Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe
-
Size
454KB
-
MD5
f1af55dd54e1ef703b8e8ba93e0b6170
-
SHA1
91a6b9f204f898f5830ea2c34eb0edee001b2a1e
-
SHA256
f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3f
-
SHA512
437e95aef852a37be0a11c423e11327a18c8d3d5c4f433b47736bdd6f60e747ab6b20e1193a2ab66f58568b21be9ca0260704f7b262e425bdd76acf53402c8ae
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetQ:q7Tc2NYHUrAwfMp3CDtQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 52 IoCs
resource yara_rule behavioral1/memory/1744-0-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1300-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1300-21-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1300-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1812-42-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1812-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/316-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3028-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2592-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2752-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2508-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2656-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3024-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/824-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2832-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1944-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1392-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1528-221-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1364-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/772-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1092-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2132-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2264-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2280-308-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2444-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-334-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2068-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2616-383-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2676-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/980-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/464-441-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/1984-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1280-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2936-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2112-547-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2264-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2812-674-0x00000000003D0000-0x00000000003FA000-memory.dmp family_blackmoon behavioral1/memory/2084-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2160-826-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-838-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2576-920-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1616-1154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1616-1159-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2596-1194-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2652-1230-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1756-1306-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/564-1378-0x0000000000340000-0x000000000036A000-memory.dmp family_blackmoon behavioral1/memory/1476-1387-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2244 1xfrflr.exe 1300 nhhnbh.exe 316 rrlrffr.exe 1812 lfflxxl.exe 3028 xxllrrx.exe 2900 1nbbtb.exe 2592 tbthnb.exe 2732 bbntbn.exe 2752 dvjpv.exe 2508 jddpv.exe 2656 jdvdp.exe 2500 bhnnbb.exe 3024 jpjjp.exe 824 pjjpd.exe 1012 7bnttn.exe 2240 ddvdv.exe 1648 tttbnb.exe 1944 3jjvj.exe 2832 xllrflf.exe 2384 bhhbnb.exe 1392 llfxlfx.exe 2764 llflflx.exe 1528 7nntht.exe 1364 bbbnbt.exe 692 flxrrxf.exe 772 rlffrfx.exe 828 fxlrflf.exe 700 ttntnb.exe 616 flffxll.exe 1092 9hhttb.exe 2132 3pvvj.exe 2264 pjddj.exe 2280 dvpvv.exe 2236 rrrxllx.exe 2452 7nhtbb.exe 2444 pjdpv.exe 1912 9ppvd.exe 2908 9lxxxff.exe 3040 bnhbbn.exe 2068 ppjpd.exe 2148 vpjpp.exe 2636 rxlfllr.exe 2744 ntnbnn.exe 2616 vvddj.exe 2676 ddppd.exe 2752 rlflxxf.exe 2600 thtbhh.exe 2476 dpdpd.exe 2548 1pdjp.exe 2152 5llrllr.exe 1852 7rfllrf.exe 980 httbht.exe 464 vpjpv.exe 2248 ppjdv.exe 1984 rxrxffr.exe 1840 tnbbnb.exe 1280 3djvd.exe 2800 ppddj.exe 2936 5xllrrr.exe 2944 5nbbbb.exe 1356 nhhnbh.exe 1392 vjpdd.exe 1568 lflrlxl.exe 1908 rlxxlxl.exe -
resource yara_rule behavioral1/memory/1744-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1300-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1812-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/316-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3028-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2900-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2592-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2752-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2508-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2656-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3024-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/824-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2832-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1944-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1392-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1364-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/772-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1092-283-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2132-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2444-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2908-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2148-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2616-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/980-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1984-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1280-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2936-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-547-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2264-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2812-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2084-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-826-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1516-977-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-1016-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-1154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3040-1181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2720-1201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-1230-0x0000000000220000-0x000000000024A000-memory.dmp upx 
behavioral1/memory/2656-1233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1476-1380-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lflfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1744 wrote to memory of 2244 1744 f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe 28 PID 1744 wrote to memory of 2244 1744 f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe 28 PID 1744 wrote to memory of 2244 1744 f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe 28 PID 1744 wrote to memory of 2244 1744 f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe 28 PID 2244 wrote to memory of 1300 2244 1xfrflr.exe 29 PID 2244 wrote to memory of 1300 2244 1xfrflr.exe 29 PID 2244 wrote to memory of 1300 2244 1xfrflr.exe 29 PID 2244 wrote to memory of 1300 2244 1xfrflr.exe 29 PID 1300 wrote to memory of 316 1300 nhhnbh.exe 30 PID 1300 wrote to memory of 316 1300 nhhnbh.exe 30 PID 1300 wrote to memory of 316 1300 nhhnbh.exe 30 PID 1300 wrote to memory of 316 1300 nhhnbh.exe 30 PID 316 wrote to memory of 1812 316 rrlrffr.exe 31 PID 316 wrote to memory of 1812 316 rrlrffr.exe 31 PID 316 wrote to memory of 1812 316 rrlrffr.exe 31 PID 316 wrote to memory of 1812 316 rrlrffr.exe 31 PID 1812 wrote to memory of 3028 1812 lfflxxl.exe 32 PID 1812 wrote to memory of 3028 1812 lfflxxl.exe 32 PID 1812 wrote to memory of 3028 1812 lfflxxl.exe 32 PID 1812 wrote to memory of 3028 1812 lfflxxl.exe 32 PID 3028 wrote to memory of 2900 3028 xxllrrx.exe 33 PID 3028 wrote to memory of 2900 3028 xxllrrx.exe 33 PID 3028 wrote to memory of 2900 3028 xxllrrx.exe 33 PID 3028 wrote to memory of 2900 3028 xxllrrx.exe 33 PID 2900 wrote to memory of 2592 2900 1nbbtb.exe 34 PID 2900 wrote to memory of 2592 2900 1nbbtb.exe 34 PID 2900 wrote to memory of 2592 2900 1nbbtb.exe 34 PID 2900 wrote to memory of 2592 2900 1nbbtb.exe 34 PID 2592 wrote to memory of 2732 2592 tbthnb.exe 35 PID 2592 wrote to memory of 2732 2592 tbthnb.exe 35 PID 2592 wrote to memory of 2732 2592 tbthnb.exe 35 PID 2592 wrote to memory of 2732 2592 tbthnb.exe 35 PID 2732 wrote to memory of 2752 2732 bbntbn.exe 36 PID 
2732 wrote to memory of 2752 2732 bbntbn.exe 36 PID 2732 wrote to memory of 2752 2732 bbntbn.exe 36 PID 2732 wrote to memory of 2752 2732 bbntbn.exe 36 PID 2752 wrote to memory of 2508 2752 dvjpv.exe 37 PID 2752 wrote to memory of 2508 2752 dvjpv.exe 37 PID 2752 wrote to memory of 2508 2752 dvjpv.exe 37 PID 2752 wrote to memory of 2508 2752 dvjpv.exe 37 PID 2508 wrote to memory of 2656 2508 jddpv.exe 38 PID 2508 wrote to memory of 2656 2508 jddpv.exe 38 PID 2508 wrote to memory of 2656 2508 jddpv.exe 38 PID 2508 wrote to memory of 2656 2508 jddpv.exe 38 PID 2656 wrote to memory of 2500 2656 jdvdp.exe 39 PID 2656 wrote to memory of 2500 2656 jdvdp.exe 39 PID 2656 wrote to memory of 2500 2656 jdvdp.exe 39 PID 2656 wrote to memory of 2500 2656 jdvdp.exe 39 PID 2500 wrote to memory of 3024 2500 bhnnbb.exe 40 PID 2500 wrote to memory of 3024 2500 bhnnbb.exe 40 PID 2500 wrote to memory of 3024 2500 bhnnbb.exe 40 PID 2500 wrote to memory of 3024 2500 bhnnbb.exe 40 PID 3024 wrote to memory of 824 3024 jpjjp.exe 41 PID 3024 wrote to memory of 824 3024 jpjjp.exe 41 PID 3024 wrote to memory of 824 3024 jpjjp.exe 41 PID 3024 wrote to memory of 824 3024 jpjjp.exe 41 PID 824 wrote to memory of 1012 824 pjjpd.exe 42 PID 824 wrote to memory of 1012 824 pjjpd.exe 42 PID 824 wrote to memory of 1012 824 pjjpd.exe 42 PID 824 wrote to memory of 1012 824 pjjpd.exe 42 PID 1012 wrote to memory of 2240 1012 7bnttn.exe 43 PID 1012 wrote to memory of 2240 1012 7bnttn.exe 43 PID 1012 wrote to memory of 2240 1012 7bnttn.exe 43 PID 1012 wrote to memory of 2240 1012 7bnttn.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe"C:\Users\Admin\AppData\Local\Temp\f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\1xfrflr.exec:\1xfrflr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\nhhnbh.exec:\nhhnbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\rrlrffr.exec:\rrlrffr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\lfflxxl.exec:\lfflxxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\xxllrrx.exec:\xxllrrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\1nbbtb.exec:\1nbbtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\tbthnb.exec:\tbthnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\bbntbn.exec:\bbntbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\dvjpv.exec:\dvjpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\jddpv.exec:\jddpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\jdvdp.exec:\jdvdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\bhnnbb.exec:\bhnnbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\jpjjp.exec:\jpjjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\pjjpd.exec:\pjjpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\7bnttn.exec:\7bnttn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\ddvdv.exec:\ddvdv.exe17⤵
- Executes dropped EXE
PID:2240 -
\??\c:\tttbnb.exec:\tttbnb.exe18⤵
- Executes dropped EXE
PID:1648 -
\??\c:\3jjvj.exec:\3jjvj.exe19⤵
- Executes dropped EXE
PID:1944 -
\??\c:\xllrflf.exec:\xllrflf.exe20⤵
- Executes dropped EXE
PID:2832 -
\??\c:\bhhbnb.exec:\bhhbnb.exe21⤵
- Executes dropped EXE
PID:2384 -
\??\c:\llfxlfx.exec:\llfxlfx.exe22⤵
- Executes dropped EXE
PID:1392 -
\??\c:\llflflx.exec:\llflflx.exe23⤵
- Executes dropped EXE
PID:2764 -
\??\c:\7nntht.exec:\7nntht.exe24⤵
- Executes dropped EXE
PID:1528 -
\??\c:\bbbnbt.exec:\bbbnbt.exe25⤵
- Executes dropped EXE
PID:1364 -
\??\c:\flxrrxf.exec:\flxrrxf.exe26⤵
- Executes dropped EXE
PID:692 -
\??\c:\rlffrfx.exec:\rlffrfx.exe27⤵
- Executes dropped EXE
PID:772 -
\??\c:\fxlrflf.exec:\fxlrflf.exe28⤵
- Executes dropped EXE
PID:828 -
\??\c:\ttntnb.exec:\ttntnb.exe29⤵
- Executes dropped EXE
PID:700 -
\??\c:\flffxll.exec:\flffxll.exe30⤵
- Executes dropped EXE
PID:616 -
\??\c:\9hhttb.exec:\9hhttb.exe31⤵
- Executes dropped EXE
PID:1092 -
\??\c:\3pvvj.exec:\3pvvj.exe32⤵
- Executes dropped EXE
PID:2132 -
\??\c:\pjddj.exec:\pjddj.exe33⤵
- Executes dropped EXE
PID:2264 -
\??\c:\dvpvv.exec:\dvpvv.exe34⤵
- Executes dropped EXE
PID:2280 -
\??\c:\rrrxllx.exec:\rrrxllx.exe35⤵
- Executes dropped EXE
PID:2236 -
\??\c:\7nhtbb.exec:\7nhtbb.exe36⤵
- Executes dropped EXE
PID:2452 -
\??\c:\pjdpv.exec:\pjdpv.exe37⤵
- Executes dropped EXE
PID:2444 -
\??\c:\9ppvd.exec:\9ppvd.exe38⤵
- Executes dropped EXE
PID:1912 -
\??\c:\9lxxxff.exec:\9lxxxff.exe39⤵
- Executes dropped EXE
PID:2908 -
\??\c:\bnhbbn.exec:\bnhbbn.exe40⤵
- Executes dropped EXE
PID:3040 -
\??\c:\ppjpd.exec:\ppjpd.exe41⤵
- Executes dropped EXE
PID:2068 -
\??\c:\vpjpp.exec:\vpjpp.exe42⤵
- Executes dropped EXE
PID:2148 -
\??\c:\rxlfllr.exec:\rxlfllr.exe43⤵
- Executes dropped EXE
PID:2636 -
\??\c:\ntnbnn.exec:\ntnbnn.exe44⤵
- Executes dropped EXE
PID:2744 -
\??\c:\vvddj.exec:\vvddj.exe45⤵
- Executes dropped EXE
PID:2616 -
\??\c:\ddppd.exec:\ddppd.exe46⤵
- Executes dropped EXE
PID:2676 -
\??\c:\rlflxxf.exec:\rlflxxf.exe47⤵
- Executes dropped EXE
PID:2752 -
\??\c:\thtbhh.exec:\thtbhh.exe48⤵
- Executes dropped EXE
PID:2600 -
\??\c:\dpdpd.exec:\dpdpd.exe49⤵
- Executes dropped EXE
PID:2476 -
\??\c:\1pdjp.exec:\1pdjp.exe50⤵
- Executes dropped EXE
PID:2548 -
\??\c:\5llrllr.exec:\5llrllr.exe51⤵
- Executes dropped EXE
PID:2152 -
\??\c:\7rfllrf.exec:\7rfllrf.exe52⤵
- Executes dropped EXE
PID:1852 -
\??\c:\httbht.exec:\httbht.exe53⤵
- Executes dropped EXE
PID:980 -
\??\c:\vpjpv.exec:\vpjpv.exe54⤵
- Executes dropped EXE
PID:464 -
\??\c:\ppjdv.exec:\ppjdv.exe55⤵
- Executes dropped EXE
PID:2248 -
\??\c:\rxrxffr.exec:\rxrxffr.exe56⤵
- Executes dropped EXE
PID:1984 -
\??\c:\tnbbnb.exec:\tnbbnb.exe57⤵
- Executes dropped EXE
PID:1840 -
\??\c:\3djvd.exec:\3djvd.exe58⤵
- Executes dropped EXE
PID:1280 -
\??\c:\ppddj.exec:\ppddj.exe59⤵
- Executes dropped EXE
PID:2800 -
\??\c:\5xllrrr.exec:\5xllrrr.exe60⤵
- Executes dropped EXE
PID:2936 -
\??\c:\5nbbbb.exec:\5nbbbb.exe61⤵
- Executes dropped EXE
PID:2944 -
\??\c:\nhhnbh.exec:\nhhnbh.exe62⤵
- Executes dropped EXE
PID:1356 -
\??\c:\vjpdd.exec:\vjpdd.exe63⤵
- Executes dropped EXE
PID:1392 -
\??\c:\lflrlxl.exec:\lflrlxl.exe64⤵
- Executes dropped EXE
PID:1568 -
\??\c:\rlxxlxl.exec:\rlxxlxl.exe65⤵
- Executes dropped EXE
PID:1908 -
\??\c:\1bhntt.exec:\1bhntt.exe66⤵PID:944
-
\??\c:\nhbbnt.exec:\nhbbnt.exe67⤵PID:284
-
\??\c:\ddjjd.exec:\ddjjd.exe68⤵PID:1288
-
\??\c:\ffxlxrf.exec:\ffxlxrf.exe69⤵PID:1492
-
\??\c:\tbthhn.exec:\tbthhn.exe70⤵PID:3016
-
\??\c:\bbbbhn.exec:\bbbbhn.exe71⤵PID:2112
-
\??\c:\jvppv.exec:\jvppv.exe72⤵PID:3068
-
\??\c:\rxrxfxr.exec:\rxrxfxr.exe73⤵PID:1020
-
\??\c:\nbbhnn.exec:\nbbhnn.exe74⤵PID:2460
-
\??\c:\5djvv.exec:\5djvv.exe75⤵PID:880
-
\??\c:\3jvpj.exec:\3jvpj.exe76⤵PID:960
-
\??\c:\xfxlrlf.exec:\xfxlrlf.exe77⤵PID:2264
-
\??\c:\tbtbnb.exec:\tbtbnb.exe78⤵PID:1600
-
\??\c:\7jjjj.exec:\7jjjj.exe79⤵PID:1572
-
\??\c:\jdvpd.exec:\jdvpd.exe80⤵PID:1672
-
\??\c:\rxxrlfr.exec:\rxxrlfr.exe81⤵PID:2400
-
\??\c:\5tnbbh.exec:\5tnbbh.exe82⤵PID:2904
-
\??\c:\7vjvd.exec:\7vjvd.exe83⤵PID:3032
-
\??\c:\3pppd.exec:\3pppd.exe84⤵PID:2120
-
\??\c:\lfrxlfl.exec:\lfrxlfl.exe85⤵PID:3028
-
\??\c:\hbtbbb.exec:\hbtbbb.exe86⤵PID:3060
-
\??\c:\tbntbh.exec:\tbntbh.exe87⤵PID:2148
-
\??\c:\ddvvj.exec:\ddvvj.exe88⤵PID:2336
-
\??\c:\5lxxflr.exec:\5lxxflr.exe89⤵PID:2744
-
\??\c:\hhhthn.exec:\hhhthn.exe90⤵PID:2604
-
\??\c:\9htbht.exec:\9htbht.exe91⤵PID:2812
-
\??\c:\jdddv.exec:\jdddv.exe92⤵PID:2504
-
\??\c:\lrrxlrf.exec:\lrrxlrf.exe93⤵PID:2536
-
\??\c:\bbnhnt.exec:\bbnhnt.exe94⤵PID:2476
-
\??\c:\nnnnhn.exec:\nnnnhn.exe95⤵PID:2560
-
\??\c:\ddvvv.exec:\ddvvv.exe96⤵PID:2152
-
\??\c:\7lxfrfl.exec:\7lxfrfl.exe97⤵PID:1520
-
\??\c:\xrfxlrf.exec:\xrfxlrf.exe98⤵PID:2028
-
\??\c:\ntthth.exec:\ntthth.exe99⤵PID:2024
-
\??\c:\5pjjj.exec:\5pjjj.exe100⤵PID:1604
-
\??\c:\lllrflf.exec:\lllrflf.exe101⤵PID:1948
-
\??\c:\rfrrfxf.exec:\rfrrfxf.exe102⤵PID:756
-
\??\c:\ntnthn.exec:\ntnthn.exe103⤵PID:1944
-
\??\c:\ppdpj.exec:\ppdpj.exe104⤵PID:2768
-
\??\c:\vppvd.exec:\vppvd.exe105⤵PID:2588
-
\??\c:\lfflrrf.exec:\lfflrrf.exe106⤵PID:2084
-
\??\c:\3rfllrx.exec:\3rfllrx.exe107⤵PID:2232
-
\??\c:\htnttt.exec:\htnttt.exe108⤵
- System Location Discovery: System Language Discovery
PID:704 -
\??\c:\5jpvd.exec:\5jpvd.exe109⤵PID:1140
-
\??\c:\xrrfffx.exec:\xrrfffx.exe110⤵PID:1860
-
\??\c:\ffrxlrr.exec:\ffrxlrr.exe111⤵PID:612
-
\??\c:\3thhbn.exec:\3thhbn.exe112⤵
- System Location Discovery: System Language Discovery
PID:1320 -
\??\c:\pjpdp.exec:\pjpdp.exe113⤵PID:1284
-
\??\c:\1vpjj.exec:\1vpjj.exe114⤵PID:564
-
\??\c:\xxxlflf.exec:\xxxlflf.exe115⤵PID:828
-
\??\c:\hbtbnt.exec:\hbtbnt.exe116⤵PID:2160
-
\??\c:\btbnbt.exec:\btbnbt.exe117⤵PID:1972
-
\??\c:\jdvpd.exec:\jdvpd.exe118⤵PID:2888
-
\??\c:\xxrxlrl.exec:\xxrxlrl.exe119⤵PID:3000
-
\??\c:\lfxxrlr.exec:\lfxxrlr.exe120⤵PID:2216
-
\??\c:\1hbbtb.exec:\1hbbtb.exe121⤵PID:2224
-
\??\c:\1ffxlff.exec:\1ffxlff.exe122⤵PID:2244