Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27/01/2025, 14:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe
-
Size
456KB
-
MD5
2613612a2a41da63f47c13019085c150
-
SHA1
2fd7f53b64cdc9cb50a66ec6c4dcb763c5aaf60c
-
SHA256
6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4d
-
SHA512
c3a0fd3cc9348cbcc5a3e1dac128f7fefbf46099f3d48279ac2f23fb4f8d5d7cc22473d3a48e9fbad162b3e236f1e0a03acbf6e1f4e5c012444f036f91c32acb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeSn:q7Tc2NYHUrAwfMp3CD+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2256-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4976-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3236-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-896-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-933-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-1073-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2144-1590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3140 lxxfrlx.exe 3388 5tbbnh.exe 3984 lfrlrlf.exe 3896 hbhbnb.exe 1396 jpdvp.exe 2688 rlfrxfr.exe 2756 bhhbnh.exe 3636 5ppjj.exe 2444 5lxlrrr.exe 3612 lrlxlxl.exe 2584 ntbnbt.exe 3464 9jdpd.exe 2468 frxrfxr.exe 4216 htnthn.exe 4296 3ddvj.exe 2276 5rrllfl.exe 2292 9tbnbn.exe 2992 jdpdp.exe 4984 1rrfxxr.exe 744 rlfrfxr.exe 3932 ththtn.exe 632 vjpdj.exe 456 vjdpv.exe 2708 7xlxffx.exe 1484 hnnbnh.exe 4500 nttntn.exe 756 ffrfxlx.exe 2164 xrlxlfr.exe 3952 hhhnbt.exe 4900 jvpdv.exe 4748 frlfxrl.exe 3960 nnthtn.exe 2272 vpjvp.exe 964 3pdpd.exe 832 lffrrll.exe 3812 nnhtnt.exe 1756 nnnbth.exe 3364 1pjvj.exe 2684 1ffrxrr.exe 1148 7lxlrlx.exe 2412 nhbnbt.exe 3684 nbthth.exe 3732 jvvjd.exe 4844 lxxllfr.exe 4976 xffxxlx.exe 4352 nthttt.exe 4336 tbthbn.exe 3332 pjjpj.exe 4616 lxfrlfx.exe 4592 tnbtht.exe 2796 hhbnbn.exe 4260 dvpdp.exe 3808 lflrrll.exe 4580 ntnbtn.exe 2168 bnhnbn.exe 1520 dpjvv.exe 1200 7ffrlfx.exe 3916 lxrfxlf.exe 4008 ntthhb.exe 4292 tnnbbt.exe 3012 ppvpv.exe 2444 pjdvj.exe 3192 xflfffx.exe 4960 fflxlfx.exe -
resource yara_rule behavioral2/memory/2256-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-237-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2684-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-383-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2320-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-693-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-708-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lflxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2256 wrote to memory of 3140 2256 6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe 82 PID 2256 wrote to memory of 3140 2256 6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe 82 PID 2256 wrote to memory of 3140 2256 6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe 82 PID 3140 wrote to memory of 3388 3140 lxxfrlx.exe 83 PID 3140 wrote to memory of 3388 3140 lxxfrlx.exe 83 PID 3140 wrote to memory of 3388 3140 lxxfrlx.exe 83 PID 3388 wrote to memory of 3984 3388 5tbbnh.exe 84 PID 3388 wrote to memory of 3984 3388 5tbbnh.exe 84 PID 3388 wrote to memory of 3984 3388 5tbbnh.exe 84 PID 3984 wrote to memory of 3896 3984 lfrlrlf.exe 85 PID 3984 wrote to memory of 3896 3984 lfrlrlf.exe 85 PID 3984 wrote to memory of 3896 3984 lfrlrlf.exe 85 PID 3896 wrote to memory of 1396 3896 hbhbnb.exe 86 PID 3896 wrote to memory of 1396 3896 hbhbnb.exe 86 PID 3896 wrote to memory of 1396 3896 hbhbnb.exe 86 PID 1396 wrote to memory of 2688 1396 jpdvp.exe 87 PID 1396 wrote to memory of 2688 1396 jpdvp.exe 87 PID 1396 wrote to memory of 2688 1396 jpdvp.exe 87 PID 2688 wrote to memory of 2756 2688 rlfrxfr.exe 88 PID 2688 wrote to memory of 2756 2688 rlfrxfr.exe 88 PID 2688 wrote to memory of 2756 2688 rlfrxfr.exe 88 PID 2756 wrote to memory of 3636 2756 bhhbnh.exe 89 PID 2756 wrote to memory of 3636 2756 bhhbnh.exe 89 PID 2756 wrote to memory of 3636 2756 bhhbnh.exe 89 PID 3636 wrote to memory of 2444 3636 5ppjj.exe 90 PID 3636 wrote to memory of 2444 3636 5ppjj.exe 90 PID 3636 wrote to memory of 2444 3636 5ppjj.exe 90 PID 2444 wrote to memory of 3612 2444 5lxlrrr.exe 91 PID 2444 wrote to memory of 3612 2444 5lxlrrr.exe 91 PID 2444 wrote to memory of 3612 2444 5lxlrrr.exe 91 PID 3612 wrote to memory of 2584 3612 lrlxlxl.exe 92 PID 3612 wrote to memory of 2584 3612 lrlxlxl.exe 92 PID 3612 wrote to memory of 2584 3612 lrlxlxl.exe 92 PID 2584 wrote to memory of 3464 2584 ntbnbt.exe 93 PID 
2584 wrote to memory of 3464 2584 ntbnbt.exe 93 PID 2584 wrote to memory of 3464 2584 ntbnbt.exe 93 PID 3464 wrote to memory of 2468 3464 9jdpd.exe 94 PID 3464 wrote to memory of 2468 3464 9jdpd.exe 94 PID 3464 wrote to memory of 2468 3464 9jdpd.exe 94 PID 2468 wrote to memory of 4216 2468 frxrfxr.exe 95 PID 2468 wrote to memory of 4216 2468 frxrfxr.exe 95 PID 2468 wrote to memory of 4216 2468 frxrfxr.exe 95 PID 4216 wrote to memory of 4296 4216 htnthn.exe 96 PID 4216 wrote to memory of 4296 4216 htnthn.exe 96 PID 4216 wrote to memory of 4296 4216 htnthn.exe 96 PID 4296 wrote to memory of 2276 4296 3ddvj.exe 97 PID 4296 wrote to memory of 2276 4296 3ddvj.exe 97 PID 4296 wrote to memory of 2276 4296 3ddvj.exe 97 PID 2276 wrote to memory of 2292 2276 5rrllfl.exe 98 PID 2276 wrote to memory of 2292 2276 5rrllfl.exe 98 PID 2276 wrote to memory of 2292 2276 5rrllfl.exe 98 PID 2292 wrote to memory of 2992 2292 9tbnbn.exe 99 PID 2292 wrote to memory of 2992 2292 9tbnbn.exe 99 PID 2292 wrote to memory of 2992 2292 9tbnbn.exe 99 PID 2992 wrote to memory of 4984 2992 jdpdp.exe 100 PID 2992 wrote to memory of 4984 2992 jdpdp.exe 100 PID 2992 wrote to memory of 4984 2992 jdpdp.exe 100 PID 4984 wrote to memory of 744 4984 1rrfxxr.exe 101 PID 4984 wrote to memory of 744 4984 1rrfxxr.exe 101 PID 4984 wrote to memory of 744 4984 1rrfxxr.exe 101 PID 744 wrote to memory of 3932 744 rlfrfxr.exe 102 PID 744 wrote to memory of 3932 744 rlfrfxr.exe 102 PID 744 wrote to memory of 3932 744 rlfrfxr.exe 102 PID 3932 wrote to memory of 632 3932 ththtn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe"C:\Users\Admin\AppData\Local\Temp\6e8716bf837e0f39bc2c63a2ee9d27cf7108591caf169d74c574b473d651df4dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\lxxfrlx.exec:\lxxfrlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\5tbbnh.exec:\5tbbnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\lfrlrlf.exec:\lfrlrlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\hbhbnb.exec:\hbhbnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\jpdvp.exec:\jpdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\rlfrxfr.exec:\rlfrxfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\bhhbnh.exec:\bhhbnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\5ppjj.exec:\5ppjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\5lxlrrr.exec:\5lxlrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\lrlxlxl.exec:\lrlxlxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\ntbnbt.exec:\ntbnbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\9jdpd.exec:\9jdpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\frxrfxr.exec:\frxrfxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\htnthn.exec:\htnthn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\3ddvj.exec:\3ddvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\5rrllfl.exec:\5rrllfl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\9tbnbn.exec:\9tbnbn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\jdpdp.exec:\jdpdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\1rrfxxr.exec:\1rrfxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\rlfrfxr.exec:\rlfrfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\ththtn.exec:\ththtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\vjpdj.exec:\vjpdj.exe23⤵
- Executes dropped EXE
PID:632 -
\??\c:\vjdpv.exec:\vjdpv.exe24⤵
- Executes dropped EXE
PID:456 -
\??\c:\7xlxffx.exec:\7xlxffx.exe25⤵
- Executes dropped EXE
PID:2708 -
\??\c:\hnnbnh.exec:\hnnbnh.exe26⤵
- Executes dropped EXE
PID:1484 -
\??\c:\nttntn.exec:\nttntn.exe27⤵
- Executes dropped EXE
PID:4500 -
\??\c:\ffrfxlx.exec:\ffrfxlx.exe28⤵
- Executes dropped EXE
PID:756 -
\??\c:\xrlxlfr.exec:\xrlxlfr.exe29⤵
- Executes dropped EXE
PID:2164 -
\??\c:\hhhnbt.exec:\hhhnbt.exe30⤵
- Executes dropped EXE
PID:3952 -
\??\c:\jvpdv.exec:\jvpdv.exe31⤵
- Executes dropped EXE
PID:4900 -
\??\c:\frlfxrl.exec:\frlfxrl.exe32⤵
- Executes dropped EXE
PID:4748 -
\??\c:\nnthtn.exec:\nnthtn.exe33⤵
- Executes dropped EXE
PID:3960 -
\??\c:\vpjvp.exec:\vpjvp.exe34⤵
- Executes dropped EXE
PID:2272 -
\??\c:\3pdpd.exec:\3pdpd.exe35⤵
- Executes dropped EXE
PID:964 -
\??\c:\lffrrll.exec:\lffrrll.exe36⤵
- Executes dropped EXE
PID:832 -
\??\c:\nnhtnt.exec:\nnhtnt.exe37⤵
- Executes dropped EXE
PID:3812 -
\??\c:\nnnbth.exec:\nnnbth.exe38⤵
- Executes dropped EXE
PID:1756 -
\??\c:\1pjvj.exec:\1pjvj.exe39⤵
- Executes dropped EXE
PID:3364 -
\??\c:\1ffrxrr.exec:\1ffrxrr.exe40⤵
- Executes dropped EXE
PID:2684 -
\??\c:\7lxlrlx.exec:\7lxlrlx.exe41⤵
- Executes dropped EXE
PID:1148 -
\??\c:\nhbnbt.exec:\nhbnbt.exe42⤵
- Executes dropped EXE
PID:2412 -
\??\c:\nbthth.exec:\nbthth.exe43⤵
- Executes dropped EXE
PID:3684 -
\??\c:\jvvjd.exec:\jvvjd.exe44⤵
- Executes dropped EXE
PID:3732 -
\??\c:\lxxllfr.exec:\lxxllfr.exe45⤵
- Executes dropped EXE
PID:4844 -
\??\c:\xffxxlx.exec:\xffxxlx.exe46⤵
- Executes dropped EXE
PID:4976 -
\??\c:\nthttt.exec:\nthttt.exe47⤵
- Executes dropped EXE
PID:4352 -
\??\c:\tbthbn.exec:\tbthbn.exe48⤵
- Executes dropped EXE
PID:4336 -
\??\c:\pjjpj.exec:\pjjpj.exe49⤵
- Executes dropped EXE
PID:3332 -
\??\c:\lxfrlfx.exec:\lxfrlfx.exe50⤵
- Executes dropped EXE
PID:4616 -
\??\c:\tnbtht.exec:\tnbtht.exe51⤵
- Executes dropped EXE
PID:4592 -
\??\c:\hhbnbn.exec:\hhbnbn.exe52⤵
- Executes dropped EXE
PID:2796 -
\??\c:\dvpdp.exec:\dvpdp.exe53⤵
- Executes dropped EXE
PID:4260 -
\??\c:\lflrrll.exec:\lflrrll.exe54⤵
- Executes dropped EXE
PID:3808 -
\??\c:\ntnbtn.exec:\ntnbtn.exe55⤵
- Executes dropped EXE
PID:4580 -
\??\c:\bnhnbn.exec:\bnhnbn.exe56⤵
- Executes dropped EXE
PID:2168 -
\??\c:\dpjvv.exec:\dpjvv.exe57⤵
- Executes dropped EXE
PID:1520 -
\??\c:\7ffrlfx.exec:\7ffrlfx.exe58⤵
- Executes dropped EXE
PID:1200 -
\??\c:\lxrfxlf.exec:\lxrfxlf.exe59⤵
- Executes dropped EXE
PID:3916 -
\??\c:\ntthhb.exec:\ntthhb.exe60⤵
- Executes dropped EXE
PID:4008 -
\??\c:\tnnbbt.exec:\tnnbbt.exe61⤵
- Executes dropped EXE
PID:4292 -
\??\c:\ppvpv.exec:\ppvpv.exe62⤵
- Executes dropped EXE
PID:3012 -
\??\c:\pjdvj.exec:\pjdvj.exe63⤵
- Executes dropped EXE
PID:2444 -
\??\c:\xflfffx.exec:\xflfffx.exe64⤵
- Executes dropped EXE
PID:3192 -
\??\c:\fflxlfx.exec:\fflxlfx.exe65⤵
- Executes dropped EXE
PID:4960 -
\??\c:\tbbnbt.exec:\tbbnbt.exe66⤵PID:2896
-
\??\c:\5vjvp.exec:\5vjvp.exe67⤵PID:4120
-
\??\c:\pvdpd.exec:\pvdpd.exe68⤵PID:1464
-
\??\c:\xflxffr.exec:\xflxffr.exe69⤵PID:4280
-
\??\c:\1lflxrf.exec:\1lflxrf.exe70⤵
- System Location Discovery: System Language Discovery
PID:1316 -
\??\c:\htbtbt.exec:\htbtbt.exe71⤵PID:548
-
\??\c:\9nnbnh.exec:\9nnbnh.exe72⤵PID:4216
-
\??\c:\jppjv.exec:\jppjv.exe73⤵PID:3080
-
\??\c:\ppjvv.exec:\ppjvv.exe74⤵PID:2676
-
\??\c:\lrlxlfx.exec:\lrlxlfx.exe75⤵PID:4880
-
\??\c:\7thbnh.exec:\7thbnh.exe76⤵PID:3836
-
\??\c:\vdvpd.exec:\vdvpd.exe77⤵PID:4972
-
\??\c:\jpddv.exec:\jpddv.exe78⤵PID:644
-
\??\c:\pjjvd.exec:\pjjvd.exe79⤵PID:4856
-
\??\c:\5xfrfxr.exec:\5xfrfxr.exe80⤵PID:5004
-
\??\c:\vjpjp.exec:\vjpjp.exe81⤵PID:3932
-
\??\c:\lxrfrlx.exec:\lxrfrlx.exe82⤵PID:320
-
\??\c:\1jdpj.exec:\1jdpj.exe83⤵PID:2224
-
\??\c:\3bnhht.exec:\3bnhht.exe84⤵PID:4816
-
\??\c:\frrfrlf.exec:\frrfrlf.exe85⤵PID:2708
-
\??\c:\9bthtn.exec:\9bthtn.exe86⤵PID:2056
-
\??\c:\dpvpp.exec:\dpvpp.exe87⤵PID:1684
-
\??\c:\nbnhhh.exec:\nbnhhh.exe88⤵PID:2152
-
\??\c:\ffxrfrx.exec:\ffxrfrx.exe89⤵PID:3236
-
\??\c:\rxrxlrf.exec:\rxrxlrf.exe90⤵PID:3532
-
\??\c:\7ddjp.exec:\7ddjp.exe91⤵PID:3260
-
\??\c:\tntnhh.exec:\tntnhh.exe92⤵PID:1752
-
\??\c:\vvvjp.exec:\vvvjp.exe93⤵PID:1720
-
\??\c:\nbnnhh.exec:\nbnnhh.exe94⤵PID:2320
-
\??\c:\flrfxrf.exec:\flrfxrf.exe95⤵PID:1528
-
\??\c:\pjpjj.exec:\pjpjj.exe96⤵PID:2108
-
\??\c:\vvjjp.exec:\vvjjp.exe97⤵PID:4784
-
\??\c:\5lffrlf.exec:\5lffrlf.exe98⤵PID:4876
-
\??\c:\hhhtht.exec:\hhhtht.exe99⤵PID:2496
-
\??\c:\tbthtn.exec:\tbthtn.exe100⤵PID:1816
-
\??\c:\djjjp.exec:\djjjp.exe101⤵PID:4196
-
\??\c:\xxrfxfr.exec:\xxrfxfr.exe102⤵PID:5020
-
\??\c:\1bbnbn.exec:\1bbnbn.exe103⤵PID:4868
-
\??\c:\tbbnnn.exec:\tbbnnn.exe104⤵PID:860
-
\??\c:\vdpjv.exec:\vdpjv.exe105⤵PID:1148
-
\??\c:\lfxlrlf.exec:\lfxlrlf.exe106⤵PID:2432
-
\??\c:\5nhbtt.exec:\5nhbtt.exe107⤵PID:4016
-
\??\c:\bnnhbt.exec:\bnnhbt.exe108⤵PID:2160
-
\??\c:\djpdp.exec:\djpdp.exe109⤵PID:2944
-
\??\c:\xlxlxlx.exec:\xlxlxlx.exe110⤵PID:3732
-
\??\c:\tnnbtn.exec:\tnnbtn.exe111⤵PID:4708
-
\??\c:\9nbnbb.exec:\9nbnbb.exe112⤵PID:4944
-
\??\c:\pppdv.exec:\pppdv.exe113⤵PID:4320
-
\??\c:\xxlxllf.exec:\xxlxllf.exe114⤵PID:4380
-
\??\c:\tnhbnn.exec:\tnhbnn.exe115⤵PID:3044
-
\??\c:\hnthbn.exec:\hnthbn.exe116⤵PID:1112
-
\??\c:\vdvpd.exec:\vdvpd.exe117⤵PID:2228
-
\??\c:\vppjv.exec:\vppjv.exe118⤵PID:4592
-
\??\c:\lxfxrll.exec:\lxfxrll.exe119⤵PID:2796
-
\??\c:\1tnbtt.exec:\1tnbtt.exe120⤵PID:2016
-
\??\c:\hbnhbb.exec:\hbnhbb.exe121⤵PID:4624
-
\??\c:\5dvpd.exec:\5dvpd.exe122⤵PID:1732