Analysis
-
max time kernel
150s -
max time network
102s -
platform
windows11-21h2_x64 -
resource
win11-20250410-en -
resource tags
arch:x64 arch:x86 image:win11-20250410-en locale:en-us os:windows11-21h2-x64 system -
submitted
22/04/2025, 00:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe
Resource
win10v2004-20250314-en
7 signatures
150 seconds
General
-
Target
a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe
-
Size
459KB
-
MD5
025fcad154267b8e880fdeb936d4194a
-
SHA1
ec3411cb6ebcb0b74a6779ed564653324e8d8c57
-
SHA256
a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3
-
SHA512
789c9cb2221be032d3ea739618fa50cade06139452a1a80f36e946a734ef19058c58e93bd896f488b197c0cff655a2331e6281818dad6c5140eb32b867b03f71
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbebv:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 55 IoCs
resource yara_rule behavioral2/memory/1236-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5556-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5516-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5300-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5700-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5864-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1168-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5740-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5332-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5556-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5548-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4444-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5136-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/484-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5616-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5304-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6096-905-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-948-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-1108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4652 jdvpv.exe 4548 ntbttt.exe 5556 jjjvv.exe 3620 3ffrlfr.exe 5516 djpjd.exe 1396 pppvj.exe 4560 frrllff.exe 3660 ttbbbb.exe 3628 xrrrllx.exe 5300 nbtnbh.exe 1736 bhnbtt.exe 4880 lrrrrrr.exe 5088 3nnnhh.exe 4924 nbhbbt.exe 5052 pjjdv.exe 3236 bttntn.exe 5700 ppvdp.exe 5136 dpdvp.exe 6040 nnhnhb.exe 2332 ppvjj.exe 4444 9rxrllf.exe 4408 9bhtnn.exe 4796 thnhbn.exe 5132 1xxlfff.exe 5612 nhnbht.exe 1000 1vdvp.exe 444 hbbbtt.exe 3948 1vdvp.exe 3528 vpjdp.exe 2628 hhhbtn.exe 2208 9pvpj.exe 3112 frxxxrl.exe 6108 ththbb.exe 2128 vpvpp.exe 864 xfxrlfr.exe 2956 nnnnbb.exe 3668 hbtnbb.exe 3568 dpvpd.exe 688 rffxrfx.exe 2192 5nnnhb.exe 2728 nbbnht.exe 244 pjvvp.exe 2140 xxlfxxx.exe 3560 xlxfxxr.exe 1168 3bhbtn.exe 5864 dvjdp.exe 492 dpvpj.exe 5804 xxxrllf.exe 992 5htnhb.exe 3308 ppvpp.exe 5736 pvvjd.exe 6096 rlfxrrl.exe 1264 hhhtnh.exe 2296 jdjdv.exe 772 rlxrrll.exe 2104 rxffffx.exe 1368 tntnnn.exe 5748 jpvpj.exe 5880 xrrlffx.exe 5212 tbhbtn.exe 1300 7bbnbt.exe 2960 vvdpj.exe 744 rxrfxrl.exe 3936 fxlfllx.exe -
resource yara_rule behavioral2/memory/1236-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5556-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5516-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5300-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5700-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5864-241-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1168-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5740-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5332-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5556-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5548-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5136-114-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5052-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/484-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5616-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5304-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-820-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6096-905-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-948-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-1108-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxflrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1236 wrote to memory of 4652 1236 a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe 79 PID 1236 wrote to memory of 4652 1236 a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe 79 PID 1236 wrote to memory of 4652 1236 a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe 79 PID 4652 wrote to memory of 4548 4652 jdvpv.exe 80 PID 4652 wrote to memory of 4548 4652 jdvpv.exe 80 PID 4652 wrote to memory of 4548 4652 jdvpv.exe 80 PID 4548 wrote to memory of 5556 4548 ntbttt.exe 81 PID 4548 wrote to memory of 5556 4548 ntbttt.exe 81 PID 4548 wrote to memory of 5556 4548 ntbttt.exe 81 PID 5556 wrote to memory of 3620 5556 jjjvv.exe 82 PID 5556 wrote to memory of 3620 5556 jjjvv.exe 82 PID 5556 wrote to memory of 3620 5556 jjjvv.exe 82 PID 3620 wrote to memory of 5516 3620 3ffrlfr.exe 83 PID 3620 wrote to memory of 5516 3620 3ffrlfr.exe 83 PID 3620 wrote to memory of 5516 3620 3ffrlfr.exe 83 PID 5516 wrote to memory of 1396 5516 djpjd.exe 84 PID 5516 wrote to memory of 1396 5516 djpjd.exe 84 PID 5516 wrote to memory of 1396 5516 djpjd.exe 84 PID 1396 wrote to memory of 4560 1396 pppvj.exe 85 PID 1396 wrote to memory of 4560 1396 pppvj.exe 85 PID 1396 wrote to memory of 4560 1396 pppvj.exe 85 PID 4560 wrote to memory of 3660 4560 frrllff.exe 86 PID 4560 wrote to memory of 3660 4560 frrllff.exe 86 PID 4560 wrote to memory of 3660 4560 frrllff.exe 86 PID 3660 wrote to memory of 3628 3660 ttbbbb.exe 87 PID 3660 wrote to memory of 3628 3660 ttbbbb.exe 87 PID 3660 wrote to memory of 3628 3660 ttbbbb.exe 87 PID 3628 wrote to memory of 5300 3628 xrrrllx.exe 88 PID 3628 wrote to memory of 5300 3628 xrrrllx.exe 88 PID 3628 wrote to memory of 5300 3628 xrrrllx.exe 88 PID 5300 wrote to memory of 1736 5300 nbtnbh.exe 89 PID 5300 wrote to memory of 1736 5300 nbtnbh.exe 89 PID 5300 wrote to memory of 1736 5300 nbtnbh.exe 89 PID 1736 wrote to memory of 4880 1736 bhnbtt.exe 90 PID 1736 wrote to 
memory of 4880 1736 bhnbtt.exe 90 PID 1736 wrote to memory of 4880 1736 bhnbtt.exe 90 PID 4880 wrote to memory of 5088 4880 lrrrrrr.exe 91 PID 4880 wrote to memory of 5088 4880 lrrrrrr.exe 91 PID 4880 wrote to memory of 5088 4880 lrrrrrr.exe 91 PID 5088 wrote to memory of 4924 5088 3nnnhh.exe 92 PID 5088 wrote to memory of 4924 5088 3nnnhh.exe 92 PID 5088 wrote to memory of 4924 5088 3nnnhh.exe 92 PID 4924 wrote to memory of 5052 4924 nbhbbt.exe 93 PID 4924 wrote to memory of 5052 4924 nbhbbt.exe 93 PID 4924 wrote to memory of 5052 4924 nbhbbt.exe 93 PID 5052 wrote to memory of 3236 5052 pjjdv.exe 94 PID 5052 wrote to memory of 3236 5052 pjjdv.exe 94 PID 5052 wrote to memory of 3236 5052 pjjdv.exe 94 PID 3236 wrote to memory of 5700 3236 bttntn.exe 95 PID 3236 wrote to memory of 5700 3236 bttntn.exe 95 PID 3236 wrote to memory of 5700 3236 bttntn.exe 95 PID 5700 wrote to memory of 5136 5700 ppvdp.exe 96 PID 5700 wrote to memory of 5136 5700 ppvdp.exe 96 PID 5700 wrote to memory of 5136 5700 ppvdp.exe 96 PID 5136 wrote to memory of 6040 5136 dpdvp.exe 97 PID 5136 wrote to memory of 6040 5136 dpdvp.exe 97 PID 5136 wrote to memory of 6040 5136 dpdvp.exe 97 PID 6040 wrote to memory of 2332 6040 nnhnhb.exe 98 PID 6040 wrote to memory of 2332 6040 nnhnhb.exe 98 PID 6040 wrote to memory of 2332 6040 nnhnhb.exe 98 PID 2332 wrote to memory of 4444 2332 ppvjj.exe 99 PID 2332 wrote to memory of 4444 2332 ppvjj.exe 99 PID 2332 wrote to memory of 4444 2332 ppvjj.exe 99 PID 4444 wrote to memory of 4408 4444 9rxrllf.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe"C:\Users\Admin\AppData\Local\Temp\a6b75752da1c9c883a1dd3f567f6130666943a2a35e308862c1d9a7c3bee8cc3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\jdvpv.exec:\jdvpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\ntbttt.exec:\ntbttt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\jjjvv.exec:\jjjvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5556 -
\??\c:\3ffrlfr.exec:\3ffrlfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\djpjd.exec:\djpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5516 -
\??\c:\pppvj.exec:\pppvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\frrllff.exec:\frrllff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\ttbbbb.exec:\ttbbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\xrrrllx.exec:\xrrrllx.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\nbtnbh.exec:\nbtnbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5300 -
\??\c:\bhnbtt.exec:\bhnbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\lrrrrrr.exec:\lrrrrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\3nnnhh.exec:\3nnnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\nbhbbt.exec:\nbhbbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\pjjdv.exec:\pjjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\bttntn.exec:\bttntn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\ppvdp.exec:\ppvdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5700 -
\??\c:\dpdvp.exec:\dpdvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5136 -
\??\c:\nnhnhb.exec:\nnhnhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6040 -
\??\c:\ppvjj.exec:\ppvjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\9rxrllf.exec:\9rxrllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\9bhtnn.exec:\9bhtnn.exe23⤵
- Executes dropped EXE
PID:4408 -
\??\c:\thnhbn.exec:\thnhbn.exe24⤵
- Executes dropped EXE
PID:4796 -
\??\c:\1xxlfff.exec:\1xxlfff.exe25⤵
- Executes dropped EXE
PID:5132 -
\??\c:\nhnbht.exec:\nhnbht.exe26⤵
- Executes dropped EXE
PID:5612 -
\??\c:\1vdvp.exec:\1vdvp.exe27⤵
- Executes dropped EXE
PID:1000 -
\??\c:\hbbbtt.exec:\hbbbtt.exe28⤵
- Executes dropped EXE
PID:444 -
\??\c:\1vdvp.exec:\1vdvp.exe29⤵
- Executes dropped EXE
PID:3948 -
\??\c:\vpjdp.exec:\vpjdp.exe30⤵
- Executes dropped EXE
PID:3528 -
\??\c:\hhhbtn.exec:\hhhbtn.exe31⤵
- Executes dropped EXE
PID:2628 -
\??\c:\9pvpj.exec:\9pvpj.exe32⤵
- Executes dropped EXE
PID:2208 -
\??\c:\frxxxrl.exec:\frxxxrl.exe33⤵
- Executes dropped EXE
PID:3112 -
\??\c:\ththbb.exec:\ththbb.exe34⤵
- Executes dropped EXE
PID:6108 -
\??\c:\vpvpp.exec:\vpvpp.exe35⤵
- Executes dropped EXE
PID:2128 -
\??\c:\xfxrlfr.exec:\xfxrlfr.exe36⤵
- Executes dropped EXE
PID:864 -
\??\c:\nnnnbb.exec:\nnnnbb.exe37⤵
- Executes dropped EXE
PID:2956 -
\??\c:\hbtnbb.exec:\hbtnbb.exe38⤵
- Executes dropped EXE
PID:3668 -
\??\c:\dpvpd.exec:\dpvpd.exe39⤵
- Executes dropped EXE
PID:3568 -
\??\c:\rffxrfx.exec:\rffxrfx.exe40⤵
- Executes dropped EXE
PID:688 -
\??\c:\5nnnhb.exec:\5nnnhb.exe41⤵
- Executes dropped EXE
PID:2192 -
\??\c:\nbbnht.exec:\nbbnht.exe42⤵
- Executes dropped EXE
PID:2728 -
\??\c:\pjvvp.exec:\pjvvp.exe43⤵
- Executes dropped EXE
PID:244 -
\??\c:\xxlfxxx.exec:\xxlfxxx.exe44⤵
- Executes dropped EXE
PID:2140 -
\??\c:\xlxfxxr.exec:\xlxfxxr.exe45⤵
- Executes dropped EXE
PID:3560 -
\??\c:\3bhbtn.exec:\3bhbtn.exe46⤵
- Executes dropped EXE
PID:1168 -
\??\c:\dvjdp.exec:\dvjdp.exe47⤵
- Executes dropped EXE
PID:5864 -
\??\c:\dpvpj.exec:\dpvpj.exe48⤵
- Executes dropped EXE
PID:492 -
\??\c:\xxxrllf.exec:\xxxrllf.exe49⤵
- Executes dropped EXE
PID:5804 -
\??\c:\5htnhb.exec:\5htnhb.exe50⤵
- Executes dropped EXE
PID:992 -
\??\c:\ppvpp.exec:\ppvpp.exe51⤵
- Executes dropped EXE
PID:3308 -
\??\c:\pvvjd.exec:\pvvjd.exe52⤵
- Executes dropped EXE
PID:5736 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe53⤵
- Executes dropped EXE
PID:6096 -
\??\c:\hhhtnh.exec:\hhhtnh.exe54⤵
- Executes dropped EXE
PID:1264 -
\??\c:\jdjdv.exec:\jdjdv.exe55⤵
- Executes dropped EXE
PID:2296 -
\??\c:\rlxrrll.exec:\rlxrrll.exe56⤵
- Executes dropped EXE
PID:772 -
\??\c:\rxffffx.exec:\rxffffx.exe57⤵
- Executes dropped EXE
PID:2104 -
\??\c:\tntnnn.exec:\tntnnn.exe58⤵
- Executes dropped EXE
PID:1368 -
\??\c:\jpvpj.exec:\jpvpj.exe59⤵
- Executes dropped EXE
PID:5748 -
\??\c:\xrrlffx.exec:\xrrlffx.exe60⤵
- Executes dropped EXE
PID:5880 -
\??\c:\tbhbtn.exec:\tbhbtn.exe61⤵
- Executes dropped EXE
PID:5212 -
\??\c:\7bbnbt.exec:\7bbnbt.exe62⤵
- Executes dropped EXE
PID:1300 -
\??\c:\vvdpj.exec:\vvdpj.exe63⤵
- Executes dropped EXE
PID:2960 -
\??\c:\rxrfxrl.exec:\rxrfxrl.exe64⤵
- Executes dropped EXE
PID:744 -
\??\c:\fxlfllx.exec:\fxlfllx.exe65⤵
- Executes dropped EXE
PID:3936 -
\??\c:\bnbnnh.exec:\bnbnnh.exe66⤵PID:3500
-
\??\c:\hbnbbb.exec:\hbnbbb.exe67⤵PID:2016
-
\??\c:\ppppj.exec:\ppppj.exe68⤵PID:5280
-
\??\c:\lllfrlf.exec:\lllfrlf.exe69⤵PID:3008
-
\??\c:\1rrlffr.exec:\1rrlffr.exe70⤵PID:5572
-
\??\c:\hhnhhh.exec:\hhnhhh.exe71⤵PID:2212
-
\??\c:\jvddj.exec:\jvddj.exe72⤵PID:3760
-
\??\c:\dddpj.exec:\dddpj.exe73⤵PID:4576
-
\??\c:\rrflxxr.exec:\rrflxxr.exe74⤵PID:2832
-
\??\c:\5nhthb.exec:\5nhthb.exe75⤵PID:872
-
\??\c:\hnnnnn.exec:\hnnnnn.exe76⤵PID:1028
-
\??\c:\pppdv.exec:\pppdv.exe77⤵PID:5740
-
\??\c:\lxfxllf.exec:\lxfxllf.exe78⤵PID:2420
-
\??\c:\1xfxxrf.exec:\1xfxxrf.exe79⤵PID:3940
-
\??\c:\tbbtnh.exec:\tbbtnh.exe80⤵PID:4120
-
\??\c:\hbhbhh.exec:\hbhbhh.exe81⤵PID:1344
-
\??\c:\pjjdv.exec:\pjjdv.exe82⤵PID:2512
-
\??\c:\3rlffff.exec:\3rlffff.exe83⤵PID:4828
-
\??\c:\5rfxxxx.exec:\5rfxxxx.exe84⤵PID:1628
-
\??\c:\btttnh.exec:\btttnh.exe85⤵PID:2608
-
\??\c:\thnhbt.exec:\thnhbt.exe86⤵PID:3160
-
\??\c:\jddvj.exec:\jddvj.exe87⤵PID:6136
-
\??\c:\xflxrrf.exec:\xflxrrf.exe88⤵PID:2996
-
\??\c:\rllxxlf.exec:\rllxxlf.exe89⤵PID:5236
-
\??\c:\btttnh.exec:\btttnh.exe90⤵PID:4884
-
\??\c:\3nhbtn.exec:\3nhbtn.exe91⤵PID:1564
-
\??\c:\vvvpj.exec:\vvvpj.exe92⤵PID:3592
-
\??\c:\rxxxfxx.exec:\rxxxfxx.exe93⤵PID:5548
-
\??\c:\xrxrrlr.exec:\xrxrrlr.exe94⤵PID:5224
-
\??\c:\bnbttb.exec:\bnbttb.exe95⤵PID:5556
-
\??\c:\jvvpj.exec:\jvvpj.exe96⤵PID:1688
-
\??\c:\vdjdv.exec:\vdjdv.exe97⤵PID:3636
-
\??\c:\xlxrllf.exec:\xlxrllf.exe98⤵PID:5332
-
\??\c:\9thbhn.exec:\9thbhn.exe99⤵PID:3088
-
\??\c:\nnhhnn.exec:\nnhhnn.exe100⤵PID:4568
-
\??\c:\djppj.exec:\djppj.exe101⤵PID:5732
-
\??\c:\1flfxrl.exec:\1flfxrl.exe102⤵PID:2472
-
\??\c:\lfxlfrf.exec:\lfxlfrf.exe103⤵PID:4696
-
\??\c:\nnnhhh.exec:\nnnhhh.exe104⤵PID:5308
-
\??\c:\jjjdj.exec:\jjjdj.exe105⤵PID:4268
-
\??\c:\jdvpd.exec:\jdvpd.exe106⤵PID:4836
-
\??\c:\rlrrrfr.exec:\rlrrrfr.exe107⤵PID:4396
-
\??\c:\thhbtt.exec:\thhbtt.exe108⤵PID:5092
-
\??\c:\9vvvp.exec:\9vvvp.exe109⤵PID:5048
-
\??\c:\pvddd.exec:\pvddd.exe110⤵PID:5148
-
\??\c:\7lfxxxr.exec:\7lfxxxr.exe111⤵PID:4976
-
\??\c:\ttnnth.exec:\ttnnth.exe112⤵PID:5084
-
\??\c:\tnnhbb.exec:\tnnhbb.exe113⤵PID:4780
-
\??\c:\djjjd.exec:\djjjd.exe114⤵PID:3460
-
\??\c:\rfxlxrl.exec:\rfxlxrl.exe115⤵PID:2028
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe116⤵PID:2060
-
\??\c:\hhhhbb.exec:\hhhhbb.exe117⤵PID:3680
-
\??\c:\7nhbbh.exec:\7nhbbh.exe118⤵PID:4484
-
\??\c:\dpppd.exec:\dpppd.exe119⤵PID:4644
-
\??\c:\rflfxrl.exec:\rflfxrl.exe120⤵PID:4344
-
\??\c:\rfllffx.exec:\rfllffx.exe121⤵PID:3684
-
\??\c:\btttnh.exec:\btttnh.exe122⤵PID:4892