Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe
-
Size
454KB
-
MD5
75aa1d13efe8ce777c478382731b8c5f
-
SHA1
8d7bf8d1a58dcb7af52d27ec1b1464148130efe2
-
SHA256
672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58
-
SHA512
5230fa37af838d002b7471a5443b8a12bcd1c573f98e28f4a3983017498aa42468bf3a14f4955822445faa6d274ab4b1ac98514397e7758779ac35413aa31c59
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeG:q7Tc2NYHUrAwfMp3CDG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs (each IoC is a memory dump of one process, written as PID-offset-address-range; the same 0x400000–0x42A000 regions also match the upx rule listed under "Executes dropped EXE", so the family match is on the in-memory image of each stage, not on the file as it sits on disk)
resource yara_rule behavioral1/memory/2540-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/264-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2428-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2696-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2856-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2628-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/824-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2004-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2144-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1896-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1116-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2700-173-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2700-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2236-207-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1276-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1952-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/868-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1776-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1520-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2544-308-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2544-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2360-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1628-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-444-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1700-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1916-510-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2196-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2252-564-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/944-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-721-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2432-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1908-774-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1908-772-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1648-963-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2328-1004-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2960-1012-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1464-1063-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2232-1271-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2840-1312-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the report appears to cap each signature's IoC list at 64 entries; the process tree below continues to depth 122, so this list is truncated rather than complete. Every dropped binary is launched from the root of C:\ under a short name built from the letters t, n, h, b, j, d, p, v, x, r, f, l, sometimes with a leading digit — a usable hunting pattern for this dropper chain.)
pid Process 2540 tnhhnt.exe 2428 7hhhhh.exe 2696 jdpvj.exe 2904 bhthnt.exe 2296 xrxxffr.exe 2856 lfrxlxf.exe 2628 1tbhth.exe 2044 lrflflx.exe 2680 9vpdj.exe 824 fxrfxfx.exe 2004 7nhtbh.exe 1716 7rxxffl.exe 2144 5jppv.exe 1896 flrlrlr.exe 1116 1lflrfr.exe 2808 vpjpd.exe 2152 nbntbb.exe 2700 djdvj.exe 2140 xxrlxff.exe 408 3jpvd.exe 2236 xrlrffl.exe 1276 jdvdd.exe 1952 tnbbhh.exe 892 vjvdp.exe 2244 xxrxlrx.exe 868 thhnhb.exe 796 llxxflx.exe 2592 nnhtbh.exe 1776 lrfxfrx.exe 756 nhtbnn.exe 2460 frxrxxf.exe 1520 rrfrffr.exe 2544 dvjjj.exe 3012 llxxfxf.exe 2056 nhthnn.exe 2096 3ppvv.exe 2900 1vdvv.exe 2904 xlxfllx.exe 2756 fxrfxfr.exe 2880 btnthh.exe 2632 vpjjp.exe 2744 xrrxfxl.exe 2624 xxrlxxr.exe 2932 btthhh.exe 476 dvdvj.exe 2416 vvvjp.exe 2360 xlflxrx.exe 1712 7tnnbb.exe 2016 1htntb.exe 2500 dvjpv.exe 1912 flxrxxl.exe 1628 lxrfffx.exe 1664 hhbhtt.exe 2828 1pjjv.exe 2328 vjdvv.exe 2960 frxrxxf.exe 840 bhtbnh.exe 1700 vpdjj.exe 1176 5jdvv.exe 1656 llfrrxf.exe 596 thbtbt.exe 2164 tnnnbb.exe 1276 5jvpv.exe 2784 lxxfllx.exe -
resource yara_rule behavioral1/memory/2540-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/264-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2696-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2856-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2628-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/824-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2144-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1896-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1116-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-279-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2460-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1520-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2544-308-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2544-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2360-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1628-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1176-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1916-510-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2244-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1776-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2196-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2428-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/944-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-721-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2432-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2512-835-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2768-891-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2872-898-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-923-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-1043-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1464-1063-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-1113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2664-1223-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2840-1312-0x00000000001B0000-0x00000000001DA000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat for triage: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by ordinary locale-aware code, so on its own this is weak evidence of targeting; and the many "Process not Found" entries below mean the sandbox could not attribute the key open to a process it was still tracking (the short-lived stages exit quickly), not that no process performed it.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrflxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xllrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each target PID here is the direct child shown in the process tree below — e.g. 264 → 2540, 2540 → 2428 — and the write is repeated four times per pair, which is consistent with a parent launching its freshly created child rather than injecting into an unrelated process; the list is again truncated at 64 entries)
description pid Process procid_target PID 264 wrote to memory of 2540 264 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 31 PID 264 wrote to memory of 2540 264 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 31 PID 264 wrote to memory of 2540 264 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 31 PID 264 wrote to memory of 2540 264 672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe 31 PID 2540 wrote to memory of 2428 2540 tnhhnt.exe 32 PID 2540 wrote to memory of 2428 2540 tnhhnt.exe 32 PID 2540 wrote to memory of 2428 2540 tnhhnt.exe 32 PID 2540 wrote to memory of 2428 2540 tnhhnt.exe 32 PID 2428 wrote to memory of 2696 2428 7hhhhh.exe 33 PID 2428 wrote to memory of 2696 2428 7hhhhh.exe 33 PID 2428 wrote to memory of 2696 2428 7hhhhh.exe 33 PID 2428 wrote to memory of 2696 2428 7hhhhh.exe 33 PID 2696 wrote to memory of 2904 2696 jdpvj.exe 34 PID 2696 wrote to memory of 2904 2696 jdpvj.exe 34 PID 2696 wrote to memory of 2904 2696 jdpvj.exe 34 PID 2696 wrote to memory of 2904 2696 jdpvj.exe 34 PID 2904 wrote to memory of 2296 2904 bhthnt.exe 35 PID 2904 wrote to memory of 2296 2904 bhthnt.exe 35 PID 2904 wrote to memory of 2296 2904 bhthnt.exe 35 PID 2904 wrote to memory of 2296 2904 bhthnt.exe 35 PID 2296 wrote to memory of 2856 2296 xrxxffr.exe 36 PID 2296 wrote to memory of 2856 2296 xrxxffr.exe 36 PID 2296 wrote to memory of 2856 2296 xrxxffr.exe 36 PID 2296 wrote to memory of 2856 2296 xrxxffr.exe 36 PID 2856 wrote to memory of 2628 2856 lfrxlxf.exe 37 PID 2856 wrote to memory of 2628 2856 lfrxlxf.exe 37 PID 2856 wrote to memory of 2628 2856 lfrxlxf.exe 37 PID 2856 wrote to memory of 2628 2856 lfrxlxf.exe 37 PID 2628 wrote to memory of 2044 2628 1tbhth.exe 38 PID 2628 wrote to memory of 2044 2628 1tbhth.exe 38 PID 2628 wrote to memory of 2044 2628 1tbhth.exe 38 PID 2628 wrote to memory of 2044 2628 1tbhth.exe 38 PID 2044 wrote to memory of 2680 2044 lrflflx.exe 39 PID 2044 wrote 
to memory of 2680 2044 lrflflx.exe 39 PID 2044 wrote to memory of 2680 2044 lrflflx.exe 39 PID 2044 wrote to memory of 2680 2044 lrflflx.exe 39 PID 2680 wrote to memory of 824 2680 9vpdj.exe 40 PID 2680 wrote to memory of 824 2680 9vpdj.exe 40 PID 2680 wrote to memory of 824 2680 9vpdj.exe 40 PID 2680 wrote to memory of 824 2680 9vpdj.exe 40 PID 824 wrote to memory of 2004 824 fxrfxfx.exe 41 PID 824 wrote to memory of 2004 824 fxrfxfx.exe 41 PID 824 wrote to memory of 2004 824 fxrfxfx.exe 41 PID 824 wrote to memory of 2004 824 fxrfxfx.exe 41 PID 2004 wrote to memory of 1716 2004 7nhtbh.exe 42 PID 2004 wrote to memory of 1716 2004 7nhtbh.exe 42 PID 2004 wrote to memory of 1716 2004 7nhtbh.exe 42 PID 2004 wrote to memory of 1716 2004 7nhtbh.exe 42 PID 1716 wrote to memory of 2144 1716 7rxxffl.exe 43 PID 1716 wrote to memory of 2144 1716 7rxxffl.exe 43 PID 1716 wrote to memory of 2144 1716 7rxxffl.exe 43 PID 1716 wrote to memory of 2144 1716 7rxxffl.exe 43 PID 2144 wrote to memory of 1896 2144 5jppv.exe 44 PID 2144 wrote to memory of 1896 2144 5jppv.exe 44 PID 2144 wrote to memory of 1896 2144 5jppv.exe 44 PID 2144 wrote to memory of 1896 2144 5jppv.exe 44 PID 1896 wrote to memory of 1116 1896 flrlrlr.exe 45 PID 1896 wrote to memory of 1116 1896 flrlrlr.exe 45 PID 1896 wrote to memory of 1116 1896 flrlrlr.exe 45 PID 1896 wrote to memory of 1116 1896 flrlrlr.exe 45 PID 1116 wrote to memory of 2808 1116 1lflrfr.exe 46 PID 1116 wrote to memory of 2808 1116 1lflrfr.exe 46 PID 1116 wrote to memory of 2808 1116 1lflrfr.exe 46 PID 1116 wrote to memory of 2808 1116 1lflrfr.exe 46
Processes (a linear parent→child chain: each stage drops and launches the next. Note that PIDs are reused within the run — e.g. PID 2904 appears at depth 5 and depth 39, PID 1276 at depth 23 and depth 64 — so when correlating the IoC lists above with this tree, match on PID plus process name and the dump's time offset, not on PID alone.)
-
C:\Users\Admin\AppData\Local\Temp\672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe"C:\Users\Admin\AppData\Local\Temp\672450d2c7364dfdee437a9e900733abf9f8079eaca93aeae93d64e022fe9b58.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:264 -
\??\c:\tnhhnt.exec:\tnhhnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\7hhhhh.exec:\7hhhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\jdpvj.exec:\jdpvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\bhthnt.exec:\bhthnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\xrxxffr.exec:\xrxxffr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\lfrxlxf.exec:\lfrxlxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\1tbhth.exec:\1tbhth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\lrflflx.exec:\lrflflx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\9vpdj.exec:\9vpdj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\fxrfxfx.exec:\fxrfxfx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\7nhtbh.exec:\7nhtbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\7rxxffl.exec:\7rxxffl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\5jppv.exec:\5jppv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\flrlrlr.exec:\flrlrlr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\1lflrfr.exec:\1lflrfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\vpjpd.exec:\vpjpd.exe17⤵
- Executes dropped EXE
PID:2808 -
\??\c:\nbntbb.exec:\nbntbb.exe18⤵
- Executes dropped EXE
PID:2152 -
\??\c:\djdvj.exec:\djdvj.exe19⤵
- Executes dropped EXE
PID:2700 -
\??\c:\xxrlxff.exec:\xxrlxff.exe20⤵
- Executes dropped EXE
PID:2140 -
\??\c:\3jpvd.exec:\3jpvd.exe21⤵
- Executes dropped EXE
PID:408 -
\??\c:\xrlrffl.exec:\xrlrffl.exe22⤵
- Executes dropped EXE
PID:2236 -
\??\c:\jdvdd.exec:\jdvdd.exe23⤵
- Executes dropped EXE
PID:1276 -
\??\c:\tnbbhh.exec:\tnbbhh.exe24⤵
- Executes dropped EXE
PID:1952 -
\??\c:\vjvdp.exec:\vjvdp.exe25⤵
- Executes dropped EXE
PID:892 -
\??\c:\xxrxlrx.exec:\xxrxlrx.exe26⤵
- Executes dropped EXE
PID:2244 -
\??\c:\thhnhb.exec:\thhnhb.exe27⤵
- Executes dropped EXE
PID:868 -
\??\c:\llxxflx.exec:\llxxflx.exe28⤵
- Executes dropped EXE
PID:796 -
\??\c:\nnhtbh.exec:\nnhtbh.exe29⤵
- Executes dropped EXE
PID:2592 -
\??\c:\lrfxfrx.exec:\lrfxfrx.exe30⤵
- Executes dropped EXE
PID:1776 -
\??\c:\nhtbnn.exec:\nhtbnn.exe31⤵
- Executes dropped EXE
PID:756 -
\??\c:\frxrxxf.exec:\frxrxxf.exe32⤵
- Executes dropped EXE
PID:2460 -
\??\c:\rrfrffr.exec:\rrfrffr.exe33⤵
- Executes dropped EXE
PID:1520 -
\??\c:\dvjjj.exec:\dvjjj.exe34⤵
- Executes dropped EXE
PID:2544 -
\??\c:\llxxfxf.exec:\llxxfxf.exe35⤵
- Executes dropped EXE
PID:3012 -
\??\c:\nhthnn.exec:\nhthnn.exe36⤵
- Executes dropped EXE
PID:2056 -
\??\c:\3ppvv.exec:\3ppvv.exe37⤵
- Executes dropped EXE
PID:2096 -
\??\c:\1vdvv.exec:\1vdvv.exe38⤵
- Executes dropped EXE
PID:2900 -
\??\c:\xlxfllx.exec:\xlxfllx.exe39⤵
- Executes dropped EXE
PID:2904 -
\??\c:\fxrfxfr.exec:\fxrfxfr.exe40⤵
- Executes dropped EXE
PID:2756 -
\??\c:\btnthh.exec:\btnthh.exe41⤵
- Executes dropped EXE
PID:2880 -
\??\c:\vpjjp.exec:\vpjjp.exe42⤵
- Executes dropped EXE
PID:2632 -
\??\c:\xrrxfxl.exec:\xrrxfxl.exe43⤵
- Executes dropped EXE
PID:2744 -
\??\c:\xxrlxxr.exec:\xxrlxxr.exe44⤵
- Executes dropped EXE
PID:2624 -
\??\c:\btthhh.exec:\btthhh.exe45⤵
- Executes dropped EXE
PID:2932 -
\??\c:\dvdvj.exec:\dvdvj.exe46⤵
- Executes dropped EXE
PID:476 -
\??\c:\vvvjp.exec:\vvvjp.exe47⤵
- Executes dropped EXE
PID:2416 -
\??\c:\xlflxrx.exec:\xlflxrx.exe48⤵
- Executes dropped EXE
PID:2360 -
\??\c:\7tnnbb.exec:\7tnnbb.exe49⤵
- Executes dropped EXE
PID:1712 -
\??\c:\1htntb.exec:\1htntb.exe50⤵
- Executes dropped EXE
PID:2016 -
\??\c:\dvjpv.exec:\dvjpv.exe51⤵
- Executes dropped EXE
PID:2500 -
\??\c:\flxrxxl.exec:\flxrxxl.exe52⤵
- Executes dropped EXE
PID:1912 -
\??\c:\lxrfffx.exec:\lxrfffx.exe53⤵
- Executes dropped EXE
PID:1628 -
\??\c:\hhbhtt.exec:\hhbhtt.exe54⤵
- Executes dropped EXE
PID:1664 -
\??\c:\1pjjv.exec:\1pjjv.exe55⤵
- Executes dropped EXE
PID:2828 -
\??\c:\vjdvv.exec:\vjdvv.exe56⤵
- Executes dropped EXE
PID:2328 -
\??\c:\frxrxxf.exec:\frxrxxf.exe57⤵
- Executes dropped EXE
PID:2960 -
\??\c:\bhtbnh.exec:\bhtbnh.exe58⤵
- Executes dropped EXE
PID:840 -
\??\c:\vpdjj.exec:\vpdjj.exe59⤵
- Executes dropped EXE
PID:1700 -
\??\c:\5jdvv.exec:\5jdvv.exe60⤵
- Executes dropped EXE
PID:1176 -
\??\c:\llfrrxf.exec:\llfrrxf.exe61⤵
- Executes dropped EXE
PID:1656 -
\??\c:\thbtbt.exec:\thbtbt.exe62⤵
- Executes dropped EXE
PID:596 -
\??\c:\tnnnbb.exec:\tnnnbb.exe63⤵
- Executes dropped EXE
PID:2164 -
\??\c:\5jvpv.exec:\5jvpv.exe64⤵
- Executes dropped EXE
PID:1276 -
\??\c:\lxxfllx.exec:\lxxfllx.exe65⤵
- Executes dropped EXE
PID:2784 -
\??\c:\1rfrxrf.exec:\1rfrxrf.exe66⤵PID:1916
-
\??\c:\1thntb.exec:\1thntb.exe67⤵PID:892
-
\??\c:\pdjvv.exec:\pdjvv.exe68⤵PID:2244
-
\??\c:\9rlrrxf.exec:\9rlrrxf.exe69⤵PID:2280
-
\??\c:\rlflrxx.exec:\rlflrxx.exe70⤵PID:328
-
\??\c:\hbnnbb.exec:\hbnnbb.exe71⤵PID:1280
-
\??\c:\dvjvd.exec:\dvjvd.exe72⤵PID:2196
-
\??\c:\jjjdj.exec:\jjjdj.exe73⤵PID:1776
-
\??\c:\5frxlrf.exec:\5frxlrf.exe74⤵PID:2252
-
\??\c:\tnbhbh.exec:\tnbhbh.exe75⤵PID:2112
-
\??\c:\pjjjp.exec:\pjjjp.exe76⤵PID:2516
-
\??\c:\pvppp.exec:\pvppp.exe77⤵PID:2368
-
\??\c:\3rrflrr.exec:\3rrflrr.exe78⤵PID:2544
-
\??\c:\nhnntb.exec:\nhnntb.exe79⤵PID:2428
-
\??\c:\vpddd.exec:\vpddd.exe80⤵PID:2056
-
\??\c:\jdpvv.exec:\jdpvv.exe81⤵PID:2748
-
\??\c:\5rxrllr.exec:\5rxrllr.exe82⤵PID:2908
-
\??\c:\thbhtt.exec:\thbhtt.exe83⤵PID:2892
-
\??\c:\bthhnn.exec:\bthhnn.exe84⤵PID:2756
-
\??\c:\vpjjp.exec:\vpjjp.exe85⤵PID:2880
-
\??\c:\fxllllr.exec:\fxllllr.exe86⤵PID:2996
-
\??\c:\7rfllrx.exec:\7rfllrx.exe87⤵PID:2636
-
\??\c:\nbnnnn.exec:\nbnnnn.exe88⤵PID:2044
-
\??\c:\vpjpp.exec:\vpjpp.exe89⤵PID:944
-
\??\c:\dvjpd.exec:\dvjpd.exe90⤵PID:1900
-
\??\c:\xrrrflr.exec:\xrrrflr.exe91⤵PID:1704
-
\??\c:\1tnhtb.exec:\1tnhtb.exe92⤵PID:2664
-
\??\c:\bbtbnt.exec:\bbtbnt.exe93⤵PID:2128
-
\??\c:\ddjpd.exec:\ddjpd.exe94⤵PID:1644
-
\??\c:\7xlxflr.exec:\7xlxflr.exe95⤵PID:1872
-
\??\c:\fxffffl.exec:\fxffffl.exe96⤵PID:380
-
\??\c:\btnnbt.exec:\btnnbt.exe97⤵PID:2852
-
\??\c:\pjvvp.exec:\pjvvp.exe98⤵PID:2844
-
\??\c:\3dpjp.exec:\3dpjp.exe99⤵PID:2168
-
\??\c:\fxllfxf.exec:\fxllfxf.exe100⤵PID:1036
-
\??\c:\xrxflrx.exec:\xrxflrx.exe101⤵PID:2432
-
\??\c:\3ntthh.exec:\3ntthh.exe102⤵PID:864
-
\??\c:\3pjjp.exec:\3pjjp.exe103⤵PID:1396
-
\??\c:\1jdvj.exec:\1jdvj.exe104⤵PID:3044
-
\??\c:\9rllxff.exec:\9rllxff.exe105⤵PID:692
-
\??\c:\3htbnn.exec:\3htbnn.exe106⤵PID:1772
-
\??\c:\tnhnbb.exec:\tnhnbb.exe107⤵PID:1908
-
\??\c:\dvdpd.exec:\dvdpd.exe108⤵PID:1920
-
\??\c:\5xrxlrl.exec:\5xrxlrl.exe109⤵PID:2948
-
\??\c:\xrfxfxf.exec:\xrfxfxf.exe110⤵PID:1212
-
\??\c:\9thntt.exec:\9thntt.exe111⤵PID:2212
-
\??\c:\1vjjp.exec:\1vjjp.exe112⤵PID:728
-
\??\c:\3ddvd.exec:\3ddvd.exe113⤵PID:1432
-
\??\c:\xrflrrx.exec:\xrflrrx.exe114⤵PID:2476
-
\??\c:\hthnbt.exec:\hthnbt.exe115⤵PID:2256
-
\??\c:\tnbhbb.exec:\tnbhbb.exe116⤵PID:2300
-
\??\c:\jjdjv.exec:\jjdjv.exe117⤵PID:884
-
\??\c:\rffxlll.exec:\rffxlll.exe118⤵PID:2512
-
\??\c:\5fllrxf.exec:\5fllrxf.exe119⤵PID:1608
-
\??\c:\nhthtt.exec:\nhthtt.exe120⤵PID:2112
-
\??\c:\jvjjp.exec:\jvjjp.exe121⤵PID:2356
-
\??\c:\pdvpv.exec:\pdvpv.exe122⤵PID:2368