Analysis
-
max time kernel
148s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
22/04/2025, 00:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe
Resource
win10v2004-20250314-en
7 signatures
150 seconds
General
-
Target
a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe
-
Size
459KB
-
MD5
025fcad154267b8e880fdeb936d4194a
-
SHA1
ec3411cb6ebcb0b74a6779ed564653324e8d8c57
-
SHA256
a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3
-
SHA512
789c9cb2221be032d3ea739618fa50cade06139452a1a80f36e946a734ef19058c58e93bd896f488b197c0cff655a2331e6281818dad6c5140eb32b867b03f71
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbebv:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral1/memory/2520-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1076-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4896-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/864-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1352-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3480-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4972-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2228-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4948-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/432-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1244-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/464-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1712-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3968-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/940-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3452-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4308-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2984-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4604-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1972-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1980-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3572-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1852-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3580-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/636-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4304-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1376-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4344-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3852-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4544-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1144-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/544-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/112-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4184-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4008-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/4688-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4028-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5092-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5084-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3868-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1496-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1068-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/5104-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3692-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3576-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4728-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3156-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1816-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/4304-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-1064-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1636-1090-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1724-1126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3952-1157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1972 9hnnnt.exe 2336 vdjjd.exe 1076 5lfxxxr.exe 5084 hntnhb.exe 4896 pvjjp.exe 864 3xfxxxf.exe 1352 dvpdp.exe 3480 rfxxfrf.exe 2112 fxrrlll.exe 1812 rlfxrlf.exe 4428 ttthth.exe 4972 tnnnnn.exe 4728 lfffrlr.exe 2228 vjdvp.exe 4948 fxxrfxr.exe 4876 pvjvj.exe 432 lrrfxxr.exe 4780 jddvv.exe 1244 ddvpj.exe 4028 flffxlx.exe 464 nhhbbb.exe 2868 hhtnhh.exe 748 5pjdj.exe 1712 rlfrfrf.exe 3968 pjjdd.exe 4688 1hbttt.exe 3360 jjpdj.exe 4008 nntntn.exe 4840 vddvp.exe 940 ffrlflr.exe 1732 tntnhh.exe 5080 vjpjj.exe 3452 llrrllf.exe 1564 1nnhbb.exe 2880 1ntttn.exe 4308 3rxlfxr.exe 2984 5bbttt.exe 4572 jvjpd.exe 4736 pjdpj.exe 512 xllfxrl.exe 4604 hbhtnb.exe 2068 thnbtn.exe 2472 dvdpp.exe 1972 5vppj.exe 4184 rrrxlrf.exe 1968 tnbttt.exe 1980 nttnhn.exe 112 ppvpp.exe 2132 xxxxrll.exe 544 nhttbb.exe 3572 hbhtht.exe 1308 pjdvv.exe 3472 5fllfrf.exe 3668 9rrfxxr.exe 1304 9tbhhh.exe 212 7btnht.exe 1188 dvvpp.exe 1852 fllxxlx.exe 4428 tttnhh.exe 1144 tbhbbb.exe 3652 ddvvd.exe 4544 xlrlllf.exe 3580 3rlxrrl.exe 3852 pdjjj.exe -
resource yara_rule behavioral1/memory/2520-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1076-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4896-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3480-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4972-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4948-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/432-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1244-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/464-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1712-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4688-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3968-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/940-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3452-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4308-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-205-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/4604-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1972-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1980-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3572-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1852-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3852-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3580-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4344-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/636-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4208-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4304-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1376-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4344-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3852-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4544-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/544-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4184-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4008-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4688-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/4028-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5092-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5084-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3868-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4048-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1068-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5104-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3692-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3576-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4728-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3156-683-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pdvd.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2520 wrote to memory of 1972 2520 a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe 85 PID 2520 wrote to memory of 1972 2520 a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe 85 PID 2520 wrote to memory of 1972 2520 a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe 85 PID 1972 wrote to memory of 2336 1972 9hnnnt.exe 86 PID 1972 wrote to memory of 2336 1972 9hnnnt.exe 86 PID 1972 wrote to memory of 2336 1972 9hnnnt.exe 86 PID 2336 wrote to memory of 1076 2336 vdjjd.exe 87 PID 2336 wrote to memory of 1076 2336 vdjjd.exe 87 PID 2336 wrote to memory of 1076 2336 vdjjd.exe 87 PID 1076 wrote to memory of 5084 1076 5lfxxxr.exe 88 PID 1076 wrote to memory of 5084 1076 5lfxxxr.exe 88 PID 1076 wrote to memory of 5084 1076 5lfxxxr.exe 88 PID 5084 wrote to memory of 4896 5084 hntnhb.exe 89 PID 5084 wrote to memory of 4896 5084 hntnhb.exe 89 PID 5084 wrote to memory of 4896 5084 hntnhb.exe 89 PID 4896 wrote to memory of 864 4896 pvjjp.exe 90 PID 4896 wrote to memory of 864 4896 pvjjp.exe 90 PID 4896 wrote to memory of 864 4896 pvjjp.exe 90 PID 864 wrote to memory of 1352 864 3xfxxxf.exe 91 PID 864 wrote to memory of 1352 864 3xfxxxf.exe 91 PID 864 wrote to memory of 1352 864 3xfxxxf.exe 91 PID 1352 wrote to memory of 3480 1352 dvpdp.exe 92 PID 1352 wrote to memory of 3480 1352 dvpdp.exe 92 PID 1352 wrote to memory of 3480 1352 dvpdp.exe 92 PID 3480 wrote to memory of 2112 3480 rfxxfrf.exe 95 PID 3480 wrote to memory of 2112 3480 rfxxfrf.exe 95 PID 3480 wrote to memory of 2112 3480 rfxxfrf.exe 95 PID 2112 wrote to memory of 1812 2112 fxrrlll.exe 96 PID 2112 wrote to memory of 1812 2112 fxrrlll.exe 96 PID 2112 wrote to memory of 1812 2112 fxrrlll.exe 96 PID 1812 wrote to memory of 4428 1812 rlfxrlf.exe 97 PID 1812 wrote to memory of 4428 1812 rlfxrlf.exe 97 PID 1812 wrote to memory of 4428 1812 rlfxrlf.exe 97 PID 4428 wrote to memory of 4972 4428 ttthth.exe 98 PID 4428 wrote to 
memory of 4972 4428 ttthth.exe 98 PID 4428 wrote to memory of 4972 4428 ttthth.exe 98 PID 4972 wrote to memory of 4728 4972 tnnnnn.exe 99 PID 4972 wrote to memory of 4728 4972 tnnnnn.exe 99 PID 4972 wrote to memory of 4728 4972 tnnnnn.exe 99 PID 4728 wrote to memory of 2228 4728 lfffrlr.exe 100 PID 4728 wrote to memory of 2228 4728 lfffrlr.exe 100 PID 4728 wrote to memory of 2228 4728 lfffrlr.exe 100 PID 2228 wrote to memory of 4948 2228 vjdvp.exe 102 PID 2228 wrote to memory of 4948 2228 vjdvp.exe 102 PID 2228 wrote to memory of 4948 2228 vjdvp.exe 102 PID 4948 wrote to memory of 4876 4948 fxxrfxr.exe 103 PID 4948 wrote to memory of 4876 4948 fxxrfxr.exe 103 PID 4948 wrote to memory of 4876 4948 fxxrfxr.exe 103 PID 4876 wrote to memory of 432 4876 pvjvj.exe 104 PID 4876 wrote to memory of 432 4876 pvjvj.exe 104 PID 4876 wrote to memory of 432 4876 pvjvj.exe 104 PID 432 wrote to memory of 4780 432 lrrfxxr.exe 105 PID 432 wrote to memory of 4780 432 lrrfxxr.exe 105 PID 432 wrote to memory of 4780 432 lrrfxxr.exe 105 PID 4780 wrote to memory of 1244 4780 jddvv.exe 106 PID 4780 wrote to memory of 1244 4780 jddvv.exe 106 PID 4780 wrote to memory of 1244 4780 jddvv.exe 106 PID 1244 wrote to memory of 4028 1244 ddvpj.exe 107 PID 1244 wrote to memory of 4028 1244 ddvpj.exe 107 PID 1244 wrote to memory of 4028 1244 ddvpj.exe 107 PID 4028 wrote to memory of 464 4028 flffxlx.exe 108 PID 4028 wrote to memory of 464 4028 flffxlx.exe 108 PID 4028 wrote to memory of 464 4028 flffxlx.exe 108 PID 464 wrote to memory of 2868 464 nhhbbb.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe"C:\Users\Admin\AppData\Local\Temp\a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\9hnnnt.exec:\9hnnnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\vdjjd.exec:\vdjjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\5lfxxxr.exec:\5lfxxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\hntnhb.exec:\hntnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\pvjjp.exec:\pvjjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\3xfxxxf.exec:\3xfxxxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\dvpdp.exec:\dvpdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\rfxxfrf.exec:\rfxxfrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\fxrrlll.exec:\fxrrlll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\ttthth.exec:\ttthth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\tnnnnn.exec:\tnnnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\lfffrlr.exec:\lfffrlr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\vjdvp.exec:\vjdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\fxxrfxr.exec:\fxxrfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\pvjvj.exec:\pvjvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\lrrfxxr.exec:\lrrfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\jddvv.exec:\jddvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\ddvpj.exec:\ddvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\flffxlx.exec:\flffxlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\nhhbbb.exec:\nhhbbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\hhtnhh.exec:\hhtnhh.exe23⤵
- Executes dropped EXE
PID:2868 -
\??\c:\5pjdj.exec:\5pjdj.exe24⤵
- Executes dropped EXE
PID:748 -
\??\c:\rlfrfrf.exec:\rlfrfrf.exe25⤵
- Executes dropped EXE
PID:1712 -
\??\c:\pjjdd.exec:\pjjdd.exe26⤵
- Executes dropped EXE
PID:3968 -
\??\c:\1hbttt.exec:\1hbttt.exe27⤵
- Executes dropped EXE
PID:4688 -
\??\c:\jjpdj.exec:\jjpdj.exe28⤵
- Executes dropped EXE
PID:3360 -
\??\c:\nntntn.exec:\nntntn.exe29⤵
- Executes dropped EXE
PID:4008 -
\??\c:\vddvp.exec:\vddvp.exe30⤵
- Executes dropped EXE
PID:4840 -
\??\c:\ffrlflr.exec:\ffrlflr.exe31⤵
- Executes dropped EXE
PID:940 -
\??\c:\tntnhh.exec:\tntnhh.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1732 -
\??\c:\vjpjj.exec:\vjpjj.exe33⤵
- Executes dropped EXE
PID:5080 -
\??\c:\llrrllf.exec:\llrrllf.exe34⤵
- Executes dropped EXE
PID:3452 -
\??\c:\1nnhbb.exec:\1nnhbb.exe35⤵
- Executes dropped EXE
PID:1564 -
\??\c:\1ntttn.exec:\1ntttn.exe36⤵
- Executes dropped EXE
PID:2880 -
\??\c:\3rxlfxr.exec:\3rxlfxr.exe37⤵
- Executes dropped EXE
PID:4308 -
\??\c:\5bbttt.exec:\5bbttt.exe38⤵
- Executes dropped EXE
PID:2984 -
\??\c:\jvjpd.exec:\jvjpd.exe39⤵
- Executes dropped EXE
PID:4572 -
\??\c:\pjdpj.exec:\pjdpj.exe40⤵
- Executes dropped EXE
PID:4736 -
\??\c:\xllfxrl.exec:\xllfxrl.exe41⤵
- Executes dropped EXE
PID:512 -
\??\c:\hbhtnb.exec:\hbhtnb.exe42⤵
- Executes dropped EXE
PID:4604 -
\??\c:\thnbtn.exec:\thnbtn.exe43⤵
- Executes dropped EXE
PID:2068 -
\??\c:\dvdpp.exec:\dvdpp.exe44⤵
- Executes dropped EXE
PID:2472 -
\??\c:\5vppj.exec:\5vppj.exe45⤵
- Executes dropped EXE
PID:1972 -
\??\c:\rrrxlrf.exec:\rrrxlrf.exe46⤵
- Executes dropped EXE
PID:4184 -
\??\c:\tnbttt.exec:\tnbttt.exe47⤵
- Executes dropped EXE
PID:1968 -
\??\c:\nttnhn.exec:\nttnhn.exe48⤵
- Executes dropped EXE
PID:1980 -
\??\c:\ppvpp.exec:\ppvpp.exe49⤵
- Executes dropped EXE
PID:112 -
\??\c:\xxxxrll.exec:\xxxxrll.exe50⤵
- Executes dropped EXE
PID:2132 -
\??\c:\nhttbb.exec:\nhttbb.exe51⤵
- Executes dropped EXE
PID:544 -
\??\c:\hbhtht.exec:\hbhtht.exe52⤵
- Executes dropped EXE
PID:3572 -
\??\c:\pjdvv.exec:\pjdvv.exe53⤵
- Executes dropped EXE
PID:1308 -
\??\c:\5fllfrf.exec:\5fllfrf.exe54⤵
- Executes dropped EXE
PID:3472 -
\??\c:\9rrfxxr.exec:\9rrfxxr.exe55⤵
- Executes dropped EXE
PID:3668 -
\??\c:\9tbhhh.exec:\9tbhhh.exe56⤵
- Executes dropped EXE
PID:1304 -
\??\c:\7btnht.exec:\7btnht.exe57⤵
- Executes dropped EXE
PID:212 -
\??\c:\dvvpp.exec:\dvvpp.exe58⤵
- Executes dropped EXE
PID:1188 -
\??\c:\fllxxlx.exec:\fllxxlx.exe59⤵
- Executes dropped EXE
PID:1852 -
\??\c:\tttnhh.exec:\tttnhh.exe60⤵
- Executes dropped EXE
PID:4428 -
\??\c:\tbhbbb.exec:\tbhbbb.exe61⤵
- Executes dropped EXE
PID:1144 -
\??\c:\ddvvd.exec:\ddvvd.exe62⤵
- Executes dropped EXE
PID:3652 -
\??\c:\xlrlllf.exec:\xlrlllf.exe63⤵
- Executes dropped EXE
PID:4544 -
\??\c:\3rlxrrl.exec:\3rlxrrl.exe64⤵
- Executes dropped EXE
PID:3580 -
\??\c:\pdjjj.exec:\pdjjj.exe65⤵
- Executes dropped EXE
PID:3852 -
\??\c:\jddvd.exec:\jddvd.exe66⤵PID:1748
-
\??\c:\lfxxrll.exec:\lfxxrll.exe67⤵PID:4844
-
\??\c:\nbhbtt.exec:\nbhbtt.exe68⤵PID:1700
-
\??\c:\tbbnhh.exec:\tbbnhh.exe69⤵
- System Location Discovery: System Language Discovery
PID:4208 -
\??\c:\ppjdv.exec:\ppjdv.exe70⤵PID:4344
-
\??\c:\pdpdj.exec:\pdpdj.exe71⤵PID:1396
-
\??\c:\llffxff.exec:\llffxff.exe72⤵PID:1376
-
\??\c:\nhtnbt.exec:\nhtnbt.exe73⤵PID:5112
-
\??\c:\nhnhbb.exec:\nhnhbb.exe74⤵PID:4556
-
\??\c:\5vpjj.exec:\5vpjj.exe75⤵PID:5028
-
\??\c:\llffxxr.exec:\llffxxr.exe76⤵PID:636
-
\??\c:\xlrllff.exec:\xlrllff.exe77⤵PID:4016
-
\??\c:\hhhnnb.exec:\hhhnnb.exe78⤵PID:1744
-
\??\c:\bbhbtn.exec:\bbhbtn.exe79⤵PID:2452
-
\??\c:\pvjdd.exec:\pvjdd.exe80⤵PID:4304
-
\??\c:\3llfrrf.exec:\3llfrrf.exe81⤵PID:2348
-
\??\c:\ttbtbt.exec:\ttbtbt.exe82⤵PID:2008
-
\??\c:\tbhhbt.exec:\tbhhbt.exe83⤵PID:4732
-
\??\c:\jjjdv.exec:\jjjdv.exe84⤵PID:632
-
\??\c:\lrfxffr.exec:\lrfxffr.exe85⤵PID:5080
-
\??\c:\1xfxxrr.exec:\1xfxxrr.exe86⤵PID:2456
-
\??\c:\hhnbtt.exec:\hhnbtt.exe87⤵PID:1084
-
\??\c:\9pjdv.exec:\9pjdv.exe88⤵PID:4492
-
\??\c:\vvjdv.exec:\vvjdv.exe89⤵PID:2828
-
\??\c:\lrxrrrl.exec:\lrxrrrl.exe90⤵PID:960
-
\??\c:\tbhbbb.exec:\tbhbbb.exe91⤵PID:448
-
\??\c:\ttnnhn.exec:\ttnnhn.exe92⤵PID:2984
-
\??\c:\dpvvv.exec:\dpvvv.exe93⤵PID:2676
-
\??\c:\rrxrfff.exec:\rrxrfff.exe94⤵PID:4736
-
\??\c:\btbbtt.exec:\btbbtt.exe95⤵PID:4436
-
\??\c:\vvdpp.exec:\vvdpp.exe96⤵PID:4604
-
\??\c:\xllrrrr.exec:\xllrrrr.exe97⤵PID:2520
-
\??\c:\httnhb.exec:\httnhb.exe98⤵PID:920
-
\??\c:\pdjdv.exec:\pdjdv.exe99⤵PID:5092
-
\??\c:\5rrlfxl.exec:\5rrlfxl.exe100⤵PID:4264
-
\??\c:\vjddv.exec:\vjddv.exe101⤵PID:4988
-
\??\c:\pjpjj.exec:\pjpjj.exe102⤵PID:2260
-
\??\c:\llrllll.exec:\llrllll.exe103⤵PID:3332
-
\??\c:\jpdvv.exec:\jpdvv.exe104⤵PID:864
-
\??\c:\9ppjv.exec:\9ppjv.exe105⤵PID:5084
-
\??\c:\ffrlrll.exec:\ffrlrll.exe106⤵PID:3940
-
\??\c:\nbbnhb.exec:\nbbnhb.exe107⤵PID:3468
-
\??\c:\3jjdv.exec:\3jjdv.exe108⤵PID:2488
-
\??\c:\fxrlfrl.exec:\fxrlfrl.exe109⤵PID:264
-
\??\c:\jpddv.exec:\jpddv.exe110⤵PID:3400
-
\??\c:\flrfxrl.exec:\flrfxrl.exe111⤵PID:3348
-
\??\c:\lrxlfxl.exec:\lrxlfxl.exe112⤵PID:3868
-
\??\c:\bnhbtn.exec:\bnhbtn.exe113⤵PID:1496
-
\??\c:\dvdvp.exec:\dvdvp.exe114⤵PID:4972
-
\??\c:\xffxllf.exec:\xffxllf.exe115⤵PID:1440
-
\??\c:\nhnhnh.exec:\nhnhnh.exe116⤵PID:4728
-
\??\c:\vvppj.exec:\vvppj.exe117⤵PID:2328
-
\??\c:\hbnhtb.exec:\hbnhtb.exe118⤵PID:4048
-
\??\c:\pddvj.exec:\pddvj.exe119⤵PID:1200
-
\??\c:\xrxrllf.exec:\xrxrllf.exe120⤵PID:432
-
\??\c:\hntnht.exec:\hntnht.exe121⤵PID:1068
-
\??\c:\ddjdp.exec:\ddjdp.exe122⤵PID:1508