Analysis
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
beefb54431ce888b522e18ce48c62a09dae62ddc80a065170018023be14d8550.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
Target
beefb54431ce888b522e18ce48c62a09dae62ddc80a065170018023be14d8550.exe
Size
454KB
MD5
a79d4e2c7ce5fb45ecf840f57ed5792a
SHA1
74fd8f119ca46774e326087862e69af97594aa1e
SHA256
beefb54431ce888b522e18ce48c62a09dae62ddc80a065170018023be14d8550
SHA512
05bc256c10186ce7252f575801fa6729e0459bd14dba47ac8705b81d178ab39df516fdec6930a1ed61a4659dd5985b77a109062e62d27231c81aa9b4f2b2f3ca
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5076-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3320-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1016-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-862-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-963-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-1147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-1265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-1278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4092-1450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 628 rlxrfxl.exe 856 jdjpv.exe 4604 nnhbnh.exe 4912 xxfrrfl.exe 3036 tttbth.exe 3260 hhnthh.exe 3028 hbttbh.exe 3152 1djvp.exe 2276 hhhnbt.exe 2008 tntntn.exe 4892 jvdvp.exe 2168 7xxlxlf.exe 2320 3pjpd.exe 3096 ppvdp.exe 1532 7jpjp.exe 1476 pvvpd.exe 864 hbhhht.exe 3640 5jdvj.exe 1244 lfxrllf.exe 944 djdvd.exe 4768 djjvp.exe 2676 rlfxlxl.exe 1384 tttnbt.exe 316 pdvjd.exe 3320 xfrffxr.exe 3048 hbbbtn.exe 2836 9jpjj.exe 2496 lxrlffx.exe 2844 nhtbbb.exe 3268 ffxrrxf.exe 1916 nbbtnh.exe 3644 ddvjd.exe 1408 fffrlfx.exe 2420 tnhbbb.exe 1660 dvjdj.exe 2144 jjdvv.exe 3060 fxxxrrl.exe 2208 xrlxxxr.exe 4536 jvjvp.exe 4888 ffxfrrl.exe 3656 9nnnnn.exe 812 jvpdp.exe 4844 7jjdv.exe 4960 vvppp.exe 4272 3fxrrrl.exe 3324 hbthtn.exe 528 ppdjp.exe 924 1pjvp.exe 4420 lfrxxlf.exe 2780 tththt.exe 2228 pdjdp.exe 2712 ddjpj.exe 3352 xlfrfxl.exe 672 tnhthb.exe 4856 dvvjd.exe 3768 lrrlxrl.exe 1600 7lfxxrl.exe 5068 tbhtnb.exe 4528 9jjdp.exe 4596 1flfxrl.exe 116 3hbnbb.exe 2340 jppdv.exe 1044 xrlxlfx.exe 4776 xxxrxxr.exe -
resource yara_rule behavioral2/memory/5076-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2496-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-442-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/336-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-862-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-899-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-963-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrxr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5076 wrote to memory of 628 5076 beefb54431ce888b522e18ce48c62a09dae62ddc80a065170018023be14d8550.exe 84 PID 5076 wrote to memory of 628 5076 beefb54431ce888b522e18ce48c62a09dae62ddc80a065170018023be14d8550.exe 84 PID 5076 wrote to memory of 628 5076 beefb54431ce888b522e18ce48c62a09dae62ddc80a065170018023be14d8550.exe 84 PID 628 wrote to memory of 856 628 rlxrfxl.exe 85 PID 628 wrote to memory of 856 628 rlxrfxl.exe 85 PID 628 wrote to memory of 856 628 rlxrfxl.exe 85 PID 856 wrote to memory of 4604 856 jdjpv.exe 86 PID 856 wrote to memory of 4604 856 jdjpv.exe 86 PID 856 wrote to memory of 4604 856 jdjpv.exe 86 PID 4604 wrote to memory of 4912 4604 nnhbnh.exe 87 PID 4604 wrote to memory of 4912 4604 nnhbnh.exe 87 PID 4604 wrote to memory of 4912 4604 nnhbnh.exe 87 PID 4912 wrote to memory of 3036 4912 xxfrrfl.exe 88 PID 4912 wrote to memory of 3036 4912 xxfrrfl.exe 88 PID 4912 wrote to memory of 3036 4912 xxfrrfl.exe 88 PID 3036 wrote to memory of 3260 3036 tttbth.exe 89 PID 3036 wrote to memory of 3260 3036 tttbth.exe 89 PID 3036 wrote to memory of 3260 3036 tttbth.exe 89 PID 3260 wrote to memory of 3028 3260 hhnthh.exe 90 PID 3260 wrote to memory of 3028 3260 hhnthh.exe 90 PID 3260 wrote to memory of 3028 3260 hhnthh.exe 90 PID 3028 wrote to memory of 3152 3028 hbttbh.exe 91 PID 3028 wrote to memory of 3152 3028 hbttbh.exe 91 PID 3028 wrote to memory of 3152 3028 hbttbh.exe 91 PID 3152 wrote to memory of 2276 3152 1djvp.exe 92 PID 3152 wrote to memory of 2276 3152 1djvp.exe 92 PID 3152 wrote to memory of 2276 3152 1djvp.exe 92 PID 2276 wrote to memory of 2008 2276 hhhnbt.exe 93 PID 2276 wrote to memory of 2008 2276 hhhnbt.exe 93 PID 2276 wrote to memory of 2008 2276 hhhnbt.exe 93 PID 2008 wrote to memory of 4892 2008 tntntn.exe 94 PID 2008 wrote to memory of 4892 2008 tntntn.exe 94 PID 2008 wrote to memory of 4892 2008 tntntn.exe 94 PID 4892 wrote to memory of 2168 4892 jvdvp.exe 95 PID 4892 wrote to memory of 2168 4892 
jvdvp.exe 95 PID 4892 wrote to memory of 2168 4892 jvdvp.exe 95 PID 2168 wrote to memory of 2320 2168 7xxlxlf.exe 96 PID 2168 wrote to memory of 2320 2168 7xxlxlf.exe 96 PID 2168 wrote to memory of 2320 2168 7xxlxlf.exe 96 PID 2320 wrote to memory of 3096 2320 3pjpd.exe 97 PID 2320 wrote to memory of 3096 2320 3pjpd.exe 97 PID 2320 wrote to memory of 3096 2320 3pjpd.exe 97 PID 3096 wrote to memory of 1532 3096 ppvdp.exe 98 PID 3096 wrote to memory of 1532 3096 ppvdp.exe 98 PID 3096 wrote to memory of 1532 3096 ppvdp.exe 98 PID 1532 wrote to memory of 1476 1532 7jpjp.exe 99 PID 1532 wrote to memory of 1476 1532 7jpjp.exe 99 PID 1532 wrote to memory of 1476 1532 7jpjp.exe 99 PID 1476 wrote to memory of 864 1476 pvvpd.exe 100 PID 1476 wrote to memory of 864 1476 pvvpd.exe 100 PID 1476 wrote to memory of 864 1476 pvvpd.exe 100 PID 864 wrote to memory of 3640 864 hbhhht.exe 101 PID 864 wrote to memory of 3640 864 hbhhht.exe 101 PID 864 wrote to memory of 3640 864 hbhhht.exe 101 PID 3640 wrote to memory of 1244 3640 5jdvj.exe 102 PID 3640 wrote to memory of 1244 3640 5jdvj.exe 102 PID 3640 wrote to memory of 1244 3640 5jdvj.exe 102 PID 1244 wrote to memory of 944 1244 lfxrllf.exe 103 PID 1244 wrote to memory of 944 1244 lfxrllf.exe 103 PID 1244 wrote to memory of 944 1244 lfxrllf.exe 103 PID 944 wrote to memory of 4768 944 djdvd.exe 104 PID 944 wrote to memory of 4768 944 djdvd.exe 104 PID 944 wrote to memory of 4768 944 djdvd.exe 104 PID 4768 wrote to memory of 2676 4768 djjvp.exe 105
Processes
C:\Users\Admin\AppData\Local\Temp\beefb54431ce888b522e18ce48c62a09dae62ddc80a065170018023be14d8550.exe"C:\Users\Admin\AppData\Local\Temp\beefb54431ce888b522e18ce48c62a09dae62ddc80a065170018023be14d8550.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\rlxrfxl.exec:\rlxrfxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\jdjpv.exec:\jdjpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\nnhbnh.exec:\nnhbnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\xxfrrfl.exec:\xxfrrfl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\tttbth.exec:\tttbth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\hhnthh.exec:\hhnthh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\hbttbh.exec:\hbttbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\1djvp.exec:\1djvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\hhhnbt.exec:\hhhnbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\tntntn.exec:\tntntn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\jvdvp.exec:\jvdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\7xxlxlf.exec:\7xxlxlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\3pjpd.exec:\3pjpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\ppvdp.exec:\ppvdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\7jpjp.exec:\7jpjp.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\pvvpd.exec:\pvvpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\hbhhht.exec:\hbhhht.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\5jdvj.exec:\5jdvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\lfxrllf.exec:\lfxrllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\djdvd.exec:\djdvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\djjvp.exec:\djjvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\rlfxlxl.exec:\rlfxlxl.exe23⤵
- Executes dropped EXE
PID:2676 -
\??\c:\tttnbt.exec:\tttnbt.exe24⤵
- Executes dropped EXE
PID:1384 -
\??\c:\pdvjd.exec:\pdvjd.exe25⤵
- Executes dropped EXE
PID:316 -
\??\c:\xfrffxr.exec:\xfrffxr.exe26⤵
- Executes dropped EXE
PID:3320 -
\??\c:\hbbbtn.exec:\hbbbtn.exe27⤵
- Executes dropped EXE
PID:3048 -
\??\c:\9jpjj.exec:\9jpjj.exe28⤵
- Executes dropped EXE
PID:2836 -
\??\c:\lxrlffx.exec:\lxrlffx.exe29⤵
- Executes dropped EXE
PID:2496 -
\??\c:\nhtbbb.exec:\nhtbbb.exe30⤵
- Executes dropped EXE
PID:2844 -
\??\c:\ffxrrxf.exec:\ffxrrxf.exe31⤵
- Executes dropped EXE
PID:3268 -
\??\c:\nbbtnh.exec:\nbbtnh.exe32⤵
- Executes dropped EXE
PID:1916 -
\??\c:\ddvjd.exec:\ddvjd.exe33⤵
- Executes dropped EXE
PID:3644 -
\??\c:\fffrlfx.exec:\fffrlfx.exe34⤵
- Executes dropped EXE
PID:1408 -
\??\c:\tnhbbb.exec:\tnhbbb.exe35⤵
- Executes dropped EXE
PID:2420 -
\??\c:\dvjdj.exec:\dvjdj.exe36⤵
- Executes dropped EXE
PID:1660 -
\??\c:\jjdvv.exec:\jjdvv.exe37⤵
- Executes dropped EXE
PID:2144 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe38⤵
- Executes dropped EXE
PID:3060 -
\??\c:\xrlxxxr.exec:\xrlxxxr.exe39⤵
- Executes dropped EXE
PID:2208 -
\??\c:\jvjvp.exec:\jvjvp.exe40⤵
- Executes dropped EXE
PID:4536 -
\??\c:\ffxfrrl.exec:\ffxfrrl.exe41⤵
- Executes dropped EXE
PID:4888 -
\??\c:\9nnnnn.exec:\9nnnnn.exe42⤵
- Executes dropped EXE
PID:3656 -
\??\c:\jvpdp.exec:\jvpdp.exe43⤵
- Executes dropped EXE
PID:812 -
\??\c:\7jjdv.exec:\7jjdv.exe44⤵
- Executes dropped EXE
PID:4844 -
\??\c:\vvppp.exec:\vvppp.exe45⤵
- Executes dropped EXE
PID:4960 -
\??\c:\3fxrrrl.exec:\3fxrrrl.exe46⤵
- Executes dropped EXE
PID:4272 -
\??\c:\hbthtn.exec:\hbthtn.exe47⤵
- Executes dropped EXE
PID:3324 -
\??\c:\ppdjp.exec:\ppdjp.exe48⤵
- Executes dropped EXE
PID:528 -
\??\c:\1pjvp.exec:\1pjvp.exe49⤵
- Executes dropped EXE
PID:924 -
\??\c:\lfrxxlf.exec:\lfrxxlf.exe50⤵
- Executes dropped EXE
PID:4420 -
\??\c:\tththt.exec:\tththt.exe51⤵
- Executes dropped EXE
PID:2780 -
\??\c:\pdjdp.exec:\pdjdp.exe52⤵
- Executes dropped EXE
PID:2228 -
\??\c:\ddjpj.exec:\ddjpj.exe53⤵
- Executes dropped EXE
PID:2712 -
\??\c:\xlfrfxl.exec:\xlfrfxl.exe54⤵
- Executes dropped EXE
PID:3352 -
\??\c:\tnhthb.exec:\tnhthb.exe55⤵
- Executes dropped EXE
PID:672 -
\??\c:\dvvjd.exec:\dvvjd.exe56⤵
- Executes dropped EXE
PID:4856 -
\??\c:\lrrlxrl.exec:\lrrlxrl.exe57⤵
- Executes dropped EXE
PID:3768 -
\??\c:\7lfxxrl.exec:\7lfxxrl.exe58⤵
- Executes dropped EXE
PID:1600 -
\??\c:\tbhtnb.exec:\tbhtnb.exe59⤵
- Executes dropped EXE
PID:5068 -
\??\c:\9jjdp.exec:\9jjdp.exe60⤵
- Executes dropped EXE
PID:4528 -
\??\c:\1flfxrl.exec:\1flfxrl.exe61⤵
- Executes dropped EXE
PID:4596 -
\??\c:\3hbnbb.exec:\3hbnbb.exe62⤵
- Executes dropped EXE
PID:116 -
\??\c:\jppdv.exec:\jppdv.exe63⤵
- Executes dropped EXE
PID:2340 -
\??\c:\xrlxlfx.exec:\xrlxlfx.exe64⤵
- Executes dropped EXE
PID:1044 -
\??\c:\xxxrxxr.exec:\xxxrxxr.exe65⤵
- Executes dropped EXE
PID:4776 -
\??\c:\tnnhtn.exec:\tnnhtn.exe66⤵PID:3996
-
\??\c:\vpjjd.exec:\vpjjd.exe67⤵PID:3576
-
\??\c:\3lrffxx.exec:\3lrffxx.exe68⤵PID:3976
-
\??\c:\rlxlxrl.exec:\rlxlxrl.exe69⤵PID:4892
-
\??\c:\tnhthb.exec:\tnhthb.exe70⤵PID:4164
-
\??\c:\pppjv.exec:\pppjv.exe71⤵PID:2116
-
\??\c:\flrfxll.exec:\flrfxll.exe72⤵PID:4368
-
\??\c:\rfrfrlf.exec:\rfrfrlf.exe73⤵PID:5028
-
\??\c:\1nbbnn.exec:\1nbbnn.exe74⤵PID:2248
-
\??\c:\btnbnh.exec:\btnbnh.exe75⤵PID:1444
-
\??\c:\vvvjv.exec:\vvvjv.exe76⤵PID:4948
-
\??\c:\xrfrxrx.exec:\xrfrxrx.exe77⤵PID:2988
-
\??\c:\bthtnn.exec:\bthtnn.exe78⤵PID:4540
-
\??\c:\vppjd.exec:\vppjd.exe79⤵PID:4436
-
\??\c:\xrlfxrr.exec:\xrlfxrr.exe80⤵PID:768
-
\??\c:\rxxlxrx.exec:\rxxlxrx.exe81⤵PID:3772
-
\??\c:\tthnhb.exec:\tthnhb.exe82⤵PID:2728
-
\??\c:\3ppvj.exec:\3ppvj.exe83⤵PID:3508
-
\??\c:\pdvpd.exec:\pdvpd.exe84⤵PID:3568
-
\??\c:\rfxlxrr.exec:\rfxlxrr.exe85⤵PID:4900
-
\??\c:\bbnhbn.exec:\bbnhbn.exe86⤵PID:1384
-
\??\c:\vjvpp.exec:\vjvpp.exe87⤵PID:3368
-
\??\c:\fxrlrrx.exec:\fxrlrrx.exe88⤵PID:792
-
\??\c:\tnbthh.exec:\tnbthh.exe89⤵PID:3956
-
\??\c:\tnnbnn.exec:\tnnbnn.exe90⤵PID:5108
-
\??\c:\pdvjp.exec:\pdvjp.exe91⤵PID:744
-
\??\c:\9frlffr.exec:\9frlffr.exe92⤵PID:2836
-
\??\c:\nntnhh.exec:\nntnhh.exe93⤵PID:2336
-
\??\c:\5vpjv.exec:\5vpjv.exe94⤵PID:3116
-
\??\c:\lxxrxrl.exec:\lxxrxrl.exe95⤵PID:2844
-
\??\c:\5bthtn.exec:\5bthtn.exe96⤵PID:2976
-
\??\c:\pjjpj.exec:\pjjpj.exe97⤵PID:2568
-
\??\c:\flflrlr.exec:\flflrlr.exe98⤵PID:4432
-
\??\c:\nbbnht.exec:\nbbnht.exe99⤵PID:1016
-
\??\c:\thnbnb.exec:\thnbnb.exe100⤵PID:440
-
\??\c:\jppjj.exec:\jppjj.exe101⤵PID:1720
-
\??\c:\xlffxxr.exec:\xlffxxr.exe102⤵PID:3392
-
\??\c:\vddpj.exec:\vddpj.exe103⤵PID:3788
-
\??\c:\pvddp.exec:\pvddp.exe104⤵PID:2940
-
\??\c:\7lffrrf.exec:\7lffrrf.exe105⤵PID:4204
-
\??\c:\nnhttb.exec:\nnhttb.exe106⤵
- System Location Discovery: System Language Discovery
PID:3716 -
\??\c:\1pjvp.exec:\1pjvp.exe107⤵PID:3340
-
\??\c:\pjpdj.exec:\pjpdj.exe108⤵PID:2196
-
\??\c:\lrrfrfr.exec:\lrrfrfr.exe109⤵PID:5032
-
\??\c:\nthtnh.exec:\nthtnh.exe110⤵PID:2904
-
\??\c:\vddpj.exec:\vddpj.exe111⤵PID:5100
-
\??\c:\lflfrrf.exec:\lflfrrf.exe112⤵PID:336
-
\??\c:\5nhthb.exec:\5nhthb.exe113⤵PID:4244
-
\??\c:\5ddvp.exec:\5ddvp.exe114⤵PID:1704
-
\??\c:\jjdvj.exec:\jjdvj.exe115⤵PID:4492
-
\??\c:\rlfrxlx.exec:\rlfrxlx.exe116⤵PID:5008
-
\??\c:\5hnbtn.exec:\5hnbtn.exe117⤵PID:5004
-
\??\c:\5vvjv.exec:\5vvjv.exe118⤵PID:856
-
\??\c:\lxxlxrl.exec:\lxxlxrl.exe119⤵PID:2712
-
\??\c:\lffxrlf.exec:\lffxrlf.exe120⤵PID:3928
-
\??\c:\pjpjd.exec:\pjpjd.exe121⤵PID:672
-
\??\c:\vpjpp.exec:\vpjpp.exe122⤵PID:3024