Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28/03/2025, 21:43
Static task
static1
1 signature
Behavioral task
behavioral1 (Windows 7 resource; note that every memory-dump IoC in the Signatures section below is tagged behavioral2, which appears to be the Windows 10 2004 x64 run named in the Analysis header, so the signature detail does not come from this task)
Sample
596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe
Resource
win7-20250207-en
7 signatures
150 seconds
General
-
Target
596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe
-
Size
457KB
-
MD5
b0968197740f76cede5c6516cfc99850
-
SHA1
f3b18d0f66cea268bf4322f4b64db1ff5f219723
-
SHA256
596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e
-
SHA512
aa1882d7a9caf7c4e257e491dfe86c928748b43cbc3ede271273a212ddd318ef26db728d59e8b72987f343c19ff82c6f43e583e2178e16ea69760523ebf1f976
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (yara hits on the 0x0000000000400000–0x000000000042A000 image region of each spawned stage; the same region in the same PIDs also matches the untitled `upx` yara rule further down, so the stages appear to be UPX-packed copies of one payload)
resource yara_rule behavioral2/memory/5240-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5176-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5412-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5172-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5612-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3660-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6020-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5824-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5592-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6056-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5124-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6068-872-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-900-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6000-997-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5376-1170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (each stage drops the next as a short, consonant-only-named executable directly in the root of c:\, as seen in the process tree; the list is capped at 64 entries while the tree continues to depth 122)
pid Process 2752 rlrlffx.exe 5176 tnntnn.exe 1644 1vvvp.exe 116 pjjdv.exe 1764 1ntnhn.exe 5412 ddjvp.exe 5172 rrrlfxx.exe 2984 lxxrxfx.exe 2196 lrfxrrl.exe 3932 pvjjp.exe 4332 ffxxrll.exe 5896 btnhbb.exe 3872 pvdvp.exe 4528 lxxrrrl.exe 4564 tbhbtt.exe 4776 3jjvp.exe 4492 rxfrllf.exe 2536 vvvvp.exe 3404 xlrlxxr.exe 4620 vddvv.exe 4688 llrllff.exe 1720 fxrlfff.exe 3744 jdvpj.exe 5612 lrxrffx.exe 4420 htbtnh.exe 3660 frrllfx.exe 6092 hntbbt.exe 3648 xxxrrrl.exe 3416 jddvp.exe 1020 dvdvv.exe 1516 hnhhnn.exe 4292 vvdvd.exe 2568 hbnhnn.exe 456 dvppj.exe 3124 rffxlxr.exe 1364 bttnhh.exe 4828 pjjjj.exe 3256 7djdj.exe 1372 ffrlffx.exe 4108 ntbthh.exe 3448 5jdvp.exe 2116 rrllxlr.exe 2000 vjvdv.exe 3372 1lxrffx.exe 3940 rrlllrr.exe 3644 hntnhb.exe 3680 ppvpv.exe 5768 flrlfff.exe 2464 llrlrrx.exe 5780 5bbnhh.exe 6100 hbtntn.exe 2092 5ppjj.exe 1680 fxrrlfx.exe 1928 bttnbt.exe 1084 7jjdd.exe 5268 jvdvp.exe 3420 rffxrrl.exe 4964 nhhbtt.exe 4996 hthhhh.exe 5036 1ppjp.exe 5072 pjdjd.exe 1408 rlfxrll.exe 1392 1bnhnn.exe 4800 btbbtt.exe -
resource yara_rule behavioral2/memory/5240-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5176-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5412-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5172-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5612-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5612-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3660-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6020-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5824-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5592-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4788-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6056-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5124-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5744-838-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTP 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the HKLM\SYSTEM\ControlSet001\Control\NLS\Language registry key) in order to infer its geographical location. Entries attributed to "Process not Found" most likely belong to short-lived stages that had already exited before the sandbox could resolve the image name; the registry access itself is still recorded.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlxlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (every parent→child write is logged three times and the list is truncated at 64 entries, ending at 4688 → 1720, while the process tree continues far beyond that; the pattern is a strict single-child chain, each stage writing only into the stage it launches)
description pid Process procid_target PID 5240 wrote to memory of 2752 5240 596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe 85 PID 5240 wrote to memory of 2752 5240 596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe 85 PID 5240 wrote to memory of 2752 5240 596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe 85 PID 2752 wrote to memory of 5176 2752 rlrlffx.exe 86 PID 2752 wrote to memory of 5176 2752 rlrlffx.exe 86 PID 2752 wrote to memory of 5176 2752 rlrlffx.exe 86 PID 5176 wrote to memory of 1644 5176 tnntnn.exe 87 PID 5176 wrote to memory of 1644 5176 tnntnn.exe 87 PID 5176 wrote to memory of 1644 5176 tnntnn.exe 87 PID 1644 wrote to memory of 116 1644 1vvvp.exe 90 PID 1644 wrote to memory of 116 1644 1vvvp.exe 90 PID 1644 wrote to memory of 116 1644 1vvvp.exe 90 PID 116 wrote to memory of 1764 116 pjjdv.exe 91 PID 116 wrote to memory of 1764 116 pjjdv.exe 91 PID 116 wrote to memory of 1764 116 pjjdv.exe 91 PID 1764 wrote to memory of 5412 1764 1ntnhn.exe 92 PID 1764 wrote to memory of 5412 1764 1ntnhn.exe 92 PID 1764 wrote to memory of 5412 1764 1ntnhn.exe 92 PID 5412 wrote to memory of 5172 5412 ddjvp.exe 93 PID 5412 wrote to memory of 5172 5412 ddjvp.exe 93 PID 5412 wrote to memory of 5172 5412 ddjvp.exe 93 PID 5172 wrote to memory of 2984 5172 rrrlfxx.exe 94 PID 5172 wrote to memory of 2984 5172 rrrlfxx.exe 94 PID 5172 wrote to memory of 2984 5172 rrrlfxx.exe 94 PID 2984 wrote to memory of 2196 2984 lxxrxfx.exe 95 PID 2984 wrote to memory of 2196 2984 lxxrxfx.exe 95 PID 2984 wrote to memory of 2196 2984 lxxrxfx.exe 95 PID 2196 wrote to memory of 3932 2196 lrfxrrl.exe 96 PID 2196 wrote to memory of 3932 2196 lrfxrrl.exe 96 PID 2196 wrote to memory of 3932 2196 lrfxrrl.exe 96 PID 3932 wrote to memory of 4332 3932 pvjjp.exe 97 PID 3932 wrote to memory of 4332 3932 pvjjp.exe 97 PID 3932 wrote to memory of 4332 3932 pvjjp.exe 97 PID 4332 wrote to memory of 5896 4332 ffxxrll.exe 98 PID 4332 wrote to memory of 
5896 4332 ffxxrll.exe 98 PID 4332 wrote to memory of 5896 4332 ffxxrll.exe 98 PID 5896 wrote to memory of 3872 5896 btnhbb.exe 99 PID 5896 wrote to memory of 3872 5896 btnhbb.exe 99 PID 5896 wrote to memory of 3872 5896 btnhbb.exe 99 PID 3872 wrote to memory of 4528 3872 pvdvp.exe 100 PID 3872 wrote to memory of 4528 3872 pvdvp.exe 100 PID 3872 wrote to memory of 4528 3872 pvdvp.exe 100 PID 4528 wrote to memory of 4564 4528 lxxrrrl.exe 101 PID 4528 wrote to memory of 4564 4528 lxxrrrl.exe 101 PID 4528 wrote to memory of 4564 4528 lxxrrrl.exe 101 PID 4564 wrote to memory of 4776 4564 tbhbtt.exe 102 PID 4564 wrote to memory of 4776 4564 tbhbtt.exe 102 PID 4564 wrote to memory of 4776 4564 tbhbtt.exe 102 PID 4776 wrote to memory of 4492 4776 3jjvp.exe 103 PID 4776 wrote to memory of 4492 4776 3jjvp.exe 103 PID 4776 wrote to memory of 4492 4776 3jjvp.exe 103 PID 4492 wrote to memory of 2536 4492 rxfrllf.exe 105 PID 4492 wrote to memory of 2536 4492 rxfrllf.exe 105 PID 4492 wrote to memory of 2536 4492 rxfrllf.exe 105 PID 2536 wrote to memory of 3404 2536 vvvvp.exe 106 PID 2536 wrote to memory of 3404 2536 vvvvp.exe 106 PID 2536 wrote to memory of 3404 2536 vvvvp.exe 106 PID 3404 wrote to memory of 4620 3404 xlrlxxr.exe 107 PID 3404 wrote to memory of 4620 3404 xlrlxxr.exe 107 PID 3404 wrote to memory of 4620 3404 xlrlxxr.exe 107 PID 4620 wrote to memory of 4688 4620 vddvv.exe 109 PID 4620 wrote to memory of 4688 4620 vddvv.exe 109 PID 4620 wrote to memory of 4688 4620 vddvv.exe 109 PID 4688 wrote to memory of 1720 4688 llrllff.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe"C:\Users\Admin\AppData\Local\Temp\596011535e1f98ab06aa8ce72ef854fae80da7ea6e4d6c4380f413ec40c79c3e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5240 -
\??\c:\rlrlffx.exec:\rlrlffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\tnntnn.exec:\tnntnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5176 -
\??\c:\1vvvp.exec:\1vvvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\pjjdv.exec:\pjjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\1ntnhn.exec:\1ntnhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\ddjvp.exec:\ddjvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5412 -
\??\c:\rrrlfxx.exec:\rrrlfxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5172 -
\??\c:\lxxrxfx.exec:\lxxrxfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\lrfxrrl.exec:\lrfxrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\pvjjp.exec:\pvjjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\ffxxrll.exec:\ffxxrll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\btnhbb.exec:\btnhbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5896 -
\??\c:\pvdvp.exec:\pvdvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\lxxrrrl.exec:\lxxrrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\tbhbtt.exec:\tbhbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\3jjvp.exec:\3jjvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\rxfrllf.exec:\rxfrllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\vvvvp.exec:\vvvvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\xlrlxxr.exec:\xlrlxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\vddvv.exec:\vddvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\llrllff.exec:\llrllff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\fxrlfff.exec:\fxrlfff.exe23⤵
- Executes dropped EXE
PID:1720 -
\??\c:\jdvpj.exec:\jdvpj.exe24⤵
- Executes dropped EXE
PID:3744 -
\??\c:\lrxrffx.exec:\lrxrffx.exe25⤵
- Executes dropped EXE
PID:5612 -
\??\c:\htbtnh.exec:\htbtnh.exe26⤵
- Executes dropped EXE
PID:4420 -
\??\c:\frrllfx.exec:\frrllfx.exe27⤵
- Executes dropped EXE
PID:3660 -
\??\c:\hntbbt.exec:\hntbbt.exe28⤵
- Executes dropped EXE
PID:6092 -
\??\c:\xxxrrrl.exec:\xxxrrrl.exe29⤵
- Executes dropped EXE
PID:3648 -
\??\c:\jddvp.exec:\jddvp.exe30⤵
- Executes dropped EXE
PID:3416 -
\??\c:\dvdvv.exec:\dvdvv.exe31⤵
- Executes dropped EXE
PID:1020 -
\??\c:\hnhhnn.exec:\hnhhnn.exe32⤵
- Executes dropped EXE
PID:1516 -
\??\c:\vvdvd.exec:\vvdvd.exe33⤵
- Executes dropped EXE
PID:4292 -
\??\c:\hbnhnn.exec:\hbnhnn.exe34⤵
- Executes dropped EXE
PID:2568 -
\??\c:\dvppj.exec:\dvppj.exe35⤵
- Executes dropped EXE
PID:456 -
\??\c:\rffxlxr.exec:\rffxlxr.exe36⤵
- Executes dropped EXE
PID:3124 -
\??\c:\bttnhh.exec:\bttnhh.exe37⤵
- Executes dropped EXE
PID:1364 -
\??\c:\pjjjj.exec:\pjjjj.exe38⤵
- Executes dropped EXE
PID:4828 -
\??\c:\7djdj.exec:\7djdj.exe39⤵
- Executes dropped EXE
PID:3256 -
\??\c:\ffrlffx.exec:\ffrlffx.exe40⤵
- Executes dropped EXE
PID:1372 -
\??\c:\ntbthh.exec:\ntbthh.exe41⤵
- Executes dropped EXE
PID:4108 -
\??\c:\5jdvp.exec:\5jdvp.exe42⤵
- Executes dropped EXE
PID:3448 -
\??\c:\rrllxlr.exec:\rrllxlr.exe43⤵
- Executes dropped EXE
PID:2116 -
\??\c:\vjvdv.exec:\vjvdv.exe44⤵
- Executes dropped EXE
PID:2000 -
\??\c:\1lxrffx.exec:\1lxrffx.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3372 -
\??\c:\rrlllrr.exec:\rrlllrr.exe46⤵
- Executes dropped EXE
PID:3940 -
\??\c:\hntnhb.exec:\hntnhb.exe47⤵
- Executes dropped EXE
PID:3644 -
\??\c:\ppvpv.exec:\ppvpv.exe48⤵
- Executes dropped EXE
PID:3680 -
\??\c:\flrlfff.exec:\flrlfff.exe49⤵
- Executes dropped EXE
PID:5768 -
\??\c:\llrlrrx.exec:\llrlrrx.exe50⤵
- Executes dropped EXE
PID:2464 -
\??\c:\5bbnhh.exec:\5bbnhh.exe51⤵
- Executes dropped EXE
PID:5780 -
\??\c:\hbtntn.exec:\hbtntn.exe52⤵
- Executes dropped EXE
PID:6100 -
\??\c:\5ppjj.exec:\5ppjj.exe53⤵
- Executes dropped EXE
PID:2092 -
\??\c:\fxrrlfx.exec:\fxrrlfx.exe54⤵
- Executes dropped EXE
PID:1680 -
\??\c:\bttnbt.exec:\bttnbt.exe55⤵
- Executes dropped EXE
PID:1928 -
\??\c:\7jjdd.exec:\7jjdd.exe56⤵
- Executes dropped EXE
PID:1084 -
\??\c:\jvdvp.exec:\jvdvp.exe57⤵
- Executes dropped EXE
PID:5268 -
\??\c:\rffxrrl.exec:\rffxrrl.exe58⤵
- Executes dropped EXE
PID:3420 -
\??\c:\nhhbtt.exec:\nhhbtt.exe59⤵
- Executes dropped EXE
PID:4964 -
\??\c:\hthhhh.exec:\hthhhh.exe60⤵
- Executes dropped EXE
PID:4996 -
\??\c:\1ppjp.exec:\1ppjp.exe61⤵
- Executes dropped EXE
PID:5036 -
\??\c:\pjdjd.exec:\pjdjd.exe62⤵
- Executes dropped EXE
PID:5072 -
\??\c:\rlfxrll.exec:\rlfxrll.exe63⤵
- Executes dropped EXE
PID:1408 -
\??\c:\1bnhnn.exec:\1bnhnn.exe64⤵
- Executes dropped EXE
PID:1392 -
\??\c:\btbbtt.exec:\btbbtt.exe65⤵
- Executes dropped EXE
PID:4800 -
\??\c:\pvvvv.exec:\pvvvv.exe66⤵PID:4852
-
\??\c:\ffxllff.exec:\ffxllff.exe67⤵PID:1860
-
\??\c:\hnthbt.exec:\hnthbt.exe68⤵PID:5976
-
\??\c:\bbhhtt.exec:\bbhhtt.exe69⤵PID:2752
-
\??\c:\5jjdv.exec:\5jjdv.exe70⤵
- System Location Discovery: System Language Discovery
PID:3236 -
\??\c:\jvdvv.exec:\jvdvv.exe71⤵PID:5520
-
\??\c:\xrffflr.exec:\xrffflr.exe72⤵PID:5176
-
\??\c:\tttnbb.exec:\tttnbb.exe73⤵PID:1464
-
\??\c:\nthttn.exec:\nthttn.exe74⤵PID:2248
-
\??\c:\3vvpd.exec:\3vvpd.exe75⤵PID:116
-
\??\c:\7llfffx.exec:\7llfffx.exe76⤵PID:6020
-
\??\c:\rflrlxl.exec:\rflrlxl.exe77⤵PID:5824
-
\??\c:\nthbtt.exec:\nthbtt.exe78⤵PID:5860
-
\??\c:\7ppjj.exec:\7ppjj.exe79⤵PID:2944
-
\??\c:\9dvvj.exec:\9dvvj.exe80⤵PID:2888
-
\??\c:\7fffxxx.exec:\7fffxxx.exe81⤵PID:3368
-
\??\c:\nbbnbt.exec:\nbbnbt.exe82⤵PID:5592
-
\??\c:\jjddp.exec:\jjddp.exe83⤵PID:3856
-
\??\c:\rflffrf.exec:\rflffrf.exe84⤵PID:1308
-
\??\c:\rfffxxr.exec:\rfffxxr.exe85⤵PID:5432
-
\??\c:\nhhbtt.exec:\nhhbtt.exe86⤵PID:3708
-
\??\c:\hnhbbb.exec:\hnhbbb.exe87⤵PID:2388
-
\??\c:\jdddp.exec:\jdddp.exe88⤵PID:4464
-
\??\c:\lffxxxx.exec:\lffxxxx.exe89⤵PID:3872
-
\??\c:\5tnnhh.exec:\5tnnhh.exe90⤵PID:4736
-
\??\c:\btnhbt.exec:\btnhbt.exe91⤵PID:4788
-
\??\c:\pjpjv.exec:\pjpjv.exe92⤵PID:4804
-
\??\c:\lxxrxxr.exec:\lxxrxxr.exe93⤵PID:2232
-
\??\c:\fxrlrxx.exec:\fxrlrxx.exe94⤵PID:6056
-
\??\c:\hbbtnn.exec:\hbbtnn.exe95⤵PID:3908
-
\??\c:\pdpjd.exec:\pdpjd.exe96⤵PID:2536
-
\??\c:\dpvpd.exec:\dpvpd.exe97⤵PID:5772
-
\??\c:\frrlxrl.exec:\frrlxrl.exe98⤵PID:4624
-
\??\c:\1nttnt.exec:\1nttnt.exe99⤵PID:4664
-
\??\c:\hhtttt.exec:\hhtttt.exe100⤵PID:4688
-
\??\c:\pjpjj.exec:\pjpjj.exe101⤵PID:4840
-
\??\c:\xllrrfl.exec:\xllrrfl.exe102⤵PID:3632
-
\??\c:\rlllffx.exec:\rlllffx.exe103⤵PID:5004
-
\??\c:\htnhhb.exec:\htnhhb.exe104⤵PID:1684
-
\??\c:\ppjvp.exec:\ppjvp.exe105⤵PID:3992
-
\??\c:\pdpjd.exec:\pdpjd.exe106⤵PID:4420
-
\??\c:\rrlrlrl.exec:\rrlrlrl.exe107⤵PID:5496
-
\??\c:\nnttbt.exec:\nnttbt.exe108⤵PID:4256
-
\??\c:\5pjjd.exec:\5pjjd.exe109⤵PID:1972
-
\??\c:\3xxrlxr.exec:\3xxrlxr.exe110⤵PID:552
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe111⤵PID:2416
-
\??\c:\bnnhbb.exec:\bnnhbb.exe112⤵PID:3980
-
\??\c:\jdppj.exec:\jdppj.exe113⤵PID:3684
-
\??\c:\vpjjv.exec:\vpjjv.exe114⤵PID:1160
-
\??\c:\xfllxxx.exec:\xfllxxx.exe115⤵PID:4044
-
\??\c:\7hbbbb.exec:\7hbbbb.exe116⤵PID:3176
-
\??\c:\hhnnhb.exec:\hhnnhb.exe117⤵PID:1236
-
\??\c:\pjjdp.exec:\pjjdp.exe118⤵PID:2748
-
\??\c:\xxfxrrl.exec:\xxfxrrl.exe119⤵PID:2352
-
\??\c:\9nnhhh.exec:\9nnhhh.exe120⤵PID:892
-
\??\c:\1ttbtb.exec:\1ttbtb.exe121⤵PID:4808
-
\??\c:\7jpjd.exec:\7jpjd.exe122⤵PID:396