Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f58f4514626ceaba702e55abe0cde7029b93d932d2f933d6ab2b5fde8d562d30N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
f58f4514626ceaba702e55abe0cde7029b93d932d2f933d6ab2b5fde8d562d30N.exe
-
Size
454KB
-
MD5
57f8dbf600286cb6cf5e966a541f8700
-
SHA1
0e256f952d78bd537dec1629995322e1b732ed6f
-
SHA256
f58f4514626ceaba702e55abe0cde7029b93d932d2f933d6ab2b5fde8d562d30
-
SHA512
074fc83d6afc8551519f84f4b414de1e8cddde9a5e90161d253c20f025660b9a885566d6296b41e53e0e915b32e152e029bad3f73c9744efbadfc9be080b0a21
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4520-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/456-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4932-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-937-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-1016-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-1065-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-1239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-1812-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1644-1975-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2448 lffxrrx.exe 1232 rxlrrxl.exe 2268 pjpjd.exe 3964 fflfrxr.exe 4868 ffflrff.exe 5108 pjvjv.exe 4628 bhhtbt.exe 3588 3rlflfx.exe 4836 vppdp.exe 2140 nhhthh.exe 3700 ppjpj.exe 3220 rlfxlll.exe 3028 tnbnbb.exe 2704 ffrlrlx.exe 4220 tbhhbh.exe 100 1ppjp.exe 4764 hhnnhn.exe 5088 vdpvj.exe 4204 frxlrlf.exe 4196 hbthth.exe 5000 lxlrxfx.exe 2516 hbtnbt.exe 4412 9vvjd.exe 2108 pdvjv.exe 2620 nbtntn.exe 4820 vjjdp.exe 1436 rrllrfr.exe 1608 pjdjj.exe 4616 pjjdv.exe 456 3vpjd.exe 3560 xlrlxlr.exe 2720 1vvjd.exe 4480 hhhhhh.exe 4156 vvvpd.exe 4572 xrlxxrf.exe 3308 bnnbnn.exe 1520 jdvpd.exe 4980 dddvp.exe 528 llxrlxx.exe 1168 pjjdp.exe 2920 3thbtn.exe 228 dpppv.exe 3564 3ffrxrl.exe 4936 thhthb.exe 4748 1vvvd.exe 2272 lflrffx.exe 1800 hnnntt.exe 4576 xrxrllf.exe 2796 3llfxrl.exe 2684 1hbtnh.exe 4976 ppdvp.exe 2436 xrxxffx.exe 2908 rflxlfr.exe 2836 3btnhh.exe 4148 1ddvd.exe 2892 bhhtnb.exe 2656 dvdpj.exe 2888 djppp.exe 2820 7flxxrr.exe 3588 5thttt.exe 4912 nhhhbh.exe 2140 vvdvd.exe 3236 rrrllfr.exe 1056 hntnnb.exe -
resource yara_rule behavioral2/memory/4520-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-182-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4480-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-433-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4392-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-861-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-937-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-1016-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllffrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1htnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxllf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4520 wrote to memory of 2448 4520 f58f4514626ceaba702e55abe0cde7029b93d932d2f933d6ab2b5fde8d562d30N.exe 82 PID 4520 wrote to memory of 2448 4520 f58f4514626ceaba702e55abe0cde7029b93d932d2f933d6ab2b5fde8d562d30N.exe 82 PID 4520 wrote to memory of 2448 4520 f58f4514626ceaba702e55abe0cde7029b93d932d2f933d6ab2b5fde8d562d30N.exe 82 PID 2448 wrote to memory of 1232 2448 lffxrrx.exe 83 PID 2448 wrote to memory of 1232 2448 lffxrrx.exe 83 PID 2448 wrote to memory of 1232 2448 lffxrrx.exe 83 PID 1232 wrote to memory of 2268 1232 rxlrrxl.exe 84 PID 1232 wrote to memory of 2268 1232 rxlrrxl.exe 84 PID 1232 wrote to memory of 2268 1232 rxlrrxl.exe 84 PID 2268 wrote to memory of 3964 2268 pjpjd.exe 85 PID 2268 wrote to memory of 3964 2268 pjpjd.exe 85 PID 2268 wrote to memory of 3964 2268 pjpjd.exe 85 PID 3964 wrote to memory of 4868 3964 fflfrxr.exe 86 PID 3964 wrote to memory of 4868 3964 fflfrxr.exe 86 PID 3964 wrote to memory of 4868 3964 fflfrxr.exe 86 PID 4868 wrote to memory of 5108 4868 ffflrff.exe 87 PID 4868 wrote to memory of 5108 4868 ffflrff.exe 87 PID 4868 wrote to memory of 5108 4868 ffflrff.exe 87 PID 5108 wrote to memory of 4628 5108 pjvjv.exe 88 PID 5108 wrote to memory of 4628 5108 pjvjv.exe 88 PID 5108 wrote to memory of 4628 5108 pjvjv.exe 88 PID 4628 wrote to memory of 3588 4628 bhhtbt.exe 89 PID 4628 wrote to memory of 3588 4628 bhhtbt.exe 89 PID 4628 wrote to memory of 3588 4628 bhhtbt.exe 89 PID 3588 wrote to memory of 4836 3588 3rlflfx.exe 90 PID 3588 wrote to memory of 4836 3588 3rlflfx.exe 90 PID 3588 wrote to memory of 4836 3588 3rlflfx.exe 90 PID 4836 wrote to memory of 2140 4836 vppdp.exe 91 PID 4836 wrote to memory of 2140 4836 vppdp.exe 91 PID 4836 wrote to memory of 2140 4836 vppdp.exe 91 PID 2140 wrote to memory of 3700 2140 nhhthh.exe 92 PID 2140 wrote to memory of 3700 2140 nhhthh.exe 92 PID 2140 wrote to memory of 3700 2140 nhhthh.exe 92 PID 3700 wrote to memory of 3220 3700 ppjpj.exe 93 PID 3700 
wrote to memory of 3220 3700 ppjpj.exe 93 PID 3700 wrote to memory of 3220 3700 ppjpj.exe 93 PID 3220 wrote to memory of 3028 3220 rlfxlll.exe 94 PID 3220 wrote to memory of 3028 3220 rlfxlll.exe 94 PID 3220 wrote to memory of 3028 3220 rlfxlll.exe 94 PID 3028 wrote to memory of 2704 3028 tnbnbb.exe 95 PID 3028 wrote to memory of 2704 3028 tnbnbb.exe 95 PID 3028 wrote to memory of 2704 3028 tnbnbb.exe 95 PID 2704 wrote to memory of 4220 2704 ffrlrlx.exe 96 PID 2704 wrote to memory of 4220 2704 ffrlrlx.exe 96 PID 2704 wrote to memory of 4220 2704 ffrlrlx.exe 96 PID 4220 wrote to memory of 100 4220 tbhhbh.exe 97 PID 4220 wrote to memory of 100 4220 tbhhbh.exe 97 PID 4220 wrote to memory of 100 4220 tbhhbh.exe 97 PID 100 wrote to memory of 4764 100 1ppjp.exe 98 PID 100 wrote to memory of 4764 100 1ppjp.exe 98 PID 100 wrote to memory of 4764 100 1ppjp.exe 98 PID 4764 wrote to memory of 5088 4764 hhnnhn.exe 99 PID 4764 wrote to memory of 5088 4764 hhnnhn.exe 99 PID 4764 wrote to memory of 5088 4764 hhnnhn.exe 99 PID 5088 wrote to memory of 4204 5088 vdpvj.exe 100 PID 5088 wrote to memory of 4204 5088 vdpvj.exe 100 PID 5088 wrote to memory of 4204 5088 vdpvj.exe 100 PID 4204 wrote to memory of 4196 4204 frxlrlf.exe 101 PID 4204 wrote to memory of 4196 4204 frxlrlf.exe 101 PID 4204 wrote to memory of 4196 4204 frxlrlf.exe 101 PID 4196 wrote to memory of 5000 4196 hbthth.exe 102 PID 4196 wrote to memory of 5000 4196 hbthth.exe 102 PID 4196 wrote to memory of 5000 4196 hbthth.exe 102 PID 5000 wrote to memory of 2516 5000 lxlrxfx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\f58f4514626ceaba702e55abe0cde7029b93d932d2f933d6ab2b5fde8d562d30N.exe"C:\Users\Admin\AppData\Local\Temp\f58f4514626ceaba702e55abe0cde7029b93d932d2f933d6ab2b5fde8d562d30N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\lffxrrx.exec:\lffxrrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\rxlrrxl.exec:\rxlrrxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1232 -
\??\c:\pjpjd.exec:\pjpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\fflfrxr.exec:\fflfrxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\ffflrff.exec:\ffflrff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\pjvjv.exec:\pjvjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\bhhtbt.exec:\bhhtbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\3rlflfx.exec:\3rlflfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\vppdp.exec:\vppdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\nhhthh.exec:\nhhthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\ppjpj.exec:\ppjpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3700 -
\??\c:\rlfxlll.exec:\rlfxlll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\tnbnbb.exec:\tnbnbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\ffrlrlx.exec:\ffrlrlx.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\tbhhbh.exec:\tbhhbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\1ppjp.exec:\1ppjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\hhnnhn.exec:\hhnnhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\vdpvj.exec:\vdpvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\frxlrlf.exec:\frxlrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\hbthth.exec:\hbthth.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\lxlrxfx.exec:\lxlrxfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\hbtnbt.exec:\hbtnbt.exe23⤵
- Executes dropped EXE
PID:2516 -
\??\c:\9vvjd.exec:\9vvjd.exe24⤵
- Executes dropped EXE
PID:4412 -
\??\c:\pdvjv.exec:\pdvjv.exe25⤵
- Executes dropped EXE
PID:2108 -
\??\c:\nbtntn.exec:\nbtntn.exe26⤵
- Executes dropped EXE
PID:2620 -
\??\c:\vjjdp.exec:\vjjdp.exe27⤵
- Executes dropped EXE
PID:4820 -
\??\c:\rrllrfr.exec:\rrllrfr.exe28⤵
- Executes dropped EXE
PID:1436 -
\??\c:\pjdjj.exec:\pjdjj.exe29⤵
- Executes dropped EXE
PID:1608 -
\??\c:\pjjdv.exec:\pjjdv.exe30⤵
- Executes dropped EXE
PID:4616 -
\??\c:\3vpjd.exec:\3vpjd.exe31⤵
- Executes dropped EXE
PID:456 -
\??\c:\xlrlxlr.exec:\xlrlxlr.exe32⤵
- Executes dropped EXE
PID:3560 -
\??\c:\1vvjd.exec:\1vvjd.exe33⤵
- Executes dropped EXE
PID:2720 -
\??\c:\hhhhhh.exec:\hhhhhh.exe34⤵
- Executes dropped EXE
PID:4480 -
\??\c:\vvvpd.exec:\vvvpd.exe35⤵
- Executes dropped EXE
PID:4156 -
\??\c:\xrlxxrf.exec:\xrlxxrf.exe36⤵
- Executes dropped EXE
PID:4572 -
\??\c:\bnnbnn.exec:\bnnbnn.exe37⤵
- Executes dropped EXE
PID:3308 -
\??\c:\jdvpd.exec:\jdvpd.exe38⤵
- Executes dropped EXE
PID:1520 -
\??\c:\dddvp.exec:\dddvp.exe39⤵
- Executes dropped EXE
PID:4980 -
\??\c:\llxrlxx.exec:\llxrlxx.exe40⤵
- Executes dropped EXE
PID:528 -
\??\c:\pjjdp.exec:\pjjdp.exe41⤵
- Executes dropped EXE
PID:1168 -
\??\c:\3thbtn.exec:\3thbtn.exe42⤵
- Executes dropped EXE
PID:2920 -
\??\c:\dpppv.exec:\dpppv.exe43⤵
- Executes dropped EXE
PID:228 -
\??\c:\3ffrxrl.exec:\3ffrxrl.exe44⤵
- Executes dropped EXE
PID:3564 -
\??\c:\thhthb.exec:\thhthb.exe45⤵
- Executes dropped EXE
PID:4936 -
\??\c:\1vvvd.exec:\1vvvd.exe46⤵
- Executes dropped EXE
PID:4748 -
\??\c:\lflrffx.exec:\lflrffx.exe47⤵
- Executes dropped EXE
PID:2272 -
\??\c:\hnnntt.exec:\hnnntt.exe48⤵
- Executes dropped EXE
PID:1800 -
\??\c:\vvvjv.exec:\vvvjv.exe49⤵PID:4416
-
\??\c:\xrxrllf.exec:\xrxrllf.exe50⤵
- Executes dropped EXE
PID:4576 -
\??\c:\3llfxrl.exec:\3llfxrl.exe51⤵
- Executes dropped EXE
PID:2796 -
\??\c:\1hbtnh.exec:\1hbtnh.exe52⤵
- Executes dropped EXE
PID:2684 -
\??\c:\ppdvp.exec:\ppdvp.exe53⤵
- Executes dropped EXE
PID:4976 -
\??\c:\xrxxffx.exec:\xrxxffx.exe54⤵
- Executes dropped EXE
PID:2436 -
\??\c:\rflxlfr.exec:\rflxlfr.exe55⤵
- Executes dropped EXE
PID:2908 -
\??\c:\3btnhh.exec:\3btnhh.exe56⤵
- Executes dropped EXE
PID:2836 -
\??\c:\1ddvd.exec:\1ddvd.exe57⤵
- Executes dropped EXE
PID:4148 -
\??\c:\bhhtnb.exec:\bhhtnb.exe58⤵
- Executes dropped EXE
PID:2892 -
\??\c:\dvdpj.exec:\dvdpj.exe59⤵
- Executes dropped EXE
PID:2656 -
\??\c:\djppp.exec:\djppp.exe60⤵
- Executes dropped EXE
PID:2888 -
\??\c:\7flxxrr.exec:\7flxxrr.exe61⤵
- Executes dropped EXE
PID:2820 -
\??\c:\5thttt.exec:\5thttt.exe62⤵
- Executes dropped EXE
PID:3588 -
\??\c:\nhhhbh.exec:\nhhhbh.exe63⤵
- Executes dropped EXE
PID:4912 -
\??\c:\vvdvd.exec:\vvdvd.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2140 -
\??\c:\rrrllfr.exec:\rrrllfr.exe65⤵
- Executes dropped EXE
PID:3236 -
\??\c:\hntnnb.exec:\hntnnb.exe66⤵
- Executes dropped EXE
PID:1056 -
\??\c:\dpvjd.exec:\dpvjd.exe67⤵PID:2600
-
\??\c:\jvdpd.exec:\jvdpd.exe68⤵PID:3220
-
\??\c:\ffxrlxr.exec:\ffxrlxr.exe69⤵PID:3988
-
\??\c:\nhbthb.exec:\nhbthb.exe70⤵PID:4088
-
\??\c:\vjjvj.exec:\vjjvj.exe71⤵PID:3600
-
\??\c:\jvjdv.exec:\jvjdv.exe72⤵PID:4784
-
\??\c:\xfrlffx.exec:\xfrlffx.exe73⤵PID:1368
-
\??\c:\bnhbnb.exec:\bnhbnb.exe74⤵
- System Location Discovery: System Language Discovery
PID:5024 -
\??\c:\dvjdv.exec:\dvjdv.exe75⤵PID:60
-
\??\c:\pppjj.exec:\pppjj.exe76⤵PID:5088
-
\??\c:\nhnhtn.exec:\nhnhtn.exe77⤵PID:3592
-
\??\c:\bhthtt.exec:\bhthtt.exe78⤵PID:1136
-
\??\c:\3pjvp.exec:\3pjvp.exe79⤵PID:1904
-
\??\c:\lfxrrrl.exec:\lfxrrrl.exe80⤵PID:5000
-
\??\c:\5thtnn.exec:\5thtnn.exe81⤵PID:4528
-
\??\c:\vpddv.exec:\vpddv.exe82⤵PID:2420
-
\??\c:\djdvp.exec:\djdvp.exe83⤵PID:4508
-
\??\c:\xxrlffx.exec:\xxrlffx.exe84⤵PID:4592
-
\??\c:\btnhbt.exec:\btnhbt.exe85⤵PID:3932
-
\??\c:\bhnbbt.exec:\bhnbbt.exe86⤵PID:2512
-
\??\c:\pjpvj.exec:\pjpvj.exe87⤵PID:2380
-
\??\c:\rfxlrll.exec:\rfxlrll.exe88⤵PID:1436
-
\??\c:\nnnhtn.exec:\nnnhtn.exe89⤵PID:4552
-
\??\c:\djjdv.exec:\djjdv.exe90⤵PID:1300
-
\??\c:\jddvp.exec:\jddvp.exe91⤵
- System Location Discovery: System Language Discovery
PID:4616 -
\??\c:\frxlrlf.exec:\frxlrlf.exe92⤵PID:456
-
\??\c:\1nnhtn.exec:\1nnhtn.exe93⤵PID:2384
-
\??\c:\hhbhbh.exec:\hhbhbh.exe94⤵PID:4796
-
\??\c:\vjdvj.exec:\vjdvj.exe95⤵PID:2304
-
\??\c:\lflfxrl.exec:\lflfxrl.exe96⤵PID:4932
-
\??\c:\hhtnht.exec:\hhtnht.exe97⤵PID:3680
-
\??\c:\djpjd.exec:\djpjd.exe98⤵PID:3548
-
\??\c:\3frlllr.exec:\3frlllr.exe99⤵PID:5084
-
\??\c:\nttntn.exec:\nttntn.exe100⤵PID:2844
-
\??\c:\tnnbnh.exec:\tnnbnh.exe101⤵PID:2060
-
\??\c:\vpdpd.exec:\vpdpd.exe102⤵PID:4920
-
\??\c:\flfrfxl.exec:\flfrfxl.exe103⤵PID:528
-
\??\c:\xlrxlxl.exec:\xlrxlxl.exe104⤵PID:452
-
\??\c:\hbtnhh.exec:\hbtnhh.exe105⤵PID:3008
-
\??\c:\vvpdp.exec:\vvpdp.exe106⤵PID:628
-
\??\c:\pjdpv.exec:\pjdpv.exe107⤵PID:3416
-
\??\c:\fffffll.exec:\fffffll.exe108⤵PID:876
-
\??\c:\nbthbt.exec:\nbthbt.exe109⤵PID:4392
-
\??\c:\dpppj.exec:\dpppj.exe110⤵PID:4316
-
\??\c:\frxrrlf.exec:\frxrrlf.exe111⤵PID:2204
-
\??\c:\nhhthb.exec:\nhhthb.exe112⤵PID:2320
-
\??\c:\vppdp.exec:\vppdp.exe113⤵PID:1888
-
\??\c:\1pvdv.exec:\1pvdv.exe114⤵PID:3620
-
\??\c:\xrlxfxl.exec:\xrlxfxl.exe115⤵PID:2092
-
\??\c:\btthnh.exec:\btthnh.exe116⤵PID:4568
-
\??\c:\9dvjv.exec:\9dvjv.exe117⤵PID:2960
-
\??\c:\vpvdp.exec:\vpvdp.exe118⤵PID:3664
-
\??\c:\7fxrffx.exec:\7fxrffx.exe119⤵PID:1160
-
\??\c:\nhbnht.exec:\nhbnht.exe120⤵PID:3188
-
\??\c:\jpvpj.exec:\jpvpj.exe121⤵PID:5108
-
\??\c:\fxxrfxx.exec:\fxxrfxx.exe122⤵PID:4864