Analysis
-
max time kernel
150s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 04:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe
-
Size
454KB
-
MD5
e1ec185ebf4ca0fc093c485aad0db828
-
SHA1
90dcf7c45ea9d563955a84b5239a44fb9e055cd7
-
SHA256
98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2
-
SHA512
be0160ead2fa54ef5e9a56a20a6ea4810528db2a4e9f63de7c03ebb88e1ab9f5851479acffcc7cdfa8b9b38ac3bc66ef79eda4250ca60369c930af3c51f50dfd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeg:q7Tc2NYHUrAwfMp3CDg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 40 IoCs
resource yara_rule behavioral1/memory/2824-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2848-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3008-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2284-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2792-72-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1128-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2148-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2316-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-115-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2916-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/836-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2124-169-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2364-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1688-212-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1688-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/1364-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/540-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/520-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2984-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2820-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2772-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/892-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1824-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/840-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2452-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1848-571-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/2376-578-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1184-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-656-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2412-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1700-829-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2824 bnrtl.exe 3008 nxvxt.exe 2848 pppdtl.exe 2284 nhhvj.exe 2756 bhxxjb.exe 2716 hbtnlrh.exe 2792 lrpvf.exe 1128 hxpbnnf.exe 2148 bdtnxbf.exe 2316 dfbvxbn.exe 1252 rbtdf.exe 2916 brrhj.exe 856 vbpbf.exe 1952 pjljt.exe 1868 nvvnht.exe 836 frvfjtj.exe 2124 rrffbd.exe 2192 bpndbf.exe 2520 dlbtrtl.exe 2668 nbjjr.exe 2364 tfjrbp.exe 1688 fdhtn.exe 604 pnhbpxx.exe 1300 tjjfbj.exe 1784 lntrdnp.exe 1516 xtbbjr.exe 1364 flrdt.exe 540 rplvrf.exe 912 lfnbnn.exe 1384 hjrvrt.exe 520 pnnddj.exe 2392 bfvpx.exe 2432 vbxdj.exe 2864 vxfbj.exe 1572 tjdfp.exe 2872 hjbnvvd.exe 2984 rpjjppd.exe 2820 pjbnh.exe 3032 rlpnfd.exe 2284 bhvhrdf.exe 2888 lfxrjdf.exe 2772 jhxtvf.exe 2560 fnjhj.exe 328 vpvnj.exe 872 lhxlttv.exe 1736 hprjh.exe 968 vxbnjv.exe 2960 rtfrf.exe 2952 djnfflj.exe 2280 trbldbd.exe 1360 btftvdd.exe 2396 htfljvf.exe 892 hdnljf.exe 1088 rttjr.exe 1824 jbdxdr.exe 840 tbvjl.exe 2452 pbjhnpv.exe 904 ffhdh.exe 2408 nvvnf.exe 1732 pvtbtrv.exe 1036 jvxpt.exe 944 dvdfpn.exe 1872 ltnbhx.exe 600 hrpprfp.exe -
resource yara_rule behavioral1/memory/2824-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2848-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3008-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2756-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2284-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1128-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1128-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2316-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/836-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2124-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2364-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1688-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/540-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/520-286-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2392-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2984-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2820-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3032-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2772-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2560-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/892-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1824-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/840-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2452-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1564-617-0x00000000002A0000-0x00000000002CA000-memory.dmp upx behavioral1/memory/2896-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1184-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2412-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-829-0x0000000000320000-0x000000000034A000-memory.dmp upx behavioral1/memory/2720-933-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnjvpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntfflln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvtlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bfvnjjr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvrllv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vflfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jldbbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fjtdhhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hlrfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hlvtjxp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnrjbv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fnbhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dnlbtdt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fhrvph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbjjr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ldfxv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vhrljb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ftvvxbv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jxdpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pbbrbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdbjbx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dhnjtbv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jxnfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jfhdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nfttx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfprrhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dlppl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htlxntf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpbrlhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2808 wrote to memory of 2824 2808 98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe 29 PID 2808 wrote to memory of 2824 2808 98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe 29 PID 2808 wrote to memory of 2824 2808 98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe 29 PID 2808 wrote to memory of 2824 2808 98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe 29 PID 2824 wrote to memory of 3008 2824 bnrtl.exe 30 PID 2824 wrote to memory of 3008 2824 bnrtl.exe 30 PID 2824 wrote to memory of 3008 2824 bnrtl.exe 30 PID 2824 wrote to memory of 3008 2824 bnrtl.exe 30 PID 3008 wrote to memory of 2848 3008 nxvxt.exe 31 PID 3008 wrote to memory of 2848 3008 nxvxt.exe 31 PID 3008 wrote to memory of 2848 3008 nxvxt.exe 31 PID 3008 wrote to memory of 2848 3008 nxvxt.exe 31 PID 2848 wrote to memory of 2284 2848 pppdtl.exe 32 PID 2848 wrote to memory of 2284 2848 pppdtl.exe 32 PID 2848 wrote to memory of 2284 2848 pppdtl.exe 32 PID 2848 wrote to memory of 2284 2848 pppdtl.exe 32 PID 2284 wrote to memory of 2756 2284 nhhvj.exe 33 PID 2284 wrote to memory of 2756 2284 nhhvj.exe 33 PID 2284 wrote to memory of 2756 2284 nhhvj.exe 33 PID 2284 wrote to memory of 2756 2284 nhhvj.exe 33 PID 2756 wrote to memory of 2716 2756 bhxxjb.exe 34 PID 2756 wrote to memory of 2716 2756 bhxxjb.exe 34 PID 2756 wrote to memory of 2716 2756 bhxxjb.exe 34 PID 2756 wrote to memory of 2716 2756 bhxxjb.exe 34 PID 2716 wrote to memory of 2792 2716 hbtnlrh.exe 35 PID 2716 wrote to memory of 2792 2716 hbtnlrh.exe 35 PID 2716 wrote to memory of 2792 2716 hbtnlrh.exe 35 PID 2716 wrote to memory of 2792 2716 hbtnlrh.exe 35 PID 2792 wrote to memory of 1128 2792 lrpvf.exe 36 PID 2792 wrote to memory of 1128 2792 lrpvf.exe 36 PID 2792 wrote to memory of 1128 2792 lrpvf.exe 36 PID 2792 wrote to memory of 1128 2792 lrpvf.exe 36 PID 1128 wrote to memory of 2148 1128 hxpbnnf.exe 37 PID 1128 wrote to memory 
of 2148 1128 hxpbnnf.exe 37 PID 1128 wrote to memory of 2148 1128 hxpbnnf.exe 37 PID 1128 wrote to memory of 2148 1128 hxpbnnf.exe 37 PID 2148 wrote to memory of 2316 2148 bdtnxbf.exe 38 PID 2148 wrote to memory of 2316 2148 bdtnxbf.exe 38 PID 2148 wrote to memory of 2316 2148 bdtnxbf.exe 38 PID 2148 wrote to memory of 2316 2148 bdtnxbf.exe 38 PID 2316 wrote to memory of 1252 2316 dfbvxbn.exe 39 PID 2316 wrote to memory of 1252 2316 dfbvxbn.exe 39 PID 2316 wrote to memory of 1252 2316 dfbvxbn.exe 39 PID 2316 wrote to memory of 1252 2316 dfbvxbn.exe 39 PID 1252 wrote to memory of 2916 1252 rbtdf.exe 40 PID 1252 wrote to memory of 2916 1252 rbtdf.exe 40 PID 1252 wrote to memory of 2916 1252 rbtdf.exe 40 PID 1252 wrote to memory of 2916 1252 rbtdf.exe 40 PID 2916 wrote to memory of 856 2916 brrhj.exe 41 PID 2916 wrote to memory of 856 2916 brrhj.exe 41 PID 2916 wrote to memory of 856 2916 brrhj.exe 41 PID 2916 wrote to memory of 856 2916 brrhj.exe 41 PID 856 wrote to memory of 1952 856 vbpbf.exe 42 PID 856 wrote to memory of 1952 856 vbpbf.exe 42 PID 856 wrote to memory of 1952 856 vbpbf.exe 42 PID 856 wrote to memory of 1952 856 vbpbf.exe 42 PID 1952 wrote to memory of 1868 1952 pjljt.exe 43 PID 1952 wrote to memory of 1868 1952 pjljt.exe 43 PID 1952 wrote to memory of 1868 1952 pjljt.exe 43 PID 1952 wrote to memory of 1868 1952 pjljt.exe 43 PID 1868 wrote to memory of 836 1868 nvvnht.exe 44 PID 1868 wrote to memory of 836 1868 nvvnht.exe 44 PID 1868 wrote to memory of 836 1868 nvvnht.exe 44 PID 1868 wrote to memory of 836 1868 nvvnht.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe"C:\Users\Admin\AppData\Local\Temp\98c9c0797954f0521d3eed50448cacfba1296265f3e9722906790a1e573442b2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\bnrtl.exec:\bnrtl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\nxvxt.exec:\nxvxt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\pppdtl.exec:\pppdtl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\nhhvj.exec:\nhhvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\bhxxjb.exec:\bhxxjb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\hbtnlrh.exec:\hbtnlrh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\lrpvf.exec:\lrpvf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\hxpbnnf.exec:\hxpbnnf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\bdtnxbf.exec:\bdtnxbf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\dfbvxbn.exec:\dfbvxbn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\rbtdf.exec:\rbtdf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\brrhj.exec:\brrhj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\vbpbf.exec:\vbpbf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\pjljt.exec:\pjljt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\nvvnht.exec:\nvvnht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\frvfjtj.exec:\frvfjtj.exe17⤵
- Executes dropped EXE
PID:836 -
\??\c:\rrffbd.exec:\rrffbd.exe18⤵
- Executes dropped EXE
PID:2124 -
\??\c:\bpndbf.exec:\bpndbf.exe19⤵
- Executes dropped EXE
PID:2192 -
\??\c:\dlbtrtl.exec:\dlbtrtl.exe20⤵
- Executes dropped EXE
PID:2520 -
\??\c:\nbjjr.exec:\nbjjr.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2668 -
\??\c:\tfjrbp.exec:\tfjrbp.exe22⤵
- Executes dropped EXE
PID:2364 -
\??\c:\fdhtn.exec:\fdhtn.exe23⤵
- Executes dropped EXE
PID:1688 -
\??\c:\pnhbpxx.exec:\pnhbpxx.exe24⤵
- Executes dropped EXE
PID:604 -
\??\c:\tjjfbj.exec:\tjjfbj.exe25⤵
- Executes dropped EXE
PID:1300 -
\??\c:\lntrdnp.exec:\lntrdnp.exe26⤵
- Executes dropped EXE
PID:1784 -
\??\c:\xtbbjr.exec:\xtbbjr.exe27⤵
- Executes dropped EXE
PID:1516 -
\??\c:\flrdt.exec:\flrdt.exe28⤵
- Executes dropped EXE
PID:1364 -
\??\c:\rplvrf.exec:\rplvrf.exe29⤵
- Executes dropped EXE
PID:540 -
\??\c:\lfnbnn.exec:\lfnbnn.exe30⤵
- Executes dropped EXE
PID:912 -
\??\c:\hjrvrt.exec:\hjrvrt.exe31⤵
- Executes dropped EXE
PID:1384 -
\??\c:\pnnddj.exec:\pnnddj.exe32⤵
- Executes dropped EXE
PID:520 -
\??\c:\bfvpx.exec:\bfvpx.exe33⤵
- Executes dropped EXE
PID:2392 -
\??\c:\vbxdj.exec:\vbxdj.exe34⤵
- Executes dropped EXE
PID:2432 -
\??\c:\vxfbj.exec:\vxfbj.exe35⤵
- Executes dropped EXE
PID:2864 -
\??\c:\tjdfp.exec:\tjdfp.exe36⤵
- Executes dropped EXE
PID:1572 -
\??\c:\hjbnvvd.exec:\hjbnvvd.exe37⤵
- Executes dropped EXE
PID:2872 -
\??\c:\rpjjppd.exec:\rpjjppd.exe38⤵
- Executes dropped EXE
PID:2984 -
\??\c:\pjbnh.exec:\pjbnh.exe39⤵
- Executes dropped EXE
PID:2820 -
\??\c:\rlpnfd.exec:\rlpnfd.exe40⤵
- Executes dropped EXE
PID:3032 -
\??\c:\bhvhrdf.exec:\bhvhrdf.exe41⤵
- Executes dropped EXE
PID:2284 -
\??\c:\lfxrjdf.exec:\lfxrjdf.exe42⤵
- Executes dropped EXE
PID:2888 -
\??\c:\jhxtvf.exec:\jhxtvf.exe43⤵
- Executes dropped EXE
PID:2772 -
\??\c:\fnjhj.exec:\fnjhj.exe44⤵
- Executes dropped EXE
PID:2560 -
\??\c:\vpvnj.exec:\vpvnj.exe45⤵
- Executes dropped EXE
PID:328 -
\??\c:\lhxlttv.exec:\lhxlttv.exe46⤵
- Executes dropped EXE
PID:872 -
\??\c:\hprjh.exec:\hprjh.exe47⤵
- Executes dropped EXE
PID:1736 -
\??\c:\vxbnjv.exec:\vxbnjv.exe48⤵
- Executes dropped EXE
PID:968 -
\??\c:\rtfrf.exec:\rtfrf.exe49⤵
- Executes dropped EXE
PID:2960 -
\??\c:\djnfflj.exec:\djnfflj.exe50⤵
- Executes dropped EXE
PID:2952 -
\??\c:\trbldbd.exec:\trbldbd.exe51⤵
- Executes dropped EXE
PID:2280 -
\??\c:\btftvdd.exec:\btftvdd.exe52⤵
- Executes dropped EXE
PID:1360 -
\??\c:\htfljvf.exec:\htfljvf.exe53⤵
- Executes dropped EXE
PID:2396 -
\??\c:\hdnljf.exec:\hdnljf.exe54⤵
- Executes dropped EXE
PID:892 -
\??\c:\rttjr.exec:\rttjr.exe55⤵
- Executes dropped EXE
PID:1088 -
\??\c:\jbdxdr.exec:\jbdxdr.exe56⤵
- Executes dropped EXE
PID:1824 -
\??\c:\tbvjl.exec:\tbvjl.exe57⤵
- Executes dropped EXE
PID:840 -
\??\c:\pbjhnpv.exec:\pbjhnpv.exe58⤵
- Executes dropped EXE
PID:2452 -
\??\c:\ffhdh.exec:\ffhdh.exe59⤵
- Executes dropped EXE
PID:904 -
\??\c:\nvvnf.exec:\nvvnf.exe60⤵
- Executes dropped EXE
PID:2408 -
\??\c:\pvtbtrv.exec:\pvtbtrv.exe61⤵
- Executes dropped EXE
PID:1732 -
\??\c:\jvxpt.exec:\jvxpt.exe62⤵
- Executes dropped EXE
PID:1036 -
\??\c:\dvdfpn.exec:\dvdfpn.exe63⤵
- Executes dropped EXE
PID:944 -
\??\c:\ltnbhx.exec:\ltnbhx.exe64⤵
- Executes dropped EXE
PID:1872 -
\??\c:\hrpprfp.exec:\hrpprfp.exe65⤵
- Executes dropped EXE
PID:600 -
\??\c:\ntdtdvp.exec:\ntdtdvp.exe66⤵PID:2384
-
\??\c:\ftvlxdv.exec:\ftvlxdv.exe67⤵PID:1336
-
\??\c:\ntdrvnf.exec:\ntdrvnf.exe68⤵PID:1768
-
\??\c:\phfpd.exec:\phfpd.exe69⤵PID:2644
-
\??\c:\dbhtbp.exec:\dbhtbp.exe70⤵PID:1008
-
\??\c:\btllp.exec:\btllp.exe71⤵PID:1848
-
\??\c:\nltdt.exec:\nltdt.exe72⤵PID:540
-
\??\c:\ftrxpd.exec:\ftrxpd.exe73⤵PID:1760
-
\??\c:\nlppnbh.exec:\nlppnbh.exe74⤵PID:2324
-
\??\c:\hvffxxl.exec:\hvffxxl.exe75⤵PID:2376
-
\??\c:\bvbdlbb.exec:\bvbdlbb.exe76⤵PID:692
-
\??\c:\lbrrt.exec:\lbrrt.exe77⤵PID:868
-
\??\c:\hrblvl.exec:\hrblvl.exe78⤵PID:1564
-
\??\c:\dllxflf.exec:\dllxflf.exe79⤵PID:2860
-
\??\c:\dddxbb.exec:\dddxbb.exe80⤵PID:2460
-
\??\c:\drjxfh.exec:\drjxfh.exe81⤵PID:2980
-
\??\c:\lhvlt.exec:\lhvlt.exe82⤵PID:2264
-
\??\c:\xlhppf.exec:\xlhppf.exe83⤵PID:2912
-
\??\c:\bhhjp.exec:\bhhjp.exe84⤵PID:2896
-
\??\c:\tdnbt.exec:\tdnbt.exe85⤵PID:1184
-
\??\c:\lvxlhvr.exec:\lvxlhvr.exe86⤵PID:2732
-
\??\c:\hdhvldl.exec:\hdhvldl.exe87⤵PID:2788
-
\??\c:\tdrtp.exec:\tdrtp.exe88⤵PID:2256
-
\??\c:\lnfvt.exec:\lnfvt.exe89⤵PID:2928
-
\??\c:\xhnvnn.exec:\xhnvnn.exe90⤵PID:568
-
\??\c:\rbdbb.exec:\rbdbb.exe91⤵PID:2568
-
\??\c:\hfjfxnl.exec:\hfjfxnl.exe92⤵PID:2784
-
\??\c:\nrjdxjd.exec:\nrjdxjd.exe93⤵PID:968
-
\??\c:\lbpxbj.exec:\lbpxbj.exe94⤵PID:2960
-
\??\c:\htvflx.exec:\htvflx.exe95⤵PID:2952
-
\??\c:\trlpxdt.exec:\trlpxdt.exe96⤵PID:2280
-
\??\c:\fffndhd.exec:\fffndhd.exe97⤵PID:2940
-
\??\c:\vdnhv.exec:\vdnhv.exe98⤵PID:2944
-
\??\c:\xvpvbh.exec:\xvpvbh.exe99⤵PID:1796
-
\??\c:\jppblj.exec:\jppblj.exe100⤵PID:836
-
\??\c:\lplpb.exec:\lplpb.exe101⤵PID:2208
-
\??\c:\xdjhvl.exec:\xdjhvl.exe102⤵PID:2412
-
\??\c:\tvjvnv.exec:\tvjvnv.exe103⤵PID:2356
-
\??\c:\tnlfbpb.exec:\tnlfbpb.exe104⤵PID:2332
-
\??\c:\lxrtjf.exec:\lxrtjf.exe105⤵PID:2408
-
\??\c:\bjnfx.exec:\bjnfx.exe106⤵PID:2668
-
\??\c:\vbtvp.exec:\vbtvp.exe107⤵PID:1036
-
\??\c:\fjvvdb.exec:\fjvvdb.exe108⤵PID:2512
-
\??\c:\pnhrv.exec:\pnhrv.exe109⤵PID:1428
-
\??\c:\bvvbb.exec:\bvvbb.exe110⤵PID:2540
-
\??\c:\jxvxd.exec:\jxvxd.exe111⤵PID:2016
-
\??\c:\tdxlnvd.exec:\tdxlnvd.exe112⤵PID:1664
-
\??\c:\pldrdxt.exec:\pldrdxt.exe113⤵PID:2108
-
\??\c:\bfrbdtb.exec:\bfrbdtb.exe114⤵PID:1700
-
\??\c:\blxldrn.exec:\blxldrn.exe115⤵PID:1008
-
\??\c:\xnljhjl.exec:\xnljhjl.exe116⤵PID:2012
-
\??\c:\nrnbvfn.exec:\nrnbvfn.exe117⤵PID:2044
-
\??\c:\nvhhnx.exec:\nvhhnx.exe118⤵PID:1048
-
\??\c:\rhhvr.exec:\rhhvr.exe119⤵PID:1092
-
\??\c:\dptffb.exec:\dptffb.exe120⤵PID:2640
-
\??\c:\fflxjx.exec:\fflxjx.exe121⤵PID:692
-
\??\c:\thvdfp.exec:\thvdfp.exe122⤵PID:2432
-