Analysis
-
max time kernel
150s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 07:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe
-
Size
454KB
-
MD5
077a90a0acacb4e6ae62b1f89f6a5a9c
-
SHA1
a40c636cb09249a0e5ea47909dd52c95cdd228f5
-
SHA256
be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59
-
SHA512
d23d7773dddbd7e2e3f9da9ef4ae8e5031493b3243e02219af35d4ceababa70dab1f445099f5e6cfbd877223de4c42f99c4db4731f8c3b0ed9ae2941ead07069
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 49 IoCs
resource yara_rule behavioral1/memory/2508-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1416-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2880-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-72-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2108-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/996-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2996-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2588-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2432-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-203-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1956-201-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/916-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2552-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/288-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2548-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1480-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/672-422-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2416-425-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1100-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2116-507-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/764-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/764-535-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1740-545-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2264-556-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1576-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2868-592-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2636-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1764-646-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/536-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2164-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2420-700-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1252-738-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1704-788-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2536-801-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/288-829-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2920-870-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2600-885-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2900 ppddp.exe 1416 dvddj.exe 2880 nhttbn.exe 2612 1pdvv.exe 1044 rlffrxr.exe 1672 9ntbbh.exe 2608 ttttbb.exe 2108 fxlxfrx.exe 2888 tnhbbn.exe 1900 5vpjv.exe 996 hnthnn.exe 2996 3xlrlxf.exe 2856 nntttt.exe 1976 xfffflr.exe 2588 tbhthh.exe 2432 7rrrxlx.exe 2848 ffxrfrx.exe 592 3httnt.exe 2444 flrxfrx.exe 2424 llrrlrx.exe 1956 1jddp.exe 916 1xrrflf.exe 884 vpdvv.exe 1936 rxrxrrr.exe 3032 ddpvp.exe 1696 5hhhnt.exe 2292 pvdjv.exe 2304 bbbthh.exe 2552 jdpjj.exe 288 rllxrfr.exe 2548 nnnhhh.exe 1992 rlxxfff.exe 1544 1bhhht.exe 1480 9jddj.exe 2868 jpjjd.exe 2812 3flrxxl.exe 2768 hhbbbb.exe 2972 jpddj.exe 2780 jpddj.exe 1916 fxfxxrx.exe 2624 7nbhnn.exe 2596 bnbbbb.exe 2108 5pjvj.exe 2240 fflllff.exe 2888 9bbthn.exe 1320 ppvpp.exe 1132 jjjvd.exe 2932 llrlrrx.exe 2940 hbnthh.exe 2164 7tttnh.exe 2664 ppvvd.exe 672 xxlrxfr.exe 2416 tbnntt.exe 936 vpvdj.exe 1100 jjjjp.exe 1512 lrxlllr.exe 1208 hhtbhb.exe 1252 nhnhnn.exe 2440 9jvpd.exe 2184 lflfffl.exe 1956 7xrrrrx.exe 2492 hnbbnh.exe 1800 vjpjj.exe 932 lxllrxr.exe -
resource yara_rule behavioral1/memory/2508-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1416-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2880-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1044-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1672-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/996-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2588-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2432-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2552-272-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/288-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2548-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1480-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2108-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2416-425-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/1100-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/764-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-592-0x0000000000250000-0x000000000027A000-memory.dmp upx behavioral1/memory/2636-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2164-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1704-788-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-863-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-871-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-892-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-936-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhttbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2508 wrote to memory of 2900 2508 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 30 PID 2508 wrote to memory of 2900 2508 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 30 PID 2508 wrote to memory of 2900 2508 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 30 PID 2508 wrote to memory of 2900 2508 be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe 30 PID 2900 wrote to memory of 1416 2900 ppddp.exe 31 PID 2900 wrote to memory of 1416 2900 ppddp.exe 31 PID 2900 wrote to memory of 1416 2900 ppddp.exe 31 PID 2900 wrote to memory of 1416 2900 ppddp.exe 31 PID 1416 wrote to memory of 2880 1416 dvddj.exe 32 PID 1416 wrote to memory of 2880 1416 dvddj.exe 32 PID 1416 wrote to memory of 2880 1416 dvddj.exe 32 PID 1416 wrote to memory of 2880 1416 dvddj.exe 32 PID 2880 wrote to memory of 2612 2880 nhttbn.exe 33 PID 2880 wrote to memory of 2612 2880 nhttbn.exe 33 PID 2880 wrote to memory of 2612 2880 nhttbn.exe 33 PID 2880 wrote to memory of 2612 2880 nhttbn.exe 33 PID 2612 wrote to memory of 1044 2612 1pdvv.exe 34 PID 2612 wrote to memory of 1044 2612 1pdvv.exe 34 PID 2612 wrote to memory of 1044 2612 1pdvv.exe 34 PID 2612 wrote to memory of 1044 2612 1pdvv.exe 34 PID 1044 wrote to memory of 1672 1044 rlffrxr.exe 35 PID 1044 wrote to memory of 1672 1044 rlffrxr.exe 35 PID 1044 wrote to memory of 1672 1044 rlffrxr.exe 35 PID 1044 wrote to memory of 1672 1044 rlffrxr.exe 35 PID 1672 wrote to memory of 2608 1672 9ntbbh.exe 36 PID 1672 wrote to memory of 2608 1672 9ntbbh.exe 36 PID 1672 wrote to memory of 2608 1672 9ntbbh.exe 36 PID 1672 wrote to memory of 2608 1672 9ntbbh.exe 36 PID 2608 wrote to memory of 2108 2608 ttttbb.exe 37 PID 2608 wrote to memory of 2108 2608 ttttbb.exe 37 PID 2608 wrote to memory of 2108 2608 ttttbb.exe 37 PID 2608 wrote to memory of 2108 2608 ttttbb.exe 37 PID 2108 wrote to memory of 2888 2108 fxlxfrx.exe 38 PID 2108 wrote to 
memory of 2888 2108 fxlxfrx.exe 38 PID 2108 wrote to memory of 2888 2108 fxlxfrx.exe 38 PID 2108 wrote to memory of 2888 2108 fxlxfrx.exe 38 PID 2888 wrote to memory of 1900 2888 tnhbbn.exe 39 PID 2888 wrote to memory of 1900 2888 tnhbbn.exe 39 PID 2888 wrote to memory of 1900 2888 tnhbbn.exe 39 PID 2888 wrote to memory of 1900 2888 tnhbbn.exe 39 PID 1900 wrote to memory of 996 1900 5vpjv.exe 40 PID 1900 wrote to memory of 996 1900 5vpjv.exe 40 PID 1900 wrote to memory of 996 1900 5vpjv.exe 40 PID 1900 wrote to memory of 996 1900 5vpjv.exe 40 PID 996 wrote to memory of 2996 996 hnthnn.exe 41 PID 996 wrote to memory of 2996 996 hnthnn.exe 41 PID 996 wrote to memory of 2996 996 hnthnn.exe 41 PID 996 wrote to memory of 2996 996 hnthnn.exe 41 PID 2996 wrote to memory of 2856 2996 3xlrlxf.exe 42 PID 2996 wrote to memory of 2856 2996 3xlrlxf.exe 42 PID 2996 wrote to memory of 2856 2996 3xlrlxf.exe 42 PID 2996 wrote to memory of 2856 2996 3xlrlxf.exe 42 PID 2856 wrote to memory of 1976 2856 nntttt.exe 43 PID 2856 wrote to memory of 1976 2856 nntttt.exe 43 PID 2856 wrote to memory of 1976 2856 nntttt.exe 43 PID 2856 wrote to memory of 1976 2856 nntttt.exe 43 PID 1976 wrote to memory of 2588 1976 xfffflr.exe 44 PID 1976 wrote to memory of 2588 1976 xfffflr.exe 44 PID 1976 wrote to memory of 2588 1976 xfffflr.exe 44 PID 1976 wrote to memory of 2588 1976 xfffflr.exe 44 PID 2588 wrote to memory of 2432 2588 tbhthh.exe 45 PID 2588 wrote to memory of 2432 2588 tbhthh.exe 45 PID 2588 wrote to memory of 2432 2588 tbhthh.exe 45 PID 2588 wrote to memory of 2432 2588 tbhthh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe"C:\Users\Admin\AppData\Local\Temp\be686cd7e764701638e7fad2b6207756c62a12904c9b49d5697c16de718e3f59.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\ppddp.exec:\ppddp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\dvddj.exec:\dvddj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\nhttbn.exec:\nhttbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\1pdvv.exec:\1pdvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\rlffrxr.exec:\rlffrxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\9ntbbh.exec:\9ntbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\ttttbb.exec:\ttttbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\fxlxfrx.exec:\fxlxfrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\tnhbbn.exec:\tnhbbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\5vpjv.exec:\5vpjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\hnthnn.exec:\hnthnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\3xlrlxf.exec:\3xlrlxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\nntttt.exec:\nntttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\xfffflr.exec:\xfffflr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\tbhthh.exec:\tbhthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\7rrrxlx.exec:\7rrrxlx.exe17⤵
- Executes dropped EXE
PID:2432 -
\??\c:\ffxrfrx.exec:\ffxrfrx.exe18⤵
- Executes dropped EXE
PID:2848 -
\??\c:\3httnt.exec:\3httnt.exe19⤵
- Executes dropped EXE
PID:592 -
\??\c:\flrxfrx.exec:\flrxfrx.exe20⤵
- Executes dropped EXE
PID:2444 -
\??\c:\llrrlrx.exec:\llrrlrx.exe21⤵
- Executes dropped EXE
PID:2424 -
\??\c:\1jddp.exec:\1jddp.exe22⤵
- Executes dropped EXE
PID:1956 -
\??\c:\1xrrflf.exec:\1xrrflf.exe23⤵
- Executes dropped EXE
PID:916 -
\??\c:\vpdvv.exec:\vpdvv.exe24⤵
- Executes dropped EXE
PID:884 -
\??\c:\rxrxrrr.exec:\rxrxrrr.exe25⤵
- Executes dropped EXE
PID:1936 -
\??\c:\ddpvp.exec:\ddpvp.exe26⤵
- Executes dropped EXE
PID:3032 -
\??\c:\5hhhnt.exec:\5hhhnt.exe27⤵
- Executes dropped EXE
PID:1696 -
\??\c:\pvdjv.exec:\pvdjv.exe28⤵
- Executes dropped EXE
PID:2292 -
\??\c:\bbbthh.exec:\bbbthh.exe29⤵
- Executes dropped EXE
PID:2304 -
\??\c:\jdpjj.exec:\jdpjj.exe30⤵
- Executes dropped EXE
PID:2552 -
\??\c:\rllxrfr.exec:\rllxrfr.exe31⤵
- Executes dropped EXE
PID:288 -
\??\c:\nnnhhh.exec:\nnnhhh.exe32⤵
- Executes dropped EXE
PID:2548 -
\??\c:\rlxxfff.exec:\rlxxfff.exe33⤵
- Executes dropped EXE
PID:1992 -
\??\c:\1bhhht.exec:\1bhhht.exe34⤵
- Executes dropped EXE
PID:1544 -
\??\c:\9jddj.exec:\9jddj.exe35⤵
- Executes dropped EXE
PID:1480 -
\??\c:\jpjjd.exec:\jpjjd.exe36⤵
- Executes dropped EXE
PID:2868 -
\??\c:\3flrxxl.exec:\3flrxxl.exe37⤵
- Executes dropped EXE
PID:2812 -
\??\c:\hhbbbb.exec:\hhbbbb.exe38⤵
- Executes dropped EXE
PID:2768 -
\??\c:\jpddj.exec:\jpddj.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2972 -
\??\c:\jpddj.exec:\jpddj.exe40⤵
- Executes dropped EXE
PID:2780 -
\??\c:\fxfxxrx.exec:\fxfxxrx.exe41⤵
- Executes dropped EXE
PID:1916 -
\??\c:\7nbhnn.exec:\7nbhnn.exe42⤵
- Executes dropped EXE
PID:2624 -
\??\c:\bnbbbb.exec:\bnbbbb.exe43⤵
- Executes dropped EXE
PID:2596 -
\??\c:\5pjvj.exec:\5pjvj.exe44⤵
- Executes dropped EXE
PID:2108 -
\??\c:\fflllff.exec:\fflllff.exe45⤵
- Executes dropped EXE
PID:2240 -
\??\c:\9bbthn.exec:\9bbthn.exe46⤵
- Executes dropped EXE
PID:2888 -
\??\c:\ppvpp.exec:\ppvpp.exe47⤵
- Executes dropped EXE
PID:1320 -
\??\c:\jjjvd.exec:\jjjvd.exe48⤵
- Executes dropped EXE
PID:1132 -
\??\c:\llrlrrx.exec:\llrlrrx.exe49⤵
- Executes dropped EXE
PID:2932 -
\??\c:\hbnthh.exec:\hbnthh.exe50⤵
- Executes dropped EXE
PID:2940 -
\??\c:\7tttnh.exec:\7tttnh.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
\??\c:\ppvvd.exec:\ppvvd.exe52⤵
- Executes dropped EXE
PID:2664 -
\??\c:\xxlrxfr.exec:\xxlrxfr.exe53⤵
- Executes dropped EXE
PID:672 -
\??\c:\tbnntt.exec:\tbnntt.exe54⤵
- Executes dropped EXE
PID:2416 -
\??\c:\vpvdj.exec:\vpvdj.exe55⤵
- Executes dropped EXE
PID:936 -
\??\c:\jjjjp.exec:\jjjjp.exe56⤵
- Executes dropped EXE
PID:1100 -
\??\c:\lrxlllr.exec:\lrxlllr.exe57⤵
- Executes dropped EXE
PID:1512 -
\??\c:\hhtbhb.exec:\hhtbhb.exe58⤵
- Executes dropped EXE
PID:1208 -
\??\c:\nhnhnn.exec:\nhnhnn.exe59⤵
- Executes dropped EXE
PID:1252 -
\??\c:\9jvpd.exec:\9jvpd.exe60⤵
- Executes dropped EXE
PID:2440 -
\??\c:\lflfffl.exec:\lflfffl.exe61⤵
- Executes dropped EXE
PID:2184 -
\??\c:\7xrrrrx.exec:\7xrrrrx.exe62⤵
- Executes dropped EXE
PID:1956 -
\??\c:\hnbbnh.exec:\hnbbnh.exe63⤵
- Executes dropped EXE
PID:2492 -
\??\c:\vjpjj.exec:\vjpjj.exe64⤵
- Executes dropped EXE
PID:1800 -
\??\c:\lxllrxr.exec:\lxllrxr.exe65⤵
- Executes dropped EXE
PID:932 -
\??\c:\7rlrxxl.exec:\7rlrxxl.exe66⤵PID:2116
-
\??\c:\ttbbbh.exec:\ttbbbh.exe67⤵PID:2012
-
\??\c:\vpvdd.exec:\vpvdd.exe68⤵PID:1756
-
\??\c:\7flfffl.exec:\7flfffl.exe69⤵PID:2536
-
\??\c:\xxxrfff.exec:\xxxrfff.exe70⤵PID:3012
-
\??\c:\5ntntt.exec:\5ntntt.exe71⤵PID:764
-
\??\c:\hhntbb.exec:\hhntbb.exe72⤵PID:1740
-
\??\c:\jpvvv.exec:\jpvvv.exe73⤵PID:1500
-
\??\c:\xfrrxxl.exec:\xfrrxxl.exe74⤵PID:2264
-
\??\c:\bthnhh.exec:\bthnhh.exe75⤵PID:1576
-
\??\c:\1thnnn.exec:\1thnnn.exe76⤵PID:2824
-
\??\c:\3djdj.exec:\3djdj.exe77⤵PID:1416
-
\??\c:\xrfxllr.exec:\xrfxllr.exe78⤵PID:2876
-
\??\c:\1rxrrrx.exec:\1rxrrrx.exe79⤵PID:2868
-
\??\c:\ttthbh.exec:\ttthbh.exe80⤵PID:2908
-
\??\c:\dddjj.exec:\dddjj.exe81⤵PID:2140
-
\??\c:\ppdvd.exec:\ppdvd.exe82⤵PID:2800
-
\??\c:\flrllrf.exec:\flrllrf.exe83⤵PID:2636
-
\??\c:\5hbttb.exec:\5hbttb.exe84⤵PID:2648
-
\??\c:\hhnnhn.exec:\hhnnhn.exe85⤵PID:2608
-
\??\c:\pjjdj.exec:\pjjdj.exe86⤵PID:1260
-
\??\c:\3lrxxxx.exec:\3lrxxxx.exe87⤵PID:1764
-
\??\c:\7frxxff.exec:\7frxxff.exe88⤵PID:1608
-
\??\c:\tntbnt.exec:\tntbnt.exe89⤵PID:1984
-
\??\c:\dvvdj.exec:\dvvdj.exe90⤵PID:536
-
\??\c:\ddvvv.exec:\ddvvv.exe91⤵PID:3068
-
\??\c:\rrrrxrf.exec:\rrrrxrf.exe92⤵PID:2952
-
\??\c:\hhtnbt.exec:\hhtnbt.exe93⤵PID:2164
-
\??\c:\ppddj.exec:\ppddj.exe94⤵PID:1276
-
\??\c:\1xfllrx.exec:\1xfllrx.exe95⤵PID:2420
-
\??\c:\3xlxxrr.exec:\3xlxxrr.exe96⤵PID:2404
-
\??\c:\ttnttn.exec:\ttnttn.exe97⤵PID:2080
-
\??\c:\vjppv.exec:\vjppv.exe98⤵PID:592
-
\??\c:\lffxxrr.exec:\lffxxrr.exe99⤵PID:2480
-
\??\c:\rrxrfff.exec:\rrxrfff.exe100⤵PID:2324
-
\??\c:\hhhhnn.exec:\hhhhnn.exe101⤵PID:1252
-
\??\c:\jddpv.exec:\jddpv.exe102⤵PID:2204
-
\??\c:\jdddj.exec:\jdddj.exe103⤵PID:3008
-
\??\c:\llrxxfl.exec:\llrxxfl.exe104⤵PID:1956
-
\??\c:\3bnntt.exec:\3bnntt.exe105⤵PID:2864
-
\??\c:\nttbtb.exec:\nttbtb.exe106⤵PID:2028
-
\??\c:\5jppv.exec:\5jppv.exe107⤵PID:264
-
\??\c:\rrxrllr.exec:\rrxrllr.exe108⤵PID:1796
-
\??\c:\9rfxllr.exec:\9rfxllr.exe109⤵PID:1704
-
\??\c:\3ththh.exec:\3ththh.exe110⤵PID:2160
-
\??\c:\1ddjj.exec:\1ddjj.exe111⤵PID:2536
-
\??\c:\dvvdd.exec:\dvvdd.exe112⤵PID:3012
-
\??\c:\rlxrxxf.exec:\rlxrxxf.exe113⤵PID:1888
-
\??\c:\tttbtn.exec:\tttbtn.exe114⤵PID:1740
-
\??\c:\ddjpp.exec:\ddjpp.exe115⤵PID:288
-
\??\c:\dvvpj.exec:\dvvpj.exe116⤵PID:2544
-
\??\c:\xrlrxxl.exec:\xrlrxxl.exe117⤵PID:1552
-
\??\c:\bthhth.exec:\bthhth.exe118⤵PID:2832
-
\??\c:\htbhtb.exec:\htbhtb.exe119⤵PID:1416
-
\??\c:\ppvdj.exec:\ppvdj.exe120⤵PID:2872
-
\??\c:\5xllrxl.exec:\5xllrxl.exe121⤵PID:2920
-
\??\c:\9nhhtn.exec:\9nhhtn.exe122⤵PID:2908