Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 23:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6a25a0da1a19632b59f23b6303ff81d01f7c39d8bf8ba14e9c5c49536c910ca4.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
6a25a0da1a19632b59f23b6303ff81d01f7c39d8bf8ba14e9c5c49536c910ca4.exe
-
Size
455KB
-
MD5
b8b732ea10e540fc99ce1c29806f5fab
-
SHA1
f62256f4446623914bcfc54f6bb20377dfb33366
-
SHA256
6a25a0da1a19632b59f23b6303ff81d01f7c39d8bf8ba14e9c5c49536c910ca4
-
SHA512
dfa003aa580f09c4d571e97e39c2604a6cc62c95fe4a786873dc97b4a544cf9b2772f58b6603479af8ab266c4b452db96e514e4b8c09abfeff557ad37474d4d2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRK:q7Tc2NYHUrAwfMp3CDRK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5048-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1952-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2424-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-800-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-880-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-939-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-1141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/872-1569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4560 5bhhhh.exe 468 vdjjd.exe 1692 rfrrrxf.exe 3728 fxrrrrr.exe 4672 tbtthn.exe 916 lxfxxxx.exe 1124 djjdd.exe 4288 nnnnnt.exe 4736 bthbtt.exe 3532 9hntbb.exe 3668 jdjdd.exe 2712 vjvpj.exe 2304 1rlffxx.exe 5088 ddddp.exe 5052 5bnhbb.exe 1732 jjvvp.exe 1476 ffrrxxr.exe 1760 hhtttt.exe 1924 dddvp.exe 4636 xrxxrrr.exe 1528 ppvdp.exe 3064 1frfxrl.exe 968 pvddv.exe 1664 dpdvv.exe 3760 rlxrrlf.exe 2924 3nnhbh.exe 1952 jdddv.exe 3032 3fxxxff.exe 1056 hbhhhh.exe 3360 3vpjj.exe 2108 9bhhbh.exe 1228 bhtttn.exe 4444 3jvpj.exe 4628 ttbtnh.exe 4316 bnnhhn.exe 4368 lxlfrrl.exe 3112 ntbbbb.exe 3132 5jjdp.exe 4652 jpjdv.exe 636 5rrlflf.exe 2040 nbbbtb.exe 2220 pdpjv.exe 1492 xfflrlf.exe 4648 jjpvp.exe 4640 rrxrlff.exe 1076 1xfxffx.exe 1288 hhttbh.exe 1556 jdjdj.exe 2216 7llflll.exe 3136 ttttnn.exe 3292 vdjdd.exe 2232 fxxrlll.exe 3928 nhnhbb.exe 4964 jpjpv.exe 4544 vvddj.exe 3364 bthbtt.exe 1332 hnhhtb.exe 3932 rxllfff.exe 4856 xxflxfx.exe 1160 tbhhbn.exe 3140 dpddp.exe 2936 lfrllfx.exe 4736 hthbbt.exe 1620 vpjdd.exe -
resource yara_rule behavioral2/memory/5048-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-186-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4444-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-386-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4620-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-849-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-880-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-887-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffrll.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5048 wrote to memory of 4560 5048 6a25a0da1a19632b59f23b6303ff81d01f7c39d8bf8ba14e9c5c49536c910ca4.exe 82 PID 5048 wrote to memory of 4560 5048 6a25a0da1a19632b59f23b6303ff81d01f7c39d8bf8ba14e9c5c49536c910ca4.exe 82 PID 5048 wrote to memory of 4560 5048 6a25a0da1a19632b59f23b6303ff81d01f7c39d8bf8ba14e9c5c49536c910ca4.exe 82 PID 4560 wrote to memory of 468 4560 5bhhhh.exe 83 PID 4560 wrote to memory of 468 4560 5bhhhh.exe 83 PID 4560 wrote to memory of 468 4560 5bhhhh.exe 83 PID 468 wrote to memory of 1692 468 vdjjd.exe 84 PID 468 wrote to memory of 1692 468 vdjjd.exe 84 PID 468 wrote to memory of 1692 468 vdjjd.exe 84 PID 1692 wrote to memory of 3728 1692 rfrrrxf.exe 85 PID 1692 wrote to memory of 3728 1692 rfrrrxf.exe 85 PID 1692 wrote to memory of 3728 1692 rfrrrxf.exe 85 PID 3728 wrote to memory of 4672 3728 fxrrrrr.exe 86 PID 3728 wrote to memory of 4672 3728 fxrrrrr.exe 86 PID 3728 wrote to memory of 4672 3728 fxrrrrr.exe 86 PID 4672 wrote to memory of 916 4672 tbtthn.exe 87 PID 4672 wrote to memory of 916 4672 tbtthn.exe 87 PID 4672 wrote to memory of 916 4672 tbtthn.exe 87 PID 916 wrote to memory of 1124 916 lxfxxxx.exe 88 PID 916 wrote to memory of 1124 916 lxfxxxx.exe 88 PID 916 wrote to memory of 1124 916 lxfxxxx.exe 88 PID 1124 wrote to memory of 4288 1124 djjdd.exe 89 PID 1124 wrote to memory of 4288 1124 djjdd.exe 89 PID 1124 wrote to memory of 4288 1124 djjdd.exe 89 PID 4288 wrote to memory of 4736 4288 nnnnnt.exe 90 PID 4288 wrote to memory of 4736 4288 nnnnnt.exe 90 PID 4288 wrote to memory of 4736 4288 nnnnnt.exe 90 PID 4736 wrote to memory of 3532 4736 bthbtt.exe 91 PID 4736 wrote to memory of 3532 4736 bthbtt.exe 91 PID 4736 wrote to memory of 3532 4736 bthbtt.exe 91 PID 3532 wrote to memory of 3668 3532 9hntbb.exe 92 PID 3532 wrote to memory of 3668 3532 9hntbb.exe 92 PID 3532 wrote to memory of 3668 3532 9hntbb.exe 92 PID 3668 wrote to memory of 2712 3668 jdjdd.exe 93 PID 3668 wrote to memory of 2712 
3668 jdjdd.exe 93 PID 3668 wrote to memory of 2712 3668 jdjdd.exe 93 PID 2712 wrote to memory of 2304 2712 vjvpj.exe 94 PID 2712 wrote to memory of 2304 2712 vjvpj.exe 94 PID 2712 wrote to memory of 2304 2712 vjvpj.exe 94 PID 2304 wrote to memory of 5088 2304 1rlffxx.exe 95 PID 2304 wrote to memory of 5088 2304 1rlffxx.exe 95 PID 2304 wrote to memory of 5088 2304 1rlffxx.exe 95 PID 5088 wrote to memory of 5052 5088 ddddp.exe 96 PID 5088 wrote to memory of 5052 5088 ddddp.exe 96 PID 5088 wrote to memory of 5052 5088 ddddp.exe 96 PID 5052 wrote to memory of 1732 5052 5bnhbb.exe 97 PID 5052 wrote to memory of 1732 5052 5bnhbb.exe 97 PID 5052 wrote to memory of 1732 5052 5bnhbb.exe 97 PID 1732 wrote to memory of 1476 1732 jjvvp.exe 98 PID 1732 wrote to memory of 1476 1732 jjvvp.exe 98 PID 1732 wrote to memory of 1476 1732 jjvvp.exe 98 PID 1476 wrote to memory of 1760 1476 ffrrxxr.exe 99 PID 1476 wrote to memory of 1760 1476 ffrrxxr.exe 99 PID 1476 wrote to memory of 1760 1476 ffrrxxr.exe 99 PID 1760 wrote to memory of 1924 1760 hhtttt.exe 100 PID 1760 wrote to memory of 1924 1760 hhtttt.exe 100 PID 1760 wrote to memory of 1924 1760 hhtttt.exe 100 PID 1924 wrote to memory of 4636 1924 dddvp.exe 101 PID 1924 wrote to memory of 4636 1924 dddvp.exe 101 PID 1924 wrote to memory of 4636 1924 dddvp.exe 101 PID 4636 wrote to memory of 1528 4636 xrxxrrr.exe 102 PID 4636 wrote to memory of 1528 4636 xrxxrrr.exe 102 PID 4636 wrote to memory of 1528 4636 xrxxrrr.exe 102 PID 1528 wrote to memory of 3064 1528 ppvdp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a25a0da1a19632b59f23b6303ff81d01f7c39d8bf8ba14e9c5c49536c910ca4.exe"C:\Users\Admin\AppData\Local\Temp\6a25a0da1a19632b59f23b6303ff81d01f7c39d8bf8ba14e9c5c49536c910ca4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\5bhhhh.exec:\5bhhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\vdjjd.exec:\vdjjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\rfrrrxf.exec:\rfrrrxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\fxrrrrr.exec:\fxrrrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\tbtthn.exec:\tbtthn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\lxfxxxx.exec:\lxfxxxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\djjdd.exec:\djjdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\nnnnnt.exec:\nnnnnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\bthbtt.exec:\bthbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\9hntbb.exec:\9hntbb.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\jdjdd.exec:\jdjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\vjvpj.exec:\vjvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\1rlffxx.exec:\1rlffxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\ddddp.exec:\ddddp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\5bnhbb.exec:\5bnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\jjvvp.exec:\jjvvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\ffrrxxr.exec:\ffrrxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\hhtttt.exec:\hhtttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\dddvp.exec:\dddvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\ppvdp.exec:\ppvdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\1frfxrl.exec:\1frfxrl.exe23⤵
- Executes dropped EXE
PID:3064 -
\??\c:\pvddv.exec:\pvddv.exe24⤵
- Executes dropped EXE
PID:968 -
\??\c:\dpdvv.exec:\dpdvv.exe25⤵
- Executes dropped EXE
PID:1664 -
\??\c:\rlxrrlf.exec:\rlxrrlf.exe26⤵
- Executes dropped EXE
PID:3760 -
\??\c:\3nnhbh.exec:\3nnhbh.exe27⤵
- Executes dropped EXE
PID:2924 -
\??\c:\jdddv.exec:\jdddv.exe28⤵
- Executes dropped EXE
PID:1952 -
\??\c:\3fxxxff.exec:\3fxxxff.exe29⤵
- Executes dropped EXE
PID:3032 -
\??\c:\hbhhhh.exec:\hbhhhh.exe30⤵
- Executes dropped EXE
PID:1056 -
\??\c:\3vpjj.exec:\3vpjj.exe31⤵
- Executes dropped EXE
PID:3360 -
\??\c:\9bhhbh.exec:\9bhhbh.exe32⤵
- Executes dropped EXE
PID:2108 -
\??\c:\bhtttn.exec:\bhtttn.exe33⤵
- Executes dropped EXE
PID:1228 -
\??\c:\3jvpj.exec:\3jvpj.exe34⤵
- Executes dropped EXE
PID:4444 -
\??\c:\ttbtnh.exec:\ttbtnh.exe35⤵
- Executes dropped EXE
PID:4628 -
\??\c:\bnnhhn.exec:\bnnhhn.exe36⤵
- Executes dropped EXE
PID:4316 -
\??\c:\lxlfrrl.exec:\lxlfrrl.exe37⤵
- Executes dropped EXE
PID:4368 -
\??\c:\ntbbbb.exec:\ntbbbb.exe38⤵
- Executes dropped EXE
PID:3112 -
\??\c:\5jjdp.exec:\5jjdp.exe39⤵
- Executes dropped EXE
PID:3132 -
\??\c:\jpjdv.exec:\jpjdv.exe40⤵
- Executes dropped EXE
PID:4652 -
\??\c:\5rrlflf.exec:\5rrlflf.exe41⤵
- Executes dropped EXE
PID:636 -
\??\c:\nbbbtb.exec:\nbbbtb.exe42⤵
- Executes dropped EXE
PID:2040 -
\??\c:\pdpjv.exec:\pdpjv.exe43⤵
- Executes dropped EXE
PID:2220 -
\??\c:\xfflrlf.exec:\xfflrlf.exe44⤵
- Executes dropped EXE
PID:1492 -
\??\c:\jjpvp.exec:\jjpvp.exe45⤵
- Executes dropped EXE
PID:4648 -
\??\c:\rrxrlff.exec:\rrxrlff.exe46⤵
- Executes dropped EXE
PID:4640 -
\??\c:\1xfxffx.exec:\1xfxffx.exe47⤵
- Executes dropped EXE
PID:1076 -
\??\c:\hhttbh.exec:\hhttbh.exe48⤵
- Executes dropped EXE
PID:1288 -
\??\c:\jdjdj.exec:\jdjdj.exe49⤵
- Executes dropped EXE
PID:1556 -
\??\c:\ppvvv.exec:\ppvvv.exe50⤵PID:1864
-
\??\c:\7llflll.exec:\7llflll.exe51⤵
- Executes dropped EXE
PID:2216 -
\??\c:\ttttnn.exec:\ttttnn.exe52⤵
- Executes dropped EXE
PID:3136 -
\??\c:\vdjdd.exec:\vdjdd.exe53⤵
- Executes dropped EXE
PID:3292 -
\??\c:\fxxrlll.exec:\fxxrlll.exe54⤵
- Executes dropped EXE
PID:2232 -
\??\c:\nhnhbb.exec:\nhnhbb.exe55⤵
- Executes dropped EXE
PID:3928 -
\??\c:\jpjpv.exec:\jpjpv.exe56⤵
- Executes dropped EXE
PID:4964 -
\??\c:\vvddj.exec:\vvddj.exe57⤵
- Executes dropped EXE
PID:4544 -
\??\c:\bthbtt.exec:\bthbtt.exe58⤵
- Executes dropped EXE
PID:3364 -
\??\c:\hnhhtb.exec:\hnhhtb.exe59⤵
- Executes dropped EXE
PID:1332 -
\??\c:\rxllfff.exec:\rxllfff.exe60⤵
- Executes dropped EXE
PID:3932 -
\??\c:\xxflxfx.exec:\xxflxfx.exe61⤵
- Executes dropped EXE
PID:4856 -
\??\c:\tbhhbn.exec:\tbhhbn.exe62⤵
- Executes dropped EXE
PID:1160 -
\??\c:\dpddp.exec:\dpddp.exe63⤵
- Executes dropped EXE
PID:3140 -
\??\c:\lfrllfx.exec:\lfrllfx.exe64⤵
- Executes dropped EXE
PID:2936 -
\??\c:\hthbbt.exec:\hthbbt.exe65⤵
- Executes dropped EXE
PID:4736 -
\??\c:\vpjdd.exec:\vpjdd.exe66⤵
- Executes dropped EXE
PID:1620 -
\??\c:\rflrlll.exec:\rflrlll.exe67⤵PID:2144
-
\??\c:\lrfffff.exec:\lrfffff.exe68⤵PID:3668
-
\??\c:\ttbnhb.exec:\ttbnhb.exe69⤵PID:2092
-
\??\c:\vpdjd.exec:\vpdjd.exe70⤵PID:2036
-
\??\c:\llxxlll.exec:\llxxlll.exe71⤵PID:4944
-
\??\c:\nbhbbb.exec:\nbhbbb.exe72⤵PID:5088
-
\??\c:\dvdjd.exec:\dvdjd.exe73⤵PID:2768
-
\??\c:\lfllllr.exec:\lfllllr.exe74⤵PID:2488
-
\??\c:\xrfrffr.exec:\xrfrffr.exe75⤵PID:1120
-
\??\c:\nbhhbb.exec:\nbhhbb.exe76⤵PID:2412
-
\??\c:\jpdvp.exec:\jpdvp.exe77⤵PID:3168
-
\??\c:\fxllxxx.exec:\fxllxxx.exe78⤵PID:2424
-
\??\c:\1bnnhh.exec:\1bnnhh.exe79⤵PID:3816
-
\??\c:\dvdvj.exec:\dvdvj.exe80⤵PID:1388
-
\??\c:\xfrlffx.exec:\xfrlffx.exe81⤵PID:1528
-
\??\c:\thtnhh.exec:\thtnhh.exe82⤵PID:4128
-
\??\c:\jdjjd.exec:\jdjjd.exe83⤵PID:1396
-
\??\c:\rflfxrl.exec:\rflfxrl.exe84⤵PID:3812
-
\??\c:\tnnbbh.exec:\tnnbbh.exe85⤵PID:1328
-
\??\c:\jpjjp.exec:\jpjjp.exe86⤵PID:2776
-
\??\c:\tntbbb.exec:\tntbbb.exe87⤵PID:3100
-
\??\c:\9bhbtt.exec:\9bhbtt.exe88⤵PID:4576
-
\??\c:\1dvvj.exec:\1dvvj.exe89⤵PID:1208
-
\??\c:\flrlfxr.exec:\flrlfxr.exe90⤵PID:3032
-
\??\c:\7nhhhh.exec:\7nhhhh.exe91⤵PID:4440
-
\??\c:\7dvvj.exec:\7dvvj.exe92⤵
- System Location Discovery: System Language Discovery
PID:4228 -
\??\c:\llffxxr.exec:\llffxxr.exe93⤵PID:1084
-
\??\c:\hbbbtt.exec:\hbbbtt.exe94⤵PID:2012
-
\??\c:\vpvvd.exec:\vpvvd.exe95⤵PID:2720
-
\??\c:\djvpp.exec:\djvpp.exe96⤵PID:4620
-
\??\c:\lxxrrrr.exec:\lxxrrrr.exe97⤵PID:4908
-
\??\c:\bbnhnn.exec:\bbnhnn.exe98⤵PID:3984
-
\??\c:\vjvjj.exec:\vjvjj.exe99⤵PID:3048
-
\??\c:\jjvpp.exec:\jjvpp.exe100⤵PID:3184
-
\??\c:\xxfrfxx.exec:\xxfrfxx.exe101⤵PID:4168
-
\??\c:\1bhthh.exec:\1bhthh.exe102⤵PID:4296
-
\??\c:\jpdvp.exec:\jpdvp.exe103⤵PID:3336
-
\??\c:\xfxxrxf.exec:\xfxxrxf.exe104⤵PID:636
-
\??\c:\frxxxxx.exec:\frxxxxx.exe105⤵PID:2340
-
\??\c:\pvdvd.exec:\pvdvd.exe106⤵PID:3432
-
\??\c:\pvjdv.exec:\pvjdv.exe107⤵PID:4304
-
\??\c:\lffxlrf.exec:\lffxlrf.exe108⤵PID:1944
-
\??\c:\hbhnhh.exec:\hbhnhh.exe109⤵PID:3692
-
\??\c:\jpdjd.exec:\jpdjd.exe110⤵PID:3172
-
\??\c:\1ffxrll.exec:\1ffxrll.exe111⤵PID:1512
-
\??\c:\tbnnnn.exec:\tbnnnn.exe112⤵PID:4376
-
\??\c:\ddjpj.exec:\ddjpj.exe113⤵PID:5048
-
\??\c:\lxrfllx.exec:\lxrfllx.exe114⤵PID:3676
-
\??\c:\1hhhbb.exec:\1hhhbb.exe115⤵PID:2420
-
\??\c:\dvdjj.exec:\dvdjj.exe116⤵PID:3612
-
\??\c:\lflxffl.exec:\lflxffl.exe117⤵PID:2232
-
\??\c:\tnhbtt.exec:\tnhbtt.exe118⤵PID:3928
-
\??\c:\pjvpd.exec:\pjvpd.exe119⤵PID:4980
-
\??\c:\xrrxrlf.exec:\xrrxrlf.exe120⤵
- System Location Discovery: System Language Discovery
PID:4672 -
\??\c:\frxrllf.exec:\frxrllf.exe121⤵PID:464
-
\??\c:\bntttt.exec:\bntttt.exe122⤵PID:1332