Analysis
-
max time kernel
120s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe
-
Size
454KB
-
MD5
ebbc7ccdbe77302d85e1ce912f147110
-
SHA1
f13f4dbbe542c974c350108f4555338c979fa0b4
-
SHA256
4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61
-
SHA512
cf4ff1e1a631a3530905137fd709884ac0bab5b2f6d7850e0106cb224ce45ec8c52f393226ed61938dadabcd5250cb7092db60440933276d507f0a6a777d3239
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6i:q7Tc2NYHUrAwfMp3CD6i
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 44 IoCs
resource yara_rule behavioral1/memory/2680-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1488-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1292-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/292-115-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/1768-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/572-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3048-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1556-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-234-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2028-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/996-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1984-300-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2796-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2176-322-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2408-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2960-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1332-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2036-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/712-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/596-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1296-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2932-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1600-581-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2856-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-684-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2960-924-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/572-988-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/3016-1002-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1972-1029-0x00000000001E0000-0x000000000020A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2696 nnnttb.exe 2692 djjvp.exe 2812 pppjd.exe 2856 rlxlrfr.exe 1488 dvpvp.exe 2604 hbtnnh.exe 1764 ppvpv.exe 2388 flfrrfr.exe 2360 9xrxxxl.exe 1292 xrllxxr.exe 292 tnhntb.exe 1768 dpjpd.exe 832 9thhbh.exe 572 lrlxlrf.exe 1772 nhtnbt.exe 2252 dddvv.exe 2200 fxrfrxr.exe 3048 xflxlfl.exe 2524 nbnhnn.exe 1088 7lfrxxr.exe 1620 nhnhbh.exe 1996 9xxfxlf.exe 1484 tnntnt.exe 1556 pdppd.exe 2724 lrlxfrx.exe 2028 9vpvp.exe 564 5hbtht.exe 2940 xxxlxxl.exe 1984 nhtbth.exe 2464 flfxrff.exe 996 7nbnnh.exe 1516 flxlrxr.exe 2456 htthbn.exe 1608 9frrllr.exe 2796 bhtbth.exe 2176 ddppv.exe 3040 djddv.exe 2768 tnbntb.exe 2408 tbnbnt.exe 2556 9xrrlxx.exe 2960 lfxxffx.exe 1332 nnbtnt.exe 2064 dvpdp.exe 2180 1xrxfrx.exe 2112 3hthhn.exe 2360 fxrxlxl.exe 1552 ffxfrfx.exe 2008 9bnbbt.exe 2036 3jvjp.exe 1744 5fxlffr.exe 1352 9nhhnt.exe 784 ppvdd.exe 1792 lrlfflr.exe 2136 vppvj.exe 712 llflrxx.exe 1856 tbbhbb.exe 596 5vpvp.exe 804 rrlxfrf.exe 1296 ntnbnb.exe 1592 9pdjv.exe 1620 lffrlxx.exe 2492 htnnhb.exe 2896 dpvjv.exe 1556 lfxrxrr.exe -
resource yara_rule behavioral1/memory/2680-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1488-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1764-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1292-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2252-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3048-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1556-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/996-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2796-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2960-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1332-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2036-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/712-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/596-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-828-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-899-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2960-924-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3016-1002-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrfrfr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2680 wrote to memory of 2696 2680 4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe 30 PID 2680 wrote to memory of 2696 2680 4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe 30 PID 2680 wrote to memory of 2696 2680 4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe 30 PID 2680 wrote to memory of 2696 2680 4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe 30 PID 2696 wrote to memory of 2692 2696 nnnttb.exe 31 PID 2696 wrote to memory of 2692 2696 nnnttb.exe 31 PID 2696 wrote to memory of 2692 2696 nnnttb.exe 31 PID 2696 wrote to memory of 2692 2696 nnnttb.exe 31 PID 2692 wrote to memory of 2812 2692 djjvp.exe 32 PID 2692 wrote to memory of 2812 2692 djjvp.exe 32 PID 2692 wrote to memory of 2812 2692 djjvp.exe 32 PID 2692 wrote to memory of 2812 2692 djjvp.exe 32 PID 2812 wrote to memory of 2856 2812 pppjd.exe 33 PID 2812 wrote to memory of 2856 2812 pppjd.exe 33 PID 2812 wrote to memory of 2856 2812 pppjd.exe 33 PID 2812 wrote to memory of 2856 2812 pppjd.exe 33 PID 2856 wrote to memory of 1488 2856 rlxlrfr.exe 34 PID 2856 wrote to memory of 1488 2856 rlxlrfr.exe 34 PID 2856 wrote to memory of 1488 2856 rlxlrfr.exe 34 PID 2856 wrote to memory of 1488 2856 rlxlrfr.exe 34 PID 1488 wrote to memory of 2604 1488 dvpvp.exe 35 PID 1488 wrote to memory of 2604 1488 dvpvp.exe 35 PID 1488 wrote to memory of 2604 1488 dvpvp.exe 35 PID 1488 wrote to memory of 2604 1488 dvpvp.exe 35 PID 2604 wrote to memory of 1764 2604 hbtnnh.exe 36 PID 2604 wrote to memory of 1764 2604 hbtnnh.exe 36 PID 2604 wrote to memory of 1764 2604 hbtnnh.exe 36 PID 2604 wrote to memory of 1764 2604 hbtnnh.exe 36 PID 1764 wrote to memory of 2388 1764 ppvpv.exe 37 PID 1764 wrote to memory of 2388 1764 ppvpv.exe 37 PID 1764 wrote to memory of 2388 1764 ppvpv.exe 37 PID 1764 wrote to memory of 2388 1764 ppvpv.exe 37 PID 2388 wrote to memory of 2360 2388 flfrrfr.exe 38 PID 2388 wrote to 
memory of 2360 2388 flfrrfr.exe 38 PID 2388 wrote to memory of 2360 2388 flfrrfr.exe 38 PID 2388 wrote to memory of 2360 2388 flfrrfr.exe 38 PID 2360 wrote to memory of 1292 2360 9xrxxxl.exe 39 PID 2360 wrote to memory of 1292 2360 9xrxxxl.exe 39 PID 2360 wrote to memory of 1292 2360 9xrxxxl.exe 39 PID 2360 wrote to memory of 1292 2360 9xrxxxl.exe 39 PID 1292 wrote to memory of 292 1292 xrllxxr.exe 40 PID 1292 wrote to memory of 292 1292 xrllxxr.exe 40 PID 1292 wrote to memory of 292 1292 xrllxxr.exe 40 PID 1292 wrote to memory of 292 1292 xrllxxr.exe 40 PID 292 wrote to memory of 1768 292 tnhntb.exe 41 PID 292 wrote to memory of 1768 292 tnhntb.exe 41 PID 292 wrote to memory of 1768 292 tnhntb.exe 41 PID 292 wrote to memory of 1768 292 tnhntb.exe 41 PID 1768 wrote to memory of 832 1768 dpjpd.exe 42 PID 1768 wrote to memory of 832 1768 dpjpd.exe 42 PID 1768 wrote to memory of 832 1768 dpjpd.exe 42 PID 1768 wrote to memory of 832 1768 dpjpd.exe 42 PID 832 wrote to memory of 572 832 9thhbh.exe 43 PID 832 wrote to memory of 572 832 9thhbh.exe 43 PID 832 wrote to memory of 572 832 9thhbh.exe 43 PID 832 wrote to memory of 572 832 9thhbh.exe 43 PID 572 wrote to memory of 1772 572 lrlxlrf.exe 44 PID 572 wrote to memory of 1772 572 lrlxlrf.exe 44 PID 572 wrote to memory of 1772 572 lrlxlrf.exe 44 PID 572 wrote to memory of 1772 572 lrlxlrf.exe 44 PID 1772 wrote to memory of 2252 1772 nhtnbt.exe 45 PID 1772 wrote to memory of 2252 1772 nhtnbt.exe 45 PID 1772 wrote to memory of 2252 1772 nhtnbt.exe 45 PID 1772 wrote to memory of 2252 1772 nhtnbt.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe"C:\Users\Admin\AppData\Local\Temp\4d5ffe4f99fad36e7c485c9dad9066178962abed0f16d626f9b05619d71ecb61N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\nnnttb.exec:\nnnttb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\djjvp.exec:\djjvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\pppjd.exec:\pppjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\rlxlrfr.exec:\rlxlrfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\dvpvp.exec:\dvpvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\hbtnnh.exec:\hbtnnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\ppvpv.exec:\ppvpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\flfrrfr.exec:\flfrrfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\9xrxxxl.exec:\9xrxxxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\xrllxxr.exec:\xrllxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\tnhntb.exec:\tnhntb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:292 -
\??\c:\dpjpd.exec:\dpjpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\9thhbh.exec:\9thhbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\lrlxlrf.exec:\lrlxlrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\nhtnbt.exec:\nhtnbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\dddvv.exec:\dddvv.exe17⤵
- Executes dropped EXE
PID:2252 -
\??\c:\fxrfrxr.exec:\fxrfrxr.exe18⤵
- Executes dropped EXE
PID:2200 -
\??\c:\xflxlfl.exec:\xflxlfl.exe19⤵
- Executes dropped EXE
PID:3048 -
\??\c:\nbnhnn.exec:\nbnhnn.exe20⤵
- Executes dropped EXE
PID:2524 -
\??\c:\7lfrxxr.exec:\7lfrxxr.exe21⤵
- Executes dropped EXE
PID:1088 -
\??\c:\nhnhbh.exec:\nhnhbh.exe22⤵
- Executes dropped EXE
PID:1620 -
\??\c:\9xxfxlf.exec:\9xxfxlf.exe23⤵
- Executes dropped EXE
PID:1996 -
\??\c:\tnntnt.exec:\tnntnt.exe24⤵
- Executes dropped EXE
PID:1484 -
\??\c:\pdppd.exec:\pdppd.exe25⤵
- Executes dropped EXE
PID:1556 -
\??\c:\lrlxfrx.exec:\lrlxfrx.exe26⤵
- Executes dropped EXE
PID:2724 -
\??\c:\9vpvp.exec:\9vpvp.exe27⤵
- Executes dropped EXE
PID:2028 -
\??\c:\5hbtht.exec:\5hbtht.exe28⤵
- Executes dropped EXE
PID:564 -
\??\c:\xxxlxxl.exec:\xxxlxxl.exe29⤵
- Executes dropped EXE
PID:2940 -
\??\c:\nhtbth.exec:\nhtbth.exe30⤵
- Executes dropped EXE
PID:1984 -
\??\c:\flfxrff.exec:\flfxrff.exe31⤵
- Executes dropped EXE
PID:2464 -
\??\c:\7nbnnh.exec:\7nbnnh.exe32⤵
- Executes dropped EXE
PID:996 -
\??\c:\flxlrxr.exec:\flxlrxr.exe33⤵
- Executes dropped EXE
PID:1516 -
\??\c:\htthbn.exec:\htthbn.exe34⤵
- Executes dropped EXE
PID:2456 -
\??\c:\9frrllr.exec:\9frrllr.exe35⤵
- Executes dropped EXE
PID:1608 -
\??\c:\bhtbth.exec:\bhtbth.exe36⤵
- Executes dropped EXE
PID:2796 -
\??\c:\ddppv.exec:\ddppv.exe37⤵
- Executes dropped EXE
PID:2176 -
\??\c:\djddv.exec:\djddv.exe38⤵
- Executes dropped EXE
PID:3040 -
\??\c:\tnbntb.exec:\tnbntb.exe39⤵
- Executes dropped EXE
PID:2768 -
\??\c:\tbnbnt.exec:\tbnbnt.exe40⤵
- Executes dropped EXE
PID:2408 -
\??\c:\9xrrlxx.exec:\9xrrlxx.exe41⤵
- Executes dropped EXE
PID:2556 -
\??\c:\lfxxffx.exec:\lfxxffx.exe42⤵
- Executes dropped EXE
PID:2960 -
\??\c:\nnbtnt.exec:\nnbtnt.exe43⤵
- Executes dropped EXE
PID:1332 -
\??\c:\dvpdp.exec:\dvpdp.exe44⤵
- Executes dropped EXE
PID:2064 -
\??\c:\1xrxfrx.exec:\1xrxfrx.exe45⤵
- Executes dropped EXE
PID:2180 -
\??\c:\3hthhn.exec:\3hthhn.exe46⤵
- Executes dropped EXE
PID:2112 -
\??\c:\fxrxlxl.exec:\fxrxlxl.exe47⤵
- Executes dropped EXE
PID:2360 -
\??\c:\ffxfrfx.exec:\ffxfrfx.exe48⤵
- Executes dropped EXE
PID:1552 -
\??\c:\9bnbbt.exec:\9bnbbt.exe49⤵
- Executes dropped EXE
PID:2008 -
\??\c:\3jvjp.exec:\3jvjp.exe50⤵
- Executes dropped EXE
PID:2036 -
\??\c:\5fxlffr.exec:\5fxlffr.exe51⤵
- Executes dropped EXE
PID:1744 -
\??\c:\9nhhnt.exec:\9nhhnt.exe52⤵
- Executes dropped EXE
PID:1352 -
\??\c:\ppvdd.exec:\ppvdd.exe53⤵
- Executes dropped EXE
PID:784 -
\??\c:\lrlfflr.exec:\lrlfflr.exe54⤵
- Executes dropped EXE
PID:1792 -
\??\c:\vppvj.exec:\vppvj.exe55⤵
- Executes dropped EXE
PID:2136 -
\??\c:\llflrxx.exec:\llflrxx.exe56⤵
- Executes dropped EXE
PID:712 -
\??\c:\tbbhbb.exec:\tbbhbb.exe57⤵
- Executes dropped EXE
PID:1856 -
\??\c:\5vpvp.exec:\5vpvp.exe58⤵
- Executes dropped EXE
PID:596 -
\??\c:\rrlxfrf.exec:\rrlxfrf.exe59⤵
- Executes dropped EXE
PID:804 -
\??\c:\ntnbnb.exec:\ntnbnb.exe60⤵
- Executes dropped EXE
PID:1296 -
\??\c:\9pdjv.exec:\9pdjv.exe61⤵
- Executes dropped EXE
PID:1592 -
\??\c:\lffrlxx.exec:\lffrlxx.exe62⤵
- Executes dropped EXE
PID:1620 -
\??\c:\htnnhb.exec:\htnnhb.exe63⤵
- Executes dropped EXE
PID:2492 -
\??\c:\dpvjv.exec:\dpvjv.exe64⤵
- Executes dropped EXE
PID:2896 -
\??\c:\lfxrxrr.exec:\lfxrxrr.exe65⤵
- Executes dropped EXE
PID:1556 -
\??\c:\nnnbbn.exec:\nnnbbn.exe66⤵PID:2832
-
\??\c:\7vpvp.exec:\7vpvp.exe67⤵PID:1920
-
\??\c:\rrllflx.exec:\rrllflx.exe68⤵PID:2932
-
\??\c:\3bnhnn.exec:\3bnhnn.exe69⤵PID:2920
-
\??\c:\ddjvj.exec:\ddjvj.exe70⤵PID:2340
-
\??\c:\ffxfrxr.exec:\ffxfrxr.exe71⤵PID:1700
-
\??\c:\btnnth.exec:\btnnth.exe72⤵PID:1984
-
\??\c:\ddvjj.exec:\ddvjj.exe73⤵PID:2464
-
\??\c:\rllfrrl.exec:\rllfrrl.exe74⤵PID:876
-
\??\c:\bhthht.exec:\bhthht.exe75⤵PID:2668
-
\??\c:\9jvvd.exec:\9jvvd.exe76⤵PID:1600
-
\??\c:\rxrxlxl.exec:\rxrxlxl.exe77⤵PID:2752
-
\??\c:\nnnbnb.exec:\nnnbnb.exe78⤵PID:2696
-
\??\c:\pppdj.exec:\pppdj.exe79⤵PID:2688
-
\??\c:\lrrxlfx.exec:\lrrxlfx.exe80⤵PID:2176
-
\??\c:\hhhbtt.exec:\hhhbtt.exe81⤵PID:2824
-
\??\c:\vpjvv.exec:\vpjvv.exe82⤵PID:2768
-
\??\c:\xxrfrfx.exec:\xxrfrfx.exe83⤵PID:2856
-
\??\c:\hhbbnn.exec:\hhbbnn.exe84⤵PID:2612
-
\??\c:\bhtthn.exec:\bhtthn.exe85⤵PID:2996
-
\??\c:\jvdpp.exec:\jvdpp.exe86⤵PID:2976
-
\??\c:\llllxxx.exec:\llllxxx.exe87⤵PID:2044
-
\??\c:\3ttntb.exec:\3ttntb.exe88⤵PID:2388
-
\??\c:\fxxrrxx.exec:\fxxrrxx.exe89⤵PID:2184
-
\??\c:\tntnbh.exec:\tntnbh.exe90⤵PID:2236
-
\??\c:\nbbhtn.exec:\nbbhtn.exe91⤵PID:1864
-
\??\c:\5lrrxxf.exec:\5lrrxxf.exe92⤵PID:2428
-
\??\c:\bnttbn.exec:\bnttbn.exe93⤵
- System Location Discovery: System Language Discovery
PID:2864 -
\??\c:\djvdj.exec:\djvdj.exe94⤵PID:2644
-
\??\c:\5vpdd.exec:\5vpdd.exe95⤵PID:2228
-
\??\c:\rlxxlrl.exec:\rlxxlrl.exe96⤵PID:1740
-
\??\c:\btbbbt.exec:\btbbbt.exe97⤵PID:288
-
\??\c:\vdpdv.exec:\vdpdv.exe98⤵PID:2252
-
\??\c:\rrfrxff.exec:\rrfrxff.exe99⤵PID:1668
-
\??\c:\nnnnhh.exec:\nnnnhh.exe100⤵PID:344
-
\??\c:\dvvjd.exec:\dvvjd.exe101⤵PID:1044
-
\??\c:\rrrfrfr.exec:\rrrfrfr.exe102⤵PID:2524
-
\??\c:\thbbbn.exec:\thbbbn.exe103⤵PID:1492
-
\??\c:\nhhnhn.exec:\nhhnhn.exe104⤵PID:2100
-
\??\c:\ffrfrfx.exec:\ffrfrfx.exe105⤵PID:680
-
\??\c:\1lflxlx.exec:\1lflxlx.exe106⤵PID:904
-
\??\c:\bbbbhn.exec:\bbbbhn.exe107⤵PID:2492
-
\??\c:\djpdd.exec:\djpdd.exe108⤵PID:1484
-
\??\c:\xrrrfrf.exec:\xrrrfrf.exe109⤵PID:2032
-
\??\c:\ttbhbh.exec:\ttbhbh.exe110⤵PID:1548
-
\??\c:\btnthh.exec:\btnthh.exe111⤵PID:1644
-
\??\c:\3vdjj.exec:\3vdjj.exe112⤵PID:2460
-
\??\c:\xxrxllx.exec:\xxrxllx.exe113⤵PID:1932
-
\??\c:\9lfrlrx.exec:\9lfrlrx.exe114⤵PID:1228
-
\??\c:\pjjpp.exec:\pjjpp.exe115⤵PID:3008
-
\??\c:\vpjvp.exec:\vpjvp.exe116⤵PID:1984
-
\??\c:\7rxlxfr.exec:\7rxlxfr.exe117⤵PID:996
-
\??\c:\3nhhtt.exec:\3nhhtt.exe118⤵PID:2748
-
\??\c:\1djpp.exec:\1djpp.exe119⤵PID:1580
-
\??\c:\xxfllrl.exec:\xxfllrl.exe120⤵PID:2772
-
\??\c:\tbhhth.exec:\tbhhth.exe121⤵PID:2880
-
\??\c:\pvvjv.exec:\pvvjv.exe122⤵PID:2696