Analysis
-
max time kernel
120s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe
-
Size
454KB
-
MD5
64489ceab14b7b091ec284e7e96615e0
-
SHA1
e0f2ab59df391bdf7add06ee49855639625ce381
-
SHA256
5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2
-
SHA512
8c483b9ae87f6d297eb3cbd5e58b8fdede1f9803f5379715d785a30ed9877ef72cefca3908c3b42142bdefdf7f7ebc1df7de14b2d4eda7f07d20632a63b99b08
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/2372-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/320-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2872-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2624-122-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1952-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-140-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1192-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-172-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2900-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-181-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2492-204-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2492-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2152-214-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2152-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2316-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2120-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/768-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/552-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3016-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-336-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2632-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1760-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1964-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-469-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2904-485-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1948-492-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1948-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2108-512-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1868-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2268-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1684-665-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/1776-702-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2792-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-846-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2892-847-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2760-854-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2800-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-880-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2604-900-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2360-1058-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2088-1062-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2692 1lflrfx.exe 320 ntttht.exe 2264 1pdjp.exe 2712 ppjpd.exe 2828 nnhtth.exe 2740 hhbntb.exe 2872 fxrxrrf.exe 2856 nhbhtn.exe 2624 nbtbhh.exe 2164 ffxrfrl.exe 1676 bthtnt.exe 272 llfrfrf.exe 1952 dvpdj.exe 1792 rrlllrx.exe 1192 hnbtnb.exe 2512 frlxlfx.exe 1332 dvvjv.exe 2900 jpjjd.exe 2944 nhhnbh.exe 2488 ddjjv.exe 2492 bbbnnt.exe 2152 jjdvp.exe 1344 lfrrlrl.exe 2316 vvjdv.exe 2120 hbtbhh.exe 2496 vpjjd.exe 768 jjdpv.exe 552 1lflllf.exe 2576 1btnnt.exe 3008 dpddp.exe 3028 djpjd.exe 3016 rrlfrfx.exe 2792 jppjp.exe 344 pddjv.exe 2832 flflxlr.exe 2860 hbhhnn.exe 572 jjdjd.exe 2632 pppvd.exe 2528 xxxlrff.exe 2880 btntbh.exe 2684 dvddj.exe 3040 5rflxxr.exe 1436 fxxrflf.exe 1512 3hbnnt.exe 1764 7djjj.exe 1988 9pjvj.exe 1856 1xxlrfr.exe 1708 3nbntb.exe 1892 jdddj.exe 2092 5vvjp.exe 1760 xxxlflf.exe 1964 1nttnt.exe 2668 1jjdd.exe 2592 dpvpv.exe 1104 rlrrxxl.exe 2472 nnhttt.exe 2936 djdjd.exe 960 9pvjd.exe 2904 lxfrlfr.exe 1948 hhhtnh.exe 2320 jpdjp.exe 2848 xfxlfxl.exe 2108 nhthtt.exe 776 tnnnhn.exe -
resource yara_rule behavioral1/memory/2372-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/320-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2624-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1192-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2152-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2120-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/768-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/552-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-316-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2632-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2092-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1104-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/960-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-492-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1948-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-512-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1868-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2268-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1684-665-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1776-702-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2132-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-832-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-846-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-854-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/2800-873-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2728-887-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1760-949-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. In this run it is observed as reads of the HKLM\SYSTEM\ControlSet001\Control\NLS\Language registry key by the dropped executables.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9frrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2372 wrote to memory of 2692 2372 5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe 31 PID 2372 wrote to memory of 2692 2372 5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe 31 PID 2372 wrote to memory of 2692 2372 5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe 31 PID 2372 wrote to memory of 2692 2372 5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe 31 PID 2692 wrote to memory of 320 2692 1lflrfx.exe 32 PID 2692 wrote to memory of 320 2692 1lflrfx.exe 32 PID 2692 wrote to memory of 320 2692 1lflrfx.exe 32 PID 2692 wrote to memory of 320 2692 1lflrfx.exe 32 PID 320 wrote to memory of 2264 320 ntttht.exe 33 PID 320 wrote to memory of 2264 320 ntttht.exe 33 PID 320 wrote to memory of 2264 320 ntttht.exe 33 PID 320 wrote to memory of 2264 320 ntttht.exe 33 PID 2264 wrote to memory of 2712 2264 1pdjp.exe 34 PID 2264 wrote to memory of 2712 2264 1pdjp.exe 34 PID 2264 wrote to memory of 2712 2264 1pdjp.exe 34 PID 2264 wrote to memory of 2712 2264 1pdjp.exe 34 PID 2712 wrote to memory of 2828 2712 ppjpd.exe 35 PID 2712 wrote to memory of 2828 2712 ppjpd.exe 35 PID 2712 wrote to memory of 2828 2712 ppjpd.exe 35 PID 2712 wrote to memory of 2828 2712 ppjpd.exe 35 PID 2828 wrote to memory of 2740 2828 nnhtth.exe 36 PID 2828 wrote to memory of 2740 2828 nnhtth.exe 36 PID 2828 wrote to memory of 2740 2828 nnhtth.exe 36 PID 2828 wrote to memory of 2740 2828 nnhtth.exe 36 PID 2740 wrote to memory of 2872 2740 hhbntb.exe 37 PID 2740 wrote to memory of 2872 2740 hhbntb.exe 37 PID 2740 wrote to memory of 2872 2740 hhbntb.exe 37 PID 2740 wrote to memory of 2872 2740 hhbntb.exe 37 PID 2872 wrote to memory of 2856 2872 fxrxrrf.exe 38 PID 2872 wrote to memory of 2856 2872 fxrxrrf.exe 38 PID 2872 wrote to memory of 2856 2872 fxrxrrf.exe 38 PID 2872 wrote to memory of 2856 2872 fxrxrrf.exe 38 PID 2856 wrote to memory of 2624 2856 nhbhtn.exe 39 PID 2856 wrote to 
memory of 2624 2856 nhbhtn.exe 39 PID 2856 wrote to memory of 2624 2856 nhbhtn.exe 39 PID 2856 wrote to memory of 2624 2856 nhbhtn.exe 39 PID 2624 wrote to memory of 2164 2624 nbtbhh.exe 40 PID 2624 wrote to memory of 2164 2624 nbtbhh.exe 40 PID 2624 wrote to memory of 2164 2624 nbtbhh.exe 40 PID 2624 wrote to memory of 2164 2624 nbtbhh.exe 40 PID 2164 wrote to memory of 1676 2164 ffxrfrl.exe 41 PID 2164 wrote to memory of 1676 2164 ffxrfrl.exe 41 PID 2164 wrote to memory of 1676 2164 ffxrfrl.exe 41 PID 2164 wrote to memory of 1676 2164 ffxrfrl.exe 41 PID 1676 wrote to memory of 272 1676 bthtnt.exe 42 PID 1676 wrote to memory of 272 1676 bthtnt.exe 42 PID 1676 wrote to memory of 272 1676 bthtnt.exe 42 PID 1676 wrote to memory of 272 1676 bthtnt.exe 42 PID 272 wrote to memory of 1952 272 llfrfrf.exe 43 PID 272 wrote to memory of 1952 272 llfrfrf.exe 43 PID 272 wrote to memory of 1952 272 llfrfrf.exe 43 PID 272 wrote to memory of 1952 272 llfrfrf.exe 43 PID 1952 wrote to memory of 1792 1952 dvpdj.exe 44 PID 1952 wrote to memory of 1792 1952 dvpdj.exe 44 PID 1952 wrote to memory of 1792 1952 dvpdj.exe 44 PID 1952 wrote to memory of 1792 1952 dvpdj.exe 44 PID 1792 wrote to memory of 1192 1792 rrlllrx.exe 45 PID 1792 wrote to memory of 1192 1792 rrlllrx.exe 45 PID 1792 wrote to memory of 1192 1792 rrlllrx.exe 45 PID 1792 wrote to memory of 1192 1792 rrlllrx.exe 45 PID 1192 wrote to memory of 2512 1192 hnbtnb.exe 46 PID 1192 wrote to memory of 2512 1192 hnbtnb.exe 46 PID 1192 wrote to memory of 2512 1192 hnbtnb.exe 46 PID 1192 wrote to memory of 2512 1192 hnbtnb.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe"C:\Users\Admin\AppData\Local\Temp\5d6f18020fe6effc6c556378d821319d8f274117b84b3c115a643a7a5ea91ca2N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\1lflrfx.exec:\1lflrfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\ntttht.exec:\ntttht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\1pdjp.exec:\1pdjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\ppjpd.exec:\ppjpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\nnhtth.exec:\nnhtth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\hhbntb.exec:\hhbntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\fxrxrrf.exec:\fxrxrrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\nhbhtn.exec:\nhbhtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\nbtbhh.exec:\nbtbhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\ffxrfrl.exec:\ffxrfrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\bthtnt.exec:\bthtnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\llfrfrf.exec:\llfrfrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:272 -
\??\c:\dvpdj.exec:\dvpdj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\rrlllrx.exec:\rrlllrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\hnbtnb.exec:\hnbtnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\frlxlfx.exec:\frlxlfx.exe17⤵
- Executes dropped EXE
PID:2512 -
\??\c:\dvvjv.exec:\dvvjv.exe18⤵
- Executes dropped EXE
PID:1332 -
\??\c:\jpjjd.exec:\jpjjd.exe19⤵
- Executes dropped EXE
PID:2900 -
\??\c:\nhhnbh.exec:\nhhnbh.exe20⤵
- Executes dropped EXE
PID:2944 -
\??\c:\ddjjv.exec:\ddjjv.exe21⤵
- Executes dropped EXE
PID:2488 -
\??\c:\bbbnnt.exec:\bbbnnt.exe22⤵
- Executes dropped EXE
PID:2492 -
\??\c:\jjdvp.exec:\jjdvp.exe23⤵
- Executes dropped EXE
PID:2152 -
\??\c:\lfrrlrl.exec:\lfrrlrl.exe24⤵
- Executes dropped EXE
PID:1344 -
\??\c:\vvjdv.exec:\vvjdv.exe25⤵
- Executes dropped EXE
PID:2316 -
\??\c:\hbtbhh.exec:\hbtbhh.exe26⤵
- Executes dropped EXE
PID:2120 -
\??\c:\vpjjd.exec:\vpjjd.exe27⤵
- Executes dropped EXE
PID:2496 -
\??\c:\jjdpv.exec:\jjdpv.exe28⤵
- Executes dropped EXE
PID:768 -
\??\c:\1lflllf.exec:\1lflllf.exe29⤵
- Executes dropped EXE
PID:552 -
\??\c:\1btnnt.exec:\1btnnt.exe30⤵
- Executes dropped EXE
PID:2576 -
\??\c:\dpddp.exec:\dpddp.exe31⤵
- Executes dropped EXE
PID:3008 -
\??\c:\djpjd.exec:\djpjd.exe32⤵
- Executes dropped EXE
PID:3028 -
\??\c:\rrlfrfx.exec:\rrlfrfx.exe33⤵
- Executes dropped EXE
PID:3016 -
\??\c:\jppjp.exec:\jppjp.exe34⤵
- Executes dropped EXE
PID:2792 -
\??\c:\pddjv.exec:\pddjv.exe35⤵
- Executes dropped EXE
PID:344 -
\??\c:\flflxlr.exec:\flflxlr.exe36⤵
- Executes dropped EXE
PID:2832 -
\??\c:\hbhhnn.exec:\hbhhnn.exe37⤵
- Executes dropped EXE
PID:2860 -
\??\c:\jjdjd.exec:\jjdjd.exe38⤵
- Executes dropped EXE
PID:572 -
\??\c:\pppvd.exec:\pppvd.exe39⤵
- Executes dropped EXE
PID:2632 -
\??\c:\xxxlrff.exec:\xxxlrff.exe40⤵
- Executes dropped EXE
PID:2528 -
\??\c:\btntbh.exec:\btntbh.exe41⤵
- Executes dropped EXE
PID:2880 -
\??\c:\dvddj.exec:\dvddj.exe42⤵
- Executes dropped EXE
PID:2684 -
\??\c:\5rflxxr.exec:\5rflxxr.exe43⤵
- Executes dropped EXE
PID:3040 -
\??\c:\fxxrflf.exec:\fxxrflf.exe44⤵
- Executes dropped EXE
PID:1436 -
\??\c:\3hbnnt.exec:\3hbnnt.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1512 -
\??\c:\7djjj.exec:\7djjj.exe46⤵
- Executes dropped EXE
PID:1764 -
\??\c:\9pjvj.exec:\9pjvj.exe47⤵
- Executes dropped EXE
PID:1988 -
\??\c:\1xxlrfr.exec:\1xxlrfr.exe48⤵
- Executes dropped EXE
PID:1856 -
\??\c:\3nbntb.exec:\3nbntb.exe49⤵
- Executes dropped EXE
PID:1708 -
\??\c:\jdddj.exec:\jdddj.exe50⤵
- Executes dropped EXE
PID:1892 -
\??\c:\5vvjp.exec:\5vvjp.exe51⤵
- Executes dropped EXE
PID:2092 -
\??\c:\xxxlflf.exec:\xxxlflf.exe52⤵
- Executes dropped EXE
PID:1760 -
\??\c:\1nttnt.exec:\1nttnt.exe53⤵
- Executes dropped EXE
PID:1964 -
\??\c:\1jjdd.exec:\1jjdd.exe54⤵
- Executes dropped EXE
PID:2668 -
\??\c:\dpvpv.exec:\dpvpv.exe55⤵
- Executes dropped EXE
PID:2592 -
\??\c:\rlrrxxl.exec:\rlrrxxl.exe56⤵
- Executes dropped EXE
PID:1104 -
\??\c:\nnhttt.exec:\nnhttt.exe57⤵
- Executes dropped EXE
PID:2472 -
\??\c:\djdjd.exec:\djdjd.exe58⤵
- Executes dropped EXE
PID:2936 -
\??\c:\9pvjd.exec:\9pvjd.exe59⤵
- Executes dropped EXE
PID:960 -
\??\c:\lxfrlfr.exec:\lxfrlfr.exe60⤵
- Executes dropped EXE
PID:2904 -
\??\c:\hhhtnh.exec:\hhhtnh.exe61⤵
- Executes dropped EXE
PID:1948 -
\??\c:\jpdjp.exec:\jpdjp.exe62⤵
- Executes dropped EXE
PID:2320 -
\??\c:\xfxlfxl.exec:\xfxlfxl.exe63⤵
- Executes dropped EXE
PID:2848 -
\??\c:\nhthtt.exec:\nhthtt.exe64⤵
- Executes dropped EXE
PID:2108 -
\??\c:\tnnnhn.exec:\tnnnhn.exe65⤵
- Executes dropped EXE
PID:776 -
\??\c:\dddvj.exec:\dddvj.exe66⤵PID:1672
-
\??\c:\7xrxfrf.exec:\7xrxfrf.exe67⤵PID:1748
-
\??\c:\bthbhh.exec:\bthbhh.exe68⤵PID:1868
-
\??\c:\tttbth.exec:\tttbth.exe69⤵PID:2156
-
\??\c:\pvpdp.exec:\pvpdp.exe70⤵PID:1588
-
\??\c:\rxlxflr.exec:\rxlxflr.exe71⤵PID:3004
-
\??\c:\9nthtb.exec:\9nthtb.exe72⤵PID:3064
-
\??\c:\vjdvv.exec:\vjdvv.exe73⤵PID:2268
-
\??\c:\rxrffrx.exec:\rxrffrx.exe74⤵PID:2468
-
\??\c:\tnhnth.exec:\tnhnth.exe75⤵PID:2716
-
\??\c:\nnbbbt.exec:\nnbbbt.exe76⤵PID:2980
-
\??\c:\5vpdd.exec:\5vpdd.exe77⤵PID:2748
-
\??\c:\3llxrlx.exec:\3llxrlx.exe78⤵PID:2768
-
\??\c:\rfffxrf.exec:\rfffxrf.exe79⤵PID:2868
-
\??\c:\nnbtth.exec:\nnbtth.exe80⤵PID:2300
-
\??\c:\7nbtbh.exec:\7nbtbh.exe81⤵PID:2416
-
\??\c:\dvvdd.exec:\dvvdd.exe82⤵PID:2672
-
\??\c:\7xlrlxr.exec:\7xlrlxr.exe83⤵PID:2660
-
\??\c:\1bhbtn.exec:\1bhbtn.exe84⤵PID:1268
-
\??\c:\hbthbn.exec:\hbthbn.exe85⤵PID:1816
-
\??\c:\pdvdd.exec:\pdvdd.exe86⤵PID:1036
-
\??\c:\xxxfflr.exec:\xxxfflr.exe87⤵PID:1392
-
\??\c:\bbtbbh.exec:\bbtbbh.exe88⤵PID:1684
-
\??\c:\1ppdj.exec:\1ppdj.exe89⤵PID:1140
-
\??\c:\1ppvd.exec:\1ppvd.exe90⤵PID:1884
-
\??\c:\7fxlffl.exec:\7fxlffl.exe91⤵PID:2160
-
\??\c:\tnhnbn.exec:\tnhnbn.exe92⤵PID:1276
-
\??\c:\vpvvd.exec:\vpvvd.exe93⤵PID:1528
-
\??\c:\fxllxxx.exec:\fxllxxx.exe94⤵PID:1776
-
\??\c:\1fxrlxr.exec:\1fxrlxr.exe95⤵PID:296
-
\??\c:\thhthn.exec:\thhthn.exe96⤵PID:1680
-
\??\c:\jdjpd.exec:\jdjpd.exe97⤵PID:2480
-
\??\c:\5xlrrlf.exec:\5xlrrlf.exe98⤵PID:2944
-
\??\c:\1lllrxf.exec:\1lllrxf.exe99⤵PID:2488
-
\??\c:\tbtnht.exec:\tbtnht.exe100⤵PID:2492
-
\??\c:\jjpdd.exec:\jjpdd.exe101⤵PID:612
-
\??\c:\rrllrxl.exec:\rrllrxl.exe102⤵PID:1280
-
\??\c:\5nhtbh.exec:\5nhtbh.exe103⤵PID:1996
-
\??\c:\nnntht.exec:\nnntht.exe104⤵PID:2436
-
\??\c:\dvvjd.exec:\dvvjd.exe105⤵PID:2132
-
\??\c:\7rllllf.exec:\7rllllf.exe106⤵PID:2108
-
\??\c:\ffflfrr.exec:\ffflfrr.exe107⤵PID:2280
-
\??\c:\hbbhnt.exec:\hbbhnt.exe108⤵PID:2404
-
\??\c:\5pvdj.exec:\5pvdj.exe109⤵PID:2328
-
\??\c:\xrlffrl.exec:\xrlffrl.exe110⤵PID:552
-
\??\c:\bbtnbh.exec:\bbtnbh.exe111⤵PID:2372
-
\??\c:\ttbnbh.exec:\ttbnbh.exe112⤵PID:2220
-
\??\c:\3djjd.exec:\3djjd.exe113⤵PID:2524
-
\??\c:\rxxlxlx.exec:\rxxlxlx.exe114⤵PID:2892
-
\??\c:\tbttbn.exec:\tbttbn.exe115⤵PID:2700
-
\??\c:\nnhnhn.exec:\nnhnhn.exe116⤵PID:2792
-
\??\c:\ddvvv.exec:\ddvvv.exe117⤵PID:2824
-
\??\c:\xrrrffr.exec:\xrrrffr.exe118⤵PID:2760
-
\??\c:\3bhnbt.exec:\3bhnbt.exe119⤵PID:2732
-
\??\c:\jvvjp.exec:\jvvjp.exe120⤵PID:2916
-
\??\c:\3vvpj.exec:\3vvpj.exe121⤵PID:2800
-
\??\c:\llfxlxr.exec:\llfxlxr.exe122⤵PID:2604