Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
11-01-2025 06:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe
-
Size
454KB
-
MD5
f9d59d084833e8264cbdfde9a944e700
-
SHA1
3a2038a3abf2767b26bf712d1c02aa3b6a372c75
-
SHA256
6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732
-
SHA512
82e3b9ce842b926f836119c67239de19a87661c52c1f6a5d68051b7a48d16245669d74619064d9d2bf93f42335f17880da24c531ec31a85fdec984589829f022
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 55 IoCs
resource yara_rule behavioral1/memory/1868-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2464-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2808-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2488-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2760-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-62-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2520-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2660-64-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/2848-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1588-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2556-100-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2728-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1424-134-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1424-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1252-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2740-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-191-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2892-210-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/572-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/864-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2424-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2924-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1584-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2320-325-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2540-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2540-361-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2548-369-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/868-376-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/1888-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1452-433-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1748-436-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2868-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2920-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/808-518-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/660-524-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/2724-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2568-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2604-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2200-746-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1960-772-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1960-791-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1504-840-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/2708-878-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2792-905-0x0000000000230000-0x000000000025A000-memory.dmp family_blackmoon behavioral1/memory/1424-966-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/1028-1067-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1716-1312-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/644-1340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1868 tnhhnt.exe 2808 9rfxxlr.exe 2488 jvjjp.exe 2608 frffrfr.exe 2760 vdvdj.exe 2660 3frlxfl.exe 2520 7tnnnt.exe 2848 5jdpv.exe 2560 vvjpd.exe 2556 7dvdj.exe 1588 lxrlxfr.exe 1084 jdjdp.exe 2728 5tnbnt.exe 1424 3bhhhn.exe 1268 vjvvv.exe 1252 7nhhnh.exe 2828 fxrxffl.exe 2868 fxlrxxl.exe 2740 7ntntn.exe 872 xrlxflr.exe 3040 3lxxxrx.exe 2892 rrlxxlx.exe 572 ddvvj.exe 864 fxlxxfl.exe 808 7ttbnn.exe 924 hbnbtb.exe 768 djdjp.exe 2224 ffrrxxl.exe 1836 3hthbh.exe 1440 5ppvd.exe 2424 pjddj.exe 1652 fxfllrf.exe 2272 bttbbn.exe 2924 dddvv.exe 272 xlxxfxf.exe 1584 bnbhnt.exe 2320 nbtntn.exe 2724 jjddv.exe 2764 fxxfffl.exe 2624 rllxflr.exe 2632 nhtttt.exe 2540 pjvvp.exe 2548 fxfrffl.exe 868 9fxflrr.exe 2532 hhtbhb.exe 1852 5dvdv.exe 2564 lfxflrl.exe 1888 tntnhn.exe 2832 hthbhh.exe 1552 pvdjv.exe 1432 rlfrffl.exe 1452 rlxfxxf.exe 1748 bbttbh.exe 1968 3pjpp.exe 2864 dvjdd.exe 2868 llrlrrx.exe 2212 hbhthh.exe 2920 dvvvj.exe 1792 lxllllx.exe 2460 lllflxr.exe 1756 hbhbnt.exe 1108 vpvjp.exe 2116 vvvjp.exe 1628 rrflxxl.exe -
resource yara_rule behavioral1/memory/2464-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2464-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2808-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2488-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2608-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-62-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2520-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2660-64-0x00000000003B0000-0x00000000003DA000-memory.dmp upx behavioral1/memory/2848-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1588-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1084-118-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/2728-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1424-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1252-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2740-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/872-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/572-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/864-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2424-288-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2924-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1584-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2320-325-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2540-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1888-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1748-436-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2868-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2920-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2460-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1532-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1868-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2760-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2568-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1452-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2708-872-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-898-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2792-905-0x0000000000230000-0x000000000025A000-memory.dmp upx behavioral1/memory/3044-992-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1960-1041-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2000-1054-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1028-1067-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1948-1153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1220-1215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1904-1228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-1253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/644-1340-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrllrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fllrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2464 wrote to memory of 1868 2464 6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe 30 PID 2464 wrote to memory of 1868 2464 6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe 30 PID 2464 wrote to memory of 1868 2464 6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe 30 PID 2464 wrote to memory of 1868 2464 6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe 30 PID 1868 wrote to memory of 2808 1868 tnhhnt.exe 31 PID 1868 wrote to memory of 2808 1868 tnhhnt.exe 31 PID 1868 wrote to memory of 2808 1868 tnhhnt.exe 31 PID 1868 wrote to memory of 2808 1868 tnhhnt.exe 31 PID 2808 wrote to memory of 2488 2808 9rfxxlr.exe 32 PID 2808 wrote to memory of 2488 2808 9rfxxlr.exe 32 PID 2808 wrote to memory of 2488 2808 9rfxxlr.exe 32 PID 2808 wrote to memory of 2488 2808 9rfxxlr.exe 32 PID 2488 wrote to memory of 2608 2488 jvjjp.exe 33 PID 2488 wrote to memory of 2608 2488 jvjjp.exe 33 PID 2488 wrote to memory of 2608 2488 jvjjp.exe 33 PID 2488 wrote to memory of 2608 2488 jvjjp.exe 33 PID 2608 wrote to memory of 2760 2608 frffrfr.exe 34 PID 2608 wrote to memory of 2760 2608 frffrfr.exe 34 PID 2608 wrote to memory of 2760 2608 frffrfr.exe 34 PID 2608 wrote to memory of 2760 2608 frffrfr.exe 34 PID 2760 wrote to memory of 2660 2760 vdvdj.exe 35 PID 2760 wrote to memory of 2660 2760 vdvdj.exe 35 PID 2760 wrote to memory of 2660 2760 vdvdj.exe 35 PID 2760 wrote to memory of 2660 2760 vdvdj.exe 35 PID 2660 wrote to memory of 2520 2660 3frlxfl.exe 36 PID 2660 wrote to memory of 2520 2660 3frlxfl.exe 36 PID 2660 wrote to memory of 2520 2660 3frlxfl.exe 36 PID 2660 wrote to memory of 2520 2660 3frlxfl.exe 36 PID 2520 wrote to memory of 2848 2520 7tnnnt.exe 37 PID 2520 wrote to memory of 2848 2520 7tnnnt.exe 37 PID 2520 wrote to memory of 2848 2520 7tnnnt.exe 37 PID 2520 wrote to memory of 2848 2520 7tnnnt.exe 37 PID 2848 wrote to memory of 2560 2848 5jdpv.exe 38 PID 
2848 wrote to memory of 2560 2848 5jdpv.exe 38 PID 2848 wrote to memory of 2560 2848 5jdpv.exe 38 PID 2848 wrote to memory of 2560 2848 5jdpv.exe 38 PID 2560 wrote to memory of 2556 2560 vvjpd.exe 39 PID 2560 wrote to memory of 2556 2560 vvjpd.exe 39 PID 2560 wrote to memory of 2556 2560 vvjpd.exe 39 PID 2560 wrote to memory of 2556 2560 vvjpd.exe 39 PID 2556 wrote to memory of 1588 2556 7dvdj.exe 40 PID 2556 wrote to memory of 1588 2556 7dvdj.exe 40 PID 2556 wrote to memory of 1588 2556 7dvdj.exe 40 PID 2556 wrote to memory of 1588 2556 7dvdj.exe 40 PID 1588 wrote to memory of 1084 1588 lxrlxfr.exe 41 PID 1588 wrote to memory of 1084 1588 lxrlxfr.exe 41 PID 1588 wrote to memory of 1084 1588 lxrlxfr.exe 41 PID 1588 wrote to memory of 1084 1588 lxrlxfr.exe 41 PID 1084 wrote to memory of 2728 1084 jdjdp.exe 42 PID 1084 wrote to memory of 2728 1084 jdjdp.exe 42 PID 1084 wrote to memory of 2728 1084 jdjdp.exe 42 PID 1084 wrote to memory of 2728 1084 jdjdp.exe 42 PID 2728 wrote to memory of 1424 2728 5tnbnt.exe 43 PID 2728 wrote to memory of 1424 2728 5tnbnt.exe 43 PID 2728 wrote to memory of 1424 2728 5tnbnt.exe 43 PID 2728 wrote to memory of 1424 2728 5tnbnt.exe 43 PID 1424 wrote to memory of 1268 1424 3bhhhn.exe 44 PID 1424 wrote to memory of 1268 1424 3bhhhn.exe 44 PID 1424 wrote to memory of 1268 1424 3bhhhn.exe 44 PID 1424 wrote to memory of 1268 1424 3bhhhn.exe 44 PID 1268 wrote to memory of 1252 1268 vjvvv.exe 45 PID 1268 wrote to memory of 1252 1268 vjvvv.exe 45 PID 1268 wrote to memory of 1252 1268 vjvvv.exe 45 PID 1268 wrote to memory of 1252 1268 vjvvv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe"C:\Users\Admin\AppData\Local\Temp\6572e0751e39299b0cdc3faf5689a97bcece5ba8de9c08828fa5678926054732N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\tnhhnt.exec:\tnhhnt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\9rfxxlr.exec:\9rfxxlr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\jvjjp.exec:\jvjjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\frffrfr.exec:\frffrfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\vdvdj.exec:\vdvdj.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\3frlxfl.exec:\3frlxfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\7tnnnt.exec:\7tnnnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\5jdpv.exec:\5jdpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\vvjpd.exec:\vvjpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\7dvdj.exec:\7dvdj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\lxrlxfr.exec:\lxrlxfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\jdjdp.exec:\jdjdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\5tnbnt.exec:\5tnbnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\3bhhhn.exec:\3bhhhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\vjvvv.exec:\vjvvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\7nhhnh.exec:\7nhhnh.exe17⤵
- Executes dropped EXE
PID:1252 -
\??\c:\fxrxffl.exec:\fxrxffl.exe18⤵
- Executes dropped EXE
PID:2828 -
\??\c:\fxlrxxl.exec:\fxlrxxl.exe19⤵
- Executes dropped EXE
PID:2868 -
\??\c:\7ntntn.exec:\7ntntn.exe20⤵
- Executes dropped EXE
PID:2740 -
\??\c:\xrlxflr.exec:\xrlxflr.exe21⤵
- Executes dropped EXE
PID:872 -
\??\c:\3lxxxrx.exec:\3lxxxrx.exe22⤵
- Executes dropped EXE
PID:3040 -
\??\c:\rrlxxlx.exec:\rrlxxlx.exe23⤵
- Executes dropped EXE
PID:2892 -
\??\c:\ddvvj.exec:\ddvvj.exe24⤵
- Executes dropped EXE
PID:572 -
\??\c:\fxlxxfl.exec:\fxlxxfl.exe25⤵
- Executes dropped EXE
PID:864 -
\??\c:\7ttbnn.exec:\7ttbnn.exe26⤵
- Executes dropped EXE
PID:808 -
\??\c:\hbnbtb.exec:\hbnbtb.exe27⤵
- Executes dropped EXE
PID:924 -
\??\c:\djdjp.exec:\djdjp.exe28⤵
- Executes dropped EXE
PID:768 -
\??\c:\ffrrxxl.exec:\ffrrxxl.exe29⤵
- Executes dropped EXE
PID:2224 -
\??\c:\3hthbh.exec:\3hthbh.exe30⤵
- Executes dropped EXE
PID:1836 -
\??\c:\5ppvd.exec:\5ppvd.exe31⤵
- Executes dropped EXE
PID:1440 -
\??\c:\pjddj.exec:\pjddj.exe32⤵
- Executes dropped EXE
PID:2424 -
\??\c:\fxfllrf.exec:\fxfllrf.exe33⤵
- Executes dropped EXE
PID:1652 -
\??\c:\bttbbn.exec:\bttbbn.exe34⤵
- Executes dropped EXE
PID:2272 -
\??\c:\dddvv.exec:\dddvv.exe35⤵
- Executes dropped EXE
PID:2924 -
\??\c:\xlxxfxf.exec:\xlxxfxf.exe36⤵
- Executes dropped EXE
PID:272 -
\??\c:\bnbhnt.exec:\bnbhnt.exe37⤵
- Executes dropped EXE
PID:1584 -
\??\c:\nbtntn.exec:\nbtntn.exe38⤵
- Executes dropped EXE
PID:2320 -
\??\c:\jjddv.exec:\jjddv.exe39⤵
- Executes dropped EXE
PID:2724 -
\??\c:\fxxfffl.exec:\fxxfffl.exe40⤵
- Executes dropped EXE
PID:2764 -
\??\c:\rllxflr.exec:\rllxflr.exe41⤵
- Executes dropped EXE
PID:2624 -
\??\c:\nhtttt.exec:\nhtttt.exe42⤵
- Executes dropped EXE
PID:2632 -
\??\c:\pjvvp.exec:\pjvvp.exe43⤵
- Executes dropped EXE
PID:2540 -
\??\c:\fxfrffl.exec:\fxfrffl.exe44⤵
- Executes dropped EXE
PID:2548 -
\??\c:\9fxflrr.exec:\9fxflrr.exe45⤵
- Executes dropped EXE
PID:868 -
\??\c:\hhtbhb.exec:\hhtbhb.exe46⤵
- Executes dropped EXE
PID:2532 -
\??\c:\5dvdv.exec:\5dvdv.exe47⤵
- Executes dropped EXE
PID:1852 -
\??\c:\lfxflrl.exec:\lfxflrl.exe48⤵
- Executes dropped EXE
PID:2564 -
\??\c:\tntnhn.exec:\tntnhn.exe49⤵
- Executes dropped EXE
PID:1888 -
\??\c:\hthbhh.exec:\hthbhh.exe50⤵
- Executes dropped EXE
PID:2832 -
\??\c:\pvdjv.exec:\pvdjv.exe51⤵
- Executes dropped EXE
PID:1552 -
\??\c:\rlfrffl.exec:\rlfrffl.exe52⤵
- Executes dropped EXE
PID:1432 -
\??\c:\rlxfxxf.exec:\rlxfxxf.exe53⤵
- Executes dropped EXE
PID:1452 -
\??\c:\bbttbh.exec:\bbttbh.exe54⤵
- Executes dropped EXE
PID:1748 -
\??\c:\3pjpp.exec:\3pjpp.exe55⤵
- Executes dropped EXE
PID:1968 -
\??\c:\dvjdd.exec:\dvjdd.exe56⤵
- Executes dropped EXE
PID:2864 -
\??\c:\llrlrrx.exec:\llrlrrx.exe57⤵
- Executes dropped EXE
PID:2868 -
\??\c:\hbhthh.exec:\hbhthh.exe58⤵
- Executes dropped EXE
PID:2212 -
\??\c:\dvvvj.exec:\dvvvj.exe59⤵
- Executes dropped EXE
PID:2920 -
\??\c:\lxllllx.exec:\lxllllx.exe60⤵
- Executes dropped EXE
PID:1792 -
\??\c:\lllflxr.exec:\lllflxr.exe61⤵
- Executes dropped EXE
PID:2460 -
\??\c:\hbhbnt.exec:\hbhbnt.exe62⤵
- Executes dropped EXE
PID:1756 -
\??\c:\vpvjp.exec:\vpvjp.exe63⤵
- Executes dropped EXE
PID:1108 -
\??\c:\vvvjp.exec:\vvvjp.exe64⤵
- Executes dropped EXE
PID:2116 -
\??\c:\rrflxxl.exec:\rrflxxl.exe65⤵
- Executes dropped EXE
PID:1628 -
\??\c:\btnnbb.exec:\btnnbb.exe66⤵PID:808
-
\??\c:\ddvpd.exec:\ddvpd.exe67⤵PID:660
-
\??\c:\pjdjp.exec:\pjdjp.exe68⤵PID:1484
-
\??\c:\1lrxlrl.exec:\1lrxlrl.exe69⤵PID:1640
-
\??\c:\1bhnbh.exec:\1bhnbh.exe70⤵PID:2356
-
\??\c:\hbhntn.exec:\hbhntn.exe71⤵PID:2388
-
\??\c:\jvjpv.exec:\jvjpv.exe72⤵PID:1692
-
\??\c:\xrxrfff.exec:\xrxrfff.exe73⤵PID:1956
-
\??\c:\lxllrrl.exec:\lxllrrl.exe74⤵PID:1532
-
\??\c:\hbnhtn.exec:\hbnhtn.exe75⤵PID:1652
-
\??\c:\1jvpp.exec:\1jvpp.exe76⤵PID:1868
-
\??\c:\lxxfllr.exec:\lxxfllr.exe77⤵PID:1796
-
\??\c:\lxxfrrx.exec:\lxxfrrx.exe78⤵PID:272
-
\??\c:\thnntb.exec:\thnntb.exe79⤵PID:1584
-
\??\c:\9vpjp.exec:\9vpjp.exe80⤵PID:2320
-
\??\c:\jdjjp.exec:\jdjjp.exe81⤵PID:2724
-
\??\c:\fxllrxf.exec:\fxllrxf.exe82⤵PID:2760
-
\??\c:\tnbntb.exec:\tnbntb.exe83⤵PID:2624
-
\??\c:\ttbhbn.exec:\ttbhbn.exe84⤵PID:2796
-
\??\c:\3jjpd.exec:\3jjpd.exe85⤵PID:2768
-
\??\c:\5lffrfr.exec:\5lffrfr.exe86⤵PID:2568
-
\??\c:\ffxllxl.exec:\ffxllxl.exe87⤵PID:2064
-
\??\c:\ttttbh.exec:\ttttbh.exe88⤵PID:2196
-
\??\c:\vpjjp.exec:\vpjjp.exe89⤵PID:2268
-
\??\c:\xrxxffr.exec:\xrxxffr.exe90⤵PID:2736
-
\??\c:\9lflxxf.exec:\9lflxxf.exe91⤵PID:2040
-
\??\c:\7bhhht.exec:\7bhhht.exe92⤵PID:1648
-
\??\c:\tnhttt.exec:\tnhttt.exe93⤵PID:2728
-
\??\c:\pjjjp.exec:\pjjjp.exe94⤵PID:2604
-
\??\c:\frlrrxf.exec:\frlrrxf.exe95⤵
- System Location Discovery: System Language Discovery
PID:560 -
\??\c:\ffflxfr.exec:\ffflxfr.exe96⤵PID:1452
-
\??\c:\nhtnbh.exec:\nhtnbh.exe97⤵PID:1748
-
\??\c:\jjddj.exec:\jjddj.exe98⤵PID:1708
-
\??\c:\pdddd.exec:\pdddd.exe99⤵PID:2880
-
\??\c:\xrrrxfl.exec:\xrrrxfl.exe100⤵PID:1952
-
\??\c:\nbtttt.exec:\nbtttt.exe101⤵PID:3056
-
\??\c:\hhbhhh.exec:\hhbhhh.exe102⤵PID:2200
-
\??\c:\jddpj.exec:\jddpj.exe103⤵PID:712
-
\??\c:\xrlrllr.exec:\xrlrllr.exe104⤵PID:2492
-
\??\c:\bhhnbh.exec:\bhhnbh.exe105⤵PID:448
-
\??\c:\1nbhhh.exec:\1nbhhh.exe106⤵PID:1960
-
\??\c:\ddvvd.exec:\ddvvd.exe107⤵PID:864
-
\??\c:\fxrfrff.exec:\fxrfrff.exe108⤵PID:2000
-
\??\c:\7tnntt.exec:\7tnntt.exe109⤵PID:916
-
\??\c:\tnbbhh.exec:\tnbbhh.exe110⤵PID:696
-
\??\c:\jppvj.exec:\jppvj.exe111⤵PID:768
-
\??\c:\xlrlrrx.exec:\xlrlrrx.exe112⤵PID:2176
-
\??\c:\nnntbh.exec:\nnntbh.exe113⤵PID:1256
-
\??\c:\ntthbn.exec:\ntthbn.exe114⤵PID:1156
-
\??\c:\dpppv.exec:\dpppv.exe115⤵PID:2240
-
\??\c:\rrlrrrx.exec:\rrlrrrx.exe116⤵PID:880
-
\??\c:\hbhntb.exec:\hbhntb.exe117⤵PID:1504
-
\??\c:\htbbbh.exec:\htbbbh.exe118⤵PID:1000
-
\??\c:\vdppv.exec:\vdppv.exe119⤵PID:2444
-
\??\c:\fxllrlx.exec:\fxllrlx.exe120⤵PID:2808
-
\??\c:\xrfxxlf.exec:\xrfxxlf.exe121⤵PID:2644
-
\??\c:\hbttnt.exec:\hbttnt.exe122⤵PID:2704