Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
26-12-2024 05:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe
-
Size
453KB
-
MD5
e1691e305614ef1b88fffc3e5e214f20
-
SHA1
9d8f7d3942a07291ebe1ea57e22fbb10eaf91433
-
SHA256
53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff
-
SHA512
d43dc218c4b1b3101c981e17ef4af645629bb4b2225eea43b41548a250f926a479597e4c9afa1218fe4020120234a78624ec8f38e7d567de450e8264ea0439dd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 58 IoCs
resource yara_rule behavioral1/memory/2112-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2352-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2728-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2988-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2744-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2900-53-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2736-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2972-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2652-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2896-88-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/1960-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1892-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1956-127-0x00000000003C0000-0x00000000003EA000-memory.dmp family_blackmoon behavioral1/memory/1732-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1732-147-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2004-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2816-183-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/1648-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1648-203-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/948-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1492-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/808-239-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2304-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1672-257-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2340-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1508-276-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon behavioral1/memory/2056-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2172-302-0x00000000001C0000-0x00000000001EA000-memory.dmp family_blackmoon behavioral1/memory/1576-310-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2760-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1576-312-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/536-333-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/536-332-0x00000000005C0000-0x00000000005EA000-memory.dmp family_blackmoon behavioral1/memory/2676-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2128-466-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2584-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2584-473-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon 
behavioral1/memory/912-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2340-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/3052-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1668-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1064-571-0x0000000000430000-0x000000000045A000-memory.dmp family_blackmoon behavioral1/memory/2728-591-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2144-667-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2028-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-778-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2392-809-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/3004-855-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2224-862-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2784-869-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1732-947-0x00000000001B0000-0x00000000001DA000-memory.dmp family_blackmoon behavioral1/memory/2444-949-0x00000000002B0000-0x00000000002DA000-memory.dmp family_blackmoon behavioral1/memory/2912-1104-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2392 vpjvj.exe 2352 9btbnt.exe 2988 hnnhnb.exe 2728 9dddv.exe 2900 ffflrrl.exe 2744 7bbhtb.exe 2736 bttbnt.exe 2972 pvdjv.exe 2896 rlllxxf.exe 2652 nbhthn.exe 2472 5fxxflr.exe 1960 hbnntn.exe 1956 vvpvp.exe 1892 3flrlrl.exe 1732 1jvvv.exe 2828 lfllllr.exe 1440 7vjjv.exe 2004 lfrrxxf.exe 2816 thhnhh.exe 2216 ffxxllr.exe 1648 ntnthh.exe 2716 jjdjp.exe 948 lfffrxl.exe 912 vjppv.exe 808 xlfxffl.exe 1492 3nbhbb.exe 1672 3xxfrrx.exe 2304 pjvdv.exe 1508 llfxrxx.exe 2340 ppvjd.exe 2056 frxlxxf.exe 2172 3nnnbh.exe 1576 xxrfxfx.exe 2760 1jvjp.exe 2868 frxxxxf.exe 536 7fllrxf.exe 2900 hbnhtt.exe 2944 pjvjp.exe 2788 rfffrrr.exe 2676 btbtbb.exe 1432 nnhtnn.exe 2740 dddpv.exe 2164 xllfllr.exe 2192 xrfflrf.exe 1476 nthnbh.exe 2852 vppdp.exe 2856 dvpvj.exe 2156 ffllrxl.exe 2000 bbtthh.exe 1944 ddddj.exe 2828 vvvvp.exe 292 1rfflrf.exe 2008 bbbhbn.exe 2004 ttnthn.exe 2484 vvpvj.exe 2092 7lfrffr.exe 2128 xxfxlxl.exe 2584 9hnntn.exe 1208 5dppv.exe 1156 llflxfr.exe 1680 lflrxfl.exe 912 hhtnth.exe 1148 5pvdp.exe 1756 3fflrrf.exe -
resource yara_rule behavioral1/memory/2392-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2112-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2352-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2728-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2988-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2744-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2736-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2972-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2652-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2896-90-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1960-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1956-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1892-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1732-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2004-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2816-183-0x00000000003A0000-0x00000000003CA000-memory.dmp upx behavioral1/memory/1648-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/948-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1492-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2304-260-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/2340-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2056-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1576-310-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2760-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2944-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2676-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/292-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2128-466-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2584-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/912-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1212-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/300-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2340-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3052-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1668-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2028-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2392-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1716-817-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3012-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3004-855-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1632-913-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2680-934-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/1732-947-0x00000000001B0000-0x00000000001DA000-memory.dmp upx behavioral1/memory/1576-1084-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-1097-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2912-1104-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lfflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btntbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrxflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2112 wrote to memory of 2392 2112 53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe 30 PID 2112 wrote to memory of 2392 2112 53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe 30 PID 2112 wrote to memory of 2392 2112 53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe 30 PID 2112 wrote to memory of 2392 2112 53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe 30 PID 2392 wrote to memory of 2352 2392 vpjvj.exe 31 PID 2392 wrote to memory of 2352 2392 vpjvj.exe 31 PID 2392 wrote to memory of 2352 2392 vpjvj.exe 31 PID 2392 wrote to memory of 2352 2392 vpjvj.exe 31 PID 2352 wrote to memory of 2988 2352 9btbnt.exe 32 PID 2352 wrote to memory of 2988 2352 9btbnt.exe 32 PID 2352 wrote to memory of 2988 2352 9btbnt.exe 32 PID 2352 wrote to memory of 2988 2352 9btbnt.exe 32 PID 2988 wrote to memory of 2728 2988 hnnhnb.exe 33 PID 2988 wrote to memory of 2728 2988 hnnhnb.exe 33 PID 2988 wrote to memory of 2728 2988 hnnhnb.exe 33 PID 2988 wrote to memory of 2728 2988 hnnhnb.exe 33 PID 2728 wrote to memory of 2900 2728 9dddv.exe 34 PID 2728 wrote to memory of 2900 2728 9dddv.exe 34 PID 2728 wrote to memory of 2900 2728 9dddv.exe 34 PID 2728 wrote to memory of 2900 2728 9dddv.exe 34 PID 2900 wrote to memory of 2744 2900 ffflrrl.exe 35 PID 2900 wrote to memory of 2744 2900 ffflrrl.exe 35 PID 2900 wrote to memory of 2744 2900 ffflrrl.exe 35 PID 2900 wrote to memory of 2744 2900 ffflrrl.exe 35 PID 2744 wrote to memory of 2736 2744 7bbhtb.exe 36 PID 2744 wrote to memory of 2736 2744 7bbhtb.exe 36 PID 2744 wrote to memory of 2736 2744 7bbhtb.exe 36 PID 2744 wrote to memory of 2736 2744 7bbhtb.exe 36 PID 2736 wrote to memory of 2972 2736 bttbnt.exe 37 PID 2736 wrote to memory of 2972 2736 bttbnt.exe 37 PID 2736 wrote to memory of 2972 2736 bttbnt.exe 37 PID 2736 wrote to memory of 2972 2736 bttbnt.exe 37 PID 2972 wrote to memory of 2896 2972 pvdjv.exe 38 PID 2972 wrote to 
memory of 2896 2972 pvdjv.exe 38 PID 2972 wrote to memory of 2896 2972 pvdjv.exe 38 PID 2972 wrote to memory of 2896 2972 pvdjv.exe 38 PID 2896 wrote to memory of 2652 2896 rlllxxf.exe 39 PID 2896 wrote to memory of 2652 2896 rlllxxf.exe 39 PID 2896 wrote to memory of 2652 2896 rlllxxf.exe 39 PID 2896 wrote to memory of 2652 2896 rlllxxf.exe 39 PID 2652 wrote to memory of 2472 2652 nbhthn.exe 40 PID 2652 wrote to memory of 2472 2652 nbhthn.exe 40 PID 2652 wrote to memory of 2472 2652 nbhthn.exe 40 PID 2652 wrote to memory of 2472 2652 nbhthn.exe 40 PID 2472 wrote to memory of 1960 2472 5fxxflr.exe 41 PID 2472 wrote to memory of 1960 2472 5fxxflr.exe 41 PID 2472 wrote to memory of 1960 2472 5fxxflr.exe 41 PID 2472 wrote to memory of 1960 2472 5fxxflr.exe 41 PID 1960 wrote to memory of 1956 1960 hbnntn.exe 42 PID 1960 wrote to memory of 1956 1960 hbnntn.exe 42 PID 1960 wrote to memory of 1956 1960 hbnntn.exe 42 PID 1960 wrote to memory of 1956 1960 hbnntn.exe 42 PID 1956 wrote to memory of 1892 1956 vvpvp.exe 43 PID 1956 wrote to memory of 1892 1956 vvpvp.exe 43 PID 1956 wrote to memory of 1892 1956 vvpvp.exe 43 PID 1956 wrote to memory of 1892 1956 vvpvp.exe 43 PID 1892 wrote to memory of 1732 1892 3flrlrl.exe 44 PID 1892 wrote to memory of 1732 1892 3flrlrl.exe 44 PID 1892 wrote to memory of 1732 1892 3flrlrl.exe 44 PID 1892 wrote to memory of 1732 1892 3flrlrl.exe 44 PID 1732 wrote to memory of 2828 1732 1jvvv.exe 45 PID 1732 wrote to memory of 2828 1732 1jvvv.exe 45 PID 1732 wrote to memory of 2828 1732 1jvvv.exe 45 PID 1732 wrote to memory of 2828 1732 1jvvv.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe"C:\Users\Admin\AppData\Local\Temp\53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\vpjvj.exec:\vpjvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\9btbnt.exec:\9btbnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\hnnhnb.exec:\hnnhnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\9dddv.exec:\9dddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\ffflrrl.exec:\ffflrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\7bbhtb.exec:\7bbhtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\bttbnt.exec:\bttbnt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\pvdjv.exec:\pvdjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\rlllxxf.exec:\rlllxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\nbhthn.exec:\nbhthn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\5fxxflr.exec:\5fxxflr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\hbnntn.exec:\hbnntn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\vvpvp.exec:\vvpvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\3flrlrl.exec:\3flrlrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\1jvvv.exec:\1jvvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\lfllllr.exec:\lfllllr.exe17⤵
- Executes dropped EXE
PID:2828 -
\??\c:\7vjjv.exec:\7vjjv.exe18⤵
- Executes dropped EXE
PID:1440 -
\??\c:\lfrrxxf.exec:\lfrrxxf.exe19⤵
- Executes dropped EXE
PID:2004 -
\??\c:\thhnhh.exec:\thhnhh.exe20⤵
- Executes dropped EXE
PID:2816 -
\??\c:\ffxxllr.exec:\ffxxllr.exe21⤵
- Executes dropped EXE
PID:2216 -
\??\c:\ntnthh.exec:\ntnthh.exe22⤵
- Executes dropped EXE
PID:1648 -
\??\c:\jjdjp.exec:\jjdjp.exe23⤵
- Executes dropped EXE
PID:2716 -
\??\c:\lfffrxl.exec:\lfffrxl.exe24⤵
- Executes dropped EXE
PID:948 -
\??\c:\vjppv.exec:\vjppv.exe25⤵
- Executes dropped EXE
PID:912 -
\??\c:\xlfxffl.exec:\xlfxffl.exe26⤵
- Executes dropped EXE
PID:808 -
\??\c:\3nbhbb.exec:\3nbhbb.exe27⤵
- Executes dropped EXE
PID:1492 -
\??\c:\3xxfrrx.exec:\3xxfrrx.exe28⤵
- Executes dropped EXE
PID:1672 -
\??\c:\pjvdv.exec:\pjvdv.exe29⤵
- Executes dropped EXE
PID:2304 -
\??\c:\llfxrxx.exec:\llfxrxx.exe30⤵
- Executes dropped EXE
PID:1508 -
\??\c:\ppvjd.exec:\ppvjd.exe31⤵
- Executes dropped EXE
PID:2340 -
\??\c:\frxlxxf.exec:\frxlxxf.exe32⤵
- Executes dropped EXE
PID:2056 -
\??\c:\3nnnbh.exec:\3nnnbh.exe33⤵
- Executes dropped EXE
PID:2172 -
\??\c:\xxrfxfx.exec:\xxrfxfx.exe34⤵
- Executes dropped EXE
PID:1576 -
\??\c:\1jvjp.exec:\1jvjp.exe35⤵
- Executes dropped EXE
PID:2760 -
\??\c:\frxxxxf.exec:\frxxxxf.exe36⤵
- Executes dropped EXE
PID:2868 -
\??\c:\7fllrxf.exec:\7fllrxf.exe37⤵
- Executes dropped EXE
PID:536 -
\??\c:\hbnhtt.exec:\hbnhtt.exe38⤵
- Executes dropped EXE
PID:2900 -
\??\c:\pjvjp.exec:\pjvjp.exe39⤵
- Executes dropped EXE
PID:2944 -
\??\c:\rfffrrr.exec:\rfffrrr.exe40⤵
- Executes dropped EXE
PID:2788 -
\??\c:\btbtbb.exec:\btbtbb.exe41⤵
- Executes dropped EXE
PID:2676 -
\??\c:\nnhtnn.exec:\nnhtnn.exe42⤵
- Executes dropped EXE
PID:1432 -
\??\c:\dddpv.exec:\dddpv.exe43⤵
- Executes dropped EXE
PID:2740 -
\??\c:\xllfllr.exec:\xllfllr.exe44⤵
- Executes dropped EXE
PID:2164 -
\??\c:\xrfflrf.exec:\xrfflrf.exe45⤵
- Executes dropped EXE
PID:2192 -
\??\c:\nthnbh.exec:\nthnbh.exe46⤵
- Executes dropped EXE
PID:1476 -
\??\c:\vppdp.exec:\vppdp.exe47⤵
- Executes dropped EXE
PID:2852 -
\??\c:\dvpvj.exec:\dvpvj.exe48⤵
- Executes dropped EXE
PID:2856 -
\??\c:\ffllrxl.exec:\ffllrxl.exe49⤵
- Executes dropped EXE
PID:2156 -
\??\c:\bbtthh.exec:\bbtthh.exe50⤵
- Executes dropped EXE
PID:2000 -
\??\c:\ddddj.exec:\ddddj.exe51⤵
- Executes dropped EXE
PID:1944 -
\??\c:\vvvvp.exec:\vvvvp.exe52⤵
- Executes dropped EXE
PID:2828 -
\??\c:\1rfflrf.exec:\1rfflrf.exe53⤵
- Executes dropped EXE
PID:292 -
\??\c:\bbbhbn.exec:\bbbhbn.exe54⤵
- Executes dropped EXE
PID:2008 -
\??\c:\ttnthn.exec:\ttnthn.exe55⤵
- Executes dropped EXE
PID:2004 -
\??\c:\vvpvj.exec:\vvpvj.exe56⤵
- Executes dropped EXE
PID:2484 -
\??\c:\7lfrffr.exec:\7lfrffr.exe57⤵
- Executes dropped EXE
PID:2092 -
\??\c:\xxfxlxl.exec:\xxfxlxl.exe58⤵
- Executes dropped EXE
PID:2128 -
\??\c:\9hnntn.exec:\9hnntn.exe59⤵
- Executes dropped EXE
PID:2584 -
\??\c:\5dppv.exec:\5dppv.exe60⤵
- Executes dropped EXE
PID:1208 -
\??\c:\llflxfr.exec:\llflxfr.exe61⤵
- Executes dropped EXE
PID:1156 -
\??\c:\lflrxfl.exec:\lflrxfl.exe62⤵
- Executes dropped EXE
PID:1680 -
\??\c:\hhtnth.exec:\hhtnth.exe63⤵
- Executes dropped EXE
PID:912 -
\??\c:\5pvdp.exec:\5pvdp.exe64⤵
- Executes dropped EXE
PID:1148 -
\??\c:\3fflrrf.exec:\3fflrrf.exe65⤵
- Executes dropped EXE
PID:1756 -
\??\c:\rxrrfff.exec:\rxrrfff.exe66⤵PID:1212
-
\??\c:\1btbnn.exec:\1btbnn.exe67⤵PID:300
-
\??\c:\1ppvj.exec:\1ppvj.exe68⤵PID:2076
-
\??\c:\jpdjv.exec:\jpdjv.exe69⤵PID:552
-
\??\c:\llllrlr.exec:\llllrlr.exe70⤵PID:1508
-
\??\c:\ttbhnt.exec:\ttbhnt.exe71⤵PID:2340
-
\??\c:\vppvd.exec:\vppvd.exe72⤵PID:3052
-
\??\c:\vvddj.exec:\vvddj.exe73⤵PID:2808
-
\??\c:\rxxrfrl.exec:\rxxrfrl.exe74⤵PID:1064
-
\??\c:\7nhhnt.exec:\7nhhnt.exe75⤵PID:1668
-
\??\c:\7ppvj.exec:\7ppvj.exe76⤵PID:1948
-
\??\c:\vpppv.exec:\vpppv.exe77⤵PID:2728
-
\??\c:\3fxrxxf.exec:\3fxrxxf.exe78⤵PID:2052
-
\??\c:\3tnhtb.exec:\3tnhtb.exe79⤵PID:2744
-
\??\c:\nhbbhh.exec:\nhbbhh.exe80⤵PID:3000
-
\??\c:\jjjdp.exec:\jjjdp.exe81⤵PID:2648
-
\??\c:\rrflxfr.exec:\rrflxfr.exe82⤵PID:2788
-
\??\c:\htbtnh.exec:\htbtnh.exe83⤵PID:2664
-
\??\c:\hhbbhh.exec:\hhbbhh.exe84⤵PID:2668
-
\??\c:\vvpvj.exec:\vvpvj.exe85⤵
- System Location Discovery: System Language Discovery
PID:548 -
\??\c:\fffrffx.exec:\fffrffx.exe86⤵PID:2372
-
\??\c:\nhbhnt.exec:\nhbhnt.exe87⤵PID:2688
-
\??\c:\5tnthn.exec:\5tnthn.exe88⤵PID:1104
-
\??\c:\jdddv.exec:\jdddv.exe89⤵PID:2144
-
\??\c:\ffllrxf.exec:\ffllrxf.exe90⤵PID:1816
-
\??\c:\tbhtht.exec:\tbhtht.exe91⤵PID:2812
-
\??\c:\nthntb.exec:\nthntb.exe92⤵PID:1732
-
\??\c:\ppjvj.exec:\ppjvj.exe93⤵PID:1924
-
\??\c:\jddjp.exec:\jddjp.exe94⤵PID:2028
-
\??\c:\frflrrx.exec:\frflrrx.exe95⤵PID:832
-
\??\c:\tttnhn.exec:\tttnhn.exe96⤵PID:2976
-
\??\c:\dvpdp.exec:\dvpdp.exe97⤵PID:2440
-
\??\c:\vvvdp.exec:\vvvdp.exe98⤵PID:2448
-
\??\c:\rrllxfr.exec:\rrllxfr.exe99⤵PID:2332
-
\??\c:\hbtthn.exec:\hbtthn.exe100⤵PID:1648
-
\??\c:\tbtnbh.exec:\tbtnbh.exe101⤵PID:2468
-
\??\c:\7pdjv.exec:\7pdjv.exe102⤵PID:1156
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe103⤵PID:1680
-
\??\c:\7btbtb.exec:\7btbtb.exe104⤵PID:612
-
\??\c:\vvpvj.exec:\vvpvj.exe105⤵PID:2124
-
\??\c:\jjjpd.exec:\jjjpd.exe106⤵PID:2252
-
\??\c:\llrxllx.exec:\llrxllx.exe107⤵PID:2540
-
\??\c:\fffrlrx.exec:\fffrlrx.exe108⤵PID:2212
-
\??\c:\hbntbh.exec:\hbntbh.exe109⤵
- System Location Discovery: System Language Discovery
PID:2112 -
\??\c:\jjvvd.exec:\jjvvd.exe110⤵PID:892
-
\??\c:\jdvdp.exec:\jdvdp.exe111⤵PID:2108
-
\??\c:\rrlxlxr.exec:\rrlxlxr.exe112⤵PID:2392
-
\??\c:\9bnntt.exec:\9bnntt.exe113⤵PID:2424
-
\??\c:\1hnhhn.exec:\1hnhhn.exe114⤵PID:1716
-
\??\c:\pppdp.exec:\pppdp.exe115⤵PID:1724
-
\??\c:\xrxxffr.exec:\xrxxffr.exe116⤵PID:2764
-
\??\c:\1ttbht.exec:\1ttbht.exe117⤵PID:2880
-
\??\c:\dvpdp.exec:\dvpdp.exe118⤵PID:3012
-
\??\c:\vddpd.exec:\vddpd.exe119⤵PID:3004
-
\??\c:\xflllfl.exec:\xflllfl.exe120⤵PID:2224
-
\??\c:\7nbtbh.exec:\7nbtbh.exe121⤵PID:2784
-
\??\c:\bbntbb.exec:\bbntbb.exe122⤵PID:2720