Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe
-
Size
454KB
-
MD5
9df97c5b8a10b0616cd57cf7158d5ea0
-
SHA1
44695dd6ae18283a8a45637c5ce5af4f1cd7d4a1
-
SHA256
1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cf
-
SHA512
7b4088811f61c74f4e14e4e9f8e1ecc5235bc597b878ae612726ac02d6282e6da489538c2def36fc5ae818d869ef48836f533d984af48635e82cca2a440b0c58
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral1/memory/2196-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2524-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2376-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2032-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2288-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2768-63-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2976-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-84-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1960-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2024-88-0x0000000000270000-0x000000000029A000-memory.dmp family_blackmoon behavioral1/memory/2728-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1960-92-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2728-82-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2584-105-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/676-123-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1108-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3056-142-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2392-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-143-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon 
behavioral1/memory/780-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/780-155-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1732-162-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1108-167-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1732-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1412-174-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2808-188-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2148-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-207-0x0000000001C70000-0x0000000001C9A000-memory.dmp family_blackmoon behavioral1/memory/1044-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1536-221-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1536-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/612-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/612-232-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1688-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1772-247-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/560-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-265-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2200-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-284-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2428-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2228-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2312-299-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/344-343-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2700-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-383-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/2472-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-433-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/372-465-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1744-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2216-576-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2272-583-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1588-596-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2272-603-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2280-610-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2280-630-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2772-628-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2980-634-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/804-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2524 nthnnt.exe 2032 dppdp.exe 2376 jjdjj.exe 2288 3frlrlf.exe 2024 djjpj.exe 2768 bhtbbt.exe 2976 9pjvj.exe 2728 tthhnn.exe 1960 ffrlxll.exe 2584 7xrxfrx.exe 3056 flrrfrr.exe 676 tnbnbh.exe 1108 lllxlrl.exe 2392 5hthtt.exe 780 xxxlxlf.exe 1732 7jjdv.exe 1412 llfxrrl.exe 1764 tbhhbt.exe 2808 7lxxlrf.exe 2148 hnhnnt.exe 1044 rrlxrrl.exe 1536 rlxfrlx.exe 612 vpvvj.exe 1688 rflxxxl.exe 1772 btbthn.exe 560 llrxlrl.exe 2200 jdpjd.exe 1724 pjjdj.exe 2428 hhtbht.exe 2312 tthttt.exe 2228 vpjpd.exe 2488 jpvvp.exe 344 7dvvp.exe 2648 rlfrlrf.exe 2960 tththh.exe 2172 5hbbht.exe 2696 vvvjd.exe 2792 5rlfxfr.exe 2700 3hbnbh.exe 2880 nthbnt.exe 2920 dddjp.exe 2736 9rfrxrf.exe 2572 bbbthn.exe 2788 tnhhht.exe 2800 ddvjd.exe 1820 rllfllf.exe 2824 rflfxlr.exe 2388 ntthbb.exe 2472 dddvp.exe 596 jdjdp.exe 272 lfrfrfl.exe 1164 nnhntb.exe 2184 dppdd.exe 1516 1jjpd.exe 372 xxrxrxl.exe 2812 btthth.exe 2176 5ddpj.exe 2260 dvvdp.exe 2816 7flrxlf.exe 1496 nnnhht.exe 2320 nhnnnn.exe 1536 jdvvj.exe 2152 lfflxxl.exe 1672 bhbhbh.exe -
resource yara_rule behavioral1/memory/2196-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2524-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2376-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2032-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2288-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2024-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/676-123-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1108-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/780-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-207-0x0000000001C70000-0x0000000001C9A000-memory.dmp upx behavioral1/memory/1044-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1536-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/612-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/560-261-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2200-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2228-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/344-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/344-343-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2960-356-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2700-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2472-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2184-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-472-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2152-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1744-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-628-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/3060-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/804-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-796-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lffrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2196 wrote to memory of 2524 2196 1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe 30 PID 2196 wrote to memory of 2524 2196 1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe 30 PID 2196 wrote to memory of 2524 2196 1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe 30 PID 2196 wrote to memory of 2524 2196 1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe 30 PID 2524 wrote to memory of 2032 2524 nthnnt.exe 31 PID 2524 wrote to memory of 2032 2524 nthnnt.exe 31 PID 2524 wrote to memory of 2032 2524 nthnnt.exe 31 PID 2524 wrote to memory of 2032 2524 nthnnt.exe 31 PID 2032 wrote to memory of 2376 2032 dppdp.exe 32 PID 2032 wrote to memory of 2376 2032 dppdp.exe 32 PID 2032 wrote to memory of 2376 2032 dppdp.exe 32 PID 2032 wrote to memory of 2376 2032 dppdp.exe 32 PID 2376 wrote to memory of 2288 2376 jjdjj.exe 33 PID 2376 wrote to memory of 2288 2376 jjdjj.exe 33 PID 2376 wrote to memory of 2288 2376 jjdjj.exe 33 PID 2376 wrote to memory of 2288 2376 jjdjj.exe 33 PID 2288 wrote to memory of 2024 2288 3frlrlf.exe 34 PID 2288 wrote to memory of 2024 2288 3frlrlf.exe 34 PID 2288 wrote to memory of 2024 2288 3frlrlf.exe 34 PID 2288 wrote to memory of 2024 2288 3frlrlf.exe 34 PID 2024 wrote to memory of 2768 2024 djjpj.exe 35 PID 2024 wrote to memory of 2768 2024 djjpj.exe 35 PID 2024 wrote to memory of 2768 2024 djjpj.exe 35 PID 2024 wrote to memory of 2768 2024 djjpj.exe 35 PID 2768 wrote to memory of 2976 2768 bhtbbt.exe 36 PID 2768 wrote to memory of 2976 2768 bhtbbt.exe 36 PID 2768 wrote to memory of 2976 2768 bhtbbt.exe 36 PID 2768 wrote to memory of 2976 2768 bhtbbt.exe 36 PID 2976 wrote to memory of 2728 2976 9pjvj.exe 37 PID 2976 wrote to memory of 2728 2976 9pjvj.exe 37 PID 2976 wrote to memory of 2728 2976 9pjvj.exe 37 PID 2976 wrote to memory of 2728 2976 9pjvj.exe 37 PID 2728 wrote to memory of 1960 2728 tthhnn.exe 38 PID 2728 wrote to 
memory of 1960 2728 tthhnn.exe 38 PID 2728 wrote to memory of 1960 2728 tthhnn.exe 38 PID 2728 wrote to memory of 1960 2728 tthhnn.exe 38 PID 1960 wrote to memory of 2584 1960 ffrlxll.exe 39 PID 1960 wrote to memory of 2584 1960 ffrlxll.exe 39 PID 1960 wrote to memory of 2584 1960 ffrlxll.exe 39 PID 1960 wrote to memory of 2584 1960 ffrlxll.exe 39 PID 2584 wrote to memory of 3056 2584 7xrxfrx.exe 40 PID 2584 wrote to memory of 3056 2584 7xrxfrx.exe 40 PID 2584 wrote to memory of 3056 2584 7xrxfrx.exe 40 PID 2584 wrote to memory of 3056 2584 7xrxfrx.exe 40 PID 3056 wrote to memory of 676 3056 flrrfrr.exe 41 PID 3056 wrote to memory of 676 3056 flrrfrr.exe 41 PID 3056 wrote to memory of 676 3056 flrrfrr.exe 41 PID 3056 wrote to memory of 676 3056 flrrfrr.exe 41 PID 676 wrote to memory of 1108 676 tnbnbh.exe 42 PID 676 wrote to memory of 1108 676 tnbnbh.exe 42 PID 676 wrote to memory of 1108 676 tnbnbh.exe 42 PID 676 wrote to memory of 1108 676 tnbnbh.exe 42 PID 1108 wrote to memory of 2392 1108 lllxlrl.exe 43 PID 1108 wrote to memory of 2392 1108 lllxlrl.exe 43 PID 1108 wrote to memory of 2392 1108 lllxlrl.exe 43 PID 1108 wrote to memory of 2392 1108 lllxlrl.exe 43 PID 2392 wrote to memory of 780 2392 5hthtt.exe 44 PID 2392 wrote to memory of 780 2392 5hthtt.exe 44 PID 2392 wrote to memory of 780 2392 5hthtt.exe 44 PID 2392 wrote to memory of 780 2392 5hthtt.exe 44 PID 780 wrote to memory of 1732 780 xxxlxlf.exe 45 PID 780 wrote to memory of 1732 780 xxxlxlf.exe 45 PID 780 wrote to memory of 1732 780 xxxlxlf.exe 45 PID 780 wrote to memory of 1732 780 xxxlxlf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe"C:\Users\Admin\AppData\Local\Temp\1e34f82f900a35b601cbbbece7f00fef8ce03f7551a7977b7975eba80a3d01cfN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\nthnnt.exec:\nthnnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\dppdp.exec:\dppdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\jjdjj.exec:\jjdjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\3frlrlf.exec:\3frlrlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\djjpj.exec:\djjpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\bhtbbt.exec:\bhtbbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\9pjvj.exec:\9pjvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\tthhnn.exec:\tthhnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\ffrlxll.exec:\ffrlxll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\7xrxfrx.exec:\7xrxfrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\flrrfrr.exec:\flrrfrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\tnbnbh.exec:\tnbnbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\lllxlrl.exec:\lllxlrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\5hthtt.exec:\5hthtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\xxxlxlf.exec:\xxxlxlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:780 -
\??\c:\7jjdv.exec:\7jjdv.exe17⤵
- Executes dropped EXE
PID:1732 -
\??\c:\llfxrrl.exec:\llfxrrl.exe18⤵
- Executes dropped EXE
PID:1412 -
\??\c:\tbhhbt.exec:\tbhhbt.exe19⤵
- Executes dropped EXE
PID:1764 -
\??\c:\7lxxlrf.exec:\7lxxlrf.exe20⤵
- Executes dropped EXE
PID:2808 -
\??\c:\hnhnnt.exec:\hnhnnt.exe21⤵
- Executes dropped EXE
PID:2148 -
\??\c:\rrlxrrl.exec:\rrlxrrl.exe22⤵
- Executes dropped EXE
PID:1044 -
\??\c:\rlxfrlx.exec:\rlxfrlx.exe23⤵
- Executes dropped EXE
PID:1536 -
\??\c:\vpvvj.exec:\vpvvj.exe24⤵
- Executes dropped EXE
PID:612 -
\??\c:\rflxxxl.exec:\rflxxxl.exe25⤵
- Executes dropped EXE
PID:1688 -
\??\c:\btbthn.exec:\btbthn.exe26⤵
- Executes dropped EXE
PID:1772 -
\??\c:\llrxlrl.exec:\llrxlrl.exe27⤵
- Executes dropped EXE
PID:560 -
\??\c:\jdpjd.exec:\jdpjd.exe28⤵
- Executes dropped EXE
PID:2200 -
\??\c:\pjjdj.exec:\pjjdj.exe29⤵
- Executes dropped EXE
PID:1724 -
\??\c:\hhtbht.exec:\hhtbht.exe30⤵
- Executes dropped EXE
PID:2428 -
\??\c:\tthttt.exec:\tthttt.exe31⤵
- Executes dropped EXE
PID:2312 -
\??\c:\vpjpd.exec:\vpjpd.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2228 -
\??\c:\jpvvp.exec:\jpvvp.exe33⤵
- Executes dropped EXE
PID:2488 -
\??\c:\7dvvp.exec:\7dvvp.exe34⤵
- Executes dropped EXE
PID:344 -
\??\c:\rlfrlrf.exec:\rlfrlrf.exe35⤵
- Executes dropped EXE
PID:2648 -
\??\c:\tththh.exec:\tththh.exe36⤵
- Executes dropped EXE
PID:2960 -
\??\c:\5hbbht.exec:\5hbbht.exe37⤵
- Executes dropped EXE
PID:2172 -
\??\c:\vvvjd.exec:\vvvjd.exe38⤵
- Executes dropped EXE
PID:2696 -
\??\c:\5rlfxfr.exec:\5rlfxfr.exe39⤵
- Executes dropped EXE
PID:2792 -
\??\c:\3hbnbh.exec:\3hbnbh.exe40⤵
- Executes dropped EXE
PID:2700 -
\??\c:\nthbnt.exec:\nthbnt.exe41⤵
- Executes dropped EXE
PID:2880 -
\??\c:\dddjp.exec:\dddjp.exe42⤵
- Executes dropped EXE
PID:2920 -
\??\c:\9rfrxrf.exec:\9rfrxrf.exe43⤵
- Executes dropped EXE
PID:2736 -
\??\c:\bbbthn.exec:\bbbthn.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2572 -
\??\c:\tnhhht.exec:\tnhhht.exe45⤵
- Executes dropped EXE
PID:2788 -
\??\c:\ddvjd.exec:\ddvjd.exe46⤵
- Executes dropped EXE
PID:2800 -
\??\c:\rllfllf.exec:\rllfllf.exe47⤵
- Executes dropped EXE
PID:1820 -
\??\c:\rflfxlr.exec:\rflfxlr.exe48⤵
- Executes dropped EXE
PID:2824 -
\??\c:\ntthbb.exec:\ntthbb.exe49⤵
- Executes dropped EXE
PID:2388 -
\??\c:\dddvp.exec:\dddvp.exe50⤵
- Executes dropped EXE
PID:2472 -
\??\c:\jdjdp.exec:\jdjdp.exe51⤵
- Executes dropped EXE
PID:596 -
\??\c:\lfrfrfl.exec:\lfrfrfl.exe52⤵
- Executes dropped EXE
PID:272 -
\??\c:\nnhntb.exec:\nnhntb.exe53⤵
- Executes dropped EXE
PID:1164 -
\??\c:\dppdd.exec:\dppdd.exe54⤵
- Executes dropped EXE
PID:2184 -
\??\c:\1jjpd.exec:\1jjpd.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1516 -
\??\c:\xxrxrxl.exec:\xxrxrxl.exe56⤵
- Executes dropped EXE
PID:372 -
\??\c:\btthth.exec:\btthth.exe57⤵
- Executes dropped EXE
PID:2812 -
\??\c:\5ddpj.exec:\5ddpj.exe58⤵
- Executes dropped EXE
PID:2176 -
\??\c:\dvvdp.exec:\dvvdp.exe59⤵
- Executes dropped EXE
PID:2260 -
\??\c:\7flrxlf.exec:\7flrxlf.exe60⤵
- Executes dropped EXE
PID:2816 -
\??\c:\nnnhht.exec:\nnnhht.exe61⤵
- Executes dropped EXE
PID:1496 -
\??\c:\nhnnnn.exec:\nhnnnn.exe62⤵
- Executes dropped EXE
PID:2320 -
\??\c:\jdvvj.exec:\jdvvj.exe63⤵
- Executes dropped EXE
PID:1536 -
\??\c:\lfflxxl.exec:\lfflxxl.exe64⤵
- Executes dropped EXE
PID:2152 -
\??\c:\bhbhbh.exec:\bhbhbh.exe65⤵
- Executes dropped EXE
PID:1672 -
\??\c:\7bhnhb.exec:\7bhnhb.exe66⤵PID:1376
-
\??\c:\ddppp.exec:\ddppp.exe67⤵PID:1148
-
\??\c:\ffflrfx.exec:\ffflrfx.exe68⤵PID:1528
-
\??\c:\bbthbn.exec:\bbthbn.exe69⤵PID:1332
-
\??\c:\vvvpj.exec:\vvvpj.exe70⤵PID:2216
-
\??\c:\jppjd.exec:\jppjd.exe71⤵PID:1744
-
\??\c:\llfrfxr.exec:\llfrfxr.exe72⤵PID:896
-
\??\c:\nhnhnh.exec:\nhnhnh.exe73⤵PID:2416
-
\??\c:\jpvpv.exec:\jpvpv.exe74⤵PID:2272
-
\??\c:\pvvpj.exec:\pvvpj.exe75⤵PID:2332
-
\??\c:\fxlrlrl.exec:\fxlrlrl.exe76⤵PID:1588
-
\??\c:\bhhtth.exec:\bhhtth.exe77⤵PID:1752
-
\??\c:\jjjpj.exec:\jjjpj.exe78⤵PID:2280
-
\??\c:\rxrlxlx.exec:\rxrlxlx.exe79⤵PID:2008
-
\??\c:\nttnhn.exec:\nttnhn.exe80⤵PID:2708
-
\??\c:\vdvdp.exec:\vdvdp.exe81⤵PID:2772
-
\??\c:\ddpvj.exec:\ddpvj.exe82⤵PID:2980
-
\??\c:\rxxlxxx.exec:\rxxlxxx.exe83⤵PID:2864
-
\??\c:\9hhnht.exec:\9hhnht.exe84⤵PID:2912
-
\??\c:\dpjpj.exec:\dpjpj.exe85⤵PID:2592
-
\??\c:\1rxrrrl.exec:\1rxrrrl.exe86⤵PID:2680
-
\??\c:\1fxxlrx.exec:\1fxxlrx.exe87⤵PID:1960
-
\??\c:\ntnbnb.exec:\ntnbnb.exe88⤵PID:3060
-
\??\c:\pdpdp.exec:\pdpdp.exe89⤵PID:480
-
\??\c:\5rxxxrx.exec:\5rxxxrx.exe90⤵PID:568
-
\??\c:\rrfflxx.exec:\rrfflxx.exe91⤵PID:2636
-
\??\c:\htnhth.exec:\htnhth.exe92⤵PID:2100
-
\??\c:\pjdpd.exec:\pjdpd.exe93⤵PID:804
-
\??\c:\djdpd.exec:\djdpd.exe94⤵PID:704
-
\??\c:\5rlrfxl.exec:\5rlrfxl.exe95⤵PID:1088
-
\??\c:\5nbbtb.exec:\5nbbtb.exe96⤵PID:2820
-
\??\c:\nnhhbh.exec:\nnhhbh.exe97⤵PID:2668
-
\??\c:\jvdvv.exec:\jvdvv.exe98⤵PID:2908
-
\??\c:\frrlxxf.exec:\frrlxxf.exe99⤵PID:1836
-
\??\c:\bbnbbn.exec:\bbnbbn.exe100⤵PID:2248
-
\??\c:\3tnnhn.exec:\3tnnhn.exe101⤵PID:2808
-
\??\c:\pjpjv.exec:\pjpjv.exe102⤵PID:2148
-
\??\c:\xllxlxf.exec:\xllxlxf.exe103⤵PID:1044
-
\??\c:\btttnb.exec:\btttnb.exe104⤵
- System Location Discovery: System Language Discovery
PID:848 -
\??\c:\jjddp.exec:\jjddp.exe105⤵PID:868
-
\??\c:\ppjvj.exec:\ppjvj.exe106⤵PID:2068
-
\??\c:\rffflfl.exec:\rffflfl.exe107⤵PID:1072
-
\??\c:\nnhbth.exec:\nnhbth.exe108⤵PID:1688
-
\??\c:\7jdjp.exec:\7jdjp.exe109⤵PID:1776
-
\??\c:\xrlrlxl.exec:\xrlrlxl.exe110⤵PID:1064
-
\??\c:\thnntn.exec:\thnntn.exe111⤵PID:3008
-
\??\c:\dddpp.exec:\dddpp.exe112⤵PID:2192
-
\??\c:\lrrfrfr.exec:\lrrfrfr.exe113⤵PID:2212
-
\??\c:\ntnbnh.exec:\ntnbnh.exe114⤵
- System Location Discovery: System Language Discovery
PID:1700 -
\??\c:\vvjpj.exec:\vvjpj.exe115⤵PID:1744
-
\??\c:\dddjd.exec:\dddjd.exe116⤵
- System Location Discovery: System Language Discovery
PID:2412 -
\??\c:\lflxlfl.exec:\lflxlfl.exe117⤵PID:2308
-
\??\c:\hbbnnt.exec:\hbbnnt.exe118⤵PID:1576
-
\??\c:\pdpjj.exec:\pdpjj.exe119⤵PID:3040
-
\??\c:\ddvdj.exec:\ddvdj.exe120⤵PID:2884
-
\??\c:\1rrxrfl.exec:\1rrxrfl.exe121⤵PID:2660
-
\??\c:\bbnthn.exec:\bbnthn.exe122⤵PID:2116
-