Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 06:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe
-
Size
453KB
-
MD5
e2670bece5d938d0400615cf7383c820
-
SHA1
c0abdeb1691e70e750cdc53c4b9adcf6e51f45e0
-
SHA256
7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780
-
SHA512
a9c75b1a0b42acf5e2e6850abef330f16efb8a1a05ec5137bd6595c506fa1b1b2a2a53bcd1f46b7b4872e7d355f41e70e2f28d49df3353f46366dbdbfa22923d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeQ:q7Tc2NYHUrAwfMp3CDQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3588-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/492-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2356-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1576-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-1108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-1574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/500-1663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4532 rxrlfxr.exe 4452 pppvv.exe 4860 xlxrrrr.exe 3256 7bbbtt.exe 492 lffffff.exe 1492 hbtbnb.exe 1232 lrlxlxr.exe 1852 nhnhhb.exe 396 rrfffff.exe 2016 hnnnnt.exe 3820 lfrllxx.exe 2792 jppjj.exe 4776 pvvpj.exe 4424 9bhbtt.exe 4880 jpjpv.exe 1424 fxlfflf.exe 4268 jvdvv.exe 1996 hhhbbn.exe 3572 nnttnt.exe 3392 jpvdv.exe 3044 xrflrfx.exe 4240 vvvvv.exe 2356 7vjvv.exe 3124 pjddj.exe 404 3lxllff.exe 3452 ttbttb.exe 2848 llflxrr.exe 3968 dvdpj.exe 1704 9hhbbt.exe 1264 vvppj.exe 4684 nhnhhh.exe 4984 dvjjp.exe 3356 rxflxff.exe 1096 hhbhhb.exe 968 lrrxxrx.exe 4108 ntbbbb.exe 1612 ddvjj.exe 2372 xrrfrfx.exe 5096 dvvvd.exe 4968 rlflrxl.exe 212 pvvdp.exe 3836 rrllxlx.exe 1192 3httbb.exe 948 lrfrxfx.exe 1080 hhnnhb.exe 2772 3flllrr.exe 5044 nnbnnb.exe 4280 vjjpv.exe 2524 xflxlxl.exe 1808 dvvpp.exe 4608 fxxxxfl.exe 3720 ttbbbn.exe 4856 vddjj.exe 1144 lfllllf.exe 4004 jvdvd.exe 2780 rxfxrlr.exe 4568 9nbtth.exe 4476 pjjvd.exe 3600 xfflffr.exe 3100 tnnbhh.exe 4124 5jjjd.exe 4988 lxxrlrx.exe 4140 nbhntt.exe 2420 jjpvd.exe -
resource yara_rule behavioral2/memory/3588-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/492-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3124-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-326-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1996-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-628-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxflllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tthnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flllxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nttth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllxlx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3588 wrote to memory of 4532 3588 7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe 84 PID 3588 wrote to memory of 4532 3588 7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe 84 PID 3588 wrote to memory of 4532 3588 7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe 84 PID 4532 wrote to memory of 4452 4532 rxrlfxr.exe 85 PID 4532 wrote to memory of 4452 4532 rxrlfxr.exe 85 PID 4532 wrote to memory of 4452 4532 rxrlfxr.exe 85 PID 4452 wrote to memory of 4860 4452 pppvv.exe 86 PID 4452 wrote to memory of 4860 4452 pppvv.exe 86 PID 4452 wrote to memory of 4860 4452 pppvv.exe 86 PID 4860 wrote to memory of 3256 4860 xlxrrrr.exe 87 PID 4860 wrote to memory of 3256 4860 xlxrrrr.exe 87 PID 4860 wrote to memory of 3256 4860 xlxrrrr.exe 87 PID 3256 wrote to memory of 492 3256 7bbbtt.exe 88 PID 3256 wrote to memory of 492 3256 7bbbtt.exe 88 PID 3256 wrote to memory of 492 3256 7bbbtt.exe 88 PID 492 wrote to memory of 1492 492 lffffff.exe 89 PID 492 wrote to memory of 1492 492 lffffff.exe 89 PID 492 wrote to memory of 1492 492 lffffff.exe 89 PID 1492 wrote to memory of 1232 1492 hbtbnb.exe 90 PID 1492 wrote to memory of 1232 1492 hbtbnb.exe 90 PID 1492 wrote to memory of 1232 1492 hbtbnb.exe 90 PID 1232 wrote to memory of 1852 1232 lrlxlxr.exe 91 PID 1232 wrote to memory of 1852 1232 lrlxlxr.exe 91 PID 1232 wrote to memory of 1852 1232 lrlxlxr.exe 91 PID 1852 wrote to memory of 396 1852 nhnhhb.exe 92 PID 1852 wrote to memory of 396 1852 nhnhhb.exe 92 PID 1852 wrote to memory of 396 1852 nhnhhb.exe 92 PID 396 wrote to memory of 2016 396 rrfffff.exe 93 PID 396 wrote to memory of 2016 396 rrfffff.exe 93 PID 396 wrote to memory of 2016 396 rrfffff.exe 93 PID 2016 wrote to memory of 3820 2016 hnnnnt.exe 94 PID 2016 wrote to memory of 3820 2016 hnnnnt.exe 94 PID 2016 wrote to memory of 3820 2016 hnnnnt.exe 94 PID 3820 wrote to memory of 2792 3820 lfrllxx.exe 95 PID 3820 wrote to 
memory of 2792 3820 lfrllxx.exe 95 PID 3820 wrote to memory of 2792 3820 lfrllxx.exe 95 PID 2792 wrote to memory of 4776 2792 jppjj.exe 96 PID 2792 wrote to memory of 4776 2792 jppjj.exe 96 PID 2792 wrote to memory of 4776 2792 jppjj.exe 96 PID 4776 wrote to memory of 4424 4776 pvvpj.exe 97 PID 4776 wrote to memory of 4424 4776 pvvpj.exe 97 PID 4776 wrote to memory of 4424 4776 pvvpj.exe 97 PID 4424 wrote to memory of 4880 4424 9bhbtt.exe 98 PID 4424 wrote to memory of 4880 4424 9bhbtt.exe 98 PID 4424 wrote to memory of 4880 4424 9bhbtt.exe 98 PID 4880 wrote to memory of 1424 4880 jpjpv.exe 99 PID 4880 wrote to memory of 1424 4880 jpjpv.exe 99 PID 4880 wrote to memory of 1424 4880 jpjpv.exe 99 PID 1424 wrote to memory of 4268 1424 fxlfflf.exe 100 PID 1424 wrote to memory of 4268 1424 fxlfflf.exe 100 PID 1424 wrote to memory of 4268 1424 fxlfflf.exe 100 PID 4268 wrote to memory of 1996 4268 jvdvv.exe 101 PID 4268 wrote to memory of 1996 4268 jvdvv.exe 101 PID 4268 wrote to memory of 1996 4268 jvdvv.exe 101 PID 1996 wrote to memory of 3572 1996 hhhbbn.exe 102 PID 1996 wrote to memory of 3572 1996 hhhbbn.exe 102 PID 1996 wrote to memory of 3572 1996 hhhbbn.exe 102 PID 3572 wrote to memory of 3392 3572 nnttnt.exe 103 PID 3572 wrote to memory of 3392 3572 nnttnt.exe 103 PID 3572 wrote to memory of 3392 3572 nnttnt.exe 103 PID 3392 wrote to memory of 3044 3392 jpvdv.exe 104 PID 3392 wrote to memory of 3044 3392 jpvdv.exe 104 PID 3392 wrote to memory of 3044 3392 jpvdv.exe 104 PID 3044 wrote to memory of 4240 3044 xrflrfx.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe"C:\Users\Admin\AppData\Local\Temp\7ab09eeabe8b84677bafba346d18df567bcfb1bc0364bcdf0ad8d70ff384e780N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\rxrlfxr.exec:\rxrlfxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\pppvv.exec:\pppvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\xlxrrrr.exec:\xlxrrrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\7bbbtt.exec:\7bbbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\lffffff.exec:\lffffff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:492 -
\??\c:\hbtbnb.exec:\hbtbnb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\lrlxlxr.exec:\lrlxlxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\nhnhhb.exec:\nhnhhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\rrfffff.exec:\rrfffff.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\hnnnnt.exec:\hnnnnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\lfrllxx.exec:\lfrllxx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\jppjj.exec:\jppjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\pvvpj.exec:\pvvpj.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\9bhbtt.exec:\9bhbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\jpjpv.exec:\jpjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\fxlfflf.exec:\fxlfflf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\jvdvv.exec:\jvdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\hhhbbn.exec:\hhhbbn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\nnttnt.exec:\nnttnt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\jpvdv.exec:\jpvdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\xrflrfx.exec:\xrflrfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\vvvvv.exec:\vvvvv.exe23⤵
- Executes dropped EXE
PID:4240 -
\??\c:\7vjvv.exec:\7vjvv.exe24⤵
- Executes dropped EXE
PID:2356 -
\??\c:\pjddj.exec:\pjddj.exe25⤵
- Executes dropped EXE
PID:3124 -
\??\c:\3lxllff.exec:\3lxllff.exe26⤵
- Executes dropped EXE
PID:404 -
\??\c:\ttbttb.exec:\ttbttb.exe27⤵
- Executes dropped EXE
PID:3452 -
\??\c:\llflxrr.exec:\llflxrr.exe28⤵
- Executes dropped EXE
PID:2848 -
\??\c:\dvdpj.exec:\dvdpj.exe29⤵
- Executes dropped EXE
PID:3968 -
\??\c:\9hhbbt.exec:\9hhbbt.exe30⤵
- Executes dropped EXE
PID:1704 -
\??\c:\vvppj.exec:\vvppj.exe31⤵
- Executes dropped EXE
PID:1264 -
\??\c:\nhnhhh.exec:\nhnhhh.exe32⤵
- Executes dropped EXE
PID:4684 -
\??\c:\dvjjp.exec:\dvjjp.exe33⤵
- Executes dropped EXE
PID:4984 -
\??\c:\rxflxff.exec:\rxflxff.exe34⤵
- Executes dropped EXE
PID:3356 -
\??\c:\hhbhhb.exec:\hhbhhb.exe35⤵
- Executes dropped EXE
PID:1096 -
\??\c:\lrrxxrx.exec:\lrrxxrx.exe36⤵
- Executes dropped EXE
PID:968 -
\??\c:\ntbbbb.exec:\ntbbbb.exe37⤵
- Executes dropped EXE
PID:4108 -
\??\c:\ddvjj.exec:\ddvjj.exe38⤵
- Executes dropped EXE
PID:1612 -
\??\c:\xrrfrfx.exec:\xrrfrfx.exe39⤵
- Executes dropped EXE
PID:2372 -
\??\c:\dvvvd.exec:\dvvvd.exe40⤵
- Executes dropped EXE
PID:5096 -
\??\c:\rlflrxl.exec:\rlflrxl.exe41⤵
- Executes dropped EXE
PID:4968 -
\??\c:\pvvdp.exec:\pvvdp.exe42⤵
- Executes dropped EXE
PID:212 -
\??\c:\rrllxlx.exec:\rrllxlx.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3836 -
\??\c:\3httbb.exec:\3httbb.exe44⤵
- Executes dropped EXE
PID:1192 -
\??\c:\lrfrxfx.exec:\lrfrxfx.exe45⤵
- Executes dropped EXE
PID:948 -
\??\c:\hhnnhb.exec:\hhnnhb.exe46⤵
- Executes dropped EXE
PID:1080 -
\??\c:\3flllrr.exec:\3flllrr.exe47⤵
- Executes dropped EXE
PID:2772 -
\??\c:\nnbnnb.exec:\nnbnnb.exe48⤵
- Executes dropped EXE
PID:5044 -
\??\c:\vjjpv.exec:\vjjpv.exe49⤵
- Executes dropped EXE
PID:4280 -
\??\c:\xflxlxl.exec:\xflxlxl.exe50⤵
- Executes dropped EXE
PID:2524 -
\??\c:\dvvpp.exec:\dvvpp.exe51⤵
- Executes dropped EXE
PID:1808 -
\??\c:\fxxxxfl.exec:\fxxxxfl.exe52⤵
- Executes dropped EXE
PID:4608 -
\??\c:\ttbbbn.exec:\ttbbbn.exe53⤵
- Executes dropped EXE
PID:3720 -
\??\c:\vddjj.exec:\vddjj.exe54⤵
- Executes dropped EXE
PID:4856 -
\??\c:\lfllllf.exec:\lfllllf.exe55⤵
- Executes dropped EXE
PID:1144 -
\??\c:\jvdvd.exec:\jvdvd.exe56⤵
- Executes dropped EXE
PID:4004 -
\??\c:\rxfxrlr.exec:\rxfxrlr.exe57⤵
- Executes dropped EXE
PID:2780 -
\??\c:\9nbtth.exec:\9nbtth.exe58⤵
- Executes dropped EXE
PID:4568 -
\??\c:\pjjvd.exec:\pjjvd.exe59⤵
- Executes dropped EXE
PID:4476 -
\??\c:\xfflffr.exec:\xfflffr.exe60⤵
- Executes dropped EXE
PID:3600 -
\??\c:\tnnbhh.exec:\tnnbhh.exe61⤵
- Executes dropped EXE
PID:3100 -
\??\c:\5jjjd.exec:\5jjjd.exe62⤵
- Executes dropped EXE
PID:4124 -
\??\c:\lxxrlrx.exec:\lxxrlrx.exe63⤵
- Executes dropped EXE
PID:4988 -
\??\c:\nbhntt.exec:\nbhntt.exe64⤵
- Executes dropped EXE
PID:4140 -
\??\c:\jjpvd.exec:\jjpvd.exe65⤵
- Executes dropped EXE
PID:2420 -
\??\c:\rxfflfr.exec:\rxfflfr.exe66⤵PID:1416
-
\??\c:\bhnbbb.exec:\bhnbbb.exe67⤵PID:2792
-
\??\c:\llrrrrl.exec:\llrrrrl.exe68⤵PID:3584
-
\??\c:\nnbthn.exec:\nnbthn.exe69⤵PID:1576
-
\??\c:\3ffffll.exec:\3ffffll.exe70⤵PID:4668
-
\??\c:\ttnthh.exec:\ttnthh.exe71⤵PID:3960
-
\??\c:\nhnnnb.exec:\nhnnnb.exe72⤵PID:2876
-
\??\c:\3lfxxxx.exec:\3lfxxxx.exe73⤵PID:3848
-
\??\c:\ffrlflf.exec:\ffrlflf.exe74⤵PID:888
-
\??\c:\1vppv.exec:\1vppv.exe75⤵PID:4980
-
\??\c:\dvjjj.exec:\dvjjj.exe76⤵PID:1996
-
\??\c:\ffrxxfl.exec:\ffrxxfl.exe77⤵PID:452
-
\??\c:\jpppv.exec:\jpppv.exe78⤵PID:1548
-
\??\c:\ddpvd.exec:\ddpvd.exe79⤵PID:884
-
\??\c:\thbhnb.exec:\thbhnb.exe80⤵PID:3328
-
\??\c:\lxfxxrf.exec:\lxfxxrf.exe81⤵PID:4820
-
\??\c:\tnbhbb.exec:\tnbhbb.exe82⤵PID:4728
-
\??\c:\ppdpp.exec:\ppdpp.exe83⤵PID:868
-
\??\c:\lrxfxrf.exec:\lrxfxrf.exe84⤵PID:1220
-
\??\c:\nhnnnn.exec:\nhnnnn.exe85⤵PID:2924
-
\??\c:\pvvpj.exec:\pvvpj.exe86⤵PID:2180
-
\??\c:\fxrfxxx.exec:\fxrfxxx.exe87⤵PID:3856
-
\??\c:\hbnnnt.exec:\hbnnnt.exe88⤵PID:3552
-
\??\c:\jjvpp.exec:\jjvpp.exe89⤵PID:3680
-
\??\c:\flrlfxr.exec:\flrlfxr.exe90⤵PID:4556
-
\??\c:\ddddd.exec:\ddddd.exe91⤵PID:4848
-
\??\c:\frxxlll.exec:\frxxlll.exe92⤵PID:2500
-
\??\c:\nthhhh.exec:\nthhhh.exe93⤵PID:4684
-
\??\c:\1jvdj.exec:\1jvdj.exe94⤵PID:1804
-
\??\c:\xlxxfxl.exec:\xlxxfxl.exe95⤵PID:2492
-
\??\c:\djpvj.exec:\djpvj.exe96⤵PID:4160
-
\??\c:\ffrfxxr.exec:\ffrfxxr.exe97⤵PID:4784
-
\??\c:\tbttnt.exec:\tbttnt.exe98⤵PID:4108
-
\??\c:\djvvj.exec:\djvvj.exe99⤵PID:4816
-
\??\c:\lxxxfff.exec:\lxxxfff.exe100⤵PID:1920
-
\??\c:\nnnhhb.exec:\nnnhhb.exe101⤵PID:4912
-
\??\c:\vdppv.exec:\vdppv.exe102⤵PID:4664
-
\??\c:\ddvjd.exec:\ddvjd.exe103⤵PID:4968
-
\??\c:\xrrlrxx.exec:\xrrlrxx.exe104⤵PID:212
-
\??\c:\dpdpd.exec:\dpdpd.exe105⤵PID:3912
-
\??\c:\flfrlxr.exec:\flfrlxr.exe106⤵PID:3472
-
\??\c:\djjvv.exec:\djjvv.exe107⤵PID:1928
-
\??\c:\lxxffrl.exec:\lxxffrl.exe108⤵PID:4316
-
\??\c:\3lrllll.exec:\3lrllll.exe109⤵PID:4300
-
\??\c:\vvjdj.exec:\vvjdj.exe110⤵PID:5044
-
\??\c:\pdpjv.exec:\pdpjv.exe111⤵PID:1124
-
\??\c:\nbbhhn.exec:\nbbhhn.exe112⤵PID:3588
-
\??\c:\9hnhhn.exec:\9hnhhn.exe113⤵PID:2396
-
\??\c:\jdjvp.exec:\jdjvp.exe114⤵PID:1444
-
\??\c:\xffrfxl.exec:\xffrfxl.exe115⤵PID:3764
-
\??\c:\pjddj.exec:\pjddj.exe116⤵PID:4856
-
\??\c:\xlxxflx.exec:\xlxxflx.exe117⤵PID:1144
-
\??\c:\nbhbtb.exec:\nbhbtb.exe118⤵PID:4004
-
\??\c:\3dddv.exec:\3dddv.exe119⤵PID:1536
-
\??\c:\5xfxflf.exec:\5xfxflf.exe120⤵PID:1028
-
\??\c:\bbhhhb.exec:\bbhhhb.exe121⤵PID:4564
-
\??\c:\jvvvj.exec:\jvvvj.exe122⤵PID:4524