Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/01/2025, 05:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe
-
Size
456KB
-
MD5
3e2819656660c84060062ded37a52d90
-
SHA1
c240e1e671d02bd821f2b8d50245d05d3fa16eb2
-
SHA256
1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811
-
SHA512
9c6a262b97ac454b954ff5a2c6abc21a506b52ca4a012c38668bf5163a0f6515fc3483e55cfa6ddfbc455d8a2a2de13aae5569713948207ef237acc2824aa47c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRl8Z:q7Tc2NYHUrAwfMp3CDRY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2988-1-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3036-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2800-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2080-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2732-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2612-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2640-71-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2568-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1928-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2156-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1692-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2672-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2168-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1184-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1880-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/792-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/592-281-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon 
behavioral1/memory/592-280-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2980-299-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2980-300-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1440-322-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2808-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2620-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2052-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1448-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2404-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1796-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1912-443-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2924-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2472-483-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1940-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/404-503-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2264-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2964-541-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2080-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2636-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1992-666-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1144-674-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2028-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3036 vpdjj.exe 2080 jdvdj.exe 2800 9xllrrf.exe 2732 hbnnnt.exe 2952 pjvdv.exe 2612 lfxxllx.exe 2640 ttntnt.exe 2740 jpjvd.exe 2620 7nntht.exe 3016 7dvvj.exe 1724 ttnntb.exe 2576 dvpvd.exe 2568 nhtbhh.exe 1928 3vpvd.exe 2156 hnhtnn.exe 1484 xxlffxl.exe 1768 nbnttb.exe 1692 llflffl.exe 2672 7ttthh.exe 2168 lllfxfl.exe 1968 hhbhtb.exe 2692 jdvdj.exe 1184 3ddjv.exe 2700 5ntnbn.exe 848 rlfrflx.exe 1880 pvdvj.exe 2164 rlxlxfr.exe 792 7lrfxfx.exe 592 xlflxlr.exe 992 1vjvj.exe 2980 xrflrfl.exe 2232 5xrrflx.exe 2100 rrlrfrl.exe 1440 9dppd.exe 580 xrlllrf.exe 2800 bnhnbb.exe 2744 jjdpj.exe 2748 lxllrrf.exe 1276 1tnnnn.exe 2808 bbbhnh.exe 2828 vvvvj.exe 2716 lfflrxf.exe 2668 3tnnbb.exe 2620 dvdjj.exe 1104 fxrxllr.exe 1148 llfrffr.exe 2508 bthnbh.exe 1912 5jjjp.exe 2052 lrlrllx.exe 1448 nnhthh.exe 1796 9tbhnt.exe 2404 vpjvp.exe 1040 5rxxffx.exe 1524 tnbnhh.exe 2816 nhbbhh.exe 2924 9pvvj.exe 2472 lfxxfff.exe 1940 tnnttb.exe 2460 1nthbh.exe 404 ddvdd.exe 692 9rlxrfx.exe 1516 nnttbb.exe 2264 jdpvd.exe 904 5ddjp.exe -
resource yara_rule behavioral1/memory/2988-1-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2800-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2640-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1724-108-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/2568-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1928-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2156-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-165-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1692-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2672-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2168-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-209-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2692-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1184-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1880-245-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1880-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/792-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2620-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2052-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1448-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2404-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1796-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2924-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2264-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/992-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2080-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2868-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2636-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1144-674-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2028-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3068-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-856-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllrrf.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxrxl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ththt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrxfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2988 wrote to memory of 3036 2988 1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe 30 PID 2988 wrote to memory of 3036 2988 1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe 30 PID 2988 wrote to memory of 3036 2988 1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe 30 PID 2988 wrote to memory of 3036 2988 1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe 30 PID 3036 wrote to memory of 2080 3036 vpdjj.exe 31 PID 3036 wrote to memory of 2080 3036 vpdjj.exe 31 PID 3036 wrote to memory of 2080 3036 vpdjj.exe 31 PID 3036 wrote to memory of 2080 3036 vpdjj.exe 31 PID 2080 wrote to memory of 2800 2080 jdvdj.exe 32 PID 2080 wrote to memory of 2800 2080 jdvdj.exe 32 PID 2080 wrote to memory of 2800 2080 jdvdj.exe 32 PID 2080 wrote to memory of 2800 2080 jdvdj.exe 32 PID 2800 wrote to memory of 2732 2800 9xllrrf.exe 33 PID 2800 wrote to memory of 2732 2800 9xllrrf.exe 33 PID 2800 wrote to memory of 2732 2800 9xllrrf.exe 33 PID 2800 wrote to memory of 2732 2800 9xllrrf.exe 33 PID 2732 wrote to memory of 2952 2732 hbnnnt.exe 34 PID 2732 wrote to memory of 2952 2732 hbnnnt.exe 34 PID 2732 wrote to memory of 2952 2732 hbnnnt.exe 34 PID 2732 wrote to memory of 2952 2732 hbnnnt.exe 34 PID 2952 wrote to memory of 2612 2952 pjvdv.exe 35 PID 2952 wrote to memory of 2612 2952 pjvdv.exe 35 PID 2952 wrote to memory of 2612 2952 pjvdv.exe 35 PID 2952 wrote to memory of 2612 2952 pjvdv.exe 35 PID 2612 wrote to memory of 2640 2612 lfxxllx.exe 36 PID 2612 wrote to memory of 2640 2612 lfxxllx.exe 36 PID 2612 wrote to memory of 2640 2612 lfxxllx.exe 36 PID 2612 wrote to memory of 2640 2612 lfxxllx.exe 36 PID 2640 wrote to memory of 2740 2640 ttntnt.exe 37 PID 2640 wrote to memory of 2740 2640 ttntnt.exe 37 PID 2640 wrote to memory of 2740 2640 ttntnt.exe 37 PID 2640 wrote to memory of 2740 2640 ttntnt.exe 37 PID 2740 wrote to memory of 2620 2740 jpjvd.exe 38 PID 2740 wrote 
to memory of 2620 2740 jpjvd.exe 38 PID 2740 wrote to memory of 2620 2740 jpjvd.exe 38 PID 2740 wrote to memory of 2620 2740 jpjvd.exe 38 PID 2620 wrote to memory of 3016 2620 7nntht.exe 39 PID 2620 wrote to memory of 3016 2620 7nntht.exe 39 PID 2620 wrote to memory of 3016 2620 7nntht.exe 39 PID 2620 wrote to memory of 3016 2620 7nntht.exe 39 PID 3016 wrote to memory of 1724 3016 7dvvj.exe 40 PID 3016 wrote to memory of 1724 3016 7dvvj.exe 40 PID 3016 wrote to memory of 1724 3016 7dvvj.exe 40 PID 3016 wrote to memory of 1724 3016 7dvvj.exe 40 PID 1724 wrote to memory of 2576 1724 ttnntb.exe 41 PID 1724 wrote to memory of 2576 1724 ttnntb.exe 41 PID 1724 wrote to memory of 2576 1724 ttnntb.exe 41 PID 1724 wrote to memory of 2576 1724 ttnntb.exe 41 PID 2576 wrote to memory of 2568 2576 dvpvd.exe 42 PID 2576 wrote to memory of 2568 2576 dvpvd.exe 42 PID 2576 wrote to memory of 2568 2576 dvpvd.exe 42 PID 2576 wrote to memory of 2568 2576 dvpvd.exe 42 PID 2568 wrote to memory of 1928 2568 nhtbhh.exe 43 PID 2568 wrote to memory of 1928 2568 nhtbhh.exe 43 PID 2568 wrote to memory of 1928 2568 nhtbhh.exe 43 PID 2568 wrote to memory of 1928 2568 nhtbhh.exe 43 PID 1928 wrote to memory of 2156 1928 3vpvd.exe 44 PID 1928 wrote to memory of 2156 1928 3vpvd.exe 44 PID 1928 wrote to memory of 2156 1928 3vpvd.exe 44 PID 1928 wrote to memory of 2156 1928 3vpvd.exe 44 PID 2156 wrote to memory of 1484 2156 hnhtnn.exe 45 PID 2156 wrote to memory of 1484 2156 hnhtnn.exe 45 PID 2156 wrote to memory of 1484 2156 hnhtnn.exe 45 PID 2156 wrote to memory of 1484 2156 hnhtnn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe"C:\Users\Admin\AppData\Local\Temp\1b5f218a9e566aff89def8f88425bd6232871b3483ecfba1f835d0e0a017e811N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\vpdjj.exec:\vpdjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\jdvdj.exec:\jdvdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\9xllrrf.exec:\9xllrrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\hbnnnt.exec:\hbnnnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\pjvdv.exec:\pjvdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\lfxxllx.exec:\lfxxllx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\ttntnt.exec:\ttntnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\jpjvd.exec:\jpjvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\7nntht.exec:\7nntht.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\7dvvj.exec:\7dvvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\ttnntb.exec:\ttnntb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\dvpvd.exec:\dvpvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\nhtbhh.exec:\nhtbhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\3vpvd.exec:\3vpvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\hnhtnn.exec:\hnhtnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\xxlffxl.exec:\xxlffxl.exe17⤵
- Executes dropped EXE
PID:1484 -
\??\c:\nbnttb.exec:\nbnttb.exe18⤵
- Executes dropped EXE
PID:1768 -
\??\c:\llflffl.exec:\llflffl.exe19⤵
- Executes dropped EXE
PID:1692 -
\??\c:\7ttthh.exec:\7ttthh.exe20⤵
- Executes dropped EXE
PID:2672 -
\??\c:\lllfxfl.exec:\lllfxfl.exe21⤵
- Executes dropped EXE
PID:2168 -
\??\c:\hhbhtb.exec:\hhbhtb.exe22⤵
- Executes dropped EXE
PID:1968 -
\??\c:\jdvdj.exec:\jdvdj.exe23⤵
- Executes dropped EXE
PID:2692 -
\??\c:\3ddjv.exec:\3ddjv.exe24⤵
- Executes dropped EXE
PID:1184 -
\??\c:\5ntnbn.exec:\5ntnbn.exe25⤵
- Executes dropped EXE
PID:2700 -
\??\c:\rlfrflx.exec:\rlfrflx.exe26⤵
- Executes dropped EXE
PID:848 -
\??\c:\pvdvj.exec:\pvdvj.exe27⤵
- Executes dropped EXE
PID:1880 -
\??\c:\rlxlxfr.exec:\rlxlxfr.exe28⤵
- Executes dropped EXE
PID:2164 -
\??\c:\7lrfxfx.exec:\7lrfxfx.exe29⤵
- Executes dropped EXE
PID:792 -
\??\c:\xlflxlr.exec:\xlflxlr.exe30⤵
- Executes dropped EXE
PID:592 -
\??\c:\1vjvj.exec:\1vjvj.exe31⤵
- Executes dropped EXE
PID:992 -
\??\c:\xrflrfl.exec:\xrflrfl.exe32⤵
- Executes dropped EXE
PID:2980 -
\??\c:\5xrrflx.exec:\5xrrflx.exe33⤵
- Executes dropped EXE
PID:2232 -
\??\c:\rrlrfrl.exec:\rrlrfrl.exe34⤵
- Executes dropped EXE
PID:2100 -
\??\c:\9dppd.exec:\9dppd.exe35⤵
- Executes dropped EXE
PID:1440 -
\??\c:\xrlllrf.exec:\xrlllrf.exe36⤵
- Executes dropped EXE
PID:580 -
\??\c:\bnhnbb.exec:\bnhnbb.exe37⤵
- Executes dropped EXE
PID:2800 -
\??\c:\jjdpj.exec:\jjdpj.exe38⤵
- Executes dropped EXE
PID:2744 -
\??\c:\lxllrrf.exec:\lxllrrf.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2748 -
\??\c:\1tnnnn.exec:\1tnnnn.exe40⤵
- Executes dropped EXE
PID:1276 -
\??\c:\bbbhnh.exec:\bbbhnh.exe41⤵
- Executes dropped EXE
PID:2808 -
\??\c:\vvvvj.exec:\vvvvj.exe42⤵
- Executes dropped EXE
PID:2828 -
\??\c:\lfflrxf.exec:\lfflrxf.exe43⤵
- Executes dropped EXE
PID:2716 -
\??\c:\3tnnbb.exec:\3tnnbb.exe44⤵
- Executes dropped EXE
PID:2668 -
\??\c:\dvdjj.exec:\dvdjj.exe45⤵
- Executes dropped EXE
PID:2620 -
\??\c:\fxrxllr.exec:\fxrxllr.exe46⤵
- Executes dropped EXE
PID:1104 -
\??\c:\llfrffr.exec:\llfrffr.exe47⤵
- Executes dropped EXE
PID:1148 -
\??\c:\bthnbh.exec:\bthnbh.exe48⤵
- Executes dropped EXE
PID:2508 -
\??\c:\5jjjp.exec:\5jjjp.exe49⤵
- Executes dropped EXE
PID:1912 -
\??\c:\lrlrllx.exec:\lrlrllx.exe50⤵
- Executes dropped EXE
PID:2052 -
\??\c:\nnhthh.exec:\nnhthh.exe51⤵
- Executes dropped EXE
PID:1448 -
\??\c:\9tbhnt.exec:\9tbhnt.exe52⤵
- Executes dropped EXE
PID:1796 -
\??\c:\vpjvp.exec:\vpjvp.exe53⤵
- Executes dropped EXE
PID:2404 -
\??\c:\5rxxffx.exec:\5rxxffx.exe54⤵
- Executes dropped EXE
PID:1040 -
\??\c:\tnbnhh.exec:\tnbnhh.exe55⤵
- Executes dropped EXE
PID:1524 -
\??\c:\nhbbhh.exec:\nhbbhh.exe56⤵
- Executes dropped EXE
PID:2816 -
\??\c:\9pvvj.exec:\9pvvj.exe57⤵
- Executes dropped EXE
PID:2924 -
\??\c:\lfxxfff.exec:\lfxxfff.exe58⤵
- Executes dropped EXE
PID:2472 -
\??\c:\tnnttb.exec:\tnnttb.exe59⤵
- Executes dropped EXE
PID:1940 -
\??\c:\1nthbh.exec:\1nthbh.exe60⤵
- Executes dropped EXE
PID:2460 -
\??\c:\ddvdd.exec:\ddvdd.exe61⤵
- Executes dropped EXE
PID:404 -
\??\c:\9rlxrfx.exec:\9rlxrfx.exe62⤵
- Executes dropped EXE
PID:692 -
\??\c:\nnttbb.exec:\nnttbb.exe63⤵
- Executes dropped EXE
PID:1516 -
\??\c:\jdpvd.exec:\jdpvd.exe64⤵
- Executes dropped EXE
PID:2264 -
\??\c:\5ddjp.exec:\5ddjp.exe65⤵
- Executes dropped EXE
PID:904 -
\??\c:\frlfllf.exec:\frlfllf.exe66⤵PID:1380
-
\??\c:\ttthtb.exec:\ttthtb.exe67⤵PID:2964
-
\??\c:\hbthnt.exec:\hbthnt.exe68⤵PID:2476
-
\??\c:\7vddj.exec:\7vddj.exe69⤵PID:2164
-
\??\c:\rxlllff.exec:\rxlllff.exe70⤵PID:2336
-
\??\c:\3tbntt.exec:\3tbntt.exe71⤵PID:2284
-
\??\c:\tnnnnt.exec:\tnnnnt.exe72⤵PID:700
-
\??\c:\7dppd.exec:\7dppd.exe73⤵PID:992
-
\??\c:\rlffrxl.exec:\rlffrxl.exe74⤵PID:2988
-
\??\c:\1lxrxfr.exec:\1lxrxfr.exe75⤵PID:1884
-
\??\c:\ntbnhb.exec:\ntbnhb.exe76⤵PID:3052
-
\??\c:\7dppv.exec:\7dppv.exe77⤵PID:2080
-
\??\c:\3xrxlxl.exec:\3xrxlxl.exe78⤵PID:2340
-
\??\c:\bbbnbn.exec:\bbbnbn.exe79⤵PID:2868
-
\??\c:\htnbtt.exec:\htnbtt.exe80⤵PID:2896
-
\??\c:\vpdpd.exec:\vpdpd.exe81⤵PID:2848
-
\??\c:\xrrfrfx.exec:\xrrfrfx.exe82⤵PID:2304
-
\??\c:\frlllrf.exec:\frlllrf.exe83⤵PID:1276
-
\??\c:\ttnbnt.exec:\ttnbnt.exe84⤵PID:2300
-
\??\c:\jdvvd.exec:\jdvvd.exe85⤵PID:2388
-
\??\c:\5jdjp.exec:\5jdjp.exe86⤵PID:2636
-
\??\c:\rrrxllr.exec:\rrrxllr.exe87⤵PID:1992
-
\??\c:\5ttnbn.exec:\5ttnbn.exe88⤵PID:1144
-
\??\c:\jppdj.exec:\jppdj.exe89⤵PID:3032
-
\??\c:\xlfflrx.exec:\xlfflrx.exe90⤵PID:1712
-
\??\c:\9xffxxr.exec:\9xffxxr.exe91⤵PID:2028
-
\??\c:\btnbhn.exec:\btnbhn.exe92⤵PID:2036
-
\??\c:\5vjjp.exec:\5vjjp.exe93⤵PID:1960
-
\??\c:\pvpvj.exec:\pvpvj.exe94⤵PID:2428
-
\??\c:\xrfflrl.exec:\xrfflrl.exe95⤵PID:2156
-
\??\c:\hhbthn.exec:\hhbthn.exe96⤵PID:1796
-
\??\c:\1vvpv.exec:\1vvpv.exe97⤵PID:816
-
\??\c:\9vdvv.exec:\9vdvv.exe98⤵PID:1768
-
\??\c:\7rlllrx.exec:\7rlllrx.exe99⤵PID:1788
-
\??\c:\hnhthn.exec:\hnhthn.exe100⤵PID:2128
-
\??\c:\5ppvd.exec:\5ppvd.exe101⤵PID:2456
-
\??\c:\5dvjp.exec:\5dvjp.exe102⤵PID:2824
-
\??\c:\rlrxffr.exec:\rlrxffr.exe103⤵PID:1488
-
\??\c:\thbbhh.exec:\thbbhh.exe104⤵PID:304
-
\??\c:\htthnt.exec:\htthnt.exe105⤵PID:2692
-
\??\c:\dvvpj.exec:\dvvpj.exe106⤵PID:836
-
\??\c:\xrlrrrx.exec:\xrlrrrx.exe107⤵PID:692
-
\??\c:\9bhbhn.exec:\9bhbhn.exe108⤵PID:2200
-
\??\c:\9tthtb.exec:\9tthtb.exe109⤵PID:2264
-
\??\c:\3pjpj.exec:\3pjpj.exe110⤵PID:904
-
\??\c:\lfrrflr.exec:\lfrrflr.exe111⤵PID:1552
-
\??\c:\nnhthn.exec:\nnhthn.exe112⤵PID:2964
-
\??\c:\7vdjp.exec:\7vdjp.exe113⤵PID:1224
-
\??\c:\xxffrrf.exec:\xxffrrf.exe114⤵PID:2564
-
\??\c:\nnhnbt.exec:\nnhnbt.exe115⤵PID:3068
-
\??\c:\ntttbb.exec:\ntttbb.exe116⤵PID:2288
-
\??\c:\vdjvd.exec:\vdjvd.exe117⤵PID:1052
-
\??\c:\7lrrflr.exec:\7lrrflr.exe118⤵PID:2980
-
\??\c:\3xxllrx.exec:\3xxllrx.exe119⤵PID:2072
-
\??\c:\ntthhn.exec:\ntthhn.exe120⤵PID:1596
-
\??\c:\pjdpv.exec:\pjdpv.exe121⤵PID:2092
-
\??\c:\xrxfllr.exec:\xrxfllr.exe122⤵PID:2928