Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
28/03/2025, 19:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe
-
Size
459KB
-
MD5
d64b05071ab0080438a78c78456565fd
-
SHA1
c017f81d2cb3e9ecb2db8faece9a1fcd7bd7cc9e
-
SHA256
483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc
-
SHA512
6191500fe8f025850fa0bddd969e29b04c6aee3ef9431dafb71abd32c8ad6a7537c1dbd28445397142c2e8633312a986214b674fb1b78132b9260da19a715cdb
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeG:q7Tc2NYHUrAwfMp3CDG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1420-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5952-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5364-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4012-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5176-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6116-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5456-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5872-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1496-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5304-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5476-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-810-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-983-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-994-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-1139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5436-1365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4868 5hbtnb.exe 3388 9hbtnn.exe 536 3bbbtn.exe 1156 ppdpp.exe 468 rffxrlf.exe 1352 dppdp.exe 60 xxlfffl.exe 5952 llrlffr.exe 2568 xrxrlfl.exe 3584 5ddvp.exe 3784 jvdvp.exe 4608 5xrlfxr.exe 4420 jddvj.exe 4572 lfllllx.exe 5676 vjdvv.exe 1360 1rxrlll.exe 5076 pjjdv.exe 1324 3fffflf.exe 4676 9tbtnh.exe 4768 jvdvp.exe 5300 jddjd.exe 4660 nhhbbb.exe 4360 vvpjd.exe 2692 fxxxrrl.exe 5364 hhhbhh.exe 4012 nhhbtn.exe 4612 frlxrrl.exe 2784 ttnhhb.exe 3596 9dvpp.exe 2360 ttnnht.exe 4208 rxxrllf.exe 2436 nhnhnn.exe 3056 djdvp.exe 3704 xxxrllf.exe 5452 3hnhbb.exe 3452 dddpp.exe 2648 pjpjd.exe 3592 rxffllr.exe 3024 htbnhb.exe 1036 7ddvd.exe 5176 ffrllxr.exe 6000 hntnhh.exe 4788 jdjvp.exe 3664 flxrllr.exe 2208 hnntnt.exe 1596 pjvpj.exe 3460 xlxrfxf.exe 5224 7ffxrrl.exe 1512 btbtnn.exe 6116 jvvpj.exe 5912 rflxlfr.exe 2740 xrlffxl.exe 5712 hbbhbt.exe 2672 dvpdj.exe 3012 dvdvv.exe 3064 lflfxrl.exe 4624 7nnhbb.exe 1748 pjpjv.exe 412 rrlfxxr.exe 5568 hntnhh.exe 5552 nbhttn.exe 5456 vpvpd.exe 1844 fxxrllx.exe 4536 ttbbtt.exe -
resource yara_rule behavioral2/memory/1420-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5952-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5364-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4612-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5176-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6116-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5568-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5456-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5872-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1456-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5304-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5180-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5476-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-596-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1btnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlfx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1420 wrote to memory of 4868 1420 483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe 88 PID 1420 wrote to memory of 4868 1420 483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe 88 PID 1420 wrote to memory of 4868 1420 483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe 88 PID 4868 wrote to memory of 3388 4868 5hbtnb.exe 89 PID 4868 wrote to memory of 3388 4868 5hbtnb.exe 89 PID 4868 wrote to memory of 3388 4868 5hbtnb.exe 89 PID 3388 wrote to memory of 536 3388 9hbtnn.exe 90 PID 3388 wrote to memory of 536 3388 9hbtnn.exe 90 PID 3388 wrote to memory of 536 3388 9hbtnn.exe 90 PID 536 wrote to memory of 1156 536 3bbbtn.exe 91 PID 536 wrote to memory of 1156 536 3bbbtn.exe 91 PID 536 wrote to memory of 1156 536 3bbbtn.exe 91 PID 1156 wrote to memory of 468 1156 ppdpp.exe 92 PID 1156 wrote to memory of 468 1156 ppdpp.exe 92 PID 1156 wrote to memory of 468 1156 ppdpp.exe 92 PID 468 wrote to memory of 1352 468 rffxrlf.exe 93 PID 468 wrote to memory of 1352 468 rffxrlf.exe 93 PID 468 wrote to memory of 1352 468 rffxrlf.exe 93 PID 1352 wrote to memory of 60 1352 dppdp.exe 94 PID 1352 wrote to memory of 60 1352 dppdp.exe 94 PID 1352 wrote to memory of 60 1352 dppdp.exe 94 PID 60 wrote to memory of 5952 60 xxlfffl.exe 95 PID 60 wrote to memory of 5952 60 xxlfffl.exe 95 PID 60 wrote to memory of 5952 60 xxlfffl.exe 95 PID 5952 wrote to memory of 2568 5952 llrlffr.exe 96 PID 5952 wrote to memory of 2568 5952 llrlffr.exe 96 PID 5952 wrote to memory of 2568 5952 llrlffr.exe 96 PID 2568 wrote to memory of 3584 2568 xrxrlfl.exe 97 PID 2568 wrote to memory of 3584 2568 xrxrlfl.exe 97 PID 2568 wrote to memory of 3584 2568 xrxrlfl.exe 97 PID 3584 wrote to memory of 3784 3584 5ddvp.exe 99 PID 3584 wrote to memory of 3784 3584 5ddvp.exe 99 PID 3584 wrote to memory of 3784 3584 5ddvp.exe 99 PID 3784 wrote to memory of 4608 3784 jvdvp.exe 101 PID 3784 wrote to memory of 4608 3784 jvdvp.exe 101 
PID 3784 wrote to memory of 4608 3784 jvdvp.exe 101 PID 4608 wrote to memory of 4420 4608 5xrlfxr.exe 102 PID 4608 wrote to memory of 4420 4608 5xrlfxr.exe 102 PID 4608 wrote to memory of 4420 4608 5xrlfxr.exe 102 PID 4420 wrote to memory of 4572 4420 jddvj.exe 103 PID 4420 wrote to memory of 4572 4420 jddvj.exe 103 PID 4420 wrote to memory of 4572 4420 jddvj.exe 103 PID 4572 wrote to memory of 5676 4572 lfllllx.exe 105 PID 4572 wrote to memory of 5676 4572 lfllllx.exe 105 PID 4572 wrote to memory of 5676 4572 lfllllx.exe 105 PID 5676 wrote to memory of 1360 5676 vjdvv.exe 106 PID 5676 wrote to memory of 1360 5676 vjdvv.exe 106 PID 5676 wrote to memory of 1360 5676 vjdvv.exe 106 PID 1360 wrote to memory of 5076 1360 1rxrlll.exe 107 PID 1360 wrote to memory of 5076 1360 1rxrlll.exe 107 PID 1360 wrote to memory of 5076 1360 1rxrlll.exe 107 PID 5076 wrote to memory of 1324 5076 pjjdv.exe 108 PID 5076 wrote to memory of 1324 5076 pjjdv.exe 108 PID 5076 wrote to memory of 1324 5076 pjjdv.exe 108 PID 1324 wrote to memory of 4676 1324 3fffflf.exe 109 PID 1324 wrote to memory of 4676 1324 3fffflf.exe 109 PID 1324 wrote to memory of 4676 1324 3fffflf.exe 109 PID 4676 wrote to memory of 4768 4676 9tbtnh.exe 110 PID 4676 wrote to memory of 4768 4676 9tbtnh.exe 110 PID 4676 wrote to memory of 4768 4676 9tbtnh.exe 110 PID 4768 wrote to memory of 5300 4768 jvdvp.exe 111 PID 4768 wrote to memory of 5300 4768 jvdvp.exe 111 PID 4768 wrote to memory of 5300 4768 jvdvp.exe 111 PID 5300 wrote to memory of 4660 5300 jddjd.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe"C:\Users\Admin\AppData\Local\Temp\483f039b0f92eb151472b1176352cf11aec7467014e4336451153ea8424890bc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\5hbtnb.exec:\5hbtnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\9hbtnn.exec:\9hbtnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\3bbbtn.exec:\3bbbtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\ppdpp.exec:\ppdpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\rffxrlf.exec:\rffxrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\dppdp.exec:\dppdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\xxlfffl.exec:\xxlfffl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\llrlffr.exec:\llrlffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5952 -
\??\c:\xrxrlfl.exec:\xrxrlfl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\5ddvp.exec:\5ddvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\jvdvp.exec:\jvdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\5xrlfxr.exec:\5xrlfxr.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\jddvj.exec:\jddvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\lfllllx.exec:\lfllllx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\vjdvv.exec:\vjdvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5676 -
\??\c:\1rxrlll.exec:\1rxrlll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\pjjdv.exec:\pjjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\3fffflf.exec:\3fffflf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\9tbtnh.exec:\9tbtnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\jvdvp.exec:\jvdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\jddjd.exec:\jddjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5300 -
\??\c:\nhhbbb.exec:\nhhbbb.exe23⤵
- Executes dropped EXE
PID:4660 -
\??\c:\vvpjd.exec:\vvpjd.exe24⤵
- Executes dropped EXE
PID:4360 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe25⤵
- Executes dropped EXE
PID:2692 -
\??\c:\hhhbhh.exec:\hhhbhh.exe26⤵
- Executes dropped EXE
PID:5364 -
\??\c:\nhhbtn.exec:\nhhbtn.exe27⤵
- Executes dropped EXE
PID:4012 -
\??\c:\frlxrrl.exec:\frlxrrl.exe28⤵
- Executes dropped EXE
PID:4612 -
\??\c:\ttnhhb.exec:\ttnhhb.exe29⤵
- Executes dropped EXE
PID:2784 -
\??\c:\9dvpp.exec:\9dvpp.exe30⤵
- Executes dropped EXE
PID:3596 -
\??\c:\ttnnht.exec:\ttnnht.exe31⤵
- Executes dropped EXE
PID:2360 -
\??\c:\rxxrllf.exec:\rxxrllf.exe32⤵
- Executes dropped EXE
PID:4208 -
\??\c:\nhnhnn.exec:\nhnhnn.exe33⤵
- Executes dropped EXE
PID:2436 -
\??\c:\djdvp.exec:\djdvp.exe34⤵
- Executes dropped EXE
PID:3056 -
\??\c:\xxxrllf.exec:\xxxrllf.exe35⤵
- Executes dropped EXE
PID:3704 -
\??\c:\3hnhbb.exec:\3hnhbb.exe36⤵
- Executes dropped EXE
PID:5452 -
\??\c:\dddpp.exec:\dddpp.exe37⤵
- Executes dropped EXE
PID:3452 -
\??\c:\pjpjd.exec:\pjpjd.exe38⤵
- Executes dropped EXE
PID:2648 -
\??\c:\rxffllr.exec:\rxffllr.exe39⤵
- Executes dropped EXE
PID:3592 -
\??\c:\htbnhb.exec:\htbnhb.exe40⤵
- Executes dropped EXE
PID:3024 -
\??\c:\7ddvd.exec:\7ddvd.exe41⤵
- Executes dropped EXE
PID:1036 -
\??\c:\ffrllxr.exec:\ffrllxr.exe42⤵
- Executes dropped EXE
PID:5176 -
\??\c:\hntnhh.exec:\hntnhh.exe43⤵
- Executes dropped EXE
PID:6000 -
\??\c:\jdjvp.exec:\jdjvp.exe44⤵
- Executes dropped EXE
PID:4788 -
\??\c:\flxrllr.exec:\flxrllr.exe45⤵
- Executes dropped EXE
PID:3664 -
\??\c:\hnntnt.exec:\hnntnt.exe46⤵
- Executes dropped EXE
PID:2208 -
\??\c:\pjvpj.exec:\pjvpj.exe47⤵
- Executes dropped EXE
PID:1596 -
\??\c:\xlxrfxf.exec:\xlxrfxf.exe48⤵
- Executes dropped EXE
PID:3460 -
\??\c:\7ffxrrl.exec:\7ffxrrl.exe49⤵
- Executes dropped EXE
PID:5224 -
\??\c:\btbtnn.exec:\btbtnn.exe50⤵
- Executes dropped EXE
PID:1512 -
\??\c:\jvvpj.exec:\jvvpj.exe51⤵
- Executes dropped EXE
PID:6116 -
\??\c:\rflxlfr.exec:\rflxlfr.exe52⤵
- Executes dropped EXE
PID:5912 -
\??\c:\xrlffxl.exec:\xrlffxl.exe53⤵
- Executes dropped EXE
PID:2740 -
\??\c:\hbbhbt.exec:\hbbhbt.exe54⤵
- Executes dropped EXE
PID:5712 -
\??\c:\dvpdj.exec:\dvpdj.exe55⤵
- Executes dropped EXE
PID:2672 -
\??\c:\dvdvv.exec:\dvdvv.exe56⤵
- Executes dropped EXE
PID:3012 -
\??\c:\lflfxrl.exec:\lflfxrl.exe57⤵
- Executes dropped EXE
PID:3064 -
\??\c:\7nnhbb.exec:\7nnhbb.exe58⤵
- Executes dropped EXE
PID:4624 -
\??\c:\pjpjv.exec:\pjpjv.exe59⤵
- Executes dropped EXE
PID:1748 -
\??\c:\rrlfxxr.exec:\rrlfxxr.exe60⤵
- Executes dropped EXE
PID:412 -
\??\c:\hntnhh.exec:\hntnhh.exe61⤵
- Executes dropped EXE
PID:5568 -
\??\c:\nbhttn.exec:\nbhttn.exe62⤵
- Executes dropped EXE
PID:5552 -
\??\c:\vpvpd.exec:\vpvpd.exe63⤵
- Executes dropped EXE
PID:5456 -
\??\c:\fxxrllx.exec:\fxxrllx.exe64⤵
- Executes dropped EXE
PID:1844 -
\??\c:\ttbbtt.exec:\ttbbtt.exe65⤵
- Executes dropped EXE
PID:4536 -
\??\c:\3jjdv.exec:\3jjdv.exe66⤵PID:4256
-
\??\c:\3pjdp.exec:\3pjdp.exe67⤵PID:5872
-
\??\c:\1lffxxl.exec:\1lffxxl.exe68⤵PID:1644
-
\??\c:\vddpj.exec:\vddpj.exe69⤵PID:3068
-
\??\c:\rlllfxl.exec:\rlllfxl.exe70⤵PID:3616
-
\??\c:\bbtnhb.exec:\bbtnhb.exe71⤵PID:3600
-
\??\c:\ddjvp.exec:\ddjvp.exe72⤵PID:692
-
\??\c:\1ffxrrl.exec:\1ffxrrl.exe73⤵PID:440
-
\??\c:\jdpjd.exec:\jdpjd.exe74⤵PID:5476
-
\??\c:\djvjd.exec:\djvjd.exe75⤵PID:2944
-
\??\c:\xxxrrlx.exec:\xxxrrlx.exe76⤵PID:1496
-
\??\c:\tbnhbb.exec:\tbnhbb.exe77⤵PID:2568
-
\??\c:\7jjdd.exec:\7jjdd.exe78⤵PID:1456
-
\??\c:\1xxrxrr.exec:\1xxrxrr.exe79⤵PID:1092
-
\??\c:\7hnbtt.exec:\7hnbtt.exe80⤵PID:3284
-
\??\c:\nnbtnt.exec:\nnbtnt.exe81⤵PID:4468
-
\??\c:\vjvpp.exec:\vjvpp.exe82⤵PID:4472
-
\??\c:\xfrlllf.exec:\xfrlllf.exe83⤵PID:4420
-
\??\c:\bnhbhh.exec:\bnhbhh.exe84⤵PID:3740
-
\??\c:\dvdjd.exec:\dvdjd.exe85⤵PID:4592
-
\??\c:\xlrlffx.exec:\xlrlffx.exe86⤵PID:4328
-
\??\c:\btbttt.exec:\btbttt.exe87⤵PID:4520
-
\??\c:\jdjpp.exec:\jdjpp.exe88⤵PID:5676
-
\??\c:\pjvvp.exec:\pjvvp.exe89⤵PID:5984
-
\??\c:\rrrlrrx.exec:\rrrlrrx.exe90⤵PID:4928
-
\??\c:\7bhbtt.exec:\7bhbtt.exe91⤵PID:5076
-
\??\c:\jvdvv.exec:\jvdvv.exe92⤵PID:2284
-
\??\c:\ffrlffl.exec:\ffrlffl.exe93⤵PID:4828
-
\??\c:\nbnhhb.exec:\nbnhhb.exe94⤵PID:3324
-
\??\c:\bnbtnh.exec:\bnbtnh.exe95⤵PID:2148
-
\??\c:\vvjpj.exec:\vvjpj.exe96⤵PID:876
-
\??\c:\3lrlffx.exec:\3lrlffx.exe97⤵PID:5900
-
\??\c:\btnhbb.exec:\btnhbb.exe98⤵PID:5316
-
\??\c:\tthnth.exec:\tthnth.exe99⤵PID:4360
-
\??\c:\1vvpp.exec:\1vvpp.exe100⤵PID:2500
-
\??\c:\xxxrlrl.exec:\xxxrlrl.exe101⤵PID:4012
-
\??\c:\bnbbtt.exec:\bnbbtt.exe102⤵PID:960
-
\??\c:\vdvdv.exec:\vdvdv.exe103⤵PID:2496
-
\??\c:\ddjjd.exec:\ddjjd.exe104⤵PID:2816
-
\??\c:\5xfxllf.exec:\5xfxllf.exe105⤵PID:5272
-
\??\c:\nnnnhh.exec:\nnnnhh.exe106⤵PID:1380
-
\??\c:\pjdvp.exec:\pjdvp.exe107⤵PID:5828
-
\??\c:\jjjdv.exec:\jjjdv.exe108⤵PID:5336
-
\??\c:\lxfxrrf.exec:\lxfxrrf.exe109⤵PID:2732
-
\??\c:\nnbttn.exec:\nnbttn.exe110⤵PID:5056
-
\??\c:\thnnhh.exec:\thnnhh.exe111⤵PID:1372
-
\??\c:\pdjdv.exec:\pdjdv.exe112⤵PID:5044
-
\??\c:\rllfllf.exec:\rllfllf.exe113⤵PID:1776
-
\??\c:\lfrrrfx.exec:\lfrrrfx.exe114⤵PID:3972
-
\??\c:\vdvvd.exec:\vdvvd.exe115⤵PID:5608
-
\??\c:\dvjdp.exec:\dvjdp.exe116⤵PID:4788
-
\??\c:\rrfllxr.exec:\rrfllxr.exe117⤵PID:3664
-
\??\c:\frlxfxf.exec:\frlxfxf.exe118⤵PID:2120
-
\??\c:\bhbtnh.exec:\bhbtnh.exe119⤵PID:2320
-
\??\c:\dpvvv.exec:\dpvvv.exe120⤵PID:664
-
\??\c:\rrrlxxl.exec:\rrrlxxl.exe121⤵PID:4904
-
\??\c:\9nthbt.exec:\9nthbt.exe122⤵
- System Location Discovery: System Language Discovery
PID:660