Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 20:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe
-
Size
453KB
-
MD5
f95e69e5fc628ec55c522b2128e8bafc
-
SHA1
af783c9c79fe3f85fd6e6433dbe562104cc0995f
-
SHA256
5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672
-
SHA512
e69f440a4e123733a7b202c682a79867ae07fb772f9538999481c7147d0c1e84256f288dd88feecf60347a014d6ee9516c33079028bcbff73fcb2a7fa9e56816
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2332-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/552-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1188-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-858-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-963-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-976-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-1176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4752 rfrlxrx.exe 3420 rllfxrl.exe 2752 jjvpv.exe 3708 xlrlfrr.exe 3728 btttnt.exe 4676 jvdpj.exe 4228 1dvjd.exe 2700 hntnbb.exe 1280 xxfxrlf.exe 2644 xlxfrll.exe 1780 nbbttb.exe 2292 nhnhbh.exe 4152 7jjpj.exe 2492 djvpj.exe 4176 rxfxxxr.exe 2252 httnhh.exe 1040 ppdvp.exe 2316 vpvpj.exe 2948 xrrlfff.exe 3380 thhhth.exe 2376 bhhbbb.exe 3284 xrrlrrx.exe 4624 rflxrrf.exe 3176 pjjdv.exe 1608 btnhbt.exe 552 xrfxfxx.exe 3236 httnbb.exe 1464 lxxrrll.exe 4308 bnnhbb.exe 660 llfxrrl.exe 3276 vjjdd.exe 4772 hbhtnh.exe 4564 3dvpj.exe 3260 frfxrlr.exe 4244 bttnbt.exe 1712 pdjdd.exe 2572 lfrlfxr.exe 2052 xlfxllf.exe 3256 hbhhbb.exe 3988 jpvpj.exe 3772 vjpjj.exe 540 lffxrlf.exe 2352 thnhbb.exe 3416 ppdvd.exe 2284 pppjj.exe 5056 rlrfxxl.exe 4232 tnnhnn.exe 4108 jvdvp.exe 1084 lxfxllx.exe 1876 5nthbb.exe 1248 5vjdv.exe 1004 3pjdv.exe 4736 lflffxf.exe 4556 btbbhb.exe 3420 vpdvd.exe 816 rffxrlf.exe 404 7xxrlxx.exe 4876 bttnht.exe 3332 djppj.exe 3288 frxrrrl.exe 3488 fxrlllf.exe 2396 bbnhbt.exe 3068 jdpjd.exe 936 1jdvp.exe -
resource yara_rule behavioral2/memory/2332-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/552-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1948-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-685-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2332 wrote to memory of 4752 2332 5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe 82 PID 2332 wrote to memory of 4752 2332 5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe 82 PID 2332 wrote to memory of 4752 2332 5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe 82 PID 4752 wrote to memory of 3420 4752 rfrlxrx.exe 83 PID 4752 wrote to memory of 3420 4752 rfrlxrx.exe 83 PID 4752 wrote to memory of 3420 4752 rfrlxrx.exe 83 PID 3420 wrote to memory of 2752 3420 rllfxrl.exe 84 PID 3420 wrote to memory of 2752 3420 rllfxrl.exe 84 PID 3420 wrote to memory of 2752 3420 rllfxrl.exe 84 PID 2752 wrote to memory of 3708 2752 jjvpv.exe 85 PID 2752 wrote to memory of 3708 2752 jjvpv.exe 85 PID 2752 wrote to memory of 3708 2752 jjvpv.exe 85 PID 3708 wrote to memory of 3728 3708 xlrlfrr.exe 86 PID 3708 wrote to memory of 3728 3708 xlrlfrr.exe 86 PID 3708 wrote to memory of 3728 3708 xlrlfrr.exe 86 PID 3728 wrote to memory of 4676 3728 btttnt.exe 87 PID 3728 wrote to memory of 4676 3728 btttnt.exe 87 PID 3728 wrote to memory of 4676 3728 btttnt.exe 87 PID 4676 wrote to memory of 4228 4676 jvdpj.exe 88 PID 4676 wrote to memory of 4228 4676 jvdpj.exe 88 PID 4676 wrote to memory of 4228 4676 jvdpj.exe 88 PID 4228 wrote to memory of 2700 4228 1dvjd.exe 89 PID 4228 wrote to memory of 2700 4228 1dvjd.exe 89 PID 4228 wrote to memory of 2700 4228 1dvjd.exe 89 PID 2700 wrote to memory of 1280 2700 hntnbb.exe 90 PID 2700 wrote to memory of 1280 2700 hntnbb.exe 90 PID 2700 wrote to memory of 1280 2700 hntnbb.exe 90 PID 1280 wrote to memory of 2644 1280 xxfxrlf.exe 91 PID 1280 wrote to memory of 2644 1280 xxfxrlf.exe 91 PID 1280 wrote to memory of 2644 1280 xxfxrlf.exe 91 PID 2644 wrote to memory of 1780 2644 xlxfrll.exe 92 PID 2644 wrote to memory of 1780 2644 xlxfrll.exe 92 PID 2644 wrote to memory of 1780 2644 xlxfrll.exe 92 PID 1780 wrote to memory of 2292 1780 nbbttb.exe 93 PID 1780 
wrote to memory of 2292 1780 nbbttb.exe 93 PID 1780 wrote to memory of 2292 1780 nbbttb.exe 93 PID 2292 wrote to memory of 4152 2292 nhnhbh.exe 94 PID 2292 wrote to memory of 4152 2292 nhnhbh.exe 94 PID 2292 wrote to memory of 4152 2292 nhnhbh.exe 94 PID 4152 wrote to memory of 2492 4152 7jjpj.exe 95 PID 4152 wrote to memory of 2492 4152 7jjpj.exe 95 PID 4152 wrote to memory of 2492 4152 7jjpj.exe 95 PID 2492 wrote to memory of 4176 2492 djvpj.exe 96 PID 2492 wrote to memory of 4176 2492 djvpj.exe 96 PID 2492 wrote to memory of 4176 2492 djvpj.exe 96 PID 4176 wrote to memory of 2252 4176 rxfxxxr.exe 97 PID 4176 wrote to memory of 2252 4176 rxfxxxr.exe 97 PID 4176 wrote to memory of 2252 4176 rxfxxxr.exe 97 PID 2252 wrote to memory of 1040 2252 httnhh.exe 98 PID 2252 wrote to memory of 1040 2252 httnhh.exe 98 PID 2252 wrote to memory of 1040 2252 httnhh.exe 98 PID 1040 wrote to memory of 2316 1040 ppdvp.exe 99 PID 1040 wrote to memory of 2316 1040 ppdvp.exe 99 PID 1040 wrote to memory of 2316 1040 ppdvp.exe 99 PID 2316 wrote to memory of 2948 2316 vpvpj.exe 100 PID 2316 wrote to memory of 2948 2316 vpvpj.exe 100 PID 2316 wrote to memory of 2948 2316 vpvpj.exe 100 PID 2948 wrote to memory of 3380 2948 xrrlfff.exe 101 PID 2948 wrote to memory of 3380 2948 xrrlfff.exe 101 PID 2948 wrote to memory of 3380 2948 xrrlfff.exe 101 PID 3380 wrote to memory of 2376 3380 thhhth.exe 102 PID 3380 wrote to memory of 2376 3380 thhhth.exe 102 PID 3380 wrote to memory of 2376 3380 thhhth.exe 102 PID 2376 wrote to memory of 3284 2376 bhhbbb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe"C:\Users\Admin\AppData\Local\Temp\5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\rfrlxrx.exec:\rfrlxrx.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\rllfxrl.exec:\rllfxrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\jjvpv.exec:\jjvpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\xlrlfrr.exec:\xlrlfrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\btttnt.exec:\btttnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\jvdpj.exec:\jvdpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\1dvjd.exec:\1dvjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\hntnbb.exec:\hntnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\xxfxrlf.exec:\xxfxrlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\xlxfrll.exec:\xlxfrll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\nbbttb.exec:\nbbttb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\nhnhbh.exec:\nhnhbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\7jjpj.exec:\7jjpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4152 -
\??\c:\djvpj.exec:\djvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\rxfxxxr.exec:\rxfxxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
\??\c:\httnhh.exec:\httnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\ppdvp.exec:\ppdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\vpvpj.exec:\vpvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\xrrlfff.exec:\xrrlfff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\thhhth.exec:\thhhth.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\bhhbbb.exec:\bhhbbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\xrrlrrx.exec:\xrrlrrx.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3284 -
\??\c:\rflxrrf.exec:\rflxrrf.exe24⤵
- Executes dropped EXE
PID:4624 -
\??\c:\pjjdv.exec:\pjjdv.exe25⤵
- Executes dropped EXE
PID:3176 -
\??\c:\btnhbt.exec:\btnhbt.exe26⤵
- Executes dropped EXE
PID:1608 -
\??\c:\xrfxfxx.exec:\xrfxfxx.exe27⤵
- Executes dropped EXE
PID:552 -
\??\c:\httnbb.exec:\httnbb.exe28⤵
- Executes dropped EXE
PID:3236 -
\??\c:\lxxrrll.exec:\lxxrrll.exe29⤵
- Executes dropped EXE
PID:1464 -
\??\c:\bnnhbb.exec:\bnnhbb.exe30⤵
- Executes dropped EXE
PID:4308 -
\??\c:\llfxrrl.exec:\llfxrrl.exe31⤵
- Executes dropped EXE
PID:660 -
\??\c:\vjjdd.exec:\vjjdd.exe32⤵
- Executes dropped EXE
PID:3276 -
\??\c:\hbhtnh.exec:\hbhtnh.exe33⤵
- Executes dropped EXE
PID:4772 -
\??\c:\3dvpj.exec:\3dvpj.exe34⤵
- Executes dropped EXE
PID:4564 -
\??\c:\frfxrlr.exec:\frfxrlr.exe35⤵
- Executes dropped EXE
PID:3260 -
\??\c:\bttnbt.exec:\bttnbt.exe36⤵
- Executes dropped EXE
PID:4244 -
\??\c:\pdjdd.exec:\pdjdd.exe37⤵
- Executes dropped EXE
PID:1712 -
\??\c:\lfrlfxr.exec:\lfrlfxr.exe38⤵
- Executes dropped EXE
PID:2572 -
\??\c:\xlfxllf.exec:\xlfxllf.exe39⤵
- Executes dropped EXE
PID:2052 -
\??\c:\hbhhbb.exec:\hbhhbb.exe40⤵
- Executes dropped EXE
PID:3256 -
\??\c:\jpvpj.exec:\jpvpj.exe41⤵
- Executes dropped EXE
PID:3988 -
\??\c:\vjpjj.exec:\vjpjj.exe42⤵
- Executes dropped EXE
PID:3772 -
\??\c:\lffxrlf.exec:\lffxrlf.exe43⤵
- Executes dropped EXE
PID:540 -
\??\c:\thnhbb.exec:\thnhbb.exe44⤵
- Executes dropped EXE
PID:2352 -
\??\c:\ppdvd.exec:\ppdvd.exe45⤵
- Executes dropped EXE
PID:3416 -
\??\c:\pppjj.exec:\pppjj.exe46⤵
- Executes dropped EXE
PID:2284 -
\??\c:\rlrfxxl.exec:\rlrfxxl.exe47⤵
- Executes dropped EXE
PID:5056 -
\??\c:\tnnhnn.exec:\tnnhnn.exe48⤵
- Executes dropped EXE
PID:4232 -
\??\c:\jvdvp.exec:\jvdvp.exe49⤵
- Executes dropped EXE
PID:4108 -
\??\c:\lxfxllx.exec:\lxfxllx.exe50⤵
- Executes dropped EXE
PID:1084 -
\??\c:\5nthbb.exec:\5nthbb.exe51⤵
- Executes dropped EXE
PID:1876 -
\??\c:\5vjdv.exec:\5vjdv.exe52⤵
- Executes dropped EXE
PID:1248 -
\??\c:\3pjdv.exec:\3pjdv.exe53⤵
- Executes dropped EXE
PID:1004 -
\??\c:\lflffxf.exec:\lflffxf.exe54⤵
- Executes dropped EXE
PID:4736 -
\??\c:\btbbhb.exec:\btbbhb.exe55⤵
- Executes dropped EXE
PID:4556 -
\??\c:\vpdvd.exec:\vpdvd.exe56⤵
- Executes dropped EXE
PID:3420 -
\??\c:\rffxrlf.exec:\rffxrlf.exe57⤵
- Executes dropped EXE
PID:816 -
\??\c:\7xxrlxx.exec:\7xxrlxx.exe58⤵
- Executes dropped EXE
PID:404 -
\??\c:\bttnht.exec:\bttnht.exe59⤵
- Executes dropped EXE
PID:4876 -
\??\c:\djppj.exec:\djppj.exe60⤵
- Executes dropped EXE
PID:3332 -
\??\c:\frxrrrl.exec:\frxrrrl.exe61⤵
- Executes dropped EXE
PID:3288 -
\??\c:\fxrlllf.exec:\fxrlllf.exe62⤵
- Executes dropped EXE
PID:3488 -
\??\c:\bbnhbt.exec:\bbnhbt.exe63⤵
- Executes dropped EXE
PID:2396 -
\??\c:\jdpjd.exec:\jdpjd.exe64⤵
- Executes dropped EXE
PID:3068 -
\??\c:\1jdvp.exec:\1jdvp.exe65⤵
- Executes dropped EXE
PID:936 -
\??\c:\flfrxrl.exec:\flfrxrl.exe66⤵PID:4884
-
\??\c:\thttnn.exec:\thttnn.exe67⤵PID:4944
-
\??\c:\jjvvv.exec:\jjvvv.exe68⤵PID:2644
-
\??\c:\bbnbtn.exec:\bbnbtn.exe69⤵PID:3540
-
\??\c:\pdpjj.exec:\pdpjj.exe70⤵PID:3680
-
\??\c:\djpjd.exec:\djpjd.exe71⤵PID:2792
-
\??\c:\9xrlffx.exec:\9xrlffx.exe72⤵PID:860
-
\??\c:\hbbhbn.exec:\hbbhbn.exe73⤵PID:2492
-
\??\c:\bnthbt.exec:\bnthbt.exe74⤵PID:4144
-
\??\c:\jpdjd.exec:\jpdjd.exe75⤵PID:1960
-
\??\c:\fffrllf.exec:\fffrllf.exe76⤵PID:2796
-
\??\c:\nhnntt.exec:\nhnntt.exe77⤵PID:1188
-
\??\c:\pdjdd.exec:\pdjdd.exe78⤵PID:1368
-
\??\c:\vppjp.exec:\vppjp.exe79⤵PID:4120
-
\??\c:\flrlfff.exec:\flrlfff.exe80⤵PID:992
-
\??\c:\fxflfll.exec:\fxflfll.exe81⤵PID:2948
-
\??\c:\3bbttt.exec:\3bbttt.exe82⤵PID:2760
-
\??\c:\9jjdp.exec:\9jjdp.exe83⤵PID:3128
-
\??\c:\lfllfxr.exec:\lfllfxr.exe84⤵PID:2716
-
\??\c:\flxrrfl.exec:\flxrrfl.exe85⤵PID:1384
-
\??\c:\bntnhn.exec:\bntnhn.exe86⤵PID:2548
-
\??\c:\jjppj.exec:\jjppj.exe87⤵PID:4744
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe88⤵PID:1948
-
\??\c:\hbbntt.exec:\hbbntt.exe89⤵PID:440
-
\??\c:\5jpjp.exec:\5jpjp.exe90⤵PID:648
-
\??\c:\jjpjp.exec:\jjpjp.exe91⤵PID:4776
-
\??\c:\xxrllff.exec:\xxrllff.exe92⤵PID:4420
-
\??\c:\nhbhhb.exec:\nhbhhb.exe93⤵PID:4424
-
\??\c:\5hbnhb.exec:\5hbnhb.exe94⤵PID:3328
-
\??\c:\pjjdv.exec:\pjjdv.exe95⤵PID:1588
-
\??\c:\frfxlrf.exec:\frfxlrf.exe96⤵PID:2656
-
\??\c:\btnnhb.exec:\btnnhb.exe97⤵PID:2940
-
\??\c:\dvvpj.exec:\dvvpj.exe98⤵PID:3664
-
\??\c:\xrfxlfx.exec:\xrfxlfx.exe99⤵PID:4636
-
\??\c:\flrlxxr.exec:\flrlxxr.exe100⤵PID:4208
-
\??\c:\tbnbtt.exec:\tbnbtt.exe101⤵PID:3260
-
\??\c:\jddvp.exec:\jddvp.exe102⤵PID:4808
-
\??\c:\rrxlxlf.exec:\rrxlxlf.exe103⤵PID:1712
-
\??\c:\bnnhbh.exec:\bnnhbh.exe104⤵PID:1152
-
\??\c:\vvvjj.exec:\vvvjj.exe105⤵PID:2052
-
\??\c:\rxllffx.exec:\rxllffx.exe106⤵PID:1572
-
\??\c:\fxlfxff.exec:\fxlfxff.exe107⤵PID:1012
-
\??\c:\ttnhbb.exec:\ttnhbb.exe108⤵PID:4800
-
\??\c:\vvjvd.exec:\vvjvd.exe109⤵PID:3204
-
\??\c:\rlxrllf.exec:\rlxrllf.exe110⤵PID:1576
-
\??\c:\bttnbb.exec:\bttnbb.exe111⤵PID:456
-
\??\c:\5dvpp.exec:\5dvpp.exe112⤵PID:1584
-
\??\c:\lrrlffx.exec:\lrrlffx.exe113⤵PID:1720
-
\??\c:\rlfxfff.exec:\rlfxfff.exe114⤵PID:904
-
\??\c:\tnttnt.exec:\tnttnt.exe115⤵PID:4232
-
\??\c:\pjjjd.exec:\pjjjd.exe116⤵PID:1380
-
\??\c:\rxrfxxl.exec:\rxrfxxl.exe117⤵PID:1084
-
\??\c:\thtnhh.exec:\thtnhh.exe118⤵PID:1876
-
\??\c:\btbnhh.exec:\btbnhh.exe119⤵PID:1248
-
\??\c:\vjddv.exec:\vjddv.exe120⤵PID:1004
-
\??\c:\rrrfxrl.exec:\rrrfxrl.exe121⤵PID:2408
-
\??\c:\bbbbtt.exec:\bbbbtt.exe122⤵PID:624