Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250410-en locale:en-us os:windows10-2004-x64 system -
submitted
22/04/2025, 00:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe
Resource
win10v2004-20250410-en
7 signatures
150 seconds
General
-
Target
a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe
-
Size
459KB
-
MD5
025fcad154267b8e880fdeb936d4194a
-
SHA1
ec3411cb6ebcb0b74a6779ed564653324e8d8c57
-
SHA256
a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3
-
SHA512
789c9cb2221be032d3ea739618fa50cade06139452a1a80f36e946a734ef19058c58e93bd896f488b197c0cff655a2331e6281818dad6c5140eb32b867b03f71
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbebv:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral1/memory/3268-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3120-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5664-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2208-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1080-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3408-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3544-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/8-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4352-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3484-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4696-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4516-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4620-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4808-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4792-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4208-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4864-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5736-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5788-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5752-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5608-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/396-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5112-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/64-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1052-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5452-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5428-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1184-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5668-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3128-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4936-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3148-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4084-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5964-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5572-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1228-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4748-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5128-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1420-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4364-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3016-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5664-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/980-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4544-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4776-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4816-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5500-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4980-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3128-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/804-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3688-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4540-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5872-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4528-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4772-867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/684-946-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1864-1112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/6028-1470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3120 xlfrlfr.exe 2208 5htnbb.exe 5664 tnnhbb.exe 1080 djvpj.exe 3408 1xlxxff.exe 3544 5thbnt.exe 8 hbbtnh.exe 4352 llfxxlf.exe 3484 lfrlfff.exe 4696 nhnhnn.exe 4516 vpvvv.exe 4620 flffxxr.exe 4808 xxxxxxf.exe 4556 xrxxrxx.exe 5284 pdjvv.exe 4792 xlxxxfx.exe 4948 bnnhbt.exe 4208 djvjd.exe 4864 btbtnh.exe 5736 jdpjd.exe 4684 ddvvv.exe 5788 xrrfxrl.exe 4392 tbnhbt.exe 4492 3bbtnn.exe 5752 xffxlfl.exe 5608 httnbt.exe 396 dpjvd.exe 5112 nhhbhh.exe 64 pvjdd.exe 2916 jjdvp.exe 212 5lfrlll.exe 1052 tnnnhb.exe 5452 xrrxffl.exe 2896 dvvvv.exe 1568 vjpvp.exe 1664 rxrrfxr.exe 1472 5nthtt.exe 5660 vpvvj.exe 5428 lxfxxxr.exe 1904 htbttn.exe 2816 dvvpj.exe 3608 frxxxrr.exe 1184 9hnhnt.exe 944 vjpjv.exe 2472 5xlxfff.exe 5668 nbbbtt.exe 3128 pdjjj.exe 4936 xlxlrrr.exe 888 ntbnhn.exe 3148 5dvjd.exe 4084 3dpjj.exe 2736 fxxllfx.exe 5964 bhnhbt.exe 5572 5nbhbh.exe 1228 5dppd.exe 732 7xllxrr.exe 2672 btbttt.exe 6084 vdddj.exe 3572 7xxfxxr.exe 5528 ppdvp.exe 4748 1pvvd.exe 1164 btthbt.exe 5128 9rxrlrl.exe 2988 tbbbbt.exe -
resource yara_rule behavioral1/memory/3268-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3120-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5664-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5664-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2208-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1080-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3408-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3544-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/8-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4352-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3484-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4696-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4516-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4620-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4808-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4792-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4208-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4864-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5736-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5788-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5608-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5752-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5608-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/396-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5112-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/64-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1052-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5452-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1664-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5428-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1184-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5668-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4936-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3128-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4936-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3148-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4084-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5964-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5572-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1228-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4748-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5128-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1420-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4364-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-319-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/5664-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4544-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4776-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4816-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5500-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4980-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3128-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/804-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3688-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4540-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5872-646-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lflffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
lflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnhn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3268 wrote to memory of 3120 3268 a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe 87 PID 3268 wrote to memory of 3120 3268 a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe 87 PID 3268 wrote to memory of 3120 3268 a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe 87 PID 3120 wrote to memory of 2208 3120 xlfrlfr.exe 88 PID 3120 wrote to memory of 2208 3120 xlfrlfr.exe 88 PID 3120 wrote to memory of 2208 3120 xlfrlfr.exe 88 PID 2208 wrote to memory of 5664 2208 5htnbb.exe 89 PID 2208 wrote to memory of 5664 2208 5htnbb.exe 89 PID 2208 wrote to memory of 5664 2208 5htnbb.exe 89 PID 5664 wrote to memory of 1080 5664 tnnhbb.exe 90 PID 5664 wrote to memory of 1080 5664 tnnhbb.exe 90 PID 5664 wrote to memory of 1080 5664 tnnhbb.exe 90 PID 1080 wrote to memory of 3408 1080 djvpj.exe 91 PID 1080 wrote to memory of 3408 1080 djvpj.exe 91 PID 1080 wrote to memory of 3408 1080 djvpj.exe 91 PID 3408 wrote to memory of 3544 3408 1xlxxff.exe 92 PID 3408 wrote to memory of 3544 3408 1xlxxff.exe 92 PID 3408 wrote to memory of 3544 3408 1xlxxff.exe 92 PID 3544 wrote to memory of 8 3544 5thbnt.exe 94 PID 3544 wrote to memory of 8 3544 5thbnt.exe 94 PID 3544 wrote to memory of 8 3544 5thbnt.exe 94 PID 8 wrote to memory of 4352 8 hbbtnh.exe 96 PID 8 wrote to memory of 4352 8 hbbtnh.exe 96 PID 8 wrote to memory of 4352 8 hbbtnh.exe 96 PID 4352 wrote to memory of 3484 4352 llfxxlf.exe 97 PID 4352 wrote to memory of 3484 4352 llfxxlf.exe 97 PID 4352 wrote to memory of 3484 4352 llfxxlf.exe 97 PID 3484 wrote to memory of 4696 3484 lfrlfff.exe 99 PID 3484 wrote to memory of 4696 3484 lfrlfff.exe 99 PID 3484 wrote to memory of 4696 3484 lfrlfff.exe 99 PID 4696 wrote to memory of 4516 4696 nhnhnn.exe 100 PID 4696 wrote to memory of 4516 4696 nhnhnn.exe 100 PID 4696 wrote to memory of 4516 4696 nhnhnn.exe 100 PID 4516 wrote to memory of 4620 4516 vpvvv.exe 101 PID 4516 wrote to memory of 4620 
4516 vpvvv.exe 101 PID 4516 wrote to memory of 4620 4516 vpvvv.exe 101 PID 4620 wrote to memory of 4808 4620 flffxxr.exe 102 PID 4620 wrote to memory of 4808 4620 flffxxr.exe 102 PID 4620 wrote to memory of 4808 4620 flffxxr.exe 102 PID 4808 wrote to memory of 4556 4808 xxxxxxf.exe 103 PID 4808 wrote to memory of 4556 4808 xxxxxxf.exe 103 PID 4808 wrote to memory of 4556 4808 xxxxxxf.exe 103 PID 4556 wrote to memory of 5284 4556 xrxxrxx.exe 104 PID 4556 wrote to memory of 5284 4556 xrxxrxx.exe 104 PID 4556 wrote to memory of 5284 4556 xrxxrxx.exe 104 PID 5284 wrote to memory of 4792 5284 pdjvv.exe 105 PID 5284 wrote to memory of 4792 5284 pdjvv.exe 105 PID 5284 wrote to memory of 4792 5284 pdjvv.exe 105 PID 4792 wrote to memory of 4948 4792 xlxxxfx.exe 106 PID 4792 wrote to memory of 4948 4792 xlxxxfx.exe 106 PID 4792 wrote to memory of 4948 4792 xlxxxfx.exe 106 PID 4948 wrote to memory of 4208 4948 bnnhbt.exe 107 PID 4948 wrote to memory of 4208 4948 bnnhbt.exe 107 PID 4948 wrote to memory of 4208 4948 bnnhbt.exe 107 PID 4208 wrote to memory of 4864 4208 djvjd.exe 108 PID 4208 wrote to memory of 4864 4208 djvjd.exe 108 PID 4208 wrote to memory of 4864 4208 djvjd.exe 108 PID 4864 wrote to memory of 5736 4864 btbtnh.exe 109 PID 4864 wrote to memory of 5736 4864 btbtnh.exe 109 PID 4864 wrote to memory of 5736 4864 btbtnh.exe 109 PID 5736 wrote to memory of 4684 5736 jdpjd.exe 110 PID 5736 wrote to memory of 4684 5736 jdpjd.exe 110 PID 5736 wrote to memory of 4684 5736 jdpjd.exe 110 PID 4684 wrote to memory of 5788 4684 ddvvv.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe"C:\Users\Admin\AppData\Local\Temp\a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\xlfrlfr.exec:\xlfrlfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\5htnbb.exec:\5htnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\tnnhbb.exec:\tnnhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5664 -
\??\c:\djvpj.exec:\djvpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\1xlxxff.exec:\1xlxxff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\5thbnt.exec:\5thbnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\hbbtnh.exec:\hbbtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\llfxxlf.exec:\llfxxlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\lfrlfff.exec:\lfrlfff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\nhnhnn.exec:\nhnhnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\vpvvv.exec:\vpvvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\flffxxr.exec:\flffxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\xxxxxxf.exec:\xxxxxxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\xrxxrxx.exec:\xrxxrxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\pdjvv.exec:\pdjvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5284 -
\??\c:\xlxxxfx.exec:\xlxxxfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\bnnhbt.exec:\bnnhbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\djvjd.exec:\djvjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\btbtnh.exec:\btbtnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\jdpjd.exec:\jdpjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5736 -
\??\c:\ddvvv.exec:\ddvvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe23⤵
- Executes dropped EXE
PID:5788 -
\??\c:\tbnhbt.exec:\tbnhbt.exe24⤵
- Executes dropped EXE
PID:4392 -
\??\c:\3bbtnn.exec:\3bbtnn.exe25⤵
- Executes dropped EXE
PID:4492 -
\??\c:\xffxlfl.exec:\xffxlfl.exe26⤵
- Executes dropped EXE
PID:5752 -
\??\c:\httnbt.exec:\httnbt.exe27⤵
- Executes dropped EXE
PID:5608 -
\??\c:\dpjvd.exec:\dpjvd.exe28⤵
- Executes dropped EXE
PID:396 -
\??\c:\nhhbhh.exec:\nhhbhh.exe29⤵
- Executes dropped EXE
PID:5112 -
\??\c:\pvjdd.exec:\pvjdd.exe30⤵
- Executes dropped EXE
PID:64 -
\??\c:\jjdvp.exec:\jjdvp.exe31⤵
- Executes dropped EXE
PID:2916 -
\??\c:\5lfrlll.exec:\5lfrlll.exe32⤵
- Executes dropped EXE
PID:212 -
\??\c:\tnnnhb.exec:\tnnnhb.exe33⤵
- Executes dropped EXE
PID:1052 -
\??\c:\xrrxffl.exec:\xrrxffl.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5452 -
\??\c:\dvvvv.exec:\dvvvv.exe35⤵
- Executes dropped EXE
PID:2896 -
\??\c:\vjpvp.exec:\vjpvp.exe36⤵
- Executes dropped EXE
PID:1568 -
\??\c:\rxrrfxr.exec:\rxrrfxr.exe37⤵
- Executes dropped EXE
PID:1664 -
\??\c:\5nthtt.exec:\5nthtt.exe38⤵
- Executes dropped EXE
PID:1472 -
\??\c:\vpvvj.exec:\vpvvj.exe39⤵
- Executes dropped EXE
PID:5660 -
\??\c:\lxfxxxr.exec:\lxfxxxr.exe40⤵
- Executes dropped EXE
PID:5428 -
\??\c:\htbttn.exec:\htbttn.exe41⤵
- Executes dropped EXE
PID:1904 -
\??\c:\dvvpj.exec:\dvvpj.exe42⤵
- Executes dropped EXE
PID:2816 -
\??\c:\frxxxrr.exec:\frxxxrr.exe43⤵
- Executes dropped EXE
PID:3608 -
\??\c:\9hnhnt.exec:\9hnhnt.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1184 -
\??\c:\vjpjv.exec:\vjpjv.exe45⤵
- Executes dropped EXE
PID:944 -
\??\c:\5xlxfff.exec:\5xlxfff.exe46⤵
- Executes dropped EXE
PID:2472 -
\??\c:\nbbbtt.exec:\nbbbtt.exe47⤵
- Executes dropped EXE
PID:5668 -
\??\c:\pdjjj.exec:\pdjjj.exe48⤵
- Executes dropped EXE
PID:3128 -
\??\c:\xlxlrrr.exec:\xlxlrrr.exe49⤵
- Executes dropped EXE
PID:4936 -
\??\c:\ntbnhn.exec:\ntbnhn.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:888 -
\??\c:\5dvjd.exec:\5dvjd.exe51⤵
- Executes dropped EXE
PID:3148 -
\??\c:\3dpjj.exec:\3dpjj.exe52⤵
- Executes dropped EXE
PID:4084 -
\??\c:\fxxllfx.exec:\fxxllfx.exe53⤵
- Executes dropped EXE
PID:2736 -
\??\c:\bhnhbt.exec:\bhnhbt.exe54⤵
- Executes dropped EXE
PID:5964 -
\??\c:\5nbhbh.exec:\5nbhbh.exe55⤵
- Executes dropped EXE
PID:5572 -
\??\c:\5dppd.exec:\5dppd.exe56⤵
- Executes dropped EXE
PID:1228 -
\??\c:\7xllxrr.exec:\7xllxrr.exe57⤵
- Executes dropped EXE
PID:732 -
\??\c:\btbttt.exec:\btbttt.exe58⤵
- Executes dropped EXE
PID:2672 -
\??\c:\vdddj.exec:\vdddj.exe59⤵
- Executes dropped EXE
PID:6084 -
\??\c:\7xxfxxr.exec:\7xxfxxr.exe60⤵
- Executes dropped EXE
PID:3572 -
\??\c:\ppdvp.exec:\ppdvp.exe61⤵
- Executes dropped EXE
PID:5528 -
\??\c:\1pvvd.exec:\1pvvd.exe62⤵
- Executes dropped EXE
PID:4748 -
\??\c:\btthbt.exec:\btthbt.exe63⤵
- Executes dropped EXE
PID:1164 -
\??\c:\9rxrlrl.exec:\9rxrlrl.exe64⤵
- Executes dropped EXE
PID:5128 -
\??\c:\tbbbbt.exec:\tbbbbt.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2988 -
\??\c:\vvvjp.exec:\vvvjp.exe66⤵PID:1420
-
\??\c:\xfrlllx.exec:\xfrlllx.exe67⤵PID:4364
-
\??\c:\bbhbbb.exec:\bbhbbb.exe68⤵PID:5604
-
\??\c:\1hnnnn.exec:\1hnnnn.exe69⤵PID:2676
-
\??\c:\pjvpj.exec:\pjvpj.exe70⤵PID:3016
-
\??\c:\ppvvv.exec:\ppvvv.exe71⤵PID:5796
-
\??\c:\rlrlffx.exec:\rlrlffx.exe72⤵PID:5664
-
\??\c:\ttnntb.exec:\ttnntb.exe73⤵PID:3480
-
\??\c:\xlfxrlf.exec:\xlfxrlf.exe74⤵PID:6092
-
\??\c:\9hhttb.exec:\9hhttb.exe75⤵PID:4504
-
\??\c:\dvdvv.exec:\dvdvv.exe76⤵PID:980
-
\??\c:\vjpjv.exec:\vjpjv.exe77⤵PID:388
-
\??\c:\lrllfxr.exec:\lrllfxr.exe78⤵PID:528
-
\??\c:\hhnhtn.exec:\hhnhtn.exe79⤵PID:4888
-
\??\c:\pdjjd.exec:\pdjjd.exe80⤵PID:3400
-
\??\c:\xflxfxf.exec:\xflxfxf.exe81⤵PID:1592
-
\??\c:\rfllfxr.exec:\rfllfxr.exe82⤵PID:4452
-
\??\c:\3bnnhb.exec:\3bnnhb.exe83⤵PID:2252
-
\??\c:\7dvpj.exec:\7dvpj.exe84⤵PID:4544
-
\??\c:\3lfxffx.exec:\3lfxffx.exe85⤵PID:4776
-
\??\c:\hnnnhn.exec:\hnnnhn.exe86⤵PID:4560
-
\??\c:\ttbbhn.exec:\ttbbhn.exe87⤵PID:3140
-
\??\c:\7pddp.exec:\7pddp.exe88⤵PID:4580
-
\??\c:\3xffllx.exec:\3xffllx.exe89⤵PID:5288
-
\??\c:\3bbtnn.exec:\3bbtnn.exe90⤵PID:4788
-
\??\c:\5tbtnn.exec:\5tbtnn.exe91⤵PID:4772
-
\??\c:\jvddd.exec:\jvddd.exe92⤵PID:4996
-
\??\c:\fflfxxr.exec:\fflfxxr.exe93⤵PID:4892
-
\??\c:\xfxxffl.exec:\xfxxffl.exe94⤵PID:4816
-
\??\c:\nbhbbt.exec:\nbhbbt.exe95⤵PID:5996
-
\??\c:\ddvvv.exec:\ddvvv.exe96⤵PID:5500
-
\??\c:\lllfflf.exec:\lllfflf.exe97⤵PID:3680
-
\??\c:\hnnhhb.exec:\hnnhhb.exe98⤵PID:4324
-
\??\c:\1nbbnt.exec:\1nbbnt.exe99⤵PID:4980
-
\??\c:\9ddvp.exec:\9ddvp.exe100⤵PID:5296
-
\??\c:\xfrrlrl.exec:\xfrrlrl.exe101⤵PID:2748
-
\??\c:\ffrrlll.exec:\ffrrlll.exe102⤵PID:1556
-
\??\c:\tnhhhh.exec:\tnhhhh.exe103⤵PID:2576
-
\??\c:\vppdd.exec:\vppdd.exe104⤵PID:4008
-
\??\c:\fxxrrlr.exec:\fxxrrlr.exe105⤵PID:5540
-
\??\c:\tbhbtt.exec:\tbhbtt.exe106⤵PID:4320
-
\??\c:\htthtb.exec:\htthtb.exe107⤵PID:5300
-
\??\c:\vpvpp.exec:\vpvpp.exe108⤵PID:2916
-
\??\c:\xrrlxrr.exec:\xrrlxrr.exe109⤵PID:212
-
\??\c:\5ntnbt.exec:\5ntnbt.exe110⤵PID:1292
-
\??\c:\nnhhbb.exec:\nnhhbb.exe111⤵PID:5336
-
\??\c:\pvvpd.exec:\pvvpd.exe112⤵PID:1664
-
\??\c:\7flfxxr.exec:\7flfxxr.exe113⤵PID:2084
-
\??\c:\hthttb.exec:\hthttb.exe114⤵PID:3208
-
\??\c:\jdppj.exec:\jdppj.exe115⤵PID:5768
-
\??\c:\jvvpj.exec:\jvvpj.exe116⤵PID:1388
-
\??\c:\1lrllfr.exec:\1lrllfr.exe117⤵PID:1536
-
\??\c:\7vvvp.exec:\7vvvp.exe118⤵PID:6100
-
\??\c:\fxxrffr.exec:\fxxrffr.exe119⤵PID:264
-
\??\c:\nbbbbt.exec:\nbbbbt.exe120⤵PID:4592
-
\??\c:\dvddd.exec:\dvddd.exe121⤵PID:2712
-
\??\c:\xllxxrr.exec:\xllxxrr.exe122⤵PID:5668