Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe
-
Size
454KB
-
MD5
3469b33bcb32417fee8d75ba4b2e7500
-
SHA1
107c8370d6e4a7efa1951ca1a63389d453ce9d9b
-
SHA256
1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686
-
SHA512
69a220bbc47cd3af2483d2f6c82dcf64d95f6a2d0a46c1a9a229d3a856ff96fe55cd0d7485afb44af30846f3e71b4599a2f2f3a97e54490281c56d4c4fde4e43
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 48 IoCs
resource yara_rule behavioral1/memory/2972-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2348-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2668-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2824-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2844-66-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2604-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2576-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2736-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1608-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1632-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2492-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/236-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1456-215-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1456-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/924-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2408-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2160-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1088-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1580-306-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1580-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1136-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2636-375-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1156-387-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1436-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/880-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2012-467-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1604-470-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1744-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1744-518-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1464-525-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1764-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2276-565-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2276-581-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2568-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-661-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1820-728-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2964-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-894-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2480 tththt.exe 2348 jjdpv.exe 2744 xxxfxlf.exe 2668 ntnbht.exe 2824 7djpv.exe 2844 nnhntb.exe 2788 9lrrxfl.exe 2604 7xrlxfr.exe 2576 hhbtbh.exe 2608 ffxrrxl.exe 1736 httttn.exe 2736 llffrrl.exe 1892 9ntbhb.exe 2900 pjdjj.exe 2856 fxrxlrx.exe 2920 nttbhn.exe 1608 7vppd.exe 3040 vjvpp.exe 1632 9hbhnn.exe 2492 jdvdd.exe 236 fxlffff.exe 1456 tthhnt.exe 972 1lxrxfl.exe 1728 lfrrlfx.exe 924 pvppv.exe 1596 rlrxxlr.exe 2408 vjvdj.exe 2160 fxxllxf.exe 1088 djvdp.exe 2276 ppdjv.exe 2488 tnhnbb.exe 1580 7hntht.exe 2652 xxrflxl.exe 2780 hhbtbt.exe 2504 hhbtbt.exe 1976 3vpjd.exe 2816 fflrxxf.exe 1068 rrrxflx.exe 2592 3bttbh.exe 2808 dvvvj.exe 1136 jdvdj.exe 2636 llrrflr.exe 2396 bthnnb.exe 1156 nhnntt.exe 2932 vppjd.exe 2296 xlxxllx.exe 2628 7hhbtt.exe 2084 jdvdp.exe 2896 jvdpp.exe 572 1lllrrl.exe 1436 1thhhh.exe 880 nntbnn.exe 3064 1jdjv.exe 2660 7rxlrfr.exe 1064 bbtbtb.exe 2012 hnbtnb.exe 1604 9vvvp.exe 1060 5jjpv.exe 1900 xlxrlrx.exe 836 tnbhnt.exe 1744 htbnnn.exe 1896 5vppv.exe 1768 fxrlrlr.exe 920 xfxlxlx.exe -
resource yara_rule behavioral1/memory/2972-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2348-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2824-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2576-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1608-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2492-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/236-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1456-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/924-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2408-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-273-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1088-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1580-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1136-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1136-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1156-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2932-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1436-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/880-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1064-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2012-467-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1744-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-532-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1764-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2476-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-661-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/1820-728-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2656-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1056-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1352-816-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2316-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-866-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2964-879-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2972 wrote to memory of 2480 2972 1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe 31 PID 2972 wrote to memory of 2480 2972 1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe 31 PID 2972 wrote to memory of 2480 2972 1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe 31 PID 2972 wrote to memory of 2480 2972 1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe 31 PID 2480 wrote to memory of 2348 2480 tththt.exe 32 PID 2480 wrote to memory of 2348 2480 tththt.exe 32 PID 2480 wrote to memory of 2348 2480 tththt.exe 32 PID 2480 wrote to memory of 2348 2480 tththt.exe 32 PID 2348 wrote to memory of 2744 2348 jjdpv.exe 33 PID 2348 wrote to memory of 2744 2348 jjdpv.exe 33 PID 2348 wrote to memory of 2744 2348 jjdpv.exe 33 PID 2348 wrote to memory of 2744 2348 jjdpv.exe 33 PID 2744 wrote to memory of 2668 2744 xxxfxlf.exe 34 PID 2744 wrote to memory of 2668 2744 xxxfxlf.exe 34 PID 2744 wrote to memory of 2668 2744 xxxfxlf.exe 34 PID 2744 wrote to memory of 2668 2744 xxxfxlf.exe 34 PID 2668 wrote to memory of 2824 2668 ntnbht.exe 35 PID 2668 wrote to memory of 2824 2668 ntnbht.exe 35 PID 2668 wrote to memory of 2824 2668 ntnbht.exe 35 PID 2668 wrote to memory of 2824 2668 ntnbht.exe 35 PID 2824 wrote to memory of 2844 2824 7djpv.exe 36 PID 2824 wrote to memory of 2844 2824 7djpv.exe 36 PID 2824 wrote to memory of 2844 2824 7djpv.exe 36 PID 2824 wrote to memory of 2844 2824 7djpv.exe 36 PID 2844 wrote to memory of 2788 2844 nnhntb.exe 37 PID 2844 wrote to memory of 2788 2844 nnhntb.exe 37 PID 2844 wrote to memory of 2788 2844 nnhntb.exe 37 PID 2844 wrote to memory of 2788 2844 nnhntb.exe 37 PID 2788 wrote to memory of 2604 2788 9lrrxfl.exe 38 PID 2788 wrote to memory of 2604 2788 9lrrxfl.exe 38 PID 2788 wrote to memory of 2604 2788 9lrrxfl.exe 38 PID 2788 wrote to memory of 2604 2788 9lrrxfl.exe 38 PID 2604 wrote to memory of 2576 2604 7xrlxfr.exe 39 PID 2604 
wrote to memory of 2576 2604 7xrlxfr.exe 39 PID 2604 wrote to memory of 2576 2604 7xrlxfr.exe 39 PID 2604 wrote to memory of 2576 2604 7xrlxfr.exe 39 PID 2576 wrote to memory of 2608 2576 hhbtbh.exe 40 PID 2576 wrote to memory of 2608 2576 hhbtbh.exe 40 PID 2576 wrote to memory of 2608 2576 hhbtbh.exe 40 PID 2576 wrote to memory of 2608 2576 hhbtbh.exe 40 PID 2608 wrote to memory of 1736 2608 ffxrrxl.exe 41 PID 2608 wrote to memory of 1736 2608 ffxrrxl.exe 41 PID 2608 wrote to memory of 1736 2608 ffxrrxl.exe 41 PID 2608 wrote to memory of 1736 2608 ffxrrxl.exe 41 PID 1736 wrote to memory of 2736 1736 httttn.exe 42 PID 1736 wrote to memory of 2736 1736 httttn.exe 42 PID 1736 wrote to memory of 2736 1736 httttn.exe 42 PID 1736 wrote to memory of 2736 1736 httttn.exe 42 PID 2736 wrote to memory of 1892 2736 llffrrl.exe 43 PID 2736 wrote to memory of 1892 2736 llffrrl.exe 43 PID 2736 wrote to memory of 1892 2736 llffrrl.exe 43 PID 2736 wrote to memory of 1892 2736 llffrrl.exe 43 PID 1892 wrote to memory of 2900 1892 9ntbhb.exe 44 PID 1892 wrote to memory of 2900 1892 9ntbhb.exe 44 PID 1892 wrote to memory of 2900 1892 9ntbhb.exe 44 PID 1892 wrote to memory of 2900 1892 9ntbhb.exe 44 PID 2900 wrote to memory of 2856 2900 pjdjj.exe 45 PID 2900 wrote to memory of 2856 2900 pjdjj.exe 45 PID 2900 wrote to memory of 2856 2900 pjdjj.exe 45 PID 2900 wrote to memory of 2856 2900 pjdjj.exe 45 PID 2856 wrote to memory of 2920 2856 fxrxlrx.exe 46 PID 2856 wrote to memory of 2920 2856 fxrxlrx.exe 46 PID 2856 wrote to memory of 2920 2856 fxrxlrx.exe 46 PID 2856 wrote to memory of 2920 2856 fxrxlrx.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe"C:\Users\Admin\AppData\Local\Temp\1a76bde67c24f4d9cd5d394c818ffa74d748eb3a18c18cceecc35bc2fc735686N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\tththt.exec:\tththt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\jjdpv.exec:\jjdpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\xxxfxlf.exec:\xxxfxlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\ntnbht.exec:\ntnbht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\7djpv.exec:\7djpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\nnhntb.exec:\nnhntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\9lrrxfl.exec:\9lrrxfl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\7xrlxfr.exec:\7xrlxfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\hhbtbh.exec:\hhbtbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\ffxrrxl.exec:\ffxrrxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\httttn.exec:\httttn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\llffrrl.exec:\llffrrl.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\9ntbhb.exec:\9ntbhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\pjdjj.exec:\pjdjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\fxrxlrx.exec:\fxrxlrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\nttbhn.exec:\nttbhn.exe17⤵
- Executes dropped EXE
PID:2920 -
\??\c:\7vppd.exec:\7vppd.exe18⤵
- Executes dropped EXE
PID:1608 -
\??\c:\vjvpp.exec:\vjvpp.exe19⤵
- Executes dropped EXE
PID:3040 -
\??\c:\9hbhnn.exec:\9hbhnn.exe20⤵
- Executes dropped EXE
PID:1632 -
\??\c:\jdvdd.exec:\jdvdd.exe21⤵
- Executes dropped EXE
PID:2492 -
\??\c:\fxlffff.exec:\fxlffff.exe22⤵
- Executes dropped EXE
PID:236 -
\??\c:\tthhnt.exec:\tthhnt.exe23⤵
- Executes dropped EXE
PID:1456 -
\??\c:\1lxrxfl.exec:\1lxrxfl.exe24⤵
- Executes dropped EXE
PID:972 -
\??\c:\lfrrlfx.exec:\lfrrlfx.exe25⤵
- Executes dropped EXE
PID:1728 -
\??\c:\pvppv.exec:\pvppv.exe26⤵
- Executes dropped EXE
PID:924 -
\??\c:\rlrxxlr.exec:\rlrxxlr.exe27⤵
- Executes dropped EXE
PID:1596 -
\??\c:\vjvdj.exec:\vjvdj.exe28⤵
- Executes dropped EXE
PID:2408 -
\??\c:\fxxllxf.exec:\fxxllxf.exe29⤵
- Executes dropped EXE
PID:2160 -
\??\c:\djvdp.exec:\djvdp.exe30⤵
- Executes dropped EXE
PID:1088 -
\??\c:\ppdjv.exec:\ppdjv.exe31⤵
- Executes dropped EXE
PID:2276 -
\??\c:\tnhnbb.exec:\tnhnbb.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2488 -
\??\c:\7hntht.exec:\7hntht.exe33⤵
- Executes dropped EXE
PID:1580 -
\??\c:\xxrflxl.exec:\xxrflxl.exe34⤵
- Executes dropped EXE
PID:2652 -
\??\c:\hhbtbt.exec:\hhbtbt.exe35⤵
- Executes dropped EXE
PID:2780 -
\??\c:\hhbtbt.exec:\hhbtbt.exe36⤵
- Executes dropped EXE
PID:2504 -
\??\c:\3vpjd.exec:\3vpjd.exe37⤵
- Executes dropped EXE
PID:1976 -
\??\c:\fflrxxf.exec:\fflrxxf.exe38⤵
- Executes dropped EXE
PID:2816 -
\??\c:\rrrxflx.exec:\rrrxflx.exe39⤵
- Executes dropped EXE
PID:1068 -
\??\c:\3bttbh.exec:\3bttbh.exe40⤵
- Executes dropped EXE
PID:2592 -
\??\c:\dvvvj.exec:\dvvvj.exe41⤵
- Executes dropped EXE
PID:2808 -
\??\c:\jdvdj.exec:\jdvdj.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1136 -
\??\c:\llrrflr.exec:\llrrflr.exe43⤵
- Executes dropped EXE
PID:2636 -
\??\c:\bthnnb.exec:\bthnnb.exe44⤵
- Executes dropped EXE
PID:2396 -
\??\c:\nhnntt.exec:\nhnntt.exe45⤵
- Executes dropped EXE
PID:1156 -
\??\c:\vppjd.exec:\vppjd.exe46⤵
- Executes dropped EXE
PID:2932 -
\??\c:\xlxxllx.exec:\xlxxllx.exe47⤵
- Executes dropped EXE
PID:2296 -
\??\c:\7hhbtt.exec:\7hhbtt.exe48⤵
- Executes dropped EXE
PID:2628 -
\??\c:\jdvdp.exec:\jdvdp.exe49⤵
- Executes dropped EXE
PID:2084 -
\??\c:\jvdpp.exec:\jvdpp.exe50⤵
- Executes dropped EXE
PID:2896 -
\??\c:\1lllrrl.exec:\1lllrrl.exe51⤵
- Executes dropped EXE
PID:572 -
\??\c:\1thhhh.exec:\1thhhh.exe52⤵
- Executes dropped EXE
PID:1436 -
\??\c:\nntbnn.exec:\nntbnn.exe53⤵
- Executes dropped EXE
PID:880 -
\??\c:\1jdjv.exec:\1jdjv.exe54⤵
- Executes dropped EXE
PID:3064 -
\??\c:\7rxlrfr.exec:\7rxlrfr.exe55⤵
- Executes dropped EXE
PID:2660 -
\??\c:\bbtbtb.exec:\bbtbtb.exe56⤵
- Executes dropped EXE
PID:1064 -
\??\c:\hnbtnb.exec:\hnbtnb.exe57⤵
- Executes dropped EXE
PID:2012 -
\??\c:\9vvvp.exec:\9vvvp.exe58⤵
- Executes dropped EXE
PID:1604 -
\??\c:\5jjpv.exec:\5jjpv.exe59⤵
- Executes dropped EXE
PID:1060 -
\??\c:\xlxrlrx.exec:\xlxrlrx.exe60⤵
- Executes dropped EXE
PID:1900 -
\??\c:\tnbhnt.exec:\tnbhnt.exe61⤵
- Executes dropped EXE
PID:836 -
\??\c:\htbnnn.exec:\htbnnn.exe62⤵
- Executes dropped EXE
PID:1744 -
\??\c:\5vppv.exec:\5vppv.exe63⤵
- Executes dropped EXE
PID:1896 -
\??\c:\fxrlrlr.exec:\fxrlrlr.exe64⤵
- Executes dropped EXE
PID:1768 -
\??\c:\xfxlxlx.exec:\xfxlxlx.exe65⤵
- Executes dropped EXE
PID:920 -
\??\c:\1bnbbt.exec:\1bnbbt.exe66⤵PID:1464
-
\??\c:\jjpdj.exec:\jjpdj.exe67⤵PID:2368
-
\??\c:\7pjdv.exec:\7pjdv.exe68⤵PID:2408
-
\??\c:\xxlllrf.exec:\xxlllrf.exe69⤵PID:1076
-
\??\c:\nhnbbb.exec:\nhnbbb.exe70⤵PID:1764
-
\??\c:\hthbhb.exec:\hthbhb.exe71⤵PID:2476
-
\??\c:\9vvvp.exec:\9vvvp.exe72⤵PID:2276
-
\??\c:\7rxlrxx.exec:\7rxlrxx.exe73⤵PID:2488
-
\??\c:\ffxxfxf.exec:\ffxxfxf.exe74⤵PID:2340
-
\??\c:\3nbbhh.exec:\3nbbhh.exe75⤵PID:2264
-
\??\c:\pjdjv.exec:\pjdjv.exe76⤵PID:2336
-
\??\c:\ddddd.exec:\ddddd.exe77⤵PID:2412
-
\??\c:\llflffl.exec:\llflffl.exe78⤵PID:2688
-
\??\c:\bbbttb.exec:\bbbttb.exe79⤵
- System Location Discovery: System Language Discovery
PID:2828 -
\??\c:\7htttn.exec:\7htttn.exe80⤵PID:2720
-
\??\c:\5vjvj.exec:\5vjvj.exe81⤵PID:2860
-
\??\c:\lfffxff.exec:\lfffxff.exe82⤵PID:2560
-
\??\c:\hbnbhb.exec:\hbnbhb.exe83⤵PID:2572
-
\??\c:\hbhbhh.exec:\hbhbhh.exe84⤵PID:2568
-
\??\c:\1pjpp.exec:\1pjpp.exe85⤵PID:3052
-
\??\c:\rrfxfxf.exec:\rrfxfxf.exe86⤵PID:2396
-
\??\c:\9nbnnn.exec:\9nbnnn.exe87⤵PID:1736
-
\??\c:\pjppp.exec:\pjppp.exe88⤵PID:2040
-
\??\c:\djddj.exec:\djddj.exe89⤵PID:2852
-
\??\c:\xfxxffl.exec:\xfxxffl.exe90⤵PID:2628
-
\??\c:\tnhbnt.exec:\tnhbnt.exe91⤵
- System Location Discovery: System Language Discovery
PID:1564 -
\??\c:\hbnhnh.exec:\hbnhnh.exe92⤵PID:2896
-
\??\c:\vvjjj.exec:\vvjjj.exe93⤵PID:1628
-
\??\c:\rlrfxrr.exec:\rlrfxrr.exe94⤵PID:1436
-
\??\c:\fxrrxfr.exec:\fxrrxfr.exe95⤵PID:860
-
\??\c:\tntnnb.exec:\tntnnb.exe96⤵PID:3064
-
\??\c:\vvpdp.exec:\vvpdp.exe97⤵PID:2936
-
\??\c:\fxlxfxx.exec:\fxlxfxx.exe98⤵PID:1820
-
\??\c:\fxrxllr.exec:\fxrxllr.exe99⤵PID:112
-
\??\c:\bbtbtn.exec:\bbtbtn.exe100⤵PID:2656
-
\??\c:\pjjjp.exec:\pjjjp.exe101⤵PID:3036
-
\??\c:\dpppp.exec:\dpppp.exe102⤵PID:1456
-
\??\c:\rrllrxl.exec:\rrllrxl.exe103⤵PID:2440
-
\??\c:\hthhbb.exec:\hthhbb.exe104⤵PID:1056
-
\??\c:\3btbbb.exec:\3btbbb.exe105⤵PID:2800
-
\??\c:\vvjdv.exec:\vvjdv.exe106⤵PID:1500
-
\??\c:\9rrrrrx.exec:\9rrrrrx.exe107⤵PID:2112
-
\??\c:\flrlrrx.exec:\flrlrrx.exe108⤵PID:1464
-
\??\c:\3bnthn.exec:\3bnthn.exe109⤵PID:2128
-
\??\c:\9dppp.exec:\9dppp.exe110⤵PID:1940
-
\??\c:\frfrrfl.exec:\frfrrfl.exe111⤵PID:1096
-
\??\c:\bbbbhh.exec:\bbbbhh.exe112⤵PID:1352
-
\??\c:\hbhhnt.exec:\hbhhnt.exe113⤵PID:3004
-
\??\c:\1dvpd.exec:\1dvpd.exe114⤵PID:2316
-
\??\c:\jjvvd.exec:\jjvvd.exe115⤵PID:1556
-
\??\c:\lxlllrl.exec:\lxlllrl.exe116⤵PID:2332
-
\??\c:\nbnhnh.exec:\nbnhnh.exe117⤵PID:2652
-
\??\c:\djjjp.exec:\djjjp.exe118⤵PID:2708
-
\??\c:\dpvjp.exec:\dpvjp.exe119⤵PID:2504
-
\??\c:\llxxrrx.exec:\llxxrrx.exe120⤵PID:2412
-
\??\c:\bbtbhn.exec:\bbtbhn.exe121⤵PID:2964
-
\??\c:\9thhbt.exec:\9thhbt.exe122⤵PID:2748