Analysis
-
max time kernel
120s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 03:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
54d7363ec8556b4406c87bb95f44e1772c643884a65e761e54d423579651bef2N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
54d7363ec8556b4406c87bb95f44e1772c643884a65e761e54d423579651bef2N.exe
-
Size
454KB
-
MD5
1784a484f37c946ec7c82c7e4dd809d0
-
SHA1
4bacd79211427c1fea95fadb75e1133f937e6c40
-
SHA256
54d7363ec8556b4406c87bb95f44e1772c643884a65e761e54d423579651bef2
-
SHA512
83653061c8f75e196b49314a8b6ccd928da1bb65827162adebbcbbf94b9d705f25a0f252ad3f9c9d5294aa3a9fdbb9fd945407e35f4c272f65cd60715f2c314e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeB:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 46 IoCs
resource yara_rule behavioral1/memory/2652-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2372-16-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1924-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3064-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2440-87-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/1720-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2860-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-121-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/852-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/852-126-0x0000000000320000-0x000000000034A000-memory.dmp family_blackmoon behavioral1/memory/1284-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/900-142-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1700-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/584-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1792-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/708-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2928-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1968-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/3000-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1736-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2484-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1572-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2136-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-320-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2736-335-0x0000000000330000-0x000000000035A000-memory.dmp family_blackmoon behavioral1/memory/2604-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1484-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1208-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2140-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2044-436-0x00000000003B0000-0x00000000003DA000-memory.dmp family_blackmoon behavioral1/memory/1700-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2460-535-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2724-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2756-601-0x00000000002A0000-0x00000000002CA000-memory.dmp family_blackmoon behavioral1/memory/2732-621-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2612-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2244-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1664-695-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/936-742-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/464-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2608-874-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/2824-887-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2372 1pjvj.exe 2816 dvjjd.exe 1924 3thhtt.exe 2952 rlfflrl.exe 2732 fxllxxf.exe 2624 9xxlrxl.exe 3064 1hbhhn.exe 2440 rrlxrxx.exe 1720 tnbbnt.exe 2912 lxrrfrf.exe 2860 nnnbtn.exe 852 9lxlflx.exe 1284 tnbbbh.exe 900 7xxxlfr.exe 2060 hhthtb.exe 1700 rrlrxfx.exe 584 tnbnbh.exe 1792 3lxrrlf.exe 708 bnbhtt.exe 1768 hbthnb.exe 1704 nhtbnt.exe 2548 lllxrlx.exe 2928 tnnbhn.exe 1968 1xrfxfr.exe 3000 hhbnth.exe 2488 rrrxlrl.exe 1736 httbhn.exe 1240 pjdjj.exe 1616 rlxfrxr.exe 2484 vdvpd.exe 2668 lrlfxlf.exe 1572 pjppj.exe 2136 ffxfxfx.exe 2680 1nhbhh.exe 2588 dvjpd.exe 2736 fxlrrrf.exe 1256 bthhnt.exe 2732 ppdpp.exe 2604 1xlrxff.exe 1484 9rllrxl.exe 2064 bnnbbb.exe 1208 dvjvp.exe 2140 5fxlflx.exe 2808 tttbtb.exe 2008 dvvpj.exe 1620 3ffxllx.exe 2244 lrfxfrx.exe 2856 tbnhbh.exe 264 vvdpj.exe 2192 lfrxllx.exe 1040 llfxlrr.exe 2044 tttbnn.exe 1700 djdjv.exe 1448 lllrlxl.exe 968 fxllxxl.exe 2960 9hbhhh.exe 2412 3dpdj.exe 1768 rrrxxff.exe 2920 bhtbhb.exe 1520 hthnbh.exe 2660 ppdpd.exe 2424 frffxxl.exe 2096 tnbntb.exe 2460 bnbhbn.exe -
resource yara_rule behavioral1/memory/2652-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2372-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1924-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2952-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2440-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3064-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1720-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2860-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/852-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/900-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1284-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/584-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1792-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/708-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1768-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2928-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-236-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/3000-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1736-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1572-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2136-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2604-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1484-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1208-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2140-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2192-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1700-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2724-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2612-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2244-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/464-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2844-847-0x00000000003C0000-0x00000000003EA000-memory.dmp upx behavioral1/memory/2964-852-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rflrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1htttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxflffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2652 wrote to memory of 2372 2652 54d7363ec8556b4406c87bb95f44e1772c643884a65e761e54d423579651bef2N.exe 30 PID 2652 wrote to memory of 2372 2652 54d7363ec8556b4406c87bb95f44e1772c643884a65e761e54d423579651bef2N.exe 30 PID 2652 wrote to memory of 2372 2652 54d7363ec8556b4406c87bb95f44e1772c643884a65e761e54d423579651bef2N.exe 30 PID 2652 wrote to memory of 2372 2652 54d7363ec8556b4406c87bb95f44e1772c643884a65e761e54d423579651bef2N.exe 30 PID 2372 wrote to memory of 2816 2372 1pjvj.exe 31 PID 2372 wrote to memory of 2816 2372 1pjvj.exe 31 PID 2372 wrote to memory of 2816 2372 1pjvj.exe 31 PID 2372 wrote to memory of 2816 2372 1pjvj.exe 31 PID 2816 wrote to memory of 1924 2816 dvjjd.exe 32 PID 2816 wrote to memory of 1924 2816 dvjjd.exe 32 PID 2816 wrote to memory of 1924 2816 dvjjd.exe 32 PID 2816 wrote to memory of 1924 2816 dvjjd.exe 32 PID 1924 wrote to memory of 2952 1924 3thhtt.exe 33 PID 1924 wrote to memory of 2952 1924 3thhtt.exe 33 PID 1924 wrote to memory of 2952 1924 3thhtt.exe 33 PID 1924 wrote to memory of 2952 1924 3thhtt.exe 33 PID 2952 wrote to memory of 2732 2952 rlfflrl.exe 34 PID 2952 wrote to memory of 2732 2952 rlfflrl.exe 34 PID 2952 wrote to memory of 2732 2952 rlfflrl.exe 34 PID 2952 wrote to memory of 2732 2952 rlfflrl.exe 34 PID 2732 wrote to memory of 2624 2732 fxllxxf.exe 35 PID 2732 wrote to memory of 2624 2732 fxllxxf.exe 35 PID 2732 wrote to memory of 2624 2732 fxllxxf.exe 35 PID 2732 wrote to memory of 2624 2732 fxllxxf.exe 35 PID 2624 wrote to memory of 3064 2624 9xxlrxl.exe 36 PID 2624 wrote to memory of 3064 2624 9xxlrxl.exe 36 PID 2624 wrote to memory of 3064 2624 9xxlrxl.exe 36 PID 2624 wrote to memory of 3064 2624 9xxlrxl.exe 36 PID 3064 wrote to memory of 2440 3064 1hbhhn.exe 37 PID 3064 wrote to memory of 2440 3064 1hbhhn.exe 37 PID 3064 wrote to memory of 2440 3064 1hbhhn.exe 37 PID 3064 wrote to memory of 2440 3064 1hbhhn.exe 37 PID 2440 wrote to memory of 1720 2440 rrlxrxx.exe 38 PID 
2440 wrote to memory of 1720 2440 rrlxrxx.exe 38 PID 2440 wrote to memory of 1720 2440 rrlxrxx.exe 38 PID 2440 wrote to memory of 1720 2440 rrlxrxx.exe 38 PID 1720 wrote to memory of 2912 1720 tnbbnt.exe 39 PID 1720 wrote to memory of 2912 1720 tnbbnt.exe 39 PID 1720 wrote to memory of 2912 1720 tnbbnt.exe 39 PID 1720 wrote to memory of 2912 1720 tnbbnt.exe 39 PID 2912 wrote to memory of 2860 2912 lxrrfrf.exe 40 PID 2912 wrote to memory of 2860 2912 lxrrfrf.exe 40 PID 2912 wrote to memory of 2860 2912 lxrrfrf.exe 40 PID 2912 wrote to memory of 2860 2912 lxrrfrf.exe 40 PID 2860 wrote to memory of 852 2860 nnnbtn.exe 41 PID 2860 wrote to memory of 852 2860 nnnbtn.exe 41 PID 2860 wrote to memory of 852 2860 nnnbtn.exe 41 PID 2860 wrote to memory of 852 2860 nnnbtn.exe 41 PID 852 wrote to memory of 1284 852 9lxlflx.exe 42 PID 852 wrote to memory of 1284 852 9lxlflx.exe 42 PID 852 wrote to memory of 1284 852 9lxlflx.exe 42 PID 852 wrote to memory of 1284 852 9lxlflx.exe 42 PID 1284 wrote to memory of 900 1284 tnbbbh.exe 43 PID 1284 wrote to memory of 900 1284 tnbbbh.exe 43 PID 1284 wrote to memory of 900 1284 tnbbbh.exe 43 PID 1284 wrote to memory of 900 1284 tnbbbh.exe 43 PID 900 wrote to memory of 2060 900 7xxxlfr.exe 44 PID 900 wrote to memory of 2060 900 7xxxlfr.exe 44 PID 900 wrote to memory of 2060 900 7xxxlfr.exe 44 PID 900 wrote to memory of 2060 900 7xxxlfr.exe 44 PID 2060 wrote to memory of 1700 2060 hhthtb.exe 45 PID 2060 wrote to memory of 1700 2060 hhthtb.exe 45 PID 2060 wrote to memory of 1700 2060 hhthtb.exe 45 PID 2060 wrote to memory of 1700 2060 hhthtb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\54d7363ec8556b4406c87bb95f44e1772c643884a65e761e54d423579651bef2N.exe"C:\Users\Admin\AppData\Local\Temp\54d7363ec8556b4406c87bb95f44e1772c643884a65e761e54d423579651bef2N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\1pjvj.exec:\1pjvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\dvjjd.exec:\dvjjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\3thhtt.exec:\3thhtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\rlfflrl.exec:\rlfflrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\fxllxxf.exec:\fxllxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\9xxlrxl.exec:\9xxlrxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\1hbhhn.exec:\1hbhhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\rrlxrxx.exec:\rrlxrxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\tnbbnt.exec:\tnbbnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\lxrrfrf.exec:\lxrrfrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\nnnbtn.exec:\nnnbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\9lxlflx.exec:\9lxlflx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\tnbbbh.exec:\tnbbbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\7xxxlfr.exec:\7xxxlfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:900 -
\??\c:\hhthtb.exec:\hhthtb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\rrlrxfx.exec:\rrlrxfx.exe17⤵
- Executes dropped EXE
PID:1700 -
\??\c:\tnbnbh.exec:\tnbnbh.exe18⤵
- Executes dropped EXE
PID:584 -
\??\c:\3lxrrlf.exec:\3lxrrlf.exe19⤵
- Executes dropped EXE
PID:1792 -
\??\c:\bnbhtt.exec:\bnbhtt.exe20⤵
- Executes dropped EXE
PID:708 -
\??\c:\hbthnb.exec:\hbthnb.exe21⤵
- Executes dropped EXE
PID:1768 -
\??\c:\nhtbnt.exec:\nhtbnt.exe22⤵
- Executes dropped EXE
PID:1704 -
\??\c:\lllxrlx.exec:\lllxrlx.exe23⤵
- Executes dropped EXE
PID:2548 -
\??\c:\tnnbhn.exec:\tnnbhn.exe24⤵
- Executes dropped EXE
PID:2928 -
\??\c:\1xrfxfr.exec:\1xrfxfr.exe25⤵
- Executes dropped EXE
PID:1968 -
\??\c:\hhbnth.exec:\hhbnth.exe26⤵
- Executes dropped EXE
PID:3000 -
\??\c:\rrrxlrl.exec:\rrrxlrl.exe27⤵
- Executes dropped EXE
PID:2488 -
\??\c:\httbhn.exec:\httbhn.exe28⤵
- Executes dropped EXE
PID:1736 -
\??\c:\pjdjj.exec:\pjdjj.exe29⤵
- Executes dropped EXE
PID:1240 -
\??\c:\rlxfrxr.exec:\rlxfrxr.exe30⤵
- Executes dropped EXE
PID:1616 -
\??\c:\vdvpd.exec:\vdvpd.exe31⤵
- Executes dropped EXE
PID:2484 -
\??\c:\lrlfxlf.exec:\lrlfxlf.exe32⤵
- Executes dropped EXE
PID:2668 -
\??\c:\pjppj.exec:\pjppj.exe33⤵
- Executes dropped EXE
PID:1572 -
\??\c:\ffxfxfx.exec:\ffxfxfx.exe34⤵
- Executes dropped EXE
PID:2136 -
\??\c:\1nhbhh.exec:\1nhbhh.exe35⤵
- Executes dropped EXE
PID:2680 -
\??\c:\dvjpd.exec:\dvjpd.exe36⤵
- Executes dropped EXE
PID:2588 -
\??\c:\fxlrrrf.exec:\fxlrrrf.exe37⤵
- Executes dropped EXE
PID:2736 -
\??\c:\bthhnt.exec:\bthhnt.exe38⤵
- Executes dropped EXE
PID:1256 -
\??\c:\ppdpp.exec:\ppdpp.exe39⤵
- Executes dropped EXE
PID:2732 -
\??\c:\1xlrxff.exec:\1xlrxff.exe40⤵
- Executes dropped EXE
PID:2604 -
\??\c:\9rllrxl.exec:\9rllrxl.exe41⤵
- Executes dropped EXE
PID:1484 -
\??\c:\bnnbbb.exec:\bnnbbb.exe42⤵
- Executes dropped EXE
PID:2064 -
\??\c:\dvjvp.exec:\dvjvp.exe43⤵
- Executes dropped EXE
PID:1208 -
\??\c:\5fxlflx.exec:\5fxlflx.exe44⤵
- Executes dropped EXE
PID:2140 -
\??\c:\tttbtb.exec:\tttbtb.exe45⤵
- Executes dropped EXE
PID:2808 -
\??\c:\dvvpj.exec:\dvvpj.exe46⤵
- Executes dropped EXE
PID:2008 -
\??\c:\3ffxllx.exec:\3ffxllx.exe47⤵
- Executes dropped EXE
PID:1620 -
\??\c:\lrfxfrx.exec:\lrfxfrx.exe48⤵
- Executes dropped EXE
PID:2244 -
\??\c:\tbnhbh.exec:\tbnhbh.exe49⤵
- Executes dropped EXE
PID:2856 -
\??\c:\vvdpj.exec:\vvdpj.exe50⤵
- Executes dropped EXE
PID:264 -
\??\c:\lfrxllx.exec:\lfrxllx.exe51⤵
- Executes dropped EXE
PID:2192 -
\??\c:\llfxlrr.exec:\llfxlrr.exe52⤵
- Executes dropped EXE
PID:1040 -
\??\c:\tttbnn.exec:\tttbnn.exe53⤵
- Executes dropped EXE
PID:2044 -
\??\c:\djdjv.exec:\djdjv.exe54⤵
- Executes dropped EXE
PID:1700 -
\??\c:\lllrlxl.exec:\lllrlxl.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1448 -
\??\c:\fxllxxl.exec:\fxllxxl.exe56⤵
- Executes dropped EXE
PID:968 -
\??\c:\9hbhhh.exec:\9hbhhh.exe57⤵
- Executes dropped EXE
PID:2960 -
\??\c:\3dpdj.exec:\3dpdj.exe58⤵
- Executes dropped EXE
PID:2412 -
\??\c:\rrrxxff.exec:\rrrxxff.exe59⤵
- Executes dropped EXE
PID:1768 -
\??\c:\bhtbhb.exec:\bhtbhb.exe60⤵
- Executes dropped EXE
PID:2920 -
\??\c:\hthnbh.exec:\hthnbh.exe61⤵
- Executes dropped EXE
PID:1520 -
\??\c:\ppdpd.exec:\ppdpd.exe62⤵
- Executes dropped EXE
PID:2660 -
\??\c:\frffxxl.exec:\frffxxl.exe63⤵
- Executes dropped EXE
PID:2424 -
\??\c:\tnbntb.exec:\tnbntb.exe64⤵
- Executes dropped EXE
PID:2096 -
\??\c:\bnbhbn.exec:\bnbhbn.exe65⤵
- Executes dropped EXE
PID:2460 -
\??\c:\ddjjd.exec:\ddjjd.exe66⤵PID:3000
-
\??\c:\lfrxrlx.exec:\lfrxrlx.exe67⤵PID:1800
-
\??\c:\9bntbh.exec:\9bntbh.exe68⤵PID:2284
-
\??\c:\dvjjp.exec:\dvjjp.exe69⤵PID:2472
-
\??\c:\vddjv.exec:\vddjv.exe70⤵PID:892
-
\??\c:\7lfrxfx.exec:\7lfrxfx.exe71⤵PID:2156
-
\??\c:\1nbhtb.exec:\1nbhtb.exe72⤵PID:2748
-
\??\c:\jjjpd.exec:\jjjpd.exe73⤵PID:1576
-
\??\c:\xrllxfl.exec:\xrllxfl.exe74⤵PID:2372
-
\??\c:\thbhtb.exec:\thbhtb.exe75⤵PID:2688
-
\??\c:\7btbnt.exec:\7btbnt.exe76⤵PID:2724
-
\??\c:\ddpvd.exec:\ddpvd.exe77⤵PID:2840
-
\??\c:\xxxxxfr.exec:\xxxxxfr.exe78⤵PID:2756
-
\??\c:\hbtbhh.exec:\hbtbhh.exe79⤵PID:2556
-
\??\c:\7hbbnn.exec:\7hbbnn.exe80⤵PID:2560
-
\??\c:\9pdjv.exec:\9pdjv.exe81⤵PID:2732
-
\??\c:\lxffflr.exec:\lxffflr.exe82⤵PID:2612
-
\??\c:\hnhtht.exec:\hnhtht.exe83⤵PID:1632
-
\??\c:\bbbhbn.exec:\bbbhbn.exe84⤵PID:1976
-
\??\c:\vvjpd.exec:\vvjpd.exe85⤵PID:2984
-
\??\c:\flflxlr.exec:\flflxlr.exe86⤵PID:2544
-
\??\c:\5nthth.exec:\5nthth.exe87⤵PID:1380
-
\??\c:\tbnbhh.exec:\tbnbhh.exe88⤵PID:2864
-
\??\c:\7ddjv.exec:\7ddjv.exe89⤵PID:1664
-
\??\c:\lfrfrxl.exec:\lfrfrxl.exe90⤵PID:2244
-
\??\c:\tthnbh.exec:\tthnbh.exe91⤵PID:2856
-
\??\c:\nnhnbh.exec:\nnhnbh.exe92⤵PID:2620
-
\??\c:\jdddp.exec:\jdddp.exe93⤵PID:1624
-
\??\c:\pjvvj.exec:\pjvvj.exe94⤵PID:568
-
\??\c:\ffrxrxx.exec:\ffrxrxx.exe95⤵PID:1756
-
\??\c:\hhnthh.exec:\hhnthh.exe96⤵PID:584
-
\??\c:\7djpp.exec:\7djpp.exe97⤵PID:1600
-
\??\c:\7jdvd.exec:\7jdvd.exe98⤵PID:2072
-
\??\c:\xrxfrxf.exec:\xrxfrxf.exe99⤵PID:936
-
\??\c:\ttnbbh.exec:\ttnbbh.exe100⤵PID:1752
-
\??\c:\1vppd.exec:\1vppd.exe101⤵
- System Location Discovery: System Language Discovery
PID:1236 -
\??\c:\lfxlxfl.exec:\lfxlxfl.exe102⤵PID:1692
-
\??\c:\bhtntb.exec:\bhtntb.exe103⤵PID:1492
-
\??\c:\3nhnhn.exec:\3nhnhn.exe104⤵PID:464
-
\??\c:\jjddj.exec:\jjddj.exe105⤵PID:2476
-
\??\c:\9xxfrrx.exec:\9xxfrrx.exe106⤵PID:2456
-
\??\c:\lllllxr.exec:\lllllxr.exe107⤵PID:2396
-
\??\c:\nhtbhh.exec:\nhtbhh.exe108⤵PID:1784
-
\??\c:\5vpvd.exec:\5vpvd.exe109⤵PID:536
-
\??\c:\7xllrrf.exec:\7xllrrf.exe110⤵PID:1308
-
\??\c:\flffllx.exec:\flffllx.exe111⤵PID:1616
-
\??\c:\ppdjd.exec:\ppdjd.exe112⤵PID:2772
-
\??\c:\lflfrrf.exec:\lflfrrf.exe113⤵PID:2484
-
\??\c:\bbthtt.exec:\bbthtt.exe114⤵PID:2668
-
\??\c:\7tnntt.exec:\7tnntt.exe115⤵PID:2672
-
\??\c:\jdpvj.exec:\jdpvj.exe116⤵PID:2844
-
\??\c:\xxlfrxf.exec:\xxlfrxf.exe117⤵PID:2964
-
\??\c:\xrflrrx.exec:\xrflrrx.exe118⤵PID:2824
-
\??\c:\1btthh.exec:\1btthh.exe119⤵PID:2564
-
\??\c:\pjpdp.exec:\pjpdp.exe120⤵PID:2608
-
\??\c:\ffrlxfx.exec:\ffrlxfx.exe121⤵
- System Location Discovery: System Language Discovery
PID:3060 -
\??\c:\xxrxllf.exec:\xxrxllf.exe122⤵PID:776