Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe
-
Size
456KB
-
MD5
51248d1bd3c1c6c61876e486b9401c40
-
SHA1
b3ddaf132f731146e62041b8b41451399098e88c
-
SHA256
602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0
-
SHA512
d13a0048ba54e7f560446a68bf1b23bbceb7b2cfce6c06b54fb5afdda39ac7ea7b3a80eaedcbad9223ffea2753bc877d4947924ab4be626364396c9571416657
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTU0:q7Tc2NYHUrAwfMp3CDg0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/848-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4620-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4120-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-771-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-802-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-1279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-1647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5036-1795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1996 rflxlfl.exe 1236 htbttt.exe 3784 dvdjj.exe 4800 7lfrlfr.exe 3320 5rlfrrf.exe 3976 7jpjv.exe 2216 3nnhbt.exe 4320 7fllfxr.exe 3436 xlxfrff.exe 4080 bnnhbh.exe 1188 5djvp.exe 5032 1fxlxxr.exe 4528 jjppd.exe 4628 1nhthn.exe 1064 lrlfrlf.exe 1672 tbnhth.exe 2888 pvddv.exe 1676 7hhthn.exe 1788 9vvpj.exe 4720 vddvp.exe 4040 5lrrlrr.exe 3516 dpvvv.exe 3780 xxrfrrr.exe 3140 5nnhbn.exe 3604 7lxrrrr.exe 4620 hbbtnn.exe 2580 1rrrflx.exe 824 bhnhbt.exe 1416 fxrrrxx.exe 2696 hbnhbb.exe 1228 ddjdj.exe 3560 xlllffx.exe 4704 tbbtbb.exe 4444 htbtnh.exe 3596 ddjpj.exe 1040 7lrlffl.exe 3148 hbhnhh.exe 2016 5vjjj.exe 4000 fxflflr.exe 1016 ntnntt.exe 3236 9ppjj.exe 4344 7rrrlxx.exe 1520 thbtbt.exe 4540 jpdvp.exe 4328 pdvdp.exe 4848 xlllffx.exe 5076 tbhbtt.exe 4812 vdppj.exe 4352 lxxrffx.exe 2260 bthhbh.exe 4536 tnbbbb.exe 1992 dpddp.exe 4912 jjdvv.exe 4600 9lrlrrx.exe 4244 tbtnhb.exe 3540 djpjd.exe 4728 frrrllf.exe 4260 7lxrllf.exe 100 3bbnhb.exe 3944 jjppj.exe 1484 rxlxrlr.exe 3432 llrlfff.exe 1488 bhnhbb.exe 2572 vvjvj.exe -
resource yara_rule behavioral2/memory/848-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4620-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2476-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-719-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 848 wrote to memory of 1996 848 602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe 83 PID 848 wrote to memory of 1996 848 602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe 83 PID 848 wrote to memory of 1996 848 602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe 83 PID 1996 wrote to memory of 1236 1996 rflxlfl.exe 84 PID 1996 wrote to memory of 1236 1996 rflxlfl.exe 84 PID 1996 wrote to memory of 1236 1996 rflxlfl.exe 84 PID 1236 wrote to memory of 3784 1236 htbttt.exe 85 PID 1236 wrote to memory of 3784 1236 htbttt.exe 85 PID 1236 wrote to memory of 3784 1236 htbttt.exe 85 PID 3784 wrote to memory of 4800 3784 dvdjj.exe 86 PID 3784 wrote to memory of 4800 3784 dvdjj.exe 86 PID 3784 wrote to memory of 4800 3784 dvdjj.exe 86 PID 4800 wrote to memory of 3320 4800 7lfrlfr.exe 87 PID 4800 wrote to memory of 3320 4800 7lfrlfr.exe 87 PID 4800 wrote to memory of 3320 4800 7lfrlfr.exe 87 PID 3320 wrote to memory of 3976 3320 5rlfrrf.exe 88 PID 3320 wrote to memory of 3976 3320 5rlfrrf.exe 88 PID 3320 wrote to memory of 3976 3320 5rlfrrf.exe 88 PID 3976 wrote to memory of 2216 3976 7jpjv.exe 89 PID 3976 wrote to memory of 2216 3976 7jpjv.exe 89 PID 3976 wrote to memory of 2216 3976 7jpjv.exe 89 PID 2216 wrote to memory of 4320 2216 3nnhbt.exe 90 PID 2216 wrote to memory of 4320 2216 3nnhbt.exe 90 PID 2216 wrote to memory of 4320 2216 3nnhbt.exe 90 PID 4320 wrote to memory of 3436 4320 7fllfxr.exe 91 PID 4320 wrote to memory of 3436 4320 7fllfxr.exe 91 PID 4320 wrote to memory of 3436 4320 7fllfxr.exe 91 PID 3436 wrote to memory of 4080 3436 xlxfrff.exe 92 PID 3436 wrote to memory of 4080 3436 xlxfrff.exe 92 PID 3436 wrote to memory of 4080 3436 xlxfrff.exe 92 PID 4080 wrote to memory of 1188 4080 bnnhbh.exe 93 PID 4080 wrote to memory of 1188 4080 bnnhbh.exe 93 PID 4080 wrote to memory of 1188 4080 bnnhbh.exe 93 PID 1188 wrote to memory of 5032 1188 5djvp.exe 94 PID 1188 wrote 
to memory of 5032 1188 5djvp.exe 94 PID 1188 wrote to memory of 5032 1188 5djvp.exe 94 PID 5032 wrote to memory of 4528 5032 1fxlxxr.exe 95 PID 5032 wrote to memory of 4528 5032 1fxlxxr.exe 95 PID 5032 wrote to memory of 4528 5032 1fxlxxr.exe 95 PID 4528 wrote to memory of 4628 4528 jjppd.exe 96 PID 4528 wrote to memory of 4628 4528 jjppd.exe 96 PID 4528 wrote to memory of 4628 4528 jjppd.exe 96 PID 4628 wrote to memory of 1064 4628 1nhthn.exe 97 PID 4628 wrote to memory of 1064 4628 1nhthn.exe 97 PID 4628 wrote to memory of 1064 4628 1nhthn.exe 97 PID 1064 wrote to memory of 1672 1064 lrlfrlf.exe 98 PID 1064 wrote to memory of 1672 1064 lrlfrlf.exe 98 PID 1064 wrote to memory of 1672 1064 lrlfrlf.exe 98 PID 1672 wrote to memory of 2888 1672 tbnhth.exe 99 PID 1672 wrote to memory of 2888 1672 tbnhth.exe 99 PID 1672 wrote to memory of 2888 1672 tbnhth.exe 99 PID 2888 wrote to memory of 1676 2888 pvddv.exe 100 PID 2888 wrote to memory of 1676 2888 pvddv.exe 100 PID 2888 wrote to memory of 1676 2888 pvddv.exe 100 PID 1676 wrote to memory of 1788 1676 7hhthn.exe 101 PID 1676 wrote to memory of 1788 1676 7hhthn.exe 101 PID 1676 wrote to memory of 1788 1676 7hhthn.exe 101 PID 1788 wrote to memory of 4720 1788 9vvpj.exe 102 PID 1788 wrote to memory of 4720 1788 9vvpj.exe 102 PID 1788 wrote to memory of 4720 1788 9vvpj.exe 102 PID 4720 wrote to memory of 4040 4720 vddvp.exe 103 PID 4720 wrote to memory of 4040 4720 vddvp.exe 103 PID 4720 wrote to memory of 4040 4720 vddvp.exe 103 PID 4040 wrote to memory of 3516 4040 5lrrlrr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe"C:\Users\Admin\AppData\Local\Temp\602959adb9c198e84c6fb30c35d6756029bff3187d88a91f0fecf3fde5db8de0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:848 -
\??\c:\rflxlfl.exec:\rflxlfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\htbttt.exec:\htbttt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\dvdjj.exec:\dvdjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\7lfrlfr.exec:\7lfrlfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\5rlfrrf.exec:\5rlfrrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\7jpjv.exec:\7jpjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\3nnhbt.exec:\3nnhbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\7fllfxr.exec:\7fllfxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\xlxfrff.exec:\xlxfrff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\bnnhbh.exec:\bnnhbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\5djvp.exec:\5djvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\1fxlxxr.exec:\1fxlxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\jjppd.exec:\jjppd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\1nhthn.exec:\1nhthn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\lrlfrlf.exec:\lrlfrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\tbnhth.exec:\tbnhth.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\pvddv.exec:\pvddv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\7hhthn.exec:\7hhthn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\9vvpj.exec:\9vvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\vddvp.exec:\vddvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\5lrrlrr.exec:\5lrrlrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\dpvvv.exec:\dpvvv.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3516 -
\??\c:\xxrfrrr.exec:\xxrfrrr.exe24⤵
- Executes dropped EXE
PID:3780 -
\??\c:\5nnhbn.exec:\5nnhbn.exe25⤵
- Executes dropped EXE
PID:3140 -
\??\c:\7lxrrrr.exec:\7lxrrrr.exe26⤵
- Executes dropped EXE
PID:3604 -
\??\c:\hbbtnn.exec:\hbbtnn.exe27⤵
- Executes dropped EXE
PID:4620 -
\??\c:\1rrrflx.exec:\1rrrflx.exe28⤵
- Executes dropped EXE
PID:2580 -
\??\c:\bhnhbt.exec:\bhnhbt.exe29⤵
- Executes dropped EXE
PID:824 -
\??\c:\fxrrrxx.exec:\fxrrrxx.exe30⤵
- Executes dropped EXE
PID:1416 -
\??\c:\hbnhbb.exec:\hbnhbb.exe31⤵
- Executes dropped EXE
PID:2696 -
\??\c:\ddjdj.exec:\ddjdj.exe32⤵
- Executes dropped EXE
PID:1228 -
\??\c:\xlllffx.exec:\xlllffx.exe33⤵
- Executes dropped EXE
PID:3560 -
\??\c:\tbbtbb.exec:\tbbtbb.exe34⤵
- Executes dropped EXE
PID:4704 -
\??\c:\htbtnh.exec:\htbtnh.exe35⤵
- Executes dropped EXE
PID:4444 -
\??\c:\ddjpj.exec:\ddjpj.exe36⤵
- Executes dropped EXE
PID:3596 -
\??\c:\7lrlffl.exec:\7lrlffl.exe37⤵
- Executes dropped EXE
PID:1040 -
\??\c:\hbhnhh.exec:\hbhnhh.exe38⤵
- Executes dropped EXE
PID:3148 -
\??\c:\5vjjj.exec:\5vjjj.exe39⤵
- Executes dropped EXE
PID:2016 -
\??\c:\fxflflr.exec:\fxflflr.exe40⤵
- Executes dropped EXE
PID:4000 -
\??\c:\ntnntt.exec:\ntnntt.exe41⤵
- Executes dropped EXE
PID:1016 -
\??\c:\9ppjj.exec:\9ppjj.exe42⤵
- Executes dropped EXE
PID:3236 -
\??\c:\7rrrlxx.exec:\7rrrlxx.exe43⤵
- Executes dropped EXE
PID:4344 -
\??\c:\thbtbt.exec:\thbtbt.exe44⤵
- Executes dropped EXE
PID:1520 -
\??\c:\jpdvp.exec:\jpdvp.exe45⤵
- Executes dropped EXE
PID:4540 -
\??\c:\pdvdp.exec:\pdvdp.exe46⤵
- Executes dropped EXE
PID:4328 -
\??\c:\xlllffx.exec:\xlllffx.exe47⤵
- Executes dropped EXE
PID:4848 -
\??\c:\tbhbtt.exec:\tbhbtt.exe48⤵
- Executes dropped EXE
PID:5076 -
\??\c:\vdppj.exec:\vdppj.exe49⤵
- Executes dropped EXE
PID:4812 -
\??\c:\lxxrffx.exec:\lxxrffx.exe50⤵
- Executes dropped EXE
PID:4352 -
\??\c:\bthhbh.exec:\bthhbh.exe51⤵
- Executes dropped EXE
PID:2260 -
\??\c:\tnbbbb.exec:\tnbbbb.exe52⤵
- Executes dropped EXE
PID:4536 -
\??\c:\dpddp.exec:\dpddp.exe53⤵
- Executes dropped EXE
PID:1992 -
\??\c:\jjdvv.exec:\jjdvv.exe54⤵
- Executes dropped EXE
PID:4912 -
\??\c:\9lrlrrx.exec:\9lrlrrx.exe55⤵
- Executes dropped EXE
PID:4600 -
\??\c:\tbtnhb.exec:\tbtnhb.exe56⤵
- Executes dropped EXE
PID:4244 -
\??\c:\djpjd.exec:\djpjd.exe57⤵
- Executes dropped EXE
PID:3540 -
\??\c:\frrrllf.exec:\frrrllf.exe58⤵
- Executes dropped EXE
PID:4728 -
\??\c:\7lxrllf.exec:\7lxrllf.exe59⤵
- Executes dropped EXE
PID:4260 -
\??\c:\3bbnhb.exec:\3bbnhb.exe60⤵
- Executes dropped EXE
PID:100 -
\??\c:\jjppj.exec:\jjppj.exe61⤵
- Executes dropped EXE
PID:3944 -
\??\c:\rxlxrlr.exec:\rxlxrlr.exe62⤵
- Executes dropped EXE
PID:1484 -
\??\c:\llrlfff.exec:\llrlfff.exe63⤵
- Executes dropped EXE
PID:3432 -
\??\c:\bhnhbb.exec:\bhnhbb.exe64⤵
- Executes dropped EXE
PID:1488 -
\??\c:\vvjvj.exec:\vvjvj.exe65⤵
- Executes dropped EXE
PID:2572 -
\??\c:\7rrrllf.exec:\7rrrllf.exe66⤵PID:5060
-
\??\c:\hnhbtt.exec:\hnhbtt.exe67⤵PID:1300
-
\??\c:\nbhhhb.exec:\nbhhhb.exe68⤵PID:2504
-
\??\c:\jpvvj.exec:\jpvvj.exe69⤵PID:4592
-
\??\c:\rrxrflf.exec:\rrxrflf.exe70⤵PID:5032
-
\??\c:\thhbtn.exec:\thhbtn.exe71⤵PID:1956
-
\??\c:\httttn.exec:\httttn.exe72⤵PID:1352
-
\??\c:\pdppj.exec:\pdppj.exe73⤵PID:1852
-
\??\c:\lxrlrff.exec:\lxrlrff.exe74⤵PID:3304
-
\??\c:\bhnhtt.exec:\bhnhtt.exe75⤵PID:4120
-
\??\c:\djjjj.exec:\djjjj.exe76⤵PID:3076
-
\??\c:\lffxrrx.exec:\lffxrrx.exe77⤵PID:2000
-
\??\c:\9ffxxxx.exec:\9ffxxxx.exe78⤵PID:1964
-
\??\c:\3tbnhh.exec:\3tbnhh.exe79⤵PID:3680
-
\??\c:\1pjjd.exec:\1pjjd.exe80⤵PID:436
-
\??\c:\5rlfxff.exec:\5rlfxff.exe81⤵PID:2248
-
\??\c:\bbttnn.exec:\bbttnn.exe82⤵PID:2140
-
\??\c:\hbhnth.exec:\hbhnth.exe83⤵PID:4048
-
\??\c:\1vvvp.exec:\1vvvp.exe84⤵PID:4868
-
\??\c:\lxffxxx.exec:\lxffxxx.exe85⤵PID:3812
-
\??\c:\ntbtnn.exec:\ntbtnn.exe86⤵PID:2476
-
\??\c:\nnbtbb.exec:\nnbtbb.exe87⤵PID:4092
-
\??\c:\ppdjj.exec:\ppdjj.exe88⤵PID:3272
-
\??\c:\1lllrlr.exec:\1lllrlr.exe89⤵PID:3392
-
\??\c:\bttntn.exec:\bttntn.exe90⤵PID:428
-
\??\c:\dddvd.exec:\dddvd.exe91⤵PID:2872
-
\??\c:\jdddv.exec:\jdddv.exe92⤵
- System Location Discovery: System Language Discovery
PID:736 -
\??\c:\flrrrfl.exec:\flrrrfl.exe93⤵PID:404
-
\??\c:\tbbbtt.exec:\tbbbtt.exe94⤵PID:4784
-
\??\c:\ddpdd.exec:\ddpdd.exe95⤵PID:4644
-
\??\c:\lrrlrrr.exec:\lrrlrrr.exe96⤵PID:3560
-
\??\c:\lflffxx.exec:\lflffxx.exe97⤵PID:1784
-
\??\c:\tnnbnt.exec:\tnnbnt.exe98⤵PID:4960
-
\??\c:\5ppdv.exec:\5ppdv.exe99⤵PID:2656
-
\??\c:\rxrfxrl.exec:\rxrfxrl.exe100⤵PID:3112
-
\??\c:\rxxrllr.exec:\rxxrllr.exe101⤵PID:740
-
\??\c:\bbbnnh.exec:\bbbnnh.exe102⤵PID:4412
-
\??\c:\9pjdd.exec:\9pjdd.exe103⤵PID:3648
-
\??\c:\rllxrll.exec:\rllxrll.exe104⤵PID:2472
-
\??\c:\llxfllr.exec:\llxfllr.exe105⤵PID:1404
-
\??\c:\tttnbn.exec:\tttnbn.exe106⤵PID:4636
-
\??\c:\ddddv.exec:\ddddv.exe107⤵PID:3188
-
\??\c:\fxlfffl.exec:\fxlfffl.exe108⤵PID:3040
-
\??\c:\3hnthh.exec:\3hnthh.exe109⤵PID:2604
-
\??\c:\9vdvv.exec:\9vdvv.exe110⤵PID:4024
-
\??\c:\rffxrlf.exec:\rffxrlf.exe111⤵PID:4188
-
\??\c:\tnhbtn.exec:\tnhbtn.exe112⤵PID:3580
-
\??\c:\ppjvp.exec:\ppjvp.exe113⤵PID:3608
-
\??\c:\dvpjd.exec:\dvpjd.exe114⤵PID:2376
-
\??\c:\frxfxxx.exec:\frxfxxx.exe115⤵PID:848
-
\??\c:\btntbn.exec:\btntbn.exe116⤵PID:4968
-
\??\c:\bbttjj.exec:\bbttjj.exe117⤵PID:1992
-
\??\c:\rllflfl.exec:\rllflfl.exe118⤵PID:4060
-
\??\c:\rlllflr.exec:\rlllflr.exe119⤵PID:4600
-
\??\c:\bbhbtt.exec:\bbhbtt.exe120⤵PID:4800
-
\??\c:\jddvj.exec:\jddvj.exe121⤵PID:4716
-
\??\c:\lrrfxxr.exec:\lrrfxxr.exe122⤵PID:4728