to memory of 5064 3168 7frrxxx.exe 88 PID 3168 wrote to memory of 5064 3168 7frrxxx.exe 88 PID 5064 wrote to memory of 1496 5064 frrlfxr.exe 89 PID 5064 wrote to memory of 1496 5064 frrlfxr.exe 89 PID 5064 wrote to memory of 1496 5064 frrlfxr.exe 89 PID 1496 wrote to memory of 1472 1496 lxxxxxx.exe 90 PID 1496 wrote to memory of 1472 1496 lxxxxxx.exe 90 PID 1496 wrote to memory of 1472 1496 lxxxxxx.exe 90 PID 1472 wrote to memory of 4992 1472 tthhnt.exe 91 PID 1472 wrote to memory of 4992 1472 tthhnt.exe 91 PID 1472 wrote to memory of 4992 1472 tthhnt.exe 91 PID 4992 wrote to memory of 1812 4992 vvvpj.exe 92 PID 4992 wrote to memory of 1812 4992 vvvpj.exe 92 PID 4992 wrote to memory of 1812 4992 vvvpj.exe 92 PID 1812 wrote to memory of 5000 1812 9djjd.exe 93 PID 1812 
wrote to memory of 5000 1812 9djjd.exe 93 PID 1812 wrote to memory of 5000 1812 9djjd.exe 93 PID 5000 wrote to memory of 964 5000 lxfxxxl.exe 94 PID 5000 wrote to memory of 964 5000 lxfxxxl.exe 94 PID 5000 wrote to memory of 964 5000 lxfxxxl.exe 94 PID 964 wrote to memory of 4056 964 nhnbtt.exe 95 PID 964 wrote to memory of 4056 964 nhnbtt.exe 95 PID 964 wrote to memory of 4056 964 nhnbtt.exe 95 PID 4056 wrote to memory of 2120 4056 vpjdd.exe 96 PID 4056 wrote to memory of 2120 4056 vpjdd.exe 96 PID 4056 wrote to memory of 2120 4056 vpjdd.exe 96 PID 2120 wrote to memory of 3720 2120 rllllrl.exe 97 PID 2120 wrote to memory of 3720 2120 rllllrl.exe 97 PID 2120 wrote to memory of 3720 2120 rllllrl.exe 97 PID 3720 wrote to memory of 1456 3720 vpvvp.exe 98 PID 3720 wrote to memory of 1456 3720 vpvvp.exe 98 PID 3720 wrote to memory of 1456 3720 vpvvp.exe 98 PID 1456 wrote to memory of 644 1456 hbbbtt.exe 99 PID 1456 wrote to memory of 644 1456 hbbbtt.exe 99 PID 1456 wrote to memory of 644 1456 hbbbtt.exe 99 PID 644 wrote to memory of 1728 644 htbttt.exe 100 PID 644 wrote to memory of 1728 644 htbttt.exe 100 PID 644 wrote to memory of 1728 644 htbttt.exe 100 PID 1728 wrote to memory of 1232 1728 lllffxx.exe 101 PID 1728 wrote to memory of 1232 1728 lllffxx.exe 101 PID 1728 wrote to memory of 1232 1728 lllffxx.exe 101 PID 1232 wrote to memory of 3108 1232 hbbtbb.exe 102 PID 1232 wrote to memory of 3108 1232 hbbtbb.exe 102 PID 1232 wrote to memory of 3108 1232 hbbtbb.exe 102 PID 3108 wrote to memory of 4980 3108 fxlfllx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe"C:\Users\Admin\AppData\Local\Temp\996229470ddd761c3e18d0af18c299b8a5dcebd5fdae4e85e9f593bd9c8f88ea.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\rrfxrxr.exec:\rrfxrxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\vjpjj.exec:\vjpjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\tbtttt.exec:\tbtttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\nnbnhn.exec:\nnbnhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\fffxrlf.exec:\fffxrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\7frrxxx.exec:\7frrxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\frrlfxr.exec:\frrlfxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\lxxxxxx.exec:\lxxxxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\tthhnt.exec:\tthhnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\vvvpj.exec:\vvvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\9djjd.exec:\9djjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\lxfxxxl.exec:\lxfxxxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\nhnbtt.exec:\nhnbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\vpjdd.exec:\vpjdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\rllllrl.exec:\rllllrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\vpvvp.exec:\vpvvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\hbbbtt.exec:\hbbbtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\htbttt.exec:\htbttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\lllffxx.exec:\lllffxx.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\hbbtbb.exec:\hbbtbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\fxlfllx.exec:\fxlfllx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\hnhtbn.exec:\hnhtbn.exe23⤵
- Executes dropped EXE
PID:4980 -
\??\c:\xflffff.exec:\xflffff.exe24⤵
- Executes dropped EXE
PID:840 -
\??\c:\nbhhhn.exec:\nbhhhn.exe25⤵
- Executes dropped EXE
PID:2496 -
\??\c:\dpjjp.exec:\dpjjp.exe26⤵
- Executes dropped EXE
PID:4800 -
\??\c:\hnnthb.exec:\hnnthb.exe27⤵
- Executes dropped EXE
PID:2540 -
\??\c:\dppdv.exec:\dppdv.exe28⤵
- Executes dropped EXE
PID:4904 -
\??\c:\rflfxfx.exec:\rflfxfx.exe29⤵
- Executes dropped EXE
PID:4256 -
\??\c:\jjjjj.exec:\jjjjj.exe30⤵
- Executes dropped EXE
PID:2300 -
\??\c:\rllfffr.exec:\rllfffr.exe31⤵
- Executes dropped EXE
PID:4568 -
\??\c:\bbnhnn.exec:\bbnhnn.exe32⤵
- Executes dropped EXE
PID:4972 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe33⤵
- Executes dropped EXE
PID:1744 -
\??\c:\7nbtnn.exec:\7nbtnn.exe34⤵
- Executes dropped EXE
PID:2952 -
\??\c:\ppppp.exec:\ppppp.exe35⤵
- Executes dropped EXE
PID:4608 -
\??\c:\1llfxfl.exec:\1llfxfl.exe36⤵
- Executes dropped EXE
PID:4824 -
\??\c:\bbthtb.exec:\bbthtb.exe37⤵
- Executes dropped EXE
PID:3440 -
\??\c:\dvvjj.exec:\dvvjj.exe38⤵
- Executes dropped EXE
PID:3376 -
\??\c:\pdjjd.exec:\pdjjd.exe39⤵
- Executes dropped EXE
PID:1448 -
\??\c:\rxxxxll.exec:\rxxxxll.exe40⤵
- Executes dropped EXE
PID:2688 -
\??\c:\3nhthh.exec:\3nhthh.exe41⤵
- Executes dropped EXE
PID:1656 -
\??\c:\vvpvv.exec:\vvpvv.exe42⤵
- Executes dropped EXE
PID:2116 -
\??\c:\7llfxxx.exec:\7llfxxx.exe43⤵
- Executes dropped EXE
PID:1384 -
\??\c:\xxlfrfx.exec:\xxlfrfx.exe44⤵
- Executes dropped EXE
PID:936 -
\??\c:\1ntttt.exec:\1ntttt.exe45⤵
- Executes dropped EXE
PID:3588 -
\??\c:\dvpjj.exec:\dvpjj.exe46⤵
- Executes dropped EXE
PID:952 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe47⤵PID:4420
-
\??\c:\nnnhbb.exec:\nnnhbb.exe48⤵
- Executes dropped EXE
PID:4932 -
\??\c:\pvpjj.exec:\pvpjj.exe49⤵
- Executes dropped EXE
PID:5108 -
\??\c:\frlffff.exec:\frlffff.exe50⤵
- Executes dropped EXE
PID:2984 -
\??\c:\1bhbtt.exec:\1bhbtt.exe51⤵
- Executes dropped EXE
PID:4908 -
\??\c:\3ddjd.exec:\3ddjd.exe52⤵
- Executes dropped EXE
PID:4212 -
\??\c:\3xrfxlf.exec:\3xrfxlf.exe53⤵
- Executes dropped EXE
PID:4240 -
\??\c:\lrxrrfx.exec:\lrxrrfx.exe54⤵
- Executes dropped EXE
PID:4392 -
\??\c:\bnttnt.exec:\bnttnt.exe55⤵
- Executes dropped EXE
PID:2880 -
\??\c:\jdvvp.exec:\jdvvp.exe56⤵
- Executes dropped EXE
PID:4416 -
\??\c:\7llfxxl.exec:\7llfxxl.exe57⤵
- Executes dropped EXE
PID:1648 -
\??\c:\xrrllff.exec:\xrrllff.exe58⤵
- Executes dropped EXE
PID:732 -
\??\c:\ttbnth.exec:\ttbnth.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1056 -
\??\c:\xlxrrlf.exec:\xlxrrlf.exe60⤵
- Executes dropped EXE
PID:4296 -
\??\c:\lxffxfx.exec:\lxffxfx.exe61⤵
- Executes dropped EXE
PID:3944 -
\??\c:\bbnnhb.exec:\bbnnhb.exe62⤵
- Executes dropped EXE
PID:1724 -
\??\c:\pjpjd.exec:\pjpjd.exe63⤵
- Executes dropped EXE
PID:5064 -
\??\c:\llrllff.exec:\llrllff.exe64⤵
- Executes dropped EXE
PID:3904 -
\??\c:\ttnhbt.exec:\ttnhbt.exe65⤵
- Executes dropped EXE
PID:836 -
\??\c:\pdjdv.exec:\pdjdv.exe66⤵
- Executes dropped EXE
PID:2776 -
\??\c:\llrfxxx.exec:\llrfxxx.exe67⤵PID:2092
-
\??\c:\9nnbtt.exec:\9nnbtt.exe68⤵PID:2400
-
\??\c:\3vjdv.exec:\3vjdv.exe69⤵PID:2412
-
\??\c:\jdvpj.exec:\jdvpj.exe70⤵PID:4960
-
\??\c:\xlfxrxr.exec:\xlfxrxr.exe71⤵PID:5000
-
\??\c:\ttnhbb.exec:\ttnhbb.exe72⤵PID:3600
-
\??\c:\vpjvp.exec:\vpjvp.exe73⤵PID:5096
-
\??\c:\rrlfrlf.exec:\rrlfrlf.exe74⤵PID:3624
-
\??\c:\tnnhbb.exec:\tnnhbb.exe75⤵PID:2284
-
\??\c:\dpjdd.exec:\dpjdd.exe76⤵PID:1768
-
\??\c:\5lxrrrf.exec:\5lxrrrf.exe77⤵PID:3380
-
\??\c:\3tbbbb.exec:\3tbbbb.exe78⤵PID:760
-
\??\c:\bnnbtn.exec:\bnnbtn.exe79⤵PID:2672
-
\??\c:\dpvvp.exec:\dpvvp.exe80⤵PID:64
-
\??\c:\xxfrxfx.exec:\xxfrxfx.exe81⤵PID:1456
-
\??\c:\thnhtt.exec:\thnhtt.exe82⤵PID:3396
-
\??\c:\5djdj.exec:\5djdj.exe83⤵PID:4636
-
\??\c:\fxlfrrx.exec:\fxlfrrx.exe84⤵PID:3496
-
\??\c:\rfrrxxf.exec:\rfrrxxf.exe85⤵PID:3368
-
\??\c:\7bhtbt.exec:\7bhtbt.exe86⤵PID:1592
-
\??\c:\pjpjv.exec:\pjpjv.exe87⤵PID:3824
-
\??\c:\3xxlfxr.exec:\3xxlfxr.exe88⤵PID:4428
-
\??\c:\htttnn.exec:\htttnn.exe89⤵PID:4088
-
\??\c:\3vppj.exec:\3vppj.exe90⤵PID:3004
-
\??\c:\9jppj.exec:\9jppj.exe91⤵PID:4148
-
\??\c:\lfxrllf.exec:\lfxrllf.exe92⤵PID:5112
-
\??\c:\hbhbbb.exec:\hbhbbb.exe93⤵PID:3928
-
\??\c:\jvjjd.exec:\jvjjd.exe94⤵PID:1928
-
\??\c:\rfrrrrl.exec:\rfrrrrl.exe95⤵PID:3848
-
\??\c:\fxllffx.exec:\fxllffx.exe96⤵PID:3224
-
\??\c:\bthbtn.exec:\bthbtn.exe97⤵PID:4560
-
\??\c:\jppjj.exec:\jppjj.exe98⤵PID:2700
-
\??\c:\frxfxrl.exec:\frxfxrl.exe99⤵PID:2876
-
\??\c:\flxrrlx.exec:\flxrrlx.exe100⤵PID:3604
-
\??\c:\nttntb.exec:\nttntb.exe101⤵PID:2720
-
\??\c:\vppjd.exec:\vppjd.exe102⤵PID:1944
-
\??\c:\lflfrrl.exec:\lflfrrl.exe103⤵PID:4608
-
\??\c:\nbhnhh.exec:\nbhnhh.exe104⤵PID:5068
-
\??\c:\htbthh.exec:\htbthh.exe105⤵PID:3440
-
\??\c:\ppdpv.exec:\ppdpv.exe106⤵PID:3376
-
\??\c:\fflxllr.exec:\fflxllr.exe107⤵PID:4684
-
\??\c:\htbbbb.exec:\htbbbb.exe108⤵PID:4680
-
\??\c:\jdppj.exec:\jdppj.exe109⤵PID:4716
-
\??\c:\rfllffx.exec:\rfllffx.exe110⤵PID:2528
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe111⤵PID:1908
-
\??\c:\hthbbb.exec:\hthbbb.exe112⤵PID:900
-
\??\c:\djvpj.exec:\djvpj.exe113⤵PID:2080
-
\??\c:\xlxrllf.exec:\xlxrllf.exe114⤵PID:4432
-
\??\c:\rlxlxlf.exec:\rlxlxlf.exe115⤵PID:4356
-
\??\c:\btttnn.exec:\btttnn.exe116⤵PID:2792
-
\??\c:\vvdvp.exec:\vvdvp.exe117⤵PID:4272
-
\??\c:\rflllxf.exec:\rflllxf.exe118⤵PID:2232
-
\??\c:\7hnnnt.exec:\7hnnnt.exe119⤵PID:1960
-
\??\c:\nhttth.exec:\nhttth.exe120⤵PID:4908
-
\??\c:\vvvvv.exec:\vvvvv.exe121⤵PID:4212
-
\??\c:\rfrrllf.exec:\rfrrllf.exe122⤵PID:2980