Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 16:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7cb47fd08b32a174b1539d2b2c20ecdecd479a65e7a4dfd64bce7fe2110f4c57N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7cb47fd08b32a174b1539d2b2c20ecdecd479a65e7a4dfd64bce7fe2110f4c57N.exe
-
Size
453KB
-
MD5
492df9769bfdcaa8ceb85632d62ed220
-
SHA1
f85dd34aaaadc2a85fc34853f02b15bc5be60cbd
-
SHA256
7cb47fd08b32a174b1539d2b2c20ecdecd479a65e7a4dfd64bce7fe2110f4c57
-
SHA512
4b6446b7b28d67f9f39576b01596372a384f761909c6e9df040eebc95892e4dd70248bb5fed46dcddd868347ae656f15ea5e64b9e95e91f143bed6d89c8505dc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/5092-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4296-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5052-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-815-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-972-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-1051-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-1070-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-1095-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-1724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-1882-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 544 rlfxrll.exe 5076 fxlflfx.exe 3660 rlxrrrf.exe 4504 lrxlfxl.exe 4236 nbbttn.exe 4648 dvvpv.exe 2416 lffrlfx.exe 5052 xlrllff.exe 2584 bntttn.exe 2976 pjjdv.exe 2448 pdpdd.exe 216 xrlfrrf.exe 3640 nttnhb.exe 1988 vjpjd.exe 4396 fxlxxrl.exe 2492 hhtnbb.exe 3608 dvdvv.exe 3352 ffffxxr.exe 1040 bttnhb.exe 2316 dvpdj.exe 2216 rflfrrl.exe 2896 xrlllll.exe 2036 tbnhtt.exe 1656 dvjjv.exe 2972 lrfxrrl.exe 1540 bhttnn.exe 5072 tnbtnt.exe 2068 pdjdv.exe 4692 rxfxrrx.exe 4852 nhhbbb.exe 1952 hhthbb.exe 1964 pjjjp.exe 4296 lrfxlfx.exe 508 hnbnhh.exe 3972 thnhtt.exe 2656 dpppd.exe 2344 rllxfrr.exe 1884 rfrlfff.exe 1284 tntnnn.exe 3604 dpvvp.exe 1528 pjvpv.exe 1712 rlfxxff.exe 2572 xrrxrll.exe 4680 tbnhtn.exe 3112 5vvpj.exe 2924 vdpjd.exe 4904 xlrlfff.exe 820 3nbtnn.exe 3000 hnbttn.exe 4800 jpdvp.exe 4716 flxxrrx.exe 3144 rrxrfxr.exe 2880 btttnn.exe 4028 jdddj.exe 1720 xlxrllf.exe 1972 xffxlfr.exe 4108 hbnnhh.exe 4584 bhnnhb.exe 3184 dddpj.exe 3360 rrrlflr.exe 3308 hbhbtn.exe 2308 vjpjd.exe 544 fxfxflr.exe 2248 fxllflf.exe -
resource yara_rule behavioral2/memory/544-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-194-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1964-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4904-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-815-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-972-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-1051-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-1070-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-1095-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5092 wrote to memory of 544 5092 7cb47fd08b32a174b1539d2b2c20ecdecd479a65e7a4dfd64bce7fe2110f4c57N.exe 82 PID 5092 wrote to memory of 544 5092 7cb47fd08b32a174b1539d2b2c20ecdecd479a65e7a4dfd64bce7fe2110f4c57N.exe 82 PID 5092 wrote to memory of 544 5092 7cb47fd08b32a174b1539d2b2c20ecdecd479a65e7a4dfd64bce7fe2110f4c57N.exe 82 PID 544 wrote to memory of 5076 544 rlfxrll.exe 147 PID 544 wrote to memory of 5076 544 rlfxrll.exe 147 PID 544 wrote to memory of 5076 544 rlfxrll.exe 147 PID 5076 wrote to memory of 3660 5076 fxlflfx.exe 84 PID 5076 wrote to memory of 3660 5076 fxlflfx.exe 84 PID 5076 wrote to memory of 3660 5076 fxlflfx.exe 84 PID 3660 wrote to memory of 4504 3660 rlxrrrf.exe 85 PID 3660 wrote to memory of 4504 3660 rlxrrrf.exe 85 PID 3660 wrote to memory of 4504 3660 rlxrrrf.exe 85 PID 4504 wrote to memory of 4236 4504 lrxlfxl.exe 86 PID 4504 wrote to memory of 4236 4504 lrxlfxl.exe 86 PID 4504 wrote to memory of 4236 4504 lrxlfxl.exe 86 PID 4236 wrote to memory of 4648 4236 nbbttn.exe 87 PID 4236 wrote to memory of 4648 4236 nbbttn.exe 87 PID 4236 wrote to memory of 4648 4236 nbbttn.exe 87 PID 4648 wrote to memory of 2416 4648 dvvpv.exe 88 PID 4648 wrote to memory of 2416 4648 dvvpv.exe 88 PID 4648 wrote to memory of 2416 4648 dvvpv.exe 88 PID 2416 wrote to memory of 5052 2416 lffrlfx.exe 89 PID 2416 wrote to memory of 5052 2416 lffrlfx.exe 89 PID 2416 wrote to memory of 5052 2416 lffrlfx.exe 89 PID 5052 wrote to memory of 2584 5052 xlrllff.exe 90 PID 5052 wrote to memory of 2584 5052 xlrllff.exe 90 PID 5052 wrote to memory of 2584 5052 xlrllff.exe 90 PID 2584 wrote to memory of 2976 2584 bntttn.exe 91 PID 2584 wrote to memory of 2976 2584 bntttn.exe 91 PID 2584 wrote to memory of 2976 2584 bntttn.exe 91 PID 2976 wrote to memory of 2448 2976 pjjdv.exe 92 PID 2976 wrote to memory of 2448 2976 pjjdv.exe 92 PID 2976 wrote to memory of 2448 2976 pjjdv.exe 92 PID 2448 wrote to memory of 216 2448 pdpdd.exe 93 PID 2448 
wrote to memory of 216 2448 pdpdd.exe 93 PID 2448 wrote to memory of 216 2448 pdpdd.exe 93 PID 216 wrote to memory of 3640 216 xrlfrrf.exe 94 PID 216 wrote to memory of 3640 216 xrlfrrf.exe 94 PID 216 wrote to memory of 3640 216 xrlfrrf.exe 94 PID 3640 wrote to memory of 1988 3640 nttnhb.exe 95 PID 3640 wrote to memory of 1988 3640 nttnhb.exe 95 PID 3640 wrote to memory of 1988 3640 nttnhb.exe 95 PID 1988 wrote to memory of 4396 1988 vjpjd.exe 96 PID 1988 wrote to memory of 4396 1988 vjpjd.exe 96 PID 1988 wrote to memory of 4396 1988 vjpjd.exe 96 PID 4396 wrote to memory of 2492 4396 fxlxxrl.exe 97 PID 4396 wrote to memory of 2492 4396 fxlxxrl.exe 97 PID 4396 wrote to memory of 2492 4396 fxlxxrl.exe 97 PID 2492 wrote to memory of 3608 2492 hhtnbb.exe 98 PID 2492 wrote to memory of 3608 2492 hhtnbb.exe 98 PID 2492 wrote to memory of 3608 2492 hhtnbb.exe 98 PID 3608 wrote to memory of 3352 3608 dvdvv.exe 99 PID 3608 wrote to memory of 3352 3608 dvdvv.exe 99 PID 3608 wrote to memory of 3352 3608 dvdvv.exe 99 PID 3352 wrote to memory of 1040 3352 ffffxxr.exe 100 PID 3352 wrote to memory of 1040 3352 ffffxxr.exe 100 PID 3352 wrote to memory of 1040 3352 ffffxxr.exe 100 PID 1040 wrote to memory of 2316 1040 bttnhb.exe 101 PID 1040 wrote to memory of 2316 1040 bttnhb.exe 101 PID 1040 wrote to memory of 2316 1040 bttnhb.exe 101 PID 2316 wrote to memory of 2216 2316 dvpdj.exe 102 PID 2316 wrote to memory of 2216 2316 dvpdj.exe 102 PID 2316 wrote to memory of 2216 2316 dvpdj.exe 102 PID 2216 wrote to memory of 2896 2216 rflfrrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7cb47fd08b32a174b1539d2b2c20ecdecd479a65e7a4dfd64bce7fe2110f4c57N.exe"C:\Users\Admin\AppData\Local\Temp\7cb47fd08b32a174b1539d2b2c20ecdecd479a65e7a4dfd64bce7fe2110f4c57N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\rlfxrll.exec:\rlfxrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\fxlflfx.exec:\fxlflfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\rlxrrrf.exec:\rlxrrrf.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\lrxlfxl.exec:\lrxlfxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\nbbttn.exec:\nbbttn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\dvvpv.exec:\dvvpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\lffrlfx.exec:\lffrlfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\xlrllff.exec:\xlrllff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\bntttn.exec:\bntttn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\pjjdv.exec:\pjjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\pdpdd.exec:\pdpdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\xrlfrrf.exec:\xrlfrrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\nttnhb.exec:\nttnhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\vjpjd.exec:\vjpjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\fxlxxrl.exec:\fxlxxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\hhtnbb.exec:\hhtnbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\dvdvv.exec:\dvdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\ffffxxr.exec:\ffffxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\bttnhb.exec:\bttnhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\dvpdj.exec:\dvpdj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\rflfrrl.exec:\rflfrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\xrlllll.exec:\xrlllll.exe23⤵
- Executes dropped EXE
PID:2896 -
\??\c:\tbnhtt.exec:\tbnhtt.exe24⤵
- Executes dropped EXE
PID:2036 -
\??\c:\dvjjv.exec:\dvjjv.exe25⤵
- Executes dropped EXE
PID:1656 -
\??\c:\lrfxrrl.exec:\lrfxrrl.exe26⤵
- Executes dropped EXE
PID:2972 -
\??\c:\bhttnn.exec:\bhttnn.exe27⤵
- Executes dropped EXE
PID:1540 -
\??\c:\tnbtnt.exec:\tnbtnt.exe28⤵
- Executes dropped EXE
PID:5072 -
\??\c:\pdjdv.exec:\pdjdv.exe29⤵
- Executes dropped EXE
PID:2068 -
\??\c:\rxfxrrx.exec:\rxfxrrx.exe30⤵
- Executes dropped EXE
PID:4692 -
\??\c:\nhhbbb.exec:\nhhbbb.exe31⤵
- Executes dropped EXE
PID:4852 -
\??\c:\hhthbb.exec:\hhthbb.exe32⤵
- Executes dropped EXE
PID:1952 -
\??\c:\pjjjp.exec:\pjjjp.exe33⤵
- Executes dropped EXE
PID:1964 -
\??\c:\lrfxlfx.exec:\lrfxlfx.exe34⤵
- Executes dropped EXE
PID:4296 -
\??\c:\hnbnhh.exec:\hnbnhh.exe35⤵
- Executes dropped EXE
PID:508 -
\??\c:\thnhtt.exec:\thnhtt.exe36⤵
- Executes dropped EXE
PID:3972 -
\??\c:\dpppd.exec:\dpppd.exe37⤵
- Executes dropped EXE
PID:2656 -
\??\c:\rllxfrr.exec:\rllxfrr.exe38⤵
- Executes dropped EXE
PID:2344 -
\??\c:\rfrlfff.exec:\rfrlfff.exe39⤵
- Executes dropped EXE
PID:1884 -
\??\c:\tntnnn.exec:\tntnnn.exe40⤵
- Executes dropped EXE
PID:1284 -
\??\c:\dpvvp.exec:\dpvvp.exe41⤵
- Executes dropped EXE
PID:3604 -
\??\c:\pjvpv.exec:\pjvpv.exe42⤵
- Executes dropped EXE
PID:1528 -
\??\c:\rlfxxff.exec:\rlfxxff.exe43⤵
- Executes dropped EXE
PID:1712 -
\??\c:\xrrxrll.exec:\xrrxrll.exe44⤵
- Executes dropped EXE
PID:2572 -
\??\c:\tbnhtn.exec:\tbnhtn.exe45⤵
- Executes dropped EXE
PID:4680 -
\??\c:\5vvpj.exec:\5vvpj.exe46⤵
- Executes dropped EXE
PID:3112 -
\??\c:\vdpjd.exec:\vdpjd.exe47⤵
- Executes dropped EXE
PID:2924 -
\??\c:\xlrlfff.exec:\xlrlfff.exe48⤵
- Executes dropped EXE
PID:4904 -
\??\c:\3nbtnn.exec:\3nbtnn.exe49⤵
- Executes dropped EXE
PID:820 -
\??\c:\hnbttn.exec:\hnbttn.exe50⤵
- Executes dropped EXE
PID:3000 -
\??\c:\jpdvp.exec:\jpdvp.exe51⤵
- Executes dropped EXE
PID:4800 -
\??\c:\flxxrrx.exec:\flxxrrx.exe52⤵
- Executes dropped EXE
PID:4716 -
\??\c:\rrxrfxr.exec:\rrxrfxr.exe53⤵
- Executes dropped EXE
PID:3144 -
\??\c:\btttnn.exec:\btttnn.exe54⤵
- Executes dropped EXE
PID:2880 -
\??\c:\jdddj.exec:\jdddj.exe55⤵
- Executes dropped EXE
PID:4028 -
\??\c:\xlxrllf.exec:\xlxrllf.exe56⤵
- Executes dropped EXE
PID:1720 -
\??\c:\xffxlfr.exec:\xffxlfr.exe57⤵
- Executes dropped EXE
PID:1972 -
\??\c:\hbnnhh.exec:\hbnnhh.exe58⤵
- Executes dropped EXE
PID:4108 -
\??\c:\bhnnhb.exec:\bhnnhb.exe59⤵
- Executes dropped EXE
PID:4584 -
\??\c:\dddpj.exec:\dddpj.exe60⤵
- Executes dropped EXE
PID:3184 -
\??\c:\rrrlflr.exec:\rrrlflr.exe61⤵
- Executes dropped EXE
PID:3360 -
\??\c:\bbbttn.exec:\bbbttn.exe62⤵PID:1248
-
\??\c:\hbhbtn.exec:\hbhbtn.exe63⤵
- Executes dropped EXE
PID:3308 -
\??\c:\vjpjd.exec:\vjpjd.exe64⤵
- Executes dropped EXE
PID:2308 -
\??\c:\fxfxflr.exec:\fxfxflr.exe65⤵
- Executes dropped EXE
PID:544 -
\??\c:\fxllflf.exec:\fxllflf.exe66⤵
- Executes dropped EXE
PID:2248 -
\??\c:\5tbthh.exec:\5tbthh.exe67⤵PID:5076
-
\??\c:\dpvvd.exec:\dpvvd.exe68⤵PID:2136
-
\??\c:\rllfxrl.exec:\rllfxrl.exe69⤵PID:2412
-
\??\c:\9hnbtn.exec:\9hnbtn.exe70⤵PID:4016
-
\??\c:\nhnhbb.exec:\nhnhbb.exe71⤵PID:2640
-
\??\c:\5jjdv.exec:\5jjdv.exe72⤵PID:2500
-
\??\c:\5btnth.exec:\5btnth.exe73⤵PID:920
-
\??\c:\dvppv.exec:\dvppv.exe74⤵PID:1308
-
\??\c:\xxxrllf.exec:\xxxrllf.exe75⤵PID:1428
-
\??\c:\nbhbtt.exec:\nbhbtt.exe76⤵PID:4212
-
\??\c:\pddvv.exec:\pddvv.exe77⤵PID:1736
-
\??\c:\frrlfxr.exec:\frrlfxr.exe78⤵PID:2044
-
\??\c:\xlllffx.exec:\xlllffx.exe79⤵PID:5088
-
\??\c:\nhhhbb.exec:\nhhhbb.exe80⤵PID:3060
-
\??\c:\bthbnt.exec:\bthbnt.exe81⤵PID:936
-
\??\c:\rlrrlff.exec:\rlrrlff.exe82⤵PID:4604
-
\??\c:\flxfxrx.exec:\flxfxrx.exe83⤵PID:4228
-
\??\c:\bnnhbb.exec:\bnnhbb.exe84⤵PID:3228
-
\??\c:\dvvvp.exec:\dvvvp.exe85⤵PID:4280
-
\??\c:\bthbtb.exec:\bthbtb.exe86⤵PID:740
-
\??\c:\vppjd.exec:\vppjd.exe87⤵PID:4900
-
\??\c:\xfrlxxr.exec:\xfrlxxr.exe88⤵PID:4872
-
\??\c:\dppjd.exec:\dppjd.exe89⤵PID:3712
-
\??\c:\fxlllxf.exec:\fxlllxf.exe90⤵PID:2632
-
\??\c:\bnhhbh.exec:\bnhhbh.exe91⤵PID:3236
-
\??\c:\fxxrrll.exec:\fxxrrll.exe92⤵PID:3624
-
\??\c:\5hhbtt.exec:\5hhbtt.exe93⤵PID:4960
-
\??\c:\vpvpv.exec:\vpvpv.exe94⤵PID:3268
-
\??\c:\jvdvp.exec:\jvdvp.exe95⤵PID:3784
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe96⤵PID:2256
-
\??\c:\jpvpp.exec:\jpvpp.exe97⤵PID:4600
-
\??\c:\lfflfll.exec:\lfflfll.exe98⤵PID:2220
-
\??\c:\ppdvv.exec:\ppdvv.exe99⤵PID:1284
-
\??\c:\1rrlxrl.exec:\1rrlxrl.exe100⤵PID:3552
-
\??\c:\nbbthb.exec:\nbbthb.exe101⤵PID:1140
-
\??\c:\7jjvp.exec:\7jjvp.exe102⤵PID:4772
-
\??\c:\lrrlfxl.exec:\lrrlfxl.exe103⤵PID:4564
-
\??\c:\ttbtnn.exec:\ttbtnn.exe104⤵PID:1144
-
\??\c:\nhthbb.exec:\nhthbb.exe105⤵PID:960
-
\??\c:\pvppd.exec:\pvppd.exe106⤵PID:4904
-
\??\c:\rfxllxl.exec:\rfxllxl.exe107⤵PID:1636
-
\??\c:\tbbtnh.exec:\tbbtnh.exe108⤵PID:4456
-
\??\c:\5vdvv.exec:\5vdvv.exe109⤵PID:3188
-
\??\c:\bbbtnn.exec:\bbbtnn.exe110⤵PID:400
-
\??\c:\vpppj.exec:\vpppj.exe111⤵PID:4896
-
\??\c:\7frlrrx.exec:\7frlrrx.exe112⤵PID:3376
-
\??\c:\rrxxfxf.exec:\rrxxfxf.exe113⤵PID:3772
-
\??\c:\1xfxxxx.exec:\1xfxxxx.exe114⤵PID:4672
-
\??\c:\hthhbt.exec:\hthhbt.exe115⤵PID:2352
-
\??\c:\tntnhh.exec:\tntnhh.exe116⤵PID:1972
-
\??\c:\vppjd.exec:\vppjd.exe117⤵PID:1584
-
\??\c:\llrrllf.exec:\llrrllf.exe118⤵PID:4136
-
\??\c:\hnnhtn.exec:\hnnhtn.exe119⤵PID:636
-
\??\c:\hbbtnn.exec:\hbbtnn.exe120⤵PID:3832
-
\??\c:\ppdvp.exec:\ppdvp.exe121⤵PID:1716
-
\??\c:\llxlxxr.exec:\llxlxxr.exe122⤵PID:4292