Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe
-
Size
455KB
-
MD5
dcce3c3520ec8d9d768008b7e0e8697b
-
SHA1
0e5cacaa1bd7f16ac3ff412536bbf9acd50f7863
-
SHA256
b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3
-
SHA512
09259032938bb14a24a6d2b09c37f3e6267d74818999d6c3642bfcc2490c922340bb9221b007394dc1f381a6f0666e4e2e58edb97c3d45e4c22a5645a7cabd85
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTM:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2504-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2516-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2240-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2704-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2400-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2388-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2724-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2632-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2836-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/692-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1156-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/848-735-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1596-923-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2312-996-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2820-763-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1620-749-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2764-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-581-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2868-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2676-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2196-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/548-290-0x0000000076E20000-0x0000000076F3F000-memory.dmp family_blackmoon behavioral1/memory/752-286-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2400-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1592-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2192-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/376-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1348-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/536-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1784-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1096-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2580-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2992-1243-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2288-1280-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2288-1282-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2468-1334-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2060-1347-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2516 nhtbnt.exe 2240 xlrrrlx.exe 2480 9rrlrrx.exe 2196 vvvvv.exe 2716 pjddj.exe 2720 7frrrll.exe 2700 nhnntn.exe 2148 9vdpd.exe 2704 5rllxfr.exe 2580 5nbtbb.exe 3024 pjvpd.exe 2044 jdjpv.exe 1096 fxllrlr.exe 1784 hbhbnh.exe 1908 pjjpv.exe 536 jjjpj.exe 1348 7nntnn.exe 1756 nnhnbb.exe 376 5vvdd.exe 2192 ffflllr.exe 2268 bttttn.exe 1592 9jddj.exe 1516 lfrrxrr.exe 900 fxlllfl.exe 1336 hbhhnh.exe 2216 hbnbnn.exe 2304 3dppv.exe 2956 lxrrxxf.exe 2400 5thhhh.exe 752 djddd.exe 548 frflrfr.exe 2388 dvddj.exe 1800 jvddj.exe 2856 fxrxffr.exe 2480 7thbbt.exe 2196 jvjjp.exe 2676 lfflxfx.exe 2724 xrrxffr.exe 2808 nhbbnn.exe 2596 dpvpp.exe 2616 jdpvp.exe 2632 lfrrffr.exe 2836 lfxrxxf.exe 2292 dvjpv.exe 1488 jjvvj.exe 1740 nntnnb.exe 692 vvvdp.exe 2460 dpjdp.exe 2272 3fxxxff.exe 1156 rllrllx.exe 1532 nhtbhh.exe 2880 vjddp.exe 1756 pdpjp.exe 2876 dvjdp.exe 2984 rfrllfx.exe 2376 htnnbb.exe 920 nbhbht.exe 1592 jdpjv.exe 1952 pdjjj.exe 1080 xrfffxf.exe 1860 ffflxxf.exe 764 hbhhnb.exe 784 pdjjj.exe 1284 ppjjv.exe -
resource yara_rule behavioral1/memory/2516-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2516-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2704-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1908-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2388-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2632-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2836-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/692-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1596-916-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-908-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2764-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-521-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2676-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/548-290-0x0000000076E20000-0x0000000076F3F000-memory.dmp upx behavioral1/memory/548-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2400-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2216-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1592-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/376-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1348-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1784-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1096-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2044-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2580-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-1185-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Entries below attributed to "Process not Found" could not be tied by the sandbox to a tracked process and should be treated as unattributed rather than as confirmed actions of the sample or its dropped executables.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2504 wrote to memory of 2516 2504 b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe 143 PID 2504 wrote to memory of 2516 2504 b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe 143 PID 2504 wrote to memory of 2516 2504 b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe 143 PID 2504 wrote to memory of 2516 2504 b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe 143 PID 2516 wrote to memory of 2240 2516 nhtbnt.exe 31 PID 2516 wrote to memory of 2240 2516 nhtbnt.exe 31 PID 2516 wrote to memory of 2240 2516 nhtbnt.exe 31 PID 2516 wrote to memory of 2240 2516 nhtbnt.exe 31 PID 2240 wrote to memory of 2480 2240 xlrrrlx.exe 65 PID 2240 wrote to memory of 2480 2240 xlrrrlx.exe 65 PID 2240 wrote to memory of 2480 2240 xlrrrlx.exe 65 PID 2240 wrote to memory of 2480 2240 xlrrrlx.exe 65 PID 2480 wrote to memory of 2196 2480 9rrlrrx.exe 33 PID 2480 wrote to memory of 2196 2480 9rrlrrx.exe 33 PID 2480 wrote to memory of 2196 2480 9rrlrrx.exe 33 PID 2480 wrote to memory of 2196 2480 9rrlrrx.exe 33 PID 2196 wrote to memory of 2716 2196 vvvvv.exe 34 PID 2196 wrote to memory of 2716 2196 vvvvv.exe 34 PID 2196 wrote to memory of 2716 2196 vvvvv.exe 34 PID 2196 wrote to memory of 2716 2196 vvvvv.exe 34 PID 2716 wrote to memory of 2720 2716 pjddj.exe 35 PID 2716 wrote to memory of 2720 2716 pjddj.exe 35 PID 2716 wrote to memory of 2720 2716 pjddj.exe 35 PID 2716 wrote to memory of 2720 2716 pjddj.exe 35 PID 2720 wrote to memory of 2700 2720 7frrrll.exe 36 PID 2720 wrote to memory of 2700 2720 7frrrll.exe 36 PID 2720 wrote to memory of 2700 2720 7frrrll.exe 36 PID 2720 wrote to memory of 2700 2720 7frrrll.exe 36 PID 2700 wrote to memory of 2148 2700 nhnntn.exe 196 PID 2700 wrote to memory of 2148 2700 nhnntn.exe 196 PID 2700 wrote to memory of 2148 2700 nhnntn.exe 196 PID 2700 wrote to memory of 2148 2700 nhnntn.exe 196 PID 2148 wrote to memory of 2704 2148 9vdpd.exe 38 
PID 2148 wrote to memory of 2704 2148 9vdpd.exe 38 PID 2148 wrote to memory of 2704 2148 9vdpd.exe 38 PID 2148 wrote to memory of 2704 2148 9vdpd.exe 38 PID 2704 wrote to memory of 2580 2704 5rllxfr.exe 39 PID 2704 wrote to memory of 2580 2704 5rllxfr.exe 39 PID 2704 wrote to memory of 2580 2704 5rllxfr.exe 39 PID 2704 wrote to memory of 2580 2704 5rllxfr.exe 39 PID 2580 wrote to memory of 3024 2580 5nbtbb.exe 40 PID 2580 wrote to memory of 3024 2580 5nbtbb.exe 40 PID 2580 wrote to memory of 3024 2580 5nbtbb.exe 40 PID 2580 wrote to memory of 3024 2580 5nbtbb.exe 40 PID 3024 wrote to memory of 2044 3024 pjvpd.exe 41 PID 3024 wrote to memory of 2044 3024 pjvpd.exe 41 PID 3024 wrote to memory of 2044 3024 pjvpd.exe 41 PID 3024 wrote to memory of 2044 3024 pjvpd.exe 41 PID 2044 wrote to memory of 1096 2044 jdjpv.exe 42 PID 2044 wrote to memory of 1096 2044 jdjpv.exe 42 PID 2044 wrote to memory of 1096 2044 jdjpv.exe 42 PID 2044 wrote to memory of 1096 2044 jdjpv.exe 42 PID 1096 wrote to memory of 1784 1096 fxllrlr.exe 206 PID 1096 wrote to memory of 1784 1096 fxllrlr.exe 206 PID 1096 wrote to memory of 1784 1096 fxllrlr.exe 206 PID 1096 wrote to memory of 1784 1096 fxllrlr.exe 206 PID 1784 wrote to memory of 1908 1784 hbhbnh.exe 44 PID 1784 wrote to memory of 1908 1784 hbhbnh.exe 44 PID 1784 wrote to memory of 1908 1784 hbhbnh.exe 44 PID 1784 wrote to memory of 1908 1784 hbhbnh.exe 44 PID 1908 wrote to memory of 536 1908 pjjpv.exe 45 PID 1908 wrote to memory of 536 1908 pjjpv.exe 45 PID 1908 wrote to memory of 536 1908 pjjpv.exe 45 PID 1908 wrote to memory of 536 1908 pjjpv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe"C:\Users\Admin\AppData\Local\Temp\b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\nhtbnt.exec:\nhtbnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\xlrrrlx.exec:\xlrrrlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\9rrlrrx.exec:\9rrlrrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\vvvvv.exec:\vvvvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\pjddj.exec:\pjddj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\7frrrll.exec:\7frrrll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\nhnntn.exec:\nhnntn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\9vdpd.exec:\9vdpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\5rllxfr.exec:\5rllxfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\5nbtbb.exec:\5nbtbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\pjvpd.exec:\pjvpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\jdjpv.exec:\jdjpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\fxllrlr.exec:\fxllrlr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\hbhbnh.exec:\hbhbnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\pjjpv.exec:\pjjpv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\jjjpj.exec:\jjjpj.exe17⤵
- Executes dropped EXE
PID:536 -
\??\c:\7nntnn.exec:\7nntnn.exe18⤵
- Executes dropped EXE
PID:1348 -
\??\c:\nnhnbb.exec:\nnhnbb.exe19⤵
- Executes dropped EXE
PID:1756 -
\??\c:\5vvdd.exec:\5vvdd.exe20⤵
- Executes dropped EXE
PID:376 -
\??\c:\ffflllr.exec:\ffflllr.exe21⤵
- Executes dropped EXE
PID:2192 -
\??\c:\bttttn.exec:\bttttn.exe22⤵
- Executes dropped EXE
PID:2268 -
\??\c:\9jddj.exec:\9jddj.exe23⤵
- Executes dropped EXE
PID:1592 -
\??\c:\lfrrxrr.exec:\lfrrxrr.exe24⤵
- Executes dropped EXE
PID:1516 -
\??\c:\fxlllfl.exec:\fxlllfl.exe25⤵
- Executes dropped EXE
PID:900 -
\??\c:\hbhhnh.exec:\hbhhnh.exe26⤵
- Executes dropped EXE
PID:1336 -
\??\c:\hbnbnn.exec:\hbnbnn.exe27⤵
- Executes dropped EXE
PID:2216 -
\??\c:\3dppv.exec:\3dppv.exe28⤵
- Executes dropped EXE
PID:2304 -
\??\c:\lxrrxxf.exec:\lxrrxxf.exe29⤵
- Executes dropped EXE
PID:2956 -
\??\c:\5thhhh.exec:\5thhhh.exe30⤵
- Executes dropped EXE
PID:2400 -
\??\c:\djddd.exec:\djddd.exe31⤵
- Executes dropped EXE
PID:752 -
\??\c:\frflrfr.exec:\frflrfr.exe32⤵
- Executes dropped EXE
PID:548 -
\??\c:\nhtthh.exec:\nhtthh.exe33⤵PID:1720
-
\??\c:\dvddj.exec:\dvddj.exe34⤵
- Executes dropped EXE
PID:2388 -
\??\c:\jvddj.exec:\jvddj.exe35⤵
- Executes dropped EXE
PID:1800 -
\??\c:\fxrxffr.exec:\fxrxffr.exe36⤵
- Executes dropped EXE
PID:2856 -
\??\c:\7thbbt.exec:\7thbbt.exe37⤵
- Executes dropped EXE
PID:2480 -
\??\c:\jvjjp.exec:\jvjjp.exe38⤵
- Executes dropped EXE
PID:2196 -
\??\c:\lfflxfx.exec:\lfflxfx.exe39⤵
- Executes dropped EXE
PID:2676 -
\??\c:\xrrxffr.exec:\xrrxffr.exe40⤵
- Executes dropped EXE
PID:2724 -
\??\c:\nhbbnn.exec:\nhbbnn.exe41⤵
- Executes dropped EXE
PID:2808 -
\??\c:\dpvpp.exec:\dpvpp.exe42⤵
- Executes dropped EXE
PID:2596 -
\??\c:\jdpvp.exec:\jdpvp.exe43⤵
- Executes dropped EXE
PID:2616 -
\??\c:\lfrrffr.exec:\lfrrffr.exe44⤵
- Executes dropped EXE
PID:2632 -
\??\c:\lfxrxxf.exec:\lfxrxxf.exe45⤵
- Executes dropped EXE
PID:2836 -
\??\c:\dvjpv.exec:\dvjpv.exe46⤵
- Executes dropped EXE
PID:2292 -
\??\c:\jjvvj.exec:\jjvvj.exe47⤵
- Executes dropped EXE
PID:1488 -
\??\c:\nntnnb.exec:\nntnnb.exe48⤵
- Executes dropped EXE
PID:1740 -
\??\c:\vvvdp.exec:\vvvdp.exe49⤵
- Executes dropped EXE
PID:692 -
\??\c:\dpjdp.exec:\dpjdp.exe50⤵
- Executes dropped EXE
PID:2460 -
\??\c:\3fxxxff.exec:\3fxxxff.exe51⤵
- Executes dropped EXE
PID:2272 -
\??\c:\rllrllx.exec:\rllrllx.exe52⤵
- Executes dropped EXE
PID:1156 -
\??\c:\nhtbhh.exec:\nhtbhh.exe53⤵
- Executes dropped EXE
PID:1532 -
\??\c:\vjddp.exec:\vjddp.exe54⤵
- Executes dropped EXE
PID:2880 -
\??\c:\pdpjp.exec:\pdpjp.exe55⤵
- Executes dropped EXE
PID:1756 -
\??\c:\dvjdp.exec:\dvjdp.exe56⤵
- Executes dropped EXE
PID:2876 -
\??\c:\rfrllfx.exec:\rfrllfx.exe57⤵
- Executes dropped EXE
PID:2984 -
\??\c:\htnnbb.exec:\htnnbb.exe58⤵
- Executes dropped EXE
PID:2376 -
\??\c:\nbhbht.exec:\nbhbht.exe59⤵
- Executes dropped EXE
PID:920 -
\??\c:\jdpjv.exec:\jdpjv.exe60⤵
- Executes dropped EXE
PID:1592 -
\??\c:\pdjjj.exec:\pdjjj.exe61⤵
- Executes dropped EXE
PID:1952 -
\??\c:\xrfffxf.exec:\xrfffxf.exe62⤵
- Executes dropped EXE
PID:1080 -
\??\c:\ffflxxf.exec:\ffflxxf.exe63⤵
- Executes dropped EXE
PID:1860 -
\??\c:\hbhhnb.exec:\hbhhnb.exe64⤵
- Executes dropped EXE
PID:764 -
\??\c:\pdjjj.exec:\pdjjj.exe65⤵
- Executes dropped EXE
PID:784 -
\??\c:\ppjjv.exec:\ppjjv.exe66⤵
- Executes dropped EXE
PID:1284 -
\??\c:\frlfllr.exec:\frlfllr.exe67⤵PID:1904
-
\??\c:\rlrrxxl.exec:\rlrrxxl.exe68⤵PID:2868
-
\??\c:\thtbnn.exec:\thtbnn.exe69⤵PID:2488
-
\??\c:\7hbntn.exec:\7hbntn.exe70⤵PID:2492
-
\??\c:\vvppv.exec:\vvppv.exe71⤵PID:2392
-
\??\c:\3vjdv.exec:\3vjdv.exe72⤵PID:2084
-
\??\c:\xlxxxxf.exec:\xlxxxxf.exe73⤵PID:1980
-
\??\c:\7frxffr.exec:\7frxffr.exe74⤵PID:2852
-
\??\c:\hthhnn.exec:\hthhnn.exe75⤵PID:2284
-
\??\c:\pjvvd.exec:\pjvvd.exe76⤵PID:2424
-
\??\c:\jvjdp.exec:\jvjdp.exe77⤵PID:2764
-
\??\c:\7xrrrxx.exec:\7xrrrxx.exe78⤵PID:2480
-
\??\c:\fxrrxfl.exec:\fxrrxfl.exe79⤵PID:2692
-
\??\c:\1nnntn.exec:\1nnntn.exe80⤵PID:2220
-
\??\c:\nnttbt.exec:\nnttbt.exe81⤵PID:2780
-
\??\c:\3djjd.exec:\3djjd.exe82⤵PID:2188
-
\??\c:\3dpjp.exec:\3dpjp.exe83⤵PID:3056
-
\??\c:\rxlffxx.exec:\rxlffxx.exe84⤵PID:3036
-
\??\c:\nbttbb.exec:\nbttbb.exe85⤵PID:2784
-
\??\c:\htnntt.exec:\htnntt.exe86⤵PID:2632
-
\??\c:\9jpjd.exec:\9jpjd.exe87⤵PID:1672
-
\??\c:\5jvvv.exec:\5jvvv.exe88⤵PID:860
-
\??\c:\frffllr.exec:\frffllr.exe89⤵PID:600
-
\??\c:\3flrxxx.exec:\3flrxxx.exe90⤵PID:1352
-
\??\c:\3tbbbt.exec:\3tbbbt.exe91⤵PID:2976
-
\??\c:\bntntt.exec:\bntntt.exe92⤵PID:1248
-
\??\c:\9pvvv.exec:\9pvvv.exe93⤵PID:2476
-
\??\c:\jjdvd.exec:\jjdvd.exe94⤵PID:1944
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe95⤵PID:2816
-
\??\c:\rfrlxxl.exec:\rfrlxxl.exe96⤵PID:2624
-
\??\c:\nbnhhb.exec:\nbnhhb.exe97⤵PID:1644
-
\??\c:\btnntn.exec:\btnntn.exe98⤵PID:2312
-
\??\c:\1jdvp.exec:\1jdvp.exe99⤵PID:2136
-
\??\c:\5vjjp.exec:\5vjjp.exe100⤵PID:2140
-
\??\c:\frflrrf.exec:\frflrrf.exe101⤵PID:2864
-
\??\c:\rxllrrx.exec:\rxllrrx.exe102⤵PID:1772
-
\??\c:\btbtbt.exec:\btbtbt.exe103⤵PID:848
-
\??\c:\5dpdd.exec:\5dpdd.exe104⤵PID:1592
-
\??\c:\vjppv.exec:\vjppv.exe105⤵PID:1620
-
\??\c:\rlllrrf.exec:\rlllrrf.exe106⤵PID:1584
-
\??\c:\xrxfxxl.exec:\xrxfxxl.exe107⤵PID:2820
-
\??\c:\tnbbbh.exec:\tnbbbh.exe108⤵PID:2576
-
\??\c:\btnntn.exec:\btnntn.exe109⤵PID:1732
-
\??\c:\9jppj.exec:\9jppj.exe110⤵PID:1512
-
\??\c:\fxrxllx.exec:\fxrxllx.exe111⤵PID:1688
-
\??\c:\3rxfflr.exec:\3rxfflr.exe112⤵PID:836
-
\??\c:\nhtthb.exec:\nhtthb.exe113⤵PID:1600
-
\??\c:\7tnnnh.exec:\7tnnnh.exe114⤵PID:2336
-
\??\c:\7pddj.exec:\7pddj.exe115⤵PID:2516
-
\??\c:\3dvvv.exec:\3dvvv.exe116⤵PID:2388
-
\??\c:\rrflxrf.exec:\rrflxrf.exe117⤵PID:2092
-
\??\c:\lfxfllr.exec:\lfxfllr.exe118⤵PID:776
-
\??\c:\3htttn.exec:\3htttn.exe119⤵PID:2856
-
\??\c:\tthhnh.exec:\tthhnh.exe120⤵PID:2296
-
\??\c:\jdppj.exec:\jdppj.exe121⤵PID:2764
-
\??\c:\dpdvj.exec:\dpdvj.exe122⤵PID:2196