Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
11-01-2025 06:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe
-
Size
454KB
-
MD5
f9d59d084833e8264cbdfde9a944e700
-
SHA1
3a2038a3abf2767b26bf712d1c02aa3b6a372c75
-
SHA256
6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732
-
SHA512
82e3b9ce842b926f836119c67239de19a87661c52c1f6a5d68051b7a48d16245669d74619064d9d2bf93f42335f17880da24c531ec31a85fdec984589829f022
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4748-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4680-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3320-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-1018-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-1262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4128 rfxfxfr.exe 1228 ppvpj.exe 2976 frfxxrx.exe 3600 hntnhb.exe 2768 pdjvp.exe 3188 rxfrrlf.exe 1364 tnhbtn.exe 116 hbnhnn.exe 460 llfllxx.exe 1144 7htnnb.exe 64 jdppp.exe 2252 htbtnn.exe 3716 rrrlllf.exe 1480 thbtnn.exe 4852 dvvpj.exe 444 lrxrfxr.exe 760 nhtnhb.exe 3888 jpvjj.exe 2840 ffxrlxr.exe 2328 tnnnhh.exe 3088 3jpjd.exe 4680 btbtbb.exe 2516 vjppj.exe 3732 lrrlfxr.exe 4024 fxrlxrx.exe 3340 rrrlfxr.exe 3584 rlrlffx.exe 4404 xxxrxxl.exe 3828 nthbnn.exe 396 3ddvp.exe 2704 ppjdv.exe 2888 lxxrxff.exe 4948 vppjj.exe 1184 rxrrlll.exe 1620 lffxrrl.exe 3400 hbnhbb.exe 2456 bttntt.exe 2540 pjvvd.exe 2000 3xxrllf.exe 2460 hbhbtn.exe 2176 dpjdv.exe 436 xlxrllx.exe 3884 3thnnh.exe 448 9ppjd.exe 3420 1pjvp.exe 4636 9ttbbn.exe 2268 bhnhbh.exe 60 3dpjv.exe 4480 5xxrllf.exe 4736 lllfffx.exe 3952 9hhbnn.exe 1428 bntbnb.exe 1228 7pjdv.exe 3832 xxxllff.exe 3320 hhnnhh.exe 1452 7nbthh.exe 4792 7ddvp.exe 1044 dpdvp.exe 1256 lflllfl.exe 312 hbbtbn.exe 5052 vvpdv.exe 2996 vpjjd.exe 3984 xlrrffr.exe 5076 tbttbh.exe -
resource yara_rule behavioral2/memory/4748-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4024-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-312-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3360-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-1018-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-1262-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlffx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4748 wrote to memory of 4128 4748 6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe 82 PID 4748 wrote to memory of 4128 4748 6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe 82 PID 4748 wrote to memory of 4128 4748 6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe 82 PID 4128 wrote to memory of 1228 4128 rfxfxfr.exe 83 PID 4128 wrote to memory of 1228 4128 rfxfxfr.exe 83 PID 4128 wrote to memory of 1228 4128 rfxfxfr.exe 83 PID 1228 wrote to memory of 2976 1228 ppvpj.exe 84 PID 1228 wrote to memory of 2976 1228 ppvpj.exe 84 PID 1228 wrote to memory of 2976 1228 ppvpj.exe 84 PID 2976 wrote to memory of 3600 2976 frfxxrx.exe 85 PID 2976 wrote to memory of 3600 2976 frfxxrx.exe 85 PID 2976 wrote to memory of 3600 2976 frfxxrx.exe 85 PID 3600 wrote to memory of 2768 3600 hntnhb.exe 86 PID 3600 wrote to memory of 2768 3600 hntnhb.exe 86 PID 3600 wrote to memory of 2768 3600 hntnhb.exe 86 PID 2768 wrote to memory of 3188 2768 pdjvp.exe 87 PID 2768 wrote to memory of 3188 2768 pdjvp.exe 87 PID 2768 wrote to memory of 3188 2768 pdjvp.exe 87 PID 3188 wrote to memory of 1364 3188 rxfrrlf.exe 88 PID 3188 wrote to memory of 1364 3188 rxfrrlf.exe 88 PID 3188 wrote to memory of 1364 3188 rxfrrlf.exe 88 PID 1364 wrote to memory of 116 1364 tnhbtn.exe 89 PID 1364 wrote to memory of 116 1364 tnhbtn.exe 89 PID 1364 wrote to memory of 116 1364 tnhbtn.exe 89 PID 116 wrote to memory of 460 116 hbnhnn.exe 90 PID 116 wrote to memory of 460 116 hbnhnn.exe 90 PID 116 wrote to memory of 460 116 hbnhnn.exe 90 PID 460 wrote to memory of 1144 460 llfllxx.exe 91 PID 460 wrote to memory of 1144 460 llfllxx.exe 91 PID 460 wrote to memory of 1144 460 llfllxx.exe 91 PID 1144 wrote to memory of 64 1144 7htnnb.exe 92 PID 1144 wrote to memory of 64 1144 7htnnb.exe 92 PID 1144 wrote to memory of 64 1144 7htnnb.exe 92 PID 64 wrote to memory of 2252 64 jdppp.exe 93 PID 64 wrote to memory of 2252 64 
jdppp.exe 93 PID 64 wrote to memory of 2252 64 jdppp.exe 93 PID 2252 wrote to memory of 3716 2252 htbtnn.exe 94 PID 2252 wrote to memory of 3716 2252 htbtnn.exe 94 PID 2252 wrote to memory of 3716 2252 htbtnn.exe 94 PID 3716 wrote to memory of 1480 3716 rrrlllf.exe 95 PID 3716 wrote to memory of 1480 3716 rrrlllf.exe 95 PID 3716 wrote to memory of 1480 3716 rrrlllf.exe 95 PID 1480 wrote to memory of 4852 1480 thbtnn.exe 96 PID 1480 wrote to memory of 4852 1480 thbtnn.exe 96 PID 1480 wrote to memory of 4852 1480 thbtnn.exe 96 PID 4852 wrote to memory of 444 4852 dvvpj.exe 97 PID 4852 wrote to memory of 444 4852 dvvpj.exe 97 PID 4852 wrote to memory of 444 4852 dvvpj.exe 97 PID 444 wrote to memory of 760 444 lrxrfxr.exe 98 PID 444 wrote to memory of 760 444 lrxrfxr.exe 98 PID 444 wrote to memory of 760 444 lrxrfxr.exe 98 PID 760 wrote to memory of 3888 760 nhtnhb.exe 99 PID 760 wrote to memory of 3888 760 nhtnhb.exe 99 PID 760 wrote to memory of 3888 760 nhtnhb.exe 99 PID 3888 wrote to memory of 2840 3888 jpvjj.exe 100 PID 3888 wrote to memory of 2840 3888 jpvjj.exe 100 PID 3888 wrote to memory of 2840 3888 jpvjj.exe 100 PID 2840 wrote to memory of 2328 2840 ffxrlxr.exe 101 PID 2840 wrote to memory of 2328 2840 ffxrlxr.exe 101 PID 2840 wrote to memory of 2328 2840 ffxrlxr.exe 101 PID 2328 wrote to memory of 3088 2328 tnnnhh.exe 102 PID 2328 wrote to memory of 3088 2328 tnnnhh.exe 102 PID 2328 wrote to memory of 3088 2328 tnnnhh.exe 102 PID 3088 wrote to memory of 4680 3088 3jpjd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe"C:\Users\Admin\AppData\Local\Temp\6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\rfxfxfr.exec:\rfxfxfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\ppvpj.exec:\ppvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\frfxxrx.exec:\frfxxrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\hntnhb.exec:\hntnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\pdjvp.exec:\pdjvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\rxfrrlf.exec:\rxfrrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\tnhbtn.exec:\tnhbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\hbnhnn.exec:\hbnhnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\llfllxx.exec:\llfllxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
\??\c:\7htnnb.exec:\7htnnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\jdppp.exec:\jdppp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\htbtnn.exec:\htbtnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\rrrlllf.exec:\rrrlllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\thbtnn.exec:\thbtnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\dvvpj.exec:\dvvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\lrxrfxr.exec:\lrxrfxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\nhtnhb.exec:\nhtnhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\jpvjj.exec:\jpvjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\ffxrlxr.exec:\ffxrlxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\tnnnhh.exec:\tnnnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\3jpjd.exec:\3jpjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\btbtbb.exec:\btbtbb.exe23⤵
- Executes dropped EXE
PID:4680 -
\??\c:\vjppj.exec:\vjppj.exe24⤵
- Executes dropped EXE
PID:2516 -
\??\c:\lrrlfxr.exec:\lrrlfxr.exe25⤵
- Executes dropped EXE
PID:3732 -
\??\c:\fxrlxrx.exec:\fxrlxrx.exe26⤵
- Executes dropped EXE
PID:4024 -
\??\c:\rrrlfxr.exec:\rrrlfxr.exe27⤵
- Executes dropped EXE
PID:3340 -
\??\c:\rlrlffx.exec:\rlrlffx.exe28⤵
- Executes dropped EXE
PID:3584 -
\??\c:\xxxrxxl.exec:\xxxrxxl.exe29⤵
- Executes dropped EXE
PID:4404 -
\??\c:\nthbnn.exec:\nthbnn.exe30⤵
- Executes dropped EXE
PID:3828 -
\??\c:\3ddvp.exec:\3ddvp.exe31⤵
- Executes dropped EXE
PID:396 -
\??\c:\ppjdv.exec:\ppjdv.exe32⤵
- Executes dropped EXE
PID:2704 -
\??\c:\lxxrxff.exec:\lxxrxff.exe33⤵
- Executes dropped EXE
PID:2888 -
\??\c:\vppjj.exec:\vppjj.exe34⤵
- Executes dropped EXE
PID:4948 -
\??\c:\rxrrlll.exec:\rxrrlll.exe35⤵
- Executes dropped EXE
PID:1184 -
\??\c:\lffxrrl.exec:\lffxrrl.exe36⤵
- Executes dropped EXE
PID:1620 -
\??\c:\hbnhbb.exec:\hbnhbb.exe37⤵
- Executes dropped EXE
PID:3400 -
\??\c:\bttntt.exec:\bttntt.exe38⤵
- Executes dropped EXE
PID:2456 -
\??\c:\pjvvd.exec:\pjvvd.exe39⤵
- Executes dropped EXE
PID:2540 -
\??\c:\3xxrllf.exec:\3xxrllf.exe40⤵
- Executes dropped EXE
PID:2000 -
\??\c:\hbhbtn.exec:\hbhbtn.exe41⤵
- Executes dropped EXE
PID:2460 -
\??\c:\dpjdv.exec:\dpjdv.exe42⤵
- Executes dropped EXE
PID:2176 -
\??\c:\xlxrllx.exec:\xlxrllx.exe43⤵
- Executes dropped EXE
PID:436 -
\??\c:\3thnnh.exec:\3thnnh.exe44⤵
- Executes dropped EXE
PID:3884 -
\??\c:\9ppjd.exec:\9ppjd.exe45⤵
- Executes dropped EXE
PID:448 -
\??\c:\1pjvp.exec:\1pjvp.exe46⤵
- Executes dropped EXE
PID:3420 -
\??\c:\9ttbbn.exec:\9ttbbn.exe47⤵
- Executes dropped EXE
PID:4636 -
\??\c:\bhnhbh.exec:\bhnhbh.exe48⤵
- Executes dropped EXE
PID:2268 -
\??\c:\3dpjv.exec:\3dpjv.exe49⤵
- Executes dropped EXE
PID:60 -
\??\c:\5xxrllf.exec:\5xxrllf.exe50⤵
- Executes dropped EXE
PID:4480 -
\??\c:\lllfffx.exec:\lllfffx.exe51⤵
- Executes dropped EXE
PID:4736 -
\??\c:\9hhbnn.exec:\9hhbnn.exe52⤵
- Executes dropped EXE
PID:3952 -
\??\c:\bntbnb.exec:\bntbnb.exe53⤵
- Executes dropped EXE
PID:1428 -
\??\c:\7pjdv.exec:\7pjdv.exe54⤵
- Executes dropped EXE
PID:1228 -
\??\c:\xxxllff.exec:\xxxllff.exe55⤵
- Executes dropped EXE
PID:3832 -
\??\c:\hhnnhh.exec:\hhnnhh.exe56⤵
- Executes dropped EXE
PID:3320 -
\??\c:\7nbthh.exec:\7nbthh.exe57⤵
- Executes dropped EXE
PID:1452 -
\??\c:\7ddvp.exec:\7ddvp.exe58⤵
- Executes dropped EXE
PID:4792 -
\??\c:\dpdvp.exec:\dpdvp.exe59⤵
- Executes dropped EXE
PID:1044 -
\??\c:\lflllfl.exec:\lflllfl.exe60⤵
- Executes dropped EXE
PID:1256 -
\??\c:\hbbtbn.exec:\hbbtbn.exe61⤵
- Executes dropped EXE
PID:312 -
\??\c:\vvpdv.exec:\vvpdv.exe62⤵
- Executes dropped EXE
PID:5052 -
\??\c:\vpjjd.exec:\vpjjd.exe63⤵
- Executes dropped EXE
PID:2996 -
\??\c:\xlrrffr.exec:\xlrrffr.exe64⤵
- Executes dropped EXE
PID:3984 -
\??\c:\tbttbh.exec:\tbttbh.exe65⤵
- Executes dropped EXE
PID:5076 -
\??\c:\dvvpj.exec:\dvvpj.exe66⤵PID:2444
-
\??\c:\pjpjd.exec:\pjpjd.exe67⤵PID:64
-
\??\c:\fffxlfx.exec:\fffxlfx.exe68⤵PID:3280
-
\??\c:\nhtbhn.exec:\nhtbhn.exe69⤵PID:4704
-
\??\c:\7pppp.exec:\7pppp.exe70⤵PID:2536
-
\??\c:\fxrlllf.exec:\fxrlllf.exe71⤵PID:3716
-
\??\c:\nbhbbt.exec:\nbhbbt.exe72⤵PID:3360
-
\??\c:\nthnhn.exec:\nthnhn.exe73⤵PID:2724
-
\??\c:\jvpjv.exec:\jvpjv.exe74⤵PID:1948
-
\??\c:\lflflfx.exec:\lflflfx.exe75⤵PID:2352
-
\??\c:\7flllrl.exec:\7flllrl.exe76⤵PID:1048
-
\??\c:\nnnhbb.exec:\nnnhbb.exe77⤵PID:760
-
\??\c:\ppjpp.exec:\ppjpp.exe78⤵PID:2660
-
\??\c:\rlrlfxx.exec:\rlrlfxx.exe79⤵PID:864
-
\??\c:\btbnnh.exec:\btbnnh.exe80⤵PID:1348
-
\??\c:\7nnnhn.exec:\7nnnhn.exe81⤵PID:2312
-
\??\c:\3jvpv.exec:\3jvpv.exe82⤵PID:2328
-
\??\c:\xxfxrrx.exec:\xxfxrrx.exe83⤵PID:2876
-
\??\c:\9fxxrfx.exec:\9fxxrfx.exe84⤵PID:1192
-
\??\c:\3nhnhn.exec:\3nhnhn.exe85⤵PID:4396
-
\??\c:\jjvdv.exec:\jjvdv.exe86⤵PID:872
-
\??\c:\vddvv.exec:\vddvv.exe87⤵PID:3732
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe88⤵PID:1980
-
\??\c:\bbtnnn.exec:\bbtnnn.exe89⤵PID:3288
-
\??\c:\bntnhh.exec:\bntnhh.exe90⤵PID:4964
-
\??\c:\vpvvp.exec:\vpvvp.exe91⤵PID:4864
-
\??\c:\xlrlllf.exec:\xlrlllf.exe92⤵PID:2808
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe93⤵PID:2412
-
\??\c:\bnttnn.exec:\bnttnn.exe94⤵PID:1304
-
\??\c:\pjjvp.exec:\pjjvp.exe95⤵PID:1812
-
\??\c:\jvdvp.exec:\jvdvp.exe96⤵PID:3172
-
\??\c:\rflfxfx.exec:\rflfxfx.exe97⤵PID:4808
-
\??\c:\tttnht.exec:\tttnht.exe98⤵PID:3724
-
\??\c:\dpjdv.exec:\dpjdv.exe99⤵PID:1592
-
\??\c:\jjppj.exec:\jjppj.exe100⤵PID:3788
-
\??\c:\ffxrlff.exec:\ffxrlff.exe101⤵PID:2248
-
\??\c:\3bbnhh.exec:\3bbnhh.exe102⤵PID:1888
-
\??\c:\1tbtnn.exec:\1tbtnn.exe103⤵
- System Location Discovery: System Language Discovery
PID:2892 -
\??\c:\dvjpj.exec:\dvjpj.exe104⤵PID:4696
-
\??\c:\lfllfrl.exec:\lfllfrl.exe105⤵PID:3016
-
\??\c:\rlrrffl.exec:\rlrrffl.exe106⤵PID:2084
-
\??\c:\3hhbtn.exec:\3hhbtn.exe107⤵PID:2680
-
\??\c:\vjpvp.exec:\vjpvp.exe108⤵PID:508
-
\??\c:\9dpjp.exec:\9dpjp.exe109⤵PID:2436
-
\??\c:\ffrfxxr.exec:\ffrfxxr.exe110⤵PID:3680
-
\??\c:\bnbnhb.exec:\bnbnhb.exe111⤵PID:2372
-
\??\c:\vdppj.exec:\vdppj.exe112⤵PID:4264
-
\??\c:\dvjvp.exec:\dvjvp.exe113⤵PID:4248
-
\??\c:\3frlrxr.exec:\3frlrxr.exe114⤵PID:4108
-
\??\c:\hhhbth.exec:\hhhbth.exe115⤵PID:4564
-
\??\c:\pvdvp.exec:\pvdvp.exe116⤵PID:4216
-
\??\c:\lffxrxl.exec:\lffxrxl.exe117⤵PID:4128
-
\??\c:\fxffxxx.exec:\fxffxxx.exe118⤵PID:3952
-
\??\c:\ttnhbb.exec:\ttnhbb.exe119⤵PID:2476
-
\??\c:\jdjjp.exec:\jdjjp.exe120⤵PID:1476
-
\??\c:\xxxrfxr.exec:\xxxrfxr.exe121⤵PID:1776
-
\??\c:\lfxlrxr.exec:\lfxlrxr.exe122⤵PID:3856
-