Analysis
-
max time kernel
150s -
max time network
110s -
platform
windows11-21h2_x64 -
resource
win11-20250410-en -
resource tags
arch:x64 arch:x86 image:win11-20250410-en locale:en-us os:windows11-21h2-x64 system -
submitted
22/04/2025, 00:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe
Resource
win10v2004-20250410-en
7 signatures
150 seconds
General
-
Target
a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe
-
Size
459KB
-
MD5
025fcad154267b8e880fdeb936d4194a
-
SHA1
ec3411cb6ebcb0b74a6779ed564653324e8d8c57
-
SHA256
a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3
-
SHA512
789c9cb2221be032d3ea739618fa50cade06139452a1a80f36e946a734ef19058c58e93bd896f488b197c0cff655a2331e6281818dad6c5140eb32b867b03f71
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbebv:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 55 IoCs
resource yara_rule behavioral2/memory/5292-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5868-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5844-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5160-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5192-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5172-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2820-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5616-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5752-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5804-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5208-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2220-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5320-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/572-736-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5524-964-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5384-1022-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5292-1377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-1826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1016 9thbhh.exe 5868 ffrllff.exe 5844 thntnh.exe 5084 vdvpp.exe 1608 frxrfxr.exe 3164 hbbntn.exe 3496 jjpdj.exe 1392 rlffxlf.exe 232 ttnbtt.exe 5104 pdvpj.exe 5068 rfrfxrl.exe 4584 xfxrfxr.exe 4472 ppjvp.exe 5208 pjpdv.exe 4672 xrxlffx.exe 1524 1bbtnt.exe 4876 ddpjd.exe 5044 dpppp.exe 5160 fxxxxrr.exe 4288 pjjvv.exe 5192 rlxxrll.exe 1948 hbthtn.exe 1256 rrlfxxl.exe 5048 tbbttb.exe 5284 rllfrlf.exe 5804 xlxllxr.exe 4832 hhbtnn.exe 2896 jvvpj.exe 2444 llfxfxf.exe 1316 7bbtnh.exe 5172 bhhbtb.exe 576 pjpjj.exe 2840 llxfxxr.exe 1992 djjdp.exe 1776 vvpjd.exe 1856 9flfxxr.exe 1444 nhhbtt.exe 2860 5bhbtt.exe 4388 5vvvd.exe 5580 lxrrrrl.exe 5228 bnbthn.exe 5908 jppjd.exe 5396 vpvpp.exe 5744 frxrfxr.exe 4736 hnbhtb.exe 2188 bbbtnn.exe 4592 dvvpj.exe 6004 1xxxfrl.exe 3816 1ffxflr.exe 2508 bnnhbb.exe 2820 jdjdv.exe 2280 rllrxrx.exe 3736 ffrxfxl.exe 2944 hhnhbb.exe 3828 vddvv.exe 2652 vpjvp.exe 4864 rfffrrf.exe 5416 ntnbth.exe 916 hhbbtt.exe 4692 vvdvp.exe 2892 ffrllff.exe 4712 ffxrlll.exe 1724 hntthn.exe 1588 vpddp.exe -
resource yara_rule behavioral2/memory/5292-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5868-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5844-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5160-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5192-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5172-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-249-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3828-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5616-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5752-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5172-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5804-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5208-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-448-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5320-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/572-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-884-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-942-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5524-964-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5384-1022-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5292-1377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-1826-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7btttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxflllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbbh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5292 wrote to memory of 1016 5292 a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe 78 PID 5292 wrote to memory of 1016 5292 a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe 78 PID 5292 wrote to memory of 1016 5292 a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe 78 PID 1016 wrote to memory of 5868 1016 9thbhh.exe 79 PID 1016 wrote to memory of 5868 1016 9thbhh.exe 79 PID 1016 wrote to memory of 5868 1016 9thbhh.exe 79 PID 5868 wrote to memory of 5844 5868 ffrllff.exe 80 PID 5868 wrote to memory of 5844 5868 ffrllff.exe 80 PID 5868 wrote to memory of 5844 5868 ffrllff.exe 80 PID 5844 wrote to memory of 5084 5844 thntnh.exe 81 PID 5844 wrote to memory of 5084 5844 thntnh.exe 81 PID 5844 wrote to memory of 5084 5844 thntnh.exe 81 PID 5084 wrote to memory of 1608 5084 vdvpp.exe 82 PID 5084 wrote to memory of 1608 5084 vdvpp.exe 82 PID 5084 wrote to memory of 1608 5084 vdvpp.exe 82 PID 1608 wrote to memory of 3164 1608 frxrfxr.exe 83 PID 1608 wrote to memory of 3164 1608 frxrfxr.exe 83 PID 1608 wrote to memory of 3164 1608 frxrfxr.exe 83 PID 3164 wrote to memory of 3496 3164 hbbntn.exe 84 PID 3164 wrote to memory of 3496 3164 hbbntn.exe 84 PID 3164 wrote to memory of 3496 3164 hbbntn.exe 84 PID 3496 wrote to memory of 1392 3496 jjpdj.exe 85 PID 3496 wrote to memory of 1392 3496 jjpdj.exe 85 PID 3496 wrote to memory of 1392 3496 jjpdj.exe 85 PID 1392 wrote to memory of 232 1392 rlffxlf.exe 86 PID 1392 wrote to memory of 232 1392 rlffxlf.exe 86 PID 1392 wrote to memory of 232 1392 rlffxlf.exe 86 PID 232 wrote to memory of 5104 232 ttnbtt.exe 87 PID 232 wrote to memory of 5104 232 ttnbtt.exe 87 PID 232 wrote to memory of 5104 232 ttnbtt.exe 87 PID 5104 wrote to memory of 5068 5104 pdvpj.exe 88 PID 5104 wrote to memory of 5068 5104 pdvpj.exe 88 PID 5104 wrote to memory of 5068 5104 pdvpj.exe 88 PID 5068 wrote to memory of 4584 5068 rfrfxrl.exe 89 PID 5068 wrote to memory of 
4584 5068 rfrfxrl.exe 89 PID 5068 wrote to memory of 4584 5068 rfrfxrl.exe 89 PID 4584 wrote to memory of 4472 4584 xfxrfxr.exe 90 PID 4584 wrote to memory of 4472 4584 xfxrfxr.exe 90 PID 4584 wrote to memory of 4472 4584 xfxrfxr.exe 90 PID 4472 wrote to memory of 5208 4472 ppjvp.exe 91 PID 4472 wrote to memory of 5208 4472 ppjvp.exe 91 PID 4472 wrote to memory of 5208 4472 ppjvp.exe 91 PID 5208 wrote to memory of 4672 5208 pjpdv.exe 92 PID 5208 wrote to memory of 4672 5208 pjpdv.exe 92 PID 5208 wrote to memory of 4672 5208 pjpdv.exe 92 PID 4672 wrote to memory of 1524 4672 xrxlffx.exe 93 PID 4672 wrote to memory of 1524 4672 xrxlffx.exe 93 PID 4672 wrote to memory of 1524 4672 xrxlffx.exe 93 PID 1524 wrote to memory of 4876 1524 1bbtnt.exe 94 PID 1524 wrote to memory of 4876 1524 1bbtnt.exe 94 PID 1524 wrote to memory of 4876 1524 1bbtnt.exe 94 PID 4876 wrote to memory of 5044 4876 ddpjd.exe 95 PID 4876 wrote to memory of 5044 4876 ddpjd.exe 95 PID 4876 wrote to memory of 5044 4876 ddpjd.exe 95 PID 5044 wrote to memory of 5160 5044 dpppp.exe 96 PID 5044 wrote to memory of 5160 5044 dpppp.exe 96 PID 5044 wrote to memory of 5160 5044 dpppp.exe 96 PID 5160 wrote to memory of 4288 5160 fxxxxrr.exe 97 PID 5160 wrote to memory of 4288 5160 fxxxxrr.exe 97 PID 5160 wrote to memory of 4288 5160 fxxxxrr.exe 97 PID 4288 wrote to memory of 5192 4288 pjjvv.exe 98 PID 4288 wrote to memory of 5192 4288 pjjvv.exe 98 PID 4288 wrote to memory of 5192 4288 pjjvv.exe 98 PID 5192 wrote to memory of 1948 5192 rlxxrll.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe"C:\Users\Admin\AppData\Local\Temp\a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5292 -
\??\c:\9thbhh.exec:\9thbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\ffrllff.exec:\ffrllff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5868 -
\??\c:\thntnh.exec:\thntnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5844 -
\??\c:\vdvpp.exec:\vdvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\frxrfxr.exec:\frxrfxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
\??\c:\hbbntn.exec:\hbbntn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\jjpdj.exec:\jjpdj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\rlffxlf.exec:\rlffxlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\ttnbtt.exec:\ttnbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\pdvpj.exec:\pdvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\rfrfxrl.exec:\rfrfxrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\xfxrfxr.exec:\xfxrfxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\ppjvp.exec:\ppjvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\pjpdv.exec:\pjpdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5208 -
\??\c:\xrxlffx.exec:\xrxlffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\1bbtnt.exec:\1bbtnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\ddpjd.exec:\ddpjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\dpppp.exec:\dpppp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\fxxxxrr.exec:\fxxxxrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5160 -
\??\c:\pjjvv.exec:\pjjvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\rlxxrll.exec:\rlxxrll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5192 -
\??\c:\hbthtn.exec:\hbthtn.exe23⤵
- Executes dropped EXE
PID:1948 -
\??\c:\rrlfxxl.exec:\rrlfxxl.exe24⤵
- Executes dropped EXE
PID:1256 -
\??\c:\tbbttb.exec:\tbbttb.exe25⤵
- Executes dropped EXE
PID:5048 -
\??\c:\rllfrlf.exec:\rllfrlf.exe26⤵
- Executes dropped EXE
PID:5284 -
\??\c:\xlxllxr.exec:\xlxllxr.exe27⤵
- Executes dropped EXE
PID:5804 -
\??\c:\hhbtnn.exec:\hhbtnn.exe28⤵
- Executes dropped EXE
PID:4832 -
\??\c:\jvvpj.exec:\jvvpj.exe29⤵
- Executes dropped EXE
PID:2896 -
\??\c:\llfxfxf.exec:\llfxfxf.exe30⤵
- Executes dropped EXE
PID:2444 -
\??\c:\7bbtnh.exec:\7bbtnh.exe31⤵
- Executes dropped EXE
PID:1316 -
\??\c:\bhhbtb.exec:\bhhbtb.exe32⤵
- Executes dropped EXE
PID:5172 -
\??\c:\pjpjj.exec:\pjpjj.exe33⤵
- Executes dropped EXE
PID:576 -
\??\c:\llxfxxr.exec:\llxfxxr.exe34⤵
- Executes dropped EXE
PID:2840 -
\??\c:\djjdp.exec:\djjdp.exe35⤵
- Executes dropped EXE
PID:1992 -
\??\c:\vvpjd.exec:\vvpjd.exe36⤵
- Executes dropped EXE
PID:1776 -
\??\c:\9flfxxr.exec:\9flfxxr.exe37⤵
- Executes dropped EXE
PID:1856 -
\??\c:\nhhbtt.exec:\nhhbtt.exe38⤵
- Executes dropped EXE
PID:1444 -
\??\c:\5bhbtt.exec:\5bhbtt.exe39⤵
- Executes dropped EXE
PID:2860 -
\??\c:\5vvvd.exec:\5vvvd.exe40⤵
- Executes dropped EXE
PID:4388 -
\??\c:\lxrrrrl.exec:\lxrrrrl.exe41⤵
- Executes dropped EXE
PID:5580 -
\??\c:\bnbthn.exec:\bnbthn.exe42⤵
- Executes dropped EXE
PID:5228 -
\??\c:\jppjd.exec:\jppjd.exe43⤵
- Executes dropped EXE
PID:5908 -
\??\c:\vpvpp.exec:\vpvpp.exe44⤵
- Executes dropped EXE
PID:5396 -
\??\c:\frxrfxr.exec:\frxrfxr.exe45⤵
- Executes dropped EXE
PID:5744 -
\??\c:\hnbhtb.exec:\hnbhtb.exe46⤵
- Executes dropped EXE
PID:4736 -
\??\c:\bbbtnn.exec:\bbbtnn.exe47⤵
- Executes dropped EXE
PID:2188 -
\??\c:\dvvpj.exec:\dvvpj.exe48⤵
- Executes dropped EXE
PID:4592 -
\??\c:\1xxxfrl.exec:\1xxxfrl.exe49⤵
- Executes dropped EXE
PID:6004 -
\??\c:\1ffxflr.exec:\1ffxflr.exe50⤵
- Executes dropped EXE
PID:3816 -
\??\c:\bnnhbb.exec:\bnnhbb.exe51⤵
- Executes dropped EXE
PID:2508 -
\??\c:\jdjdv.exec:\jdjdv.exe52⤵
- Executes dropped EXE
PID:2820 -
\??\c:\rllrxrx.exec:\rllrxrx.exe53⤵
- Executes dropped EXE
PID:2280 -
\??\c:\ffrxfxl.exec:\ffrxfxl.exe54⤵
- Executes dropped EXE
PID:3736 -
\??\c:\hhnhbb.exec:\hhnhbb.exe55⤵
- Executes dropped EXE
PID:2944 -
\??\c:\vddvv.exec:\vddvv.exe56⤵
- Executes dropped EXE
PID:3828 -
\??\c:\vpjvp.exec:\vpjvp.exe57⤵
- Executes dropped EXE
PID:2652 -
\??\c:\rfffrrf.exec:\rfffrrf.exe58⤵
- Executes dropped EXE
PID:4864 -
\??\c:\ntnbth.exec:\ntnbth.exe59⤵
- Executes dropped EXE
PID:5416 -
\??\c:\hhbbtt.exec:\hhbbtt.exe60⤵
- Executes dropped EXE
PID:916 -
\??\c:\vvdvp.exec:\vvdvp.exe61⤵
- Executes dropped EXE
PID:4692 -
\??\c:\ffrllff.exec:\ffrllff.exe62⤵
- Executes dropped EXE
PID:2892 -
\??\c:\ffxrlll.exec:\ffxrlll.exe63⤵
- Executes dropped EXE
PID:4712 -
\??\c:\hntthn.exec:\hntthn.exe64⤵
- Executes dropped EXE
PID:1724 -
\??\c:\vpddp.exec:\vpddp.exe65⤵
- Executes dropped EXE
PID:1588 -
\??\c:\vjpdv.exec:\vjpdv.exe66⤵PID:1364
-
\??\c:\rrflfxr.exec:\rrflfxr.exe67⤵PID:888
-
\??\c:\hnntnn.exec:\hnntnn.exe68⤵PID:2136
-
\??\c:\hhhhbn.exec:\hhhhbn.exe69⤵PID:2808
-
\??\c:\vjddd.exec:\vjddd.exe70⤵PID:5856
-
\??\c:\pdddv.exec:\pdddv.exe71⤵PID:2324
-
\??\c:\xrrrlrl.exec:\xrrrlrl.exe72⤵PID:2244
-
\??\c:\btttnn.exec:\btttnn.exe73⤵PID:3216
-
\??\c:\9tbttt.exec:\9tbttt.exe74⤵PID:4960
-
\??\c:\jjpvv.exec:\jjpvv.exe75⤵PID:5852
-
\??\c:\jvpjd.exec:\jvpjd.exe76⤵PID:1004
-
\??\c:\rrxrlll.exec:\rrxrlll.exe77⤵PID:1180
-
\??\c:\hnhhhh.exec:\hnhhhh.exe78⤵PID:1264
-
\??\c:\tntttt.exec:\tntttt.exe79⤵PID:2392
-
\??\c:\djvpd.exec:\djvpd.exe80⤵PID:4120
-
\??\c:\dppvv.exec:\dppvv.exe81⤵PID:4856
-
\??\c:\rrlfxfx.exec:\rrlfxfx.exe82⤵PID:3916
-
\??\c:\ttbttb.exec:\ttbttb.exe83⤵PID:5404
-
\??\c:\nnnhhh.exec:\nnnhhh.exe84⤵PID:2384
-
\??\c:\jjjjj.exec:\jjjjj.exe85⤵PID:4004
-
\??\c:\rrxrrrl.exec:\rrxrrrl.exe86⤵PID:5980
-
\??\c:\lfllffx.exec:\lfllffx.exe87⤵PID:5616
-
\??\c:\nhtnnn.exec:\nhtnnn.exe88⤵PID:5752
-
\??\c:\hnhhht.exec:\hnhhht.exe89⤵PID:4260
-
\??\c:\ppdvv.exec:\ppdvv.exe90⤵PID:2220
-
\??\c:\ffflffx.exec:\ffflffx.exe91⤵PID:4396
-
\??\c:\hhnhtt.exec:\hhnhtt.exe92⤵PID:4020
-
\??\c:\hnhnhh.exec:\hnhnhh.exe93⤵PID:4724
-
\??\c:\jvddv.exec:\jvddv.exe94⤵PID:4680
-
\??\c:\nthhnh.exec:\nthhnh.exe95⤵PID:1012
-
\??\c:\9dvjd.exec:\9dvjd.exe96⤵PID:5276
-
\??\c:\vdpjp.exec:\vdpjp.exe97⤵PID:4368
-
\??\c:\lrfxxrl.exec:\lrfxxrl.exe98⤵PID:3272
-
\??\c:\ffxxfff.exec:\ffxxfff.exe99⤵PID:5844
-
\??\c:\vvvvv.exec:\vvvvv.exe100⤵PID:5084
-
\??\c:\rlffxfx.exec:\rlffxfx.exe101⤵PID:768
-
\??\c:\djppd.exec:\djppd.exe102⤵PID:5884
-
\??\c:\vpvvv.exec:\vpvvv.exe103⤵PID:2228
-
\??\c:\fxflllf.exec:\fxflllf.exe104⤵
- System Location Discovery: System Language Discovery
PID:2480 -
\??\c:\vpvpj.exec:\vpvpj.exe105⤵PID:1668
-
\??\c:\rlfffff.exec:\rlfffff.exe106⤵PID:232
-
\??\c:\ppdvv.exec:\ppdvv.exe107⤵PID:5060
-
\??\c:\ffxrllf.exec:\ffxrllf.exe108⤵PID:6120
-
\??\c:\pvppv.exec:\pvppv.exe109⤵PID:1108
-
\??\c:\fxrlxrf.exec:\fxrlxrf.exe110⤵PID:4980
-
\??\c:\dvvpp.exec:\dvvpp.exe111⤵PID:2464
-
\??\c:\5vppp.exec:\5vppp.exe112⤵PID:2320
-
\??\c:\pdvjd.exec:\pdvjd.exe113⤵PID:5076
-
\??\c:\tnttbb.exec:\tnttbb.exe114⤵PID:4492
-
\??\c:\hhhbbb.exec:\hhhbbb.exe115⤵PID:5572
-
\??\c:\jdpjp.exec:\jdpjp.exe116⤵PID:3760
-
\??\c:\hthhhh.exec:\hthhhh.exe117⤵PID:5156
-
\??\c:\jdjdj.exec:\jdjdj.exe118⤵PID:2304
-
\??\c:\bbnhhb.exec:\bbnhhb.exe119⤵PID:5196
-
\??\c:\5thbtb.exec:\5thbtb.exe120⤵PID:4896
-
\??\c:\jdpjv.exec:\jdpjv.exe121⤵PID:4288
-
\??\c:\frlfxfx.exec:\frlfxfx.exe122⤵PID:1964