Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:53
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe
-
Size
454KB
-
MD5
39f67547e416866cb7e717fb5a368e83
-
SHA1
7dc92774d1b7736d20f8f69f2061d30aaa8515d3
-
SHA256
581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b
-
SHA512
5eaf981ba02e66cccc6e72c53e83845dec39effd77bd4c50c7e1b3f763bc79abb3e8eb360102dc44c5969d64c3eba24594f55016e54fe4c5a1d8a2f997c06a08
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeM:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2692-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2064-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2060-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2056-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-93-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1432-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1432-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2444-114-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/764-135-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1164-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2016-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-184-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2364-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2364-189-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3028-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1656-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1160-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1788-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1064-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-314-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1904-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-440-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1888-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/524-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/564-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-553-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2644-560-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/3056-615-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2100-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3016-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2068-821-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2756 bbbhnb.exe 2676 thhhbt.exe 2668 5lflfrx.exe 2064 5hbnbh.exe 1716 1rlflrf.exe 2628 hntttb.exe 2060 rxrrlxl.exe 2056 bththt.exe 2992 rxfflrf.exe 1432 vvvdj.exe 2444 xxrrfll.exe 872 thhtht.exe 764 xlfflrx.exe 2128 ntntbn.exe 1952 vddjd.exe 1164 rxrlxll.exe 264 bnnhbn.exe 2016 jdpvj.exe 2364 9bbnbn.exe 1900 pvpdp.exe 3028 bbhbhh.exe 860 xxrlflx.exe 1656 hbtbhh.exe 2912 jvpvd.exe 2432 3hnnbh.exe 1400 tbntbh.exe 2484 xfrflrx.exe 2216 rrflxlf.exe 1160 nnhbnh.exe 1788 djvpd.exe 1064 flxxllr.exe 2788 xfrrfrx.exe 2792 5lfrrfx.exe 2676 pdjjv.exe 2732 xxrxrxl.exe 2720 thntbh.exe 2556 3thhnt.exe 2596 pvppd.exe 2152 fflrfrl.exe 3068 tbtbtb.exe 1904 pppvj.exe 1100 ffrxfrf.exe 2524 bthbht.exe 1764 7btthn.exe 3032 jjjpj.exe 1212 rfxlxff.exe 2540 1bbhbh.exe 2824 tbtbtb.exe 1960 pvjpd.exe 444 flflxlx.exe 2516 tnbtnb.exe 1484 dpjdv.exe 1116 3dppd.exe 2072 1lflrrr.exe 1888 nbnbnt.exe 2248 ddjpv.exe 2004 xlllfxl.exe 2232 tbntbn.exe 2968 vjjpp.exe 1632 jvpvp.exe 1372 1xxlrfr.exe 920 bttbth.exe 524 pvpdj.exe 2868 9jddj.exe -
resource yara_rule behavioral1/memory/2692-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2064-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2060-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2992-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1432-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1164-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2016-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1656-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-262-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1160-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1788-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1064-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-440-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/1888-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/524-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/564-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2644-560-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3056-615-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2100-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1932-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3016-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-814-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-821-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. On its own, reading the NLS\Language registry key is a weak indicator — benign software reads it routinely — so it should be weighed together with the other signatures above (packed payload, long chain of dropped executables) rather than used as a standalone detection.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7htbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rllflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2692 wrote to memory of 2756 2692 581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe 30 PID 2692 wrote to memory of 2756 2692 581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe 30 PID 2692 wrote to memory of 2756 2692 581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe 30 PID 2692 wrote to memory of 2756 2692 581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe 30 PID 2756 wrote to memory of 2676 2756 bbbhnb.exe 31 PID 2756 wrote to memory of 2676 2756 bbbhnb.exe 31 PID 2756 wrote to memory of 2676 2756 bbbhnb.exe 31 PID 2756 wrote to memory of 2676 2756 bbbhnb.exe 31 PID 2676 wrote to memory of 2668 2676 thhhbt.exe 32 PID 2676 wrote to memory of 2668 2676 thhhbt.exe 32 PID 2676 wrote to memory of 2668 2676 thhhbt.exe 32 PID 2676 wrote to memory of 2668 2676 thhhbt.exe 32 PID 2668 wrote to memory of 2064 2668 5lflfrx.exe 33 PID 2668 wrote to memory of 2064 2668 5lflfrx.exe 33 PID 2668 wrote to memory of 2064 2668 5lflfrx.exe 33 PID 2668 wrote to memory of 2064 2668 5lflfrx.exe 33 PID 2064 wrote to memory of 1716 2064 5hbnbh.exe 34 PID 2064 wrote to memory of 1716 2064 5hbnbh.exe 34 PID 2064 wrote to memory of 1716 2064 5hbnbh.exe 34 PID 2064 wrote to memory of 1716 2064 5hbnbh.exe 34 PID 1716 wrote to memory of 2628 1716 1rlflrf.exe 35 PID 1716 wrote to memory of 2628 1716 1rlflrf.exe 35 PID 1716 wrote to memory of 2628 1716 1rlflrf.exe 35 PID 1716 wrote to memory of 2628 1716 1rlflrf.exe 35 PID 2628 wrote to memory of 2060 2628 hntttb.exe 36 PID 2628 wrote to memory of 2060 2628 hntttb.exe 36 PID 2628 wrote to memory of 2060 2628 hntttb.exe 36 PID 2628 wrote to memory of 2060 2628 hntttb.exe 36 PID 2060 wrote to memory of 2056 2060 rxrrlxl.exe 37 PID 2060 wrote to memory of 2056 2060 rxrrlxl.exe 37 PID 2060 wrote to memory of 2056 2060 rxrrlxl.exe 37 PID 2060 wrote to memory of 2056 2060 rxrrlxl.exe 37 PID 2056 wrote to memory of 2992 2056 bththt.exe 38 
PID 2056 wrote to memory of 2992 2056 bththt.exe 38 PID 2056 wrote to memory of 2992 2056 bththt.exe 38 PID 2056 wrote to memory of 2992 2056 bththt.exe 38 PID 2992 wrote to memory of 1432 2992 rxfflrf.exe 39 PID 2992 wrote to memory of 1432 2992 rxfflrf.exe 39 PID 2992 wrote to memory of 1432 2992 rxfflrf.exe 39 PID 2992 wrote to memory of 1432 2992 rxfflrf.exe 39 PID 1432 wrote to memory of 2444 1432 vvvdj.exe 40 PID 1432 wrote to memory of 2444 1432 vvvdj.exe 40 PID 1432 wrote to memory of 2444 1432 vvvdj.exe 40 PID 1432 wrote to memory of 2444 1432 vvvdj.exe 40 PID 2444 wrote to memory of 872 2444 xxrrfll.exe 41 PID 2444 wrote to memory of 872 2444 xxrrfll.exe 41 PID 2444 wrote to memory of 872 2444 xxrrfll.exe 41 PID 2444 wrote to memory of 872 2444 xxrrfll.exe 41 PID 872 wrote to memory of 764 872 thhtht.exe 42 PID 872 wrote to memory of 764 872 thhtht.exe 42 PID 872 wrote to memory of 764 872 thhtht.exe 42 PID 872 wrote to memory of 764 872 thhtht.exe 42 PID 764 wrote to memory of 2128 764 xlfflrx.exe 43 PID 764 wrote to memory of 2128 764 xlfflrx.exe 43 PID 764 wrote to memory of 2128 764 xlfflrx.exe 43 PID 764 wrote to memory of 2128 764 xlfflrx.exe 43 PID 2128 wrote to memory of 1952 2128 ntntbn.exe 44 PID 2128 wrote to memory of 1952 2128 ntntbn.exe 44 PID 2128 wrote to memory of 1952 2128 ntntbn.exe 44 PID 2128 wrote to memory of 1952 2128 ntntbn.exe 44 PID 1952 wrote to memory of 1164 1952 vddjd.exe 45 PID 1952 wrote to memory of 1164 1952 vddjd.exe 45 PID 1952 wrote to memory of 1164 1952 vddjd.exe 45 PID 1952 wrote to memory of 1164 1952 vddjd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe"C:\Users\Admin\AppData\Local\Temp\581eb5dae142e06c8d9b97de0514825e281caa4369e82d452ba70544d3f8457b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\bbbhnb.exec:\bbbhnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\thhhbt.exec:\thhhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\5lflfrx.exec:\5lflfrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\5hbnbh.exec:\5hbnbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\1rlflrf.exec:\1rlflrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\hntttb.exec:\hntttb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\rxrrlxl.exec:\rxrrlxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\bththt.exec:\bththt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\rxfflrf.exec:\rxfflrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\vvvdj.exec:\vvvdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\xxrrfll.exec:\xxrrfll.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\thhtht.exec:\thhtht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\xlfflrx.exec:\xlfflrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\ntntbn.exec:\ntntbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\vddjd.exec:\vddjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\rxrlxll.exec:\rxrlxll.exe17⤵
- Executes dropped EXE
PID:1164 -
\??\c:\bnnhbn.exec:\bnnhbn.exe18⤵
- Executes dropped EXE
PID:264 -
\??\c:\jdpvj.exec:\jdpvj.exe19⤵
- Executes dropped EXE
PID:2016 -
\??\c:\9bbnbn.exec:\9bbnbn.exe20⤵
- Executes dropped EXE
PID:2364 -
\??\c:\pvpdp.exec:\pvpdp.exe21⤵
- Executes dropped EXE
PID:1900 -
\??\c:\bbhbhh.exec:\bbhbhh.exe22⤵
- Executes dropped EXE
PID:3028 -
\??\c:\xxrlflx.exec:\xxrlflx.exe23⤵
- Executes dropped EXE
PID:860 -
\??\c:\hbtbhh.exec:\hbtbhh.exe24⤵
- Executes dropped EXE
PID:1656 -
\??\c:\jvpvd.exec:\jvpvd.exe25⤵
- Executes dropped EXE
PID:2912 -
\??\c:\3hnnbh.exec:\3hnnbh.exe26⤵
- Executes dropped EXE
PID:2432 -
\??\c:\tbntbh.exec:\tbntbh.exe27⤵
- Executes dropped EXE
PID:1400 -
\??\c:\xfrflrx.exec:\xfrflrx.exe28⤵
- Executes dropped EXE
PID:2484 -
\??\c:\rrflxlf.exec:\rrflxlf.exe29⤵
- Executes dropped EXE
PID:2216 -
\??\c:\nnhbnh.exec:\nnhbnh.exe30⤵
- Executes dropped EXE
PID:1160 -
\??\c:\djvpd.exec:\djvpd.exe31⤵
- Executes dropped EXE
PID:1788 -
\??\c:\flxxllr.exec:\flxxllr.exe32⤵
- Executes dropped EXE
PID:1064 -
\??\c:\xfrrfrx.exec:\xfrrfrx.exe33⤵
- Executes dropped EXE
PID:2788 -
\??\c:\5lfrrfx.exec:\5lfrrfx.exe34⤵
- Executes dropped EXE
PID:2792 -
\??\c:\pdjjv.exec:\pdjjv.exe35⤵
- Executes dropped EXE
PID:2676 -
\??\c:\xxrxrxl.exec:\xxrxrxl.exe36⤵
- Executes dropped EXE
PID:2732 -
\??\c:\thntbh.exec:\thntbh.exe37⤵
- Executes dropped EXE
PID:2720 -
\??\c:\3thhnt.exec:\3thhnt.exe38⤵
- Executes dropped EXE
PID:2556 -
\??\c:\pvppd.exec:\pvppd.exe39⤵
- Executes dropped EXE
PID:2596 -
\??\c:\fflrfrl.exec:\fflrfrl.exe40⤵
- Executes dropped EXE
PID:2152 -
\??\c:\tbtbtb.exec:\tbtbtb.exe41⤵
- Executes dropped EXE
PID:3068 -
\??\c:\pppvj.exec:\pppvj.exe42⤵
- Executes dropped EXE
PID:1904 -
\??\c:\ffrxfrf.exec:\ffrxfrf.exe43⤵
- Executes dropped EXE
PID:1100 -
\??\c:\bthbht.exec:\bthbht.exe44⤵
- Executes dropped EXE
PID:2524 -
\??\c:\7btthn.exec:\7btthn.exe45⤵
- Executes dropped EXE
PID:1764 -
\??\c:\jjjpj.exec:\jjjpj.exe46⤵
- Executes dropped EXE
PID:3032 -
\??\c:\rfxlxff.exec:\rfxlxff.exe47⤵
- Executes dropped EXE
PID:1212 -
\??\c:\1bbhbh.exec:\1bbhbh.exe48⤵
- Executes dropped EXE
PID:2540 -
\??\c:\tbtbtb.exec:\tbtbtb.exe49⤵
- Executes dropped EXE
PID:2824 -
\??\c:\pvjpd.exec:\pvjpd.exe50⤵
- Executes dropped EXE
PID:1960 -
\??\c:\flflxlx.exec:\flflxlx.exe51⤵
- Executes dropped EXE
PID:444 -
\??\c:\tnbtnb.exec:\tnbtnb.exe52⤵
- Executes dropped EXE
PID:2516 -
\??\c:\dpjdv.exec:\dpjdv.exe53⤵
- Executes dropped EXE
PID:1484 -
\??\c:\3dppd.exec:\3dppd.exe54⤵
- Executes dropped EXE
PID:1116 -
\??\c:\1lflrrr.exec:\1lflrrr.exe55⤵
- Executes dropped EXE
PID:2072 -
\??\c:\nbnbnt.exec:\nbnbnt.exe56⤵
- Executes dropped EXE
PID:1888 -
\??\c:\ddjpv.exec:\ddjpv.exe57⤵
- Executes dropped EXE
PID:2248 -
\??\c:\xlllfxl.exec:\xlllfxl.exe58⤵
- Executes dropped EXE
PID:2004 -
\??\c:\tbntbn.exec:\tbntbn.exe59⤵
- Executes dropped EXE
PID:2232 -
\??\c:\vjjpp.exec:\vjjpp.exe60⤵
- Executes dropped EXE
PID:2968 -
\??\c:\jvpvp.exec:\jvpvp.exe61⤵
- Executes dropped EXE
PID:1632 -
\??\c:\1xxlrfr.exec:\1xxlrfr.exe62⤵
- Executes dropped EXE
PID:1372 -
\??\c:\bttbth.exec:\bttbth.exe63⤵
- Executes dropped EXE
PID:920 -
\??\c:\pvpdj.exec:\pvpdj.exe64⤵
- Executes dropped EXE
PID:524 -
\??\c:\9jddj.exec:\9jddj.exe65⤵
- Executes dropped EXE
PID:2868 -
\??\c:\rlrlrlr.exec:\rlrlrlr.exe66⤵PID:1556
-
\??\c:\hntbbh.exec:\hntbbh.exe67⤵PID:2940
-
\??\c:\9pppd.exec:\9pppd.exe68⤵PID:564
-
\??\c:\5vpjd.exec:\5vpjd.exe69⤵PID:2492
-
\??\c:\rfxfrxl.exec:\rfxfrxl.exe70⤵PID:2964
-
\??\c:\tthbht.exec:\tthbht.exe71⤵PID:892
-
\??\c:\pvppv.exec:\pvppv.exe72⤵PID:2644
-
\??\c:\vvjpv.exec:\vvjpv.exe73⤵PID:2472
-
\??\c:\frllxfx.exec:\frllxfx.exe74⤵PID:2784
-
\??\c:\7htbht.exec:\7htbht.exe75⤵
- System Location Discovery: System Language Discovery
PID:1588 -
\??\c:\ddjpd.exec:\ddjpd.exe76⤵PID:2704
-
\??\c:\jpddj.exec:\jpddj.exe77⤵PID:2828
-
\??\c:\lrlrxlr.exec:\lrlrxlr.exe78⤵PID:2224
-
\??\c:\1rllrfl.exec:\1rllrfl.exe79⤵PID:2668
-
\??\c:\hhnbht.exec:\hhnbht.exe80⤵PID:2776
-
\??\c:\9pjpd.exec:\9pjpd.exe81⤵PID:3056
-
\??\c:\llrfrrf.exec:\llrfrrf.exe82⤵PID:3064
-
\??\c:\nbttbb.exec:\nbttbb.exe83⤵PID:1204
-
\??\c:\jpjpd.exec:\jpjpd.exe84⤵PID:1408
-
\??\c:\5xxfrfx.exec:\5xxfrfx.exe85⤵PID:1104
-
\??\c:\bbnhtb.exec:\bbnhtb.exe86⤵PID:3004
-
\??\c:\hnhnbh.exec:\hnhnbh.exe87⤵PID:336
-
\??\c:\pdvdp.exec:\pdvdp.exe88⤵PID:792
-
\??\c:\rxxxflx.exec:\rxxxflx.exe89⤵PID:2148
-
\??\c:\htthhb.exec:\htthhb.exe90⤵PID:2444
-
\??\c:\thbhtb.exec:\thbhtb.exe91⤵PID:2100
-
\??\c:\vdvdp.exec:\vdvdp.exe92⤵PID:2824
-
\??\c:\ffrlrrf.exec:\ffrlrrf.exe93⤵PID:2592
-
\??\c:\nnhbnn.exec:\nnhbnn.exe94⤵PID:2384
-
\??\c:\jpjjv.exec:\jpjjv.exe95⤵PID:2516
-
\??\c:\3jvdd.exec:\3jvdd.exe96⤵PID:1484
-
\??\c:\rxfrxxl.exec:\rxfrxxl.exe97⤵
- System Location Discovery: System Language Discovery
PID:2740 -
\??\c:\hntnhb.exec:\hntnhb.exe98⤵PID:2112
-
\??\c:\1dvpv.exec:\1dvpv.exe99⤵PID:1888
-
\??\c:\vjvvd.exec:\vjvvd.exe100⤵PID:2248
-
\??\c:\llffxxx.exec:\llffxxx.exe101⤵PID:3012
-
\??\c:\bhhnbh.exec:\bhhnbh.exe102⤵PID:2232
-
\??\c:\bnhhbh.exec:\bnhhbh.exe103⤵PID:1932
-
\??\c:\jjjjv.exec:\jjjjv.exe104⤵PID:860
-
\??\c:\rlxxfrx.exec:\rlxxfrx.exe105⤵PID:1372
-
\??\c:\7bbbnn.exec:\7bbbnn.exe106⤵PID:876
-
\??\c:\hhnbtt.exec:\hhnbtt.exe107⤵
- System Location Discovery: System Language Discovery
PID:524 -
\??\c:\7vvjp.exec:\7vvjp.exe108⤵PID:2868
-
\??\c:\xffffff.exec:\xffffff.exe109⤵PID:3016
-
\??\c:\ttnhhn.exec:\ttnhhn.exe110⤵PID:2468
-
\??\c:\jpvjp.exec:\jpvjp.exe111⤵PID:2484
-
\??\c:\xxlrfxl.exec:\xxlrfxl.exe112⤵PID:2068
-
\??\c:\bbhhhn.exec:\bbhhhn.exe113⤵PID:1080
-
\??\c:\hbnnbh.exec:\hbnnbh.exe114⤵PID:3048
-
\??\c:\7fflxfr.exec:\7fflxfr.exe115⤵PID:2644
-
\??\c:\nntbhh.exec:\nntbhh.exe116⤵
- System Location Discovery: System Language Discovery
PID:2472 -
\??\c:\7nhnbn.exec:\7nhnbn.exe117⤵PID:2784
-
\??\c:\djppv.exec:\djppv.exe118⤵PID:1588
-
\??\c:\1xrrxfl.exec:\1xrrxfl.exe119⤵PID:2744
-
\??\c:\xxxxxxl.exec:\xxxxxxl.exe120⤵PID:2712
-
\??\c:\hhbnhn.exec:\hhbnhn.exe121⤵PID:2688
-
\??\c:\pvpjp.exec:\pvpjp.exe122⤵PID:2716