Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 05:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe
-
Size
454KB
-
MD5
bdfd1d1eadccf3785bf2659e796b9332
-
SHA1
a1fc9634b996bc23ffa3f3b10fa89fa34c9f16bd
-
SHA256
eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e
-
SHA512
8d4c97c4fa0e2a11478c95db74ff826c7ffc2b6ffadade3bc7fe3d10fdb77621efa2f65fffcf2535a1913dce30ec390c3f2190b34dddcf6708d4ed3e90701819
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe7:q7Tc2NYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1436-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5096-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1872-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-948-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-1042-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1500 ffllrrx.exe 4104 lxxrfxr.exe 4344 1djjd.exe 4232 xlfflfl.exe 640 5frrxfl.exe 1872 btbnhh.exe 2676 dppjd.exe 3516 thhhth.exe 528 llrrrrr.exe 544 vvddj.exe 2300 dvjvp.exe 4192 jddvp.exe 184 fxfxxff.exe 864 fxlfllf.exe 2836 nnnhnh.exe 2716 jpvpj.exe 3280 rlxrllr.exe 1700 1ntnhh.exe 3624 xxxrxxr.exe 2560 tnbbbh.exe 5096 9fxrrrl.exe 2608 nhbnbb.exe 952 jvddd.exe 3084 7vjdv.exe 1520 thhbbb.exe 2536 llfxrxr.exe 3704 jjppv.exe 3660 flxxllf.exe 3756 1tttnn.exe 4260 pvpvj.exe 3508 3bhbtt.exe 2008 nthbbb.exe 3764 thhbtt.exe 556 xrxxxxr.exe 2196 bbhbnn.exe 1772 hbtthh.exe 1072 pdjpd.exe 4648 vddvp.exe 1604 ffxrlfx.exe 1856 1ntnnn.exe 4212 vjpjj.exe 4268 fxxffrr.exe 1948 tthbtt.exe 5004 vpvjd.exe 3904 rxrxllf.exe 764 lflllrl.exe 4840 nbhbtn.exe 4328 3dvjd.exe 5020 xffxrrl.exe 368 rllfxrl.exe 2996 bthhtt.exe 1500 jdjdv.exe 1864 fxffffl.exe 4776 lrfxrrl.exe 2164 djjdv.exe 2768 1jvjv.exe 4232 llxrlll.exe 212 hthbth.exe 4516 7vvpj.exe 1872 ddppd.exe 4636 ffrrxxx.exe 1008 hbnhtt.exe 3416 fxxxxrx.exe 3516 nhthnh.exe -
resource yara_rule behavioral2/memory/1436-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-128-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1520-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-307-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2500-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-948-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1436 wrote to memory of 1500 1436 eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe 82 PID 1436 wrote to memory of 1500 1436 eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe 82 PID 1436 wrote to memory of 1500 1436 eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe 82 PID 1500 wrote to memory of 4104 1500 ffllrrx.exe 83 PID 1500 wrote to memory of 4104 1500 ffllrrx.exe 83 PID 1500 wrote to memory of 4104 1500 ffllrrx.exe 83 PID 4104 wrote to memory of 4344 4104 lxxrfxr.exe 84 PID 4104 wrote to memory of 4344 4104 lxxrfxr.exe 84 PID 4104 wrote to memory of 4344 4104 lxxrfxr.exe 84 PID 4344 wrote to memory of 4232 4344 1djjd.exe 85 PID 4344 wrote to memory of 4232 4344 1djjd.exe 85 PID 4344 wrote to memory of 4232 4344 1djjd.exe 85 PID 4232 wrote to memory of 640 4232 xlfflfl.exe 86 PID 4232 wrote to memory of 640 4232 xlfflfl.exe 86 PID 4232 wrote to memory of 640 4232 xlfflfl.exe 86 PID 640 wrote to memory of 1872 640 5frrxfl.exe 87 PID 640 wrote to memory of 1872 640 5frrxfl.exe 87 PID 640 wrote to memory of 1872 640 5frrxfl.exe 87 PID 1872 wrote to memory of 2676 1872 btbnhh.exe 88 PID 1872 wrote to memory of 2676 1872 btbnhh.exe 88 PID 1872 wrote to memory of 2676 1872 btbnhh.exe 88 PID 2676 wrote to memory of 3516 2676 dppjd.exe 89 PID 2676 wrote to memory of 3516 2676 dppjd.exe 89 PID 2676 wrote to memory of 3516 2676 dppjd.exe 89 PID 3516 wrote to memory of 528 3516 thhhth.exe 90 PID 3516 wrote to memory of 528 3516 thhhth.exe 90 PID 3516 wrote to memory of 528 3516 thhhth.exe 90 PID 528 wrote to memory of 544 528 llrrrrr.exe 91 PID 528 wrote to memory of 544 528 llrrrrr.exe 91 PID 528 wrote to memory of 544 528 llrrrrr.exe 91 PID 544 wrote to memory of 2300 544 vvddj.exe 92 PID 544 wrote to memory of 2300 544 vvddj.exe 92 PID 544 wrote to memory of 2300 544 vvddj.exe 92 PID 2300 wrote to memory of 4192 2300 dvjvp.exe 93 PID 2300 wrote to memory of 4192 2300 
dvjvp.exe 93 PID 2300 wrote to memory of 4192 2300 dvjvp.exe 93 PID 4192 wrote to memory of 184 4192 jddvp.exe 94 PID 4192 wrote to memory of 184 4192 jddvp.exe 94 PID 4192 wrote to memory of 184 4192 jddvp.exe 94 PID 184 wrote to memory of 864 184 fxfxxff.exe 95 PID 184 wrote to memory of 864 184 fxfxxff.exe 95 PID 184 wrote to memory of 864 184 fxfxxff.exe 95 PID 864 wrote to memory of 2836 864 fxlfllf.exe 96 PID 864 wrote to memory of 2836 864 fxlfllf.exe 96 PID 864 wrote to memory of 2836 864 fxlfllf.exe 96 PID 2836 wrote to memory of 2716 2836 nnnhnh.exe 97 PID 2836 wrote to memory of 2716 2836 nnnhnh.exe 97 PID 2836 wrote to memory of 2716 2836 nnnhnh.exe 97 PID 2716 wrote to memory of 3280 2716 jpvpj.exe 98 PID 2716 wrote to memory of 3280 2716 jpvpj.exe 98 PID 2716 wrote to memory of 3280 2716 jpvpj.exe 98 PID 3280 wrote to memory of 1700 3280 rlxrllr.exe 99 PID 3280 wrote to memory of 1700 3280 rlxrllr.exe 99 PID 3280 wrote to memory of 1700 3280 rlxrllr.exe 99 PID 1700 wrote to memory of 3624 1700 1ntnhh.exe 100 PID 1700 wrote to memory of 3624 1700 1ntnhh.exe 100 PID 1700 wrote to memory of 3624 1700 1ntnhh.exe 100 PID 3624 wrote to memory of 2560 3624 xxxrxxr.exe 101 PID 3624 wrote to memory of 2560 3624 xxxrxxr.exe 101 PID 3624 wrote to memory of 2560 3624 xxxrxxr.exe 101 PID 2560 wrote to memory of 5096 2560 tnbbbh.exe 102 PID 2560 wrote to memory of 5096 2560 tnbbbh.exe 102 PID 2560 wrote to memory of 5096 2560 tnbbbh.exe 102 PID 5096 wrote to memory of 2608 5096 9fxrrrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe"C:\Users\Admin\AppData\Local\Temp\eb64efcd17a9fc82e54342a48c2eba87ce632779583aa89f6fc32462ff12131e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\ffllrrx.exec:\ffllrrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\lxxrfxr.exec:\lxxrfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\1djjd.exec:\1djjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\xlfflfl.exec:\xlfflfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\5frrxfl.exec:\5frrxfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\btbnhh.exec:\btbnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\dppjd.exec:\dppjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\thhhth.exec:\thhhth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\llrrrrr.exec:\llrrrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\vvddj.exec:\vvddj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\dvjvp.exec:\dvjvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\jddvp.exec:\jddvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\fxfxxff.exec:\fxfxxff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\fxlfllf.exec:\fxlfllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\nnnhnh.exec:\nnnhnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\jpvpj.exec:\jpvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\rlxrllr.exec:\rlxrllr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\1ntnhh.exec:\1ntnhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\xxxrxxr.exec:\xxxrxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\tnbbbh.exec:\tnbbbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\9fxrrrl.exec:\9fxrrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\nhbnbb.exec:\nhbnbb.exe23⤵
- Executes dropped EXE
PID:2608 -
\??\c:\jvddd.exec:\jvddd.exe24⤵
- Executes dropped EXE
PID:952 -
\??\c:\7vjdv.exec:\7vjdv.exe25⤵
- Executes dropped EXE
PID:3084 -
\??\c:\thhbbb.exec:\thhbbb.exe26⤵
- Executes dropped EXE
PID:1520 -
\??\c:\llfxrxr.exec:\llfxrxr.exe27⤵
- Executes dropped EXE
PID:2536 -
\??\c:\jjppv.exec:\jjppv.exe28⤵
- Executes dropped EXE
PID:3704 -
\??\c:\flxxllf.exec:\flxxllf.exe29⤵
- Executes dropped EXE
PID:3660 -
\??\c:\1tttnn.exec:\1tttnn.exe30⤵
- Executes dropped EXE
PID:3756 -
\??\c:\pvpvj.exec:\pvpvj.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4260 -
\??\c:\3bhbtt.exec:\3bhbtt.exe32⤵
- Executes dropped EXE
PID:3508 -
\??\c:\nthbbb.exec:\nthbbb.exe33⤵
- Executes dropped EXE
PID:2008 -
\??\c:\thhbtt.exec:\thhbtt.exe34⤵
- Executes dropped EXE
PID:3764 -
\??\c:\xrxxxxr.exec:\xrxxxxr.exe35⤵
- Executes dropped EXE
PID:556 -
\??\c:\bbhbnn.exec:\bbhbnn.exe36⤵
- Executes dropped EXE
PID:2196 -
\??\c:\hbtthh.exec:\hbtthh.exe37⤵
- Executes dropped EXE
PID:1772 -
\??\c:\pdjpd.exec:\pdjpd.exe38⤵
- Executes dropped EXE
PID:1072 -
\??\c:\vddvp.exec:\vddvp.exe39⤵
- Executes dropped EXE
PID:4648 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe40⤵
- Executes dropped EXE
PID:1604 -
\??\c:\1ntnnn.exec:\1ntnnn.exe41⤵
- Executes dropped EXE
PID:1856 -
\??\c:\vjpjj.exec:\vjpjj.exe42⤵
- Executes dropped EXE
PID:4212 -
\??\c:\fxxffrr.exec:\fxxffrr.exe43⤵
- Executes dropped EXE
PID:4268 -
\??\c:\tthbtt.exec:\tthbtt.exe44⤵
- Executes dropped EXE
PID:1948 -
\??\c:\vpvjd.exec:\vpvjd.exe45⤵
- Executes dropped EXE
PID:5004 -
\??\c:\rxrxllf.exec:\rxrxllf.exe46⤵
- Executes dropped EXE
PID:3904 -
\??\c:\lflllrl.exec:\lflllrl.exe47⤵
- Executes dropped EXE
PID:764 -
\??\c:\nbhbtn.exec:\nbhbtn.exe48⤵
- Executes dropped EXE
PID:4840 -
\??\c:\3dvjd.exec:\3dvjd.exe49⤵
- Executes dropped EXE
PID:4328 -
\??\c:\xffxrrl.exec:\xffxrrl.exe50⤵
- Executes dropped EXE
PID:5020 -
\??\c:\rllfxrl.exec:\rllfxrl.exe51⤵
- Executes dropped EXE
PID:368 -
\??\c:\bthhtt.exec:\bthhtt.exe52⤵
- Executes dropped EXE
PID:2996 -
\??\c:\jdjdv.exec:\jdjdv.exe53⤵
- Executes dropped EXE
PID:1500 -
\??\c:\fxffffl.exec:\fxffffl.exe54⤵
- Executes dropped EXE
PID:1864 -
\??\c:\lrfxrrl.exec:\lrfxrrl.exe55⤵
- Executes dropped EXE
PID:4776 -
\??\c:\djjdv.exec:\djjdv.exe56⤵
- Executes dropped EXE
PID:2164 -
\??\c:\1jvjv.exec:\1jvjv.exe57⤵
- Executes dropped EXE
PID:2768 -
\??\c:\llxrlll.exec:\llxrlll.exe58⤵
- Executes dropped EXE
PID:4232 -
\??\c:\hthbth.exec:\hthbth.exe59⤵
- Executes dropped EXE
PID:212 -
\??\c:\7vvpj.exec:\7vvpj.exe60⤵
- Executes dropped EXE
PID:4516 -
\??\c:\ddppd.exec:\ddppd.exe61⤵
- Executes dropped EXE
PID:1872 -
\??\c:\ffrrxxx.exec:\ffrrxxx.exe62⤵
- Executes dropped EXE
PID:4636 -
\??\c:\hbnhtt.exec:\hbnhtt.exe63⤵
- Executes dropped EXE
PID:1008 -
\??\c:\fxxxxrx.exec:\fxxxxrx.exe64⤵
- Executes dropped EXE
PID:3416 -
\??\c:\nhthnh.exec:\nhthnh.exe65⤵
- Executes dropped EXE
PID:3516 -
\??\c:\3tttnn.exec:\3tttnn.exe66⤵PID:436
-
\??\c:\jdjvp.exec:\jdjvp.exe67⤵PID:2956
-
\??\c:\3ffxrrl.exec:\3ffxrrl.exe68⤵PID:60
-
\??\c:\5xrxrlf.exec:\5xrxrlf.exe69⤵PID:2500
-
\??\c:\pjvpv.exec:\pjvpv.exe70⤵PID:1400
-
\??\c:\5rfxffx.exec:\5rfxffx.exe71⤵PID:4208
-
\??\c:\hnbthh.exec:\hnbthh.exe72⤵PID:2136
-
\??\c:\1bhbbb.exec:\1bhbbb.exe73⤵PID:2496
-
\??\c:\vpjdv.exec:\vpjdv.exe74⤵PID:1084
-
\??\c:\flrfxxx.exec:\flrfxxx.exe75⤵PID:228
-
\??\c:\hbbtnn.exec:\hbbtnn.exe76⤵PID:4464
-
\??\c:\5jddp.exec:\5jddp.exe77⤵PID:2032
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe78⤵PID:5084
-
\??\c:\hntnnn.exec:\hntnnn.exe79⤵PID:2376
-
\??\c:\jppjj.exec:\jppjj.exe80⤵PID:4008
-
\??\c:\fxrxrrl.exec:\fxrxrrl.exe81⤵PID:4424
-
\??\c:\frrlffx.exec:\frrlffx.exe82⤵PID:4676
-
\??\c:\nnnnnh.exec:\nnnnnh.exe83⤵PID:4784
-
\??\c:\vvjjj.exec:\vvjjj.exe84⤵PID:792
-
\??\c:\xflfxrl.exec:\xflfxrl.exe85⤵PID:392
-
\??\c:\bnbtnt.exec:\bnbtnt.exe86⤵PID:1944
-
\??\c:\hbhhbb.exec:\hbhhbb.exe87⤵PID:3856
-
\??\c:\dvdvp.exec:\dvdvp.exe88⤵PID:336
-
\??\c:\lxfrxxr.exec:\lxfrxxr.exe89⤵PID:2512
-
\??\c:\nnbhbn.exec:\nnbhbn.exe90⤵PID:1236
-
\??\c:\9tbttt.exec:\9tbttt.exe91⤵PID:1172
-
\??\c:\dpdvp.exec:\dpdvp.exe92⤵PID:2440
-
\??\c:\7lllffx.exec:\7lllffx.exe93⤵PID:4628
-
\??\c:\hntnhh.exec:\hntnhh.exe94⤵PID:3264
-
\??\c:\5vjjp.exec:\5vjjp.exe95⤵PID:400
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe96⤵PID:3756
-
\??\c:\bhthbt.exec:\bhthbt.exe97⤵PID:3980
-
\??\c:\vpdpj.exec:\vpdpj.exe98⤵PID:2232
-
\??\c:\pjpdj.exec:\pjpdj.exe99⤵
- System Location Discovery: System Language Discovery
PID:3596 -
\??\c:\rxllxxl.exec:\rxllxxl.exe100⤵PID:2352
-
\??\c:\tnbntt.exec:\tnbntt.exe101⤵PID:4800
-
\??\c:\pdjdv.exec:\pdjdv.exe102⤵PID:4224
-
\??\c:\frxrrrl.exec:\frxrrrl.exe103⤵PID:3524
-
\??\c:\bthnnt.exec:\bthnnt.exe104⤵PID:1344
-
\??\c:\djjdj.exec:\djjdj.exe105⤵PID:1012
-
\??\c:\djjdv.exec:\djjdv.exe106⤵PID:1852
-
\??\c:\rxlrllf.exec:\rxlrllf.exe107⤵PID:708
-
\??\c:\tnnnhh.exec:\tnnnhh.exe108⤵PID:4528
-
\??\c:\ppvdd.exec:\ppvdd.exe109⤵PID:1860
-
\??\c:\7fxrlrl.exec:\7fxrlrl.exe110⤵PID:4452
-
\??\c:\hhnhtt.exec:\hhnhtt.exe111⤵PID:2292
-
\??\c:\tbtnhb.exec:\tbtnhb.exe112⤵PID:2792
-
\??\c:\7djdp.exec:\7djdp.exe113⤵PID:1632
-
\??\c:\lfllflr.exec:\lfllflr.exe114⤵PID:2572
-
\??\c:\bbhbtt.exec:\bbhbtt.exe115⤵PID:4024
-
\??\c:\pjvvj.exec:\pjvvj.exe116⤵PID:4276
-
\??\c:\frxrlff.exec:\frxrlff.exe117⤵PID:4480
-
\??\c:\lxllfff.exec:\lxllfff.exe118⤵PID:4292
-
\??\c:\hhnhtb.exec:\hhnhtb.exe119⤵PID:3356
-
\??\c:\pvddv.exec:\pvddv.exe120⤵PID:1212
-
\??\c:\7xxxxxx.exec:\7xxxxxx.exe121⤵PID:892
-
\??\c:\nnhbtn.exec:\nnhbtn.exe122⤵PID:448