Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/01/2025, 07:33
Behavioral task
behavioral1
Sample
1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe
-
Size
335KB
-
MD5
2e7868b0c6b122e9524dcc935540edf0
-
SHA1
b7b85b72c6edcaf68936febd06bd438d18c520cf
-
SHA256
1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991
-
SHA512
3f5c04e114228fa9cb8aa1f8629fea4c75c3b7b6a4dd7a30ccebb304e810a91cc0c41a16f84de6e265d5d9344bf12aaf5aeaec29c6910c23bfbe3a280b74d56c
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeR:R4wFHoSHYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2452-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1440-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1256-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2300-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2212-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2776-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2720-58-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2720-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2824-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2732-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2580-94-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2968-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/872-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1808-126-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1808-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2304-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2408-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2500-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2044-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2264-191-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2868-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral1/memory/2336-236-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1748-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2896-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1736-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/700-296-0x00000000003C0000-0x00000000003E7000-memory.dmp family_blackmoon behavioral1/memory/2888-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2680-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2972-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1704-399-0x00000000001B0000-0x00000000001D7000-memory.dmp family_blackmoon behavioral1/memory/772-411-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/772-410-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/1984-417-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2028-429-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/2248-444-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon behavioral1/memory/1968-443-0x00000000002C0000-0x00000000002E7000-memory.dmp family_blackmoon behavioral1/memory/1492-473-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2928-517-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2708-562-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2788-568-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2764-581-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral1/memory/2616-617-0x0000000000220000-0x0000000000247000-memory.dmp family_blackmoon 
behavioral1/memory/1996-10690-0x00000000771F0000-0x000000007730F000-memory.dmp family_blackmoon behavioral1/memory/1996-13464-0x00000000771F0000-0x000000007730F000-memory.dmp family_blackmoon behavioral1/memory/1996-14596-0x00000000771F0000-0x000000007730F000-memory.dmp family_blackmoon behavioral1/memory/1996-15684-0x0000000077310000-0x000000007740A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1440 djpvd.exe 1256 djvvv.exe 2300 xlxfllx.exe 2212 pdjpv.exe 2776 lxlxxll.exe 2720 3ntbbt.exe 2824 vjvpp.exe 2596 5fllrrr.exe 2732 tnnthh.exe 2580 pdppp.exe 2968 hhbhtb.exe 2612 thbtth.exe 872 flllfxr.exe 1808 3lxflrr.exe 1704 hbtbnt.exe 2304 pdvpp.exe 2408 nbbthb.exe 2500 dpppv.exe 1452 3rxflff.exe 2044 fflrxfr.exe 1852 pjppv.exe 2264 llrflrl.exe 2868 9nthhn.exe 1132 1nbthh.exe 552 rrlrflx.exe 1544 9hnhhh.exe 788 vvdpd.exe 2336 9llrxxf.exe 1628 tnnbnb.exe 580 vjppv.exe 1880 7xlxrxx.exe 1748 bnnnht.exe 2896 vddpp.exe 1736 vjjjd.exe 2216 7llfrfr.exe 2208 lxffxrr.exe 700 bnbhnt.exe 2424 pdjjp.exe 2236 vpvvd.exe 3068 rflffxx.exe 2724 1ntnnh.exe 2892 3bbttn.exe 2716 dpjjp.exe 2888 rxlrffr.exe 2604 lflxxxl.exe 2680 nbnhnh.exe 2600 dvjjp.exe 2360 dpddp.exe 2972 rlxlrxx.exe 2984 lflffxx.exe 1520 htbttb.exe 2468 3vdvj.exe 1684 7xrxllr.exe 1808 lxxlrrr.exe 1704 bnttbb.exe 2404 jdppj.exe 772 dpvvv.exe 1984 xlfffxf.exe 1968 xflxfrl.exe 2028 bbnhtn.exe 2008 vjjjp.exe 2248 pdjjd.exe 2396 7xrlrrf.exe 952 7bhttn.exe -
resource yara_rule behavioral1/memory/2452-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2452-3-0x00000000002A0000-0x00000000002C7000-memory.dmp upx behavioral1/files/0x000c000000012281-6.dat upx behavioral1/memory/2452-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x001600000001866f-15.dat upx behavioral1/memory/1256-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1440-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1256-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2300-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000700000001868b-24.dat upx behavioral1/files/0x00060000000186f8-34.dat upx behavioral1/memory/2300-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018731-42.dat upx behavioral1/memory/2212-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0006000000018742-51.dat upx behavioral1/memory/2776-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000800000001878c-59.dat upx behavioral1/memory/2824-61-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2720-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2824-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000600000001942c-68.dat upx behavioral1/memory/2596-76-0x00000000002C0000-0x00000000002E7000-memory.dmp upx behavioral1/files/0x0005000000019438-77.dat upx behavioral1/memory/2732-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019456-85.dat upx behavioral1/memory/2580-92-0x0000000000220000-0x0000000000247000-memory.dmp upx behavioral1/files/0x000500000001945c-93.dat upx behavioral1/memory/2580-94-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019467-101.dat upx 
behavioral1/memory/2968-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019496-111.dat upx behavioral1/files/0x00050000000194ad-119.dat upx behavioral1/memory/872-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1808-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x00050000000194d0-127.dat upx behavioral1/files/0x00050000000194ef-136.dat upx behavioral1/files/0x00050000000194fc-144.dat upx behavioral1/memory/2304-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2408-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019506-153.dat upx behavioral1/memory/2500-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001952f-160.dat upx behavioral1/files/0x000500000001957e-168.dat upx behavioral1/files/0x00050000000195a7-176.dat upx behavioral1/memory/2044-177-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0009000000017491-184.dat upx behavioral1/files/0x00050000000195e6-192.dat upx behavioral1/memory/2868-200-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x000500000001961d-199.dat upx behavioral1/files/0x000500000001961f-208.dat upx behavioral1/files/0x0005000000019621-215.dat upx behavioral1/files/0x0005000000019622-222.dat upx behavioral1/files/0x0005000000019623-229.dat upx behavioral1/memory/2336-236-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/files/0x0005000000019625-237.dat upx behavioral1/files/0x0005000000019627-245.dat upx behavioral1/files/0x0005000000019629-252.dat upx behavioral1/files/0x000500000001962b-259.dat upx behavioral1/memory/1748-267-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2896-273-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/1736-280-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral1/memory/2888-337-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2680-348-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral1/memory/2972-364-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhtbh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrflllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rffffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llrfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2452 wrote to memory of 1440 2452 1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe 31 PID 2452 wrote to memory of 1440 2452 1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe 31 PID 2452 wrote to memory of 1440 2452 1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe 31 PID 2452 wrote to memory of 1440 2452 1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe 31 PID 1440 wrote to memory of 1256 1440 djpvd.exe 32 PID 1440 wrote to memory of 1256 1440 djpvd.exe 32 PID 1440 wrote to memory of 1256 1440 djpvd.exe 32 PID 1440 wrote to memory of 1256 1440 djpvd.exe 32 PID 1256 wrote to memory of 2300 1256 djvvv.exe 33 PID 1256 wrote to memory of 2300 1256 djvvv.exe 33 PID 1256 wrote to memory of 2300 1256 djvvv.exe 33 PID 1256 wrote to memory of 2300 1256 djvvv.exe 33 PID 2300 wrote to memory of 2212 2300 xlxfllx.exe 34 PID 2300 wrote to memory of 2212 2300 xlxfllx.exe 34 PID 2300 wrote to memory of 2212 2300 xlxfllx.exe 34 PID 2300 wrote to memory of 2212 2300 xlxfllx.exe 34 PID 2212 wrote to memory of 2776 2212 pdjpv.exe 35 PID 2212 wrote to memory of 2776 2212 pdjpv.exe 35 PID 2212 wrote to memory of 2776 2212 pdjpv.exe 35 PID 2212 wrote to memory of 2776 2212 pdjpv.exe 35 PID 2776 wrote to memory of 2720 2776 lxlxxll.exe 36 PID 2776 wrote to memory of 2720 2776 lxlxxll.exe 36 PID 2776 wrote to memory of 2720 2776 lxlxxll.exe 36 PID 2776 wrote to memory of 2720 2776 lxlxxll.exe 36 PID 2720 wrote to memory of 2824 2720 3ntbbt.exe 37 PID 2720 wrote to memory of 2824 2720 3ntbbt.exe 37 PID 2720 wrote to memory of 2824 2720 3ntbbt.exe 37 PID 2720 wrote to memory of 2824 2720 3ntbbt.exe 37 PID 2824 wrote to memory of 2596 2824 vjvpp.exe 38 PID 2824 wrote to memory of 2596 2824 vjvpp.exe 38 PID 2824 wrote to memory of 2596 2824 vjvpp.exe 38 PID 2824 wrote to memory of 2596 2824 vjvpp.exe 38 PID 2596 wrote to memory of 2732 2596 5fllrrr.exe 39 PID 2596 wrote 
to memory of 2732 2596 5fllrrr.exe 39 PID 2596 wrote to memory of 2732 2596 5fllrrr.exe 39 PID 2596 wrote to memory of 2732 2596 5fllrrr.exe 39 PID 2732 wrote to memory of 2580 2732 tnnthh.exe 40 PID 2732 wrote to memory of 2580 2732 tnnthh.exe 40 PID 2732 wrote to memory of 2580 2732 tnnthh.exe 40 PID 2732 wrote to memory of 2580 2732 tnnthh.exe 40 PID 2580 wrote to memory of 2968 2580 pdppp.exe 41 PID 2580 wrote to memory of 2968 2580 pdppp.exe 41 PID 2580 wrote to memory of 2968 2580 pdppp.exe 41 PID 2580 wrote to memory of 2968 2580 pdppp.exe 41 PID 2968 wrote to memory of 2612 2968 hhbhtb.exe 42 PID 2968 wrote to memory of 2612 2968 hhbhtb.exe 42 PID 2968 wrote to memory of 2612 2968 hhbhtb.exe 42 PID 2968 wrote to memory of 2612 2968 hhbhtb.exe 42 PID 2612 wrote to memory of 872 2612 thbtth.exe 43 PID 2612 wrote to memory of 872 2612 thbtth.exe 43 PID 2612 wrote to memory of 872 2612 thbtth.exe 43 PID 2612 wrote to memory of 872 2612 thbtth.exe 43 PID 872 wrote to memory of 1808 872 flllfxr.exe 44 PID 872 wrote to memory of 1808 872 flllfxr.exe 44 PID 872 wrote to memory of 1808 872 flllfxr.exe 44 PID 872 wrote to memory of 1808 872 flllfxr.exe 44 PID 1808 wrote to memory of 1704 1808 3lxflrr.exe 45 PID 1808 wrote to memory of 1704 1808 3lxflrr.exe 45 PID 1808 wrote to memory of 1704 1808 3lxflrr.exe 45 PID 1808 wrote to memory of 1704 1808 3lxflrr.exe 45 PID 1704 wrote to memory of 2304 1704 hbtbnt.exe 46 PID 1704 wrote to memory of 2304 1704 hbtbnt.exe 46 PID 1704 wrote to memory of 2304 1704 hbtbnt.exe 46 PID 1704 wrote to memory of 2304 1704 hbtbnt.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe"C:\Users\Admin\AppData\Local\Temp\1815b7f9a5f5e5c066d323648b9fda6e112040d2ea4c883a2f3d3c57df785991N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\djpvd.exec:\djpvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\djvvv.exec:\djvvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\xlxfllx.exec:\xlxfllx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\pdjpv.exec:\pdjpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\lxlxxll.exec:\lxlxxll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\3ntbbt.exec:\3ntbbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\vjvpp.exec:\vjvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\5fllrrr.exec:\5fllrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\tnnthh.exec:\tnnthh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\pdppp.exec:\pdppp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\hhbhtb.exec:\hhbhtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\thbtth.exec:\thbtth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\flllfxr.exec:\flllfxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\3lxflrr.exec:\3lxflrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\hbtbnt.exec:\hbtbnt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\pdvpp.exec:\pdvpp.exe17⤵
- Executes dropped EXE
PID:2304 -
\??\c:\nbbthb.exec:\nbbthb.exe18⤵
- Executes dropped EXE
PID:2408 -
\??\c:\dpppv.exec:\dpppv.exe19⤵
- Executes dropped EXE
PID:2500 -
\??\c:\3rxflff.exec:\3rxflff.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1452 -
\??\c:\fflrxfr.exec:\fflrxfr.exe21⤵
- Executes dropped EXE
PID:2044 -
\??\c:\pjppv.exec:\pjppv.exe22⤵
- Executes dropped EXE
PID:1852 -
\??\c:\llrflrl.exec:\llrflrl.exe23⤵
- Executes dropped EXE
PID:2264 -
\??\c:\9nthhn.exec:\9nthhn.exe24⤵
- Executes dropped EXE
PID:2868 -
\??\c:\1nbthh.exec:\1nbthh.exe25⤵
- Executes dropped EXE
PID:1132 -
\??\c:\rrlrflx.exec:\rrlrflx.exe26⤵
- Executes dropped EXE
PID:552 -
\??\c:\9hnhhh.exec:\9hnhhh.exe27⤵
- Executes dropped EXE
PID:1544 -
\??\c:\vvdpd.exec:\vvdpd.exe28⤵
- Executes dropped EXE
PID:788 -
\??\c:\9llrxxf.exec:\9llrxxf.exe29⤵
- Executes dropped EXE
PID:2336 -
\??\c:\tnnbnb.exec:\tnnbnb.exe30⤵
- Executes dropped EXE
PID:1628 -
\??\c:\vjppv.exec:\vjppv.exe31⤵
- Executes dropped EXE
PID:580 -
\??\c:\7xlxrxx.exec:\7xlxrxx.exe32⤵
- Executes dropped EXE
PID:1880 -
\??\c:\bnnnht.exec:\bnnnht.exe33⤵
- Executes dropped EXE
PID:1748 -
\??\c:\vddpp.exec:\vddpp.exe34⤵
- Executes dropped EXE
PID:2896 -
\??\c:\vjjjd.exec:\vjjjd.exe35⤵
- Executes dropped EXE
PID:1736 -
\??\c:\7llfrfr.exec:\7llfrfr.exe36⤵
- Executes dropped EXE
PID:2216 -
\??\c:\lxffxrr.exec:\lxffxrr.exe37⤵
- Executes dropped EXE
PID:2208 -
\??\c:\bnbhnt.exec:\bnbhnt.exe38⤵
- Executes dropped EXE
PID:700 -
\??\c:\pdjjp.exec:\pdjjp.exe39⤵
- Executes dropped EXE
PID:2424 -
\??\c:\vpvvd.exec:\vpvvd.exe40⤵
- Executes dropped EXE
PID:2236 -
\??\c:\rflffxx.exec:\rflffxx.exe41⤵
- Executes dropped EXE
PID:3068 -
\??\c:\1ntnnh.exec:\1ntnnh.exe42⤵
- Executes dropped EXE
PID:2724 -
\??\c:\3bbttn.exec:\3bbttn.exe43⤵
- Executes dropped EXE
PID:2892 -
\??\c:\dpjjp.exec:\dpjjp.exe44⤵
- Executes dropped EXE
PID:2716 -
\??\c:\rxlrffr.exec:\rxlrffr.exe45⤵
- Executes dropped EXE
PID:2888 -
\??\c:\lflxxxl.exec:\lflxxxl.exe46⤵
- Executes dropped EXE
PID:2604 -
\??\c:\nbnhnh.exec:\nbnhnh.exe47⤵
- Executes dropped EXE
PID:2680 -
\??\c:\dvjjp.exec:\dvjjp.exe48⤵
- Executes dropped EXE
PID:2600 -
\??\c:\dpddp.exec:\dpddp.exe49⤵
- Executes dropped EXE
PID:2360 -
\??\c:\rlxlrxx.exec:\rlxlrxx.exe50⤵
- Executes dropped EXE
PID:2972 -
\??\c:\lflffxx.exec:\lflffxx.exe51⤵
- Executes dropped EXE
PID:2984 -
\??\c:\htbttb.exec:\htbttb.exe52⤵
- Executes dropped EXE
PID:1520 -
\??\c:\3vdvj.exec:\3vdvj.exe53⤵
- Executes dropped EXE
PID:2468 -
\??\c:\7xrxllr.exec:\7xrxllr.exe54⤵
- Executes dropped EXE
PID:1684 -
\??\c:\lxxlrrr.exec:\lxxlrrr.exe55⤵
- Executes dropped EXE
PID:1808 -
\??\c:\bnttbb.exec:\bnttbb.exe56⤵
- Executes dropped EXE
PID:1704 -
\??\c:\jdppj.exec:\jdppj.exe57⤵
- Executes dropped EXE
PID:2404 -
\??\c:\dpvvv.exec:\dpvvv.exe58⤵
- Executes dropped EXE
PID:772 -
\??\c:\xlfffxf.exec:\xlfffxf.exe59⤵
- Executes dropped EXE
PID:1984 -
\??\c:\xflxfrl.exec:\xflxfrl.exe60⤵
- Executes dropped EXE
PID:1968 -
\??\c:\bbnhtn.exec:\bbnhtn.exe61⤵
- Executes dropped EXE
PID:2028 -
\??\c:\vjjjp.exec:\vjjjp.exe62⤵
- Executes dropped EXE
PID:2008 -
\??\c:\pdjjd.exec:\pdjjd.exe63⤵
- Executes dropped EXE
PID:2248 -
\??\c:\7xrlrrf.exec:\7xrlrrf.exe64⤵
- Executes dropped EXE
PID:2396 -
\??\c:\7bhttn.exec:\7bhttn.exe65⤵
- Executes dropped EXE
PID:952 -
\??\c:\hbttbh.exec:\hbttbh.exe66⤵PID:1624
-
\??\c:\7jjdd.exec:\7jjdd.exe67⤵PID:1560
-
\??\c:\lfxxlfl.exec:\lfxxlfl.exe68⤵PID:1492
-
\??\c:\frfrxll.exec:\frfrxll.exe69⤵PID:836
-
\??\c:\9hbhnn.exec:\9hbhnn.exe70⤵PID:1532
-
\??\c:\7thhtt.exec:\7thhtt.exe71⤵PID:1536
-
\??\c:\dvjjd.exec:\dvjjd.exe72⤵PID:2084
-
\??\c:\rlxrrrx.exec:\rlxrrrx.exe73⤵PID:2184
-
\??\c:\nnbhbb.exec:\nnbhbb.exe74⤵PID:1156
-
\??\c:\3tbbbt.exec:\3tbbbt.exe75⤵PID:580
-
\??\c:\7pppv.exec:\7pppv.exe76⤵PID:2928
-
\??\c:\dpjdp.exec:\dpjdp.exe77⤵PID:2340
-
\??\c:\xrfxllx.exec:\xrfxllx.exe78⤵PID:2180
-
\??\c:\9nbntn.exec:\9nbntn.exe79⤵PID:2220
-
\??\c:\tntbhh.exec:\tntbhh.exe80⤵PID:1736
-
\??\c:\vpddj.exec:\vpddj.exe81⤵PID:2876
-
\??\c:\frxrrrr.exec:\frxrrrr.exe82⤵PID:3048
-
\??\c:\xrxffll.exec:\xrxffll.exe83⤵PID:2760
-
\??\c:\thnntt.exec:\thnntt.exe84⤵PID:2708
-
\??\c:\thbttn.exec:\thbttn.exe85⤵PID:2788
-
\??\c:\pdjjd.exec:\pdjjd.exe86⤵PID:2676
-
\??\c:\xlxxffr.exec:\xlxxffr.exe87⤵PID:2692
-
\??\c:\rlxxxfl.exec:\rlxxxfl.exe88⤵PID:2764
-
\??\c:\nhnhbt.exec:\nhnhbt.exe89⤵PID:1344
-
\??\c:\vpjdp.exec:\vpjdp.exe90⤵PID:2616
-
\??\c:\jdvdj.exec:\jdvdj.exe91⤵PID:2604
-
\??\c:\lxllrll.exec:\lxllrll.exe92⤵PID:2568
-
\??\c:\7httbb.exec:\7httbb.exe93⤵PID:2688
-
\??\c:\pjjpj.exec:\pjjpj.exe94⤵PID:2976
-
\??\c:\dvvpp.exec:\dvvpp.exe95⤵PID:1948
-
\??\c:\7rlrxfr.exec:\7rlrxfr.exe96⤵PID:2612
-
\??\c:\1lxxxxl.exec:\1lxxxxl.exe97⤵PID:1672
-
\??\c:\ttntbb.exec:\ttntbb.exe98⤵PID:2512
-
\??\c:\vpddj.exec:\vpddj.exe99⤵PID:2540
-
\??\c:\jdvdj.exec:\jdvdj.exe100⤵PID:1288
-
\??\c:\7lffffl.exec:\7lffffl.exe101⤵PID:2304
-
\??\c:\bthhbb.exec:\bthhbb.exe102⤵PID:1444
-
\??\c:\1nbntb.exec:\1nbntb.exe103⤵PID:2316
-
\??\c:\vjvvv.exec:\vjvvv.exe104⤵PID:2636
-
\??\c:\dvjpp.exec:\dvjpp.exe105⤵PID:380
-
\??\c:\lfrxflr.exec:\lfrxflr.exe106⤵PID:2012
-
\??\c:\hbhntb.exec:\hbhntb.exe107⤵PID:2656
-
\??\c:\bhbhtb.exec:\bhbhtb.exe108⤵PID:2272
-
\??\c:\jpdvp.exec:\jpdvp.exe109⤵PID:2752
-
\??\c:\pjvjv.exec:\pjvjv.exe110⤵PID:584
-
\??\c:\xrlfflr.exec:\xrlfflr.exe111⤵PID:1624
-
\??\c:\9tnntn.exec:\9tnntn.exe112⤵PID:1560
-
\??\c:\hbntnt.exec:\hbntnt.exe113⤵PID:3064
-
\??\c:\vpjjp.exec:\vpjjp.exe114⤵PID:1800
-
\??\c:\9dpjp.exec:\9dpjp.exe115⤵PID:1404
-
\??\c:\rlfrflx.exec:\rlfrflx.exe116⤵PID:1728
-
\??\c:\rlxxfff.exec:\rlxxfff.exe117⤵PID:1724
-
\??\c:\nbhbhn.exec:\nbhbhn.exe118⤵PID:780
-
\??\c:\dvpvd.exec:\dvpvd.exe119⤵PID:2372
-
\??\c:\pddjp.exec:\pddjp.exe120⤵PID:1656
-
\??\c:\lrxxxfl.exec:\lrxxxfl.exe121⤵PID:896
-
\??\c:\llxfrxf.exec:\llxfrxf.exe122⤵PID:1996