Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 05:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
Note: every signature match and the process tree reproduced on this page are labelled behavioral2 and belong to the win10v2004-20241007-en / windows10-2004-x64 run named in the header; the windows7-x64 task listed here is a separate run, and its 7 signature hits are not the ones shown below.
General
-
Target
53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe
-
Size
453KB
-
MD5
e1691e305614ef1b88fffc3e5e214f20
-
SHA1
9d8f7d3942a07291ebe1ea57e22fbb10eaf91433
-
SHA256
53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff
-
SHA512
d43dc218c4b1b3101c981e17ef4af645629bb4b2225eea43b41548a250f926a479597e4c9afa1218fe4020120234a78624ec8f38e7d567de450e8264ea0439dd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 63 IoCs. Each IoC is a YARA hit (rule family_blackmoon) on a process memory dump covering the image range 0x00400000–0x0042A000, first in the submitted sample (PID 2612) and then in each executable it drops and launches; the same dumps also match the upx rule listed further down, so the detection fires on the unpacked in-memory image rather than on anything specific to the file on disk. Several PIDs recur with different dump sequence numbers (e.g. 4512, 2540, 1048, 4768, 3000), i.e. PIDs are reused during the run — do not key indicators on PID.
resource yara_rule behavioral2/memory/2612-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4444-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1088-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4184-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-1177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-1214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-1480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the listing is capped at 64; the process tree below reaches 122 levels). Every dropped binary is written to the root of the system drive (\??\c:\<name>.exe) with a short pseudo-random name drawn from a small alphabet of lookalike characters (b, d, f, h, j, l, n, p, r, t, v, x and the digits 1, 3, 5, 7, 9), and each one launches the next. Filenames are therefore useless as indicators; the stable signals are the drop location, the strictly linear parent→child chain and the in-memory YARA matches. PID 4608 appears twice in this list (nbnhbh.exe, later bttnbb.exe), another sign of PID reuse within the 120-second window.
pid Process 4608 nbnhbh.exe 5112 pvdvp.exe 1068 7bbtnn.exe 1636 xrrlxxr.exe 1756 vvjdd.exe 3536 nthnnh.exe 4280 vddvp.exe 1428 nhbnht.exe 1420 flrfrrl.exe 3316 vvvpd.exe 4160 xxfxlfx.exe 3220 9pppd.exe 1952 dppdv.exe 5060 lffxrrl.exe 2528 7nnhhh.exe 2284 rxfrllf.exe 436 bhhbtn.exe 3448 bhnhnh.exe 4444 jvvpj.exe 3096 lrxrfxr.exe 4768 tthbtn.exe 1028 7djvv.exe 3364 rxfxllf.exe 1560 rffxrlf.exe 4048 3bhbtb.exe 1048 pjvjp.exe 548 pdjdp.exe 4792 jdvpj.exe 828 fxxlxrl.exe 5016 btbtnh.exe 1264 dpvpj.exe 2480 fxflxxx.exe 3740 9xrfxrl.exe 2316 bnnhbt.exe 1776 pjjjj.exe 4304 bnnbtn.exe 1588 lffrfxr.exe 3948 btbthn.exe 2628 3ddvj.exe 2040 xlrfrrl.exe 4820 5bttnb.exe 3616 hbhbnt.exe 3368 vjvjd.exe 4512 xrllfxx.exe 1600 xxxrrrr.exe 4084 bntnbb.exe 1016 pvvjv.exe 3868 lffxllf.exe 3340 tthtnh.exe 2320 nhnnhb.exe 2540 jddjv.exe 1840 lxlfxrr.exe 4608 bttnbb.exe 452 tnbnhh.exe 4900 djdvj.exe 3660 frrfrlx.exe 1500 hntnhb.exe 4832 bbhthh.exe 3668 1djvd.exe 3928 flxrlll.exe 1484 bbnhbb.exe 4996 nhbtnh.exe 1612 pjpjj.exe 1192 lffxrrr.exe -
resource yara_rule behavioral2/memory/2612-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4792-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-353-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3500-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4184-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-1010-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location. Many entries below are attributed to "Process not Found", presumably because the short-lived dropped process had already exited before the monitor could resolve its name — correlate these by registry path and timing rather than by process name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (listing capped at 64). Each process writes exactly three times into the memory of the single child it spawns, so these entries trace the same linear chain as the process tree (2612 → 4608 → 5112 → 1068 → …); no entry targets a pre-existing or unrelated process. This pattern is more likely the writes that accompany process creation than injection into a foreign process, but the report does not show the written contents, so treat that reading as unconfirmed.
description pid Process procid_target PID 2612 wrote to memory of 4608 2612 53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe 83 PID 2612 wrote to memory of 4608 2612 53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe 83 PID 2612 wrote to memory of 4608 2612 53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe 83 PID 4608 wrote to memory of 5112 4608 nbnhbh.exe 84 PID 4608 wrote to memory of 5112 4608 nbnhbh.exe 84 PID 4608 wrote to memory of 5112 4608 nbnhbh.exe 84 PID 5112 wrote to memory of 1068 5112 pvdvp.exe 85 PID 5112 wrote to memory of 1068 5112 pvdvp.exe 85 PID 5112 wrote to memory of 1068 5112 pvdvp.exe 85 PID 1068 wrote to memory of 1636 1068 7bbtnn.exe 86 PID 1068 wrote to memory of 1636 1068 7bbtnn.exe 86 PID 1068 wrote to memory of 1636 1068 7bbtnn.exe 86 PID 1636 wrote to memory of 1756 1636 xrrlxxr.exe 87 PID 1636 wrote to memory of 1756 1636 xrrlxxr.exe 87 PID 1636 wrote to memory of 1756 1636 xrrlxxr.exe 87 PID 1756 wrote to memory of 3536 1756 vvjdd.exe 88 PID 1756 wrote to memory of 3536 1756 vvjdd.exe 88 PID 1756 wrote to memory of 3536 1756 vvjdd.exe 88 PID 3536 wrote to memory of 4280 3536 nthnnh.exe 89 PID 3536 wrote to memory of 4280 3536 nthnnh.exe 89 PID 3536 wrote to memory of 4280 3536 nthnnh.exe 89 PID 4280 wrote to memory of 1428 4280 vddvp.exe 90 PID 4280 wrote to memory of 1428 4280 vddvp.exe 90 PID 4280 wrote to memory of 1428 4280 vddvp.exe 90 PID 1428 wrote to memory of 1420 1428 nhbnht.exe 91 PID 1428 wrote to memory of 1420 1428 nhbnht.exe 91 PID 1428 wrote to memory of 1420 1428 nhbnht.exe 91 PID 1420 wrote to memory of 3316 1420 flrfrrl.exe 92 PID 1420 wrote to memory of 3316 1420 flrfrrl.exe 92 PID 1420 wrote to memory of 3316 1420 flrfrrl.exe 92 PID 3316 wrote to memory of 4160 3316 vvvpd.exe 93 PID 3316 wrote to memory of 4160 3316 vvvpd.exe 93 PID 3316 wrote to memory of 4160 3316 vvvpd.exe 93 PID 4160 wrote to memory of 3220 4160 xxfxlfx.exe 94 PID 4160 wrote to memory 
of 3220 4160 xxfxlfx.exe 94 PID 4160 wrote to memory of 3220 4160 xxfxlfx.exe 94 PID 3220 wrote to memory of 1952 3220 9pppd.exe 95 PID 3220 wrote to memory of 1952 3220 9pppd.exe 95 PID 3220 wrote to memory of 1952 3220 9pppd.exe 95 PID 1952 wrote to memory of 5060 1952 dppdv.exe 96 PID 1952 wrote to memory of 5060 1952 dppdv.exe 96 PID 1952 wrote to memory of 5060 1952 dppdv.exe 96 PID 5060 wrote to memory of 2528 5060 lffxrrl.exe 97 PID 5060 wrote to memory of 2528 5060 lffxrrl.exe 97 PID 5060 wrote to memory of 2528 5060 lffxrrl.exe 97 PID 2528 wrote to memory of 2284 2528 7nnhhh.exe 98 PID 2528 wrote to memory of 2284 2528 7nnhhh.exe 98 PID 2528 wrote to memory of 2284 2528 7nnhhh.exe 98 PID 2284 wrote to memory of 436 2284 rxfrllf.exe 99 PID 2284 wrote to memory of 436 2284 rxfrllf.exe 99 PID 2284 wrote to memory of 436 2284 rxfrllf.exe 99 PID 436 wrote to memory of 3448 436 bhhbtn.exe 100 PID 436 wrote to memory of 3448 436 bhhbtn.exe 100 PID 436 wrote to memory of 3448 436 bhhbtn.exe 100 PID 3448 wrote to memory of 4444 3448 bhnhnh.exe 101 PID 3448 wrote to memory of 4444 3448 bhnhnh.exe 101 PID 3448 wrote to memory of 4444 3448 bhnhnh.exe 101 PID 4444 wrote to memory of 3096 4444 jvvpj.exe 102 PID 4444 wrote to memory of 3096 4444 jvvpj.exe 102 PID 4444 wrote to memory of 3096 4444 jvvpj.exe 102 PID 3096 wrote to memory of 4768 3096 lrxrfxr.exe 103 PID 3096 wrote to memory of 4768 3096 lrxrfxr.exe 103 PID 3096 wrote to memory of 4768 3096 lrxrfxr.exe 103 PID 4768 wrote to memory of 1028 4768 tthbtn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe"C:\Users\Admin\AppData\Local\Temp\53576f03f13cfdc0609ff91b331e68a12bb68ac68a8029b66d14956e152345ff.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\nbnhbh.exec:\nbnhbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\pvdvp.exec:\pvdvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\7bbtnn.exec:\7bbtnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\xrrlxxr.exec:\xrrlxxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\vvjdd.exec:\vvjdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\nthnnh.exec:\nthnnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\vddvp.exec:\vddvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\nhbnht.exec:\nhbnht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\flrfrrl.exec:\flrfrrl.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\vvvpd.exec:\vvvpd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\xxfxlfx.exec:\xxfxlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\9pppd.exec:\9pppd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\dppdv.exec:\dppdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\lffxrrl.exec:\lffxrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\7nnhhh.exec:\7nnhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\rxfrllf.exec:\rxfrllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\bhhbtn.exec:\bhhbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\bhnhnh.exec:\bhnhnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\jvvpj.exec:\jvvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\lrxrfxr.exec:\lrxrfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\tthbtn.exec:\tthbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\7djvv.exec:\7djvv.exe23⤵
- Executes dropped EXE
PID:1028 -
\??\c:\rxfxllf.exec:\rxfxllf.exe24⤵
- Executes dropped EXE
PID:3364 -
\??\c:\rffxrlf.exec:\rffxrlf.exe25⤵
- Executes dropped EXE
PID:1560 -
\??\c:\3bhbtb.exec:\3bhbtb.exe26⤵
- Executes dropped EXE
PID:4048 -
\??\c:\pjvjp.exec:\pjvjp.exe27⤵
- Executes dropped EXE
PID:1048 -
\??\c:\pdjdp.exec:\pdjdp.exe28⤵
- Executes dropped EXE
PID:548 -
\??\c:\jdvpj.exec:\jdvpj.exe29⤵
- Executes dropped EXE
PID:4792 -
\??\c:\fxxlxrl.exec:\fxxlxrl.exe30⤵
- Executes dropped EXE
PID:828 -
\??\c:\btbtnh.exec:\btbtnh.exe31⤵
- Executes dropped EXE
PID:5016 -
\??\c:\dpvpj.exec:\dpvpj.exe32⤵
- Executes dropped EXE
PID:1264 -
\??\c:\fxflxxx.exec:\fxflxxx.exe33⤵
- Executes dropped EXE
PID:2480 -
\??\c:\9xrfxrl.exec:\9xrfxrl.exe34⤵
- Executes dropped EXE
PID:3740 -
\??\c:\bnnhbt.exec:\bnnhbt.exe35⤵
- Executes dropped EXE
PID:2316 -
\??\c:\pjjjj.exec:\pjjjj.exe36⤵
- Executes dropped EXE
PID:1776 -
\??\c:\bnnbtn.exec:\bnnbtn.exe37⤵
- Executes dropped EXE
PID:4304 -
\??\c:\lffrfxr.exec:\lffrfxr.exe38⤵
- Executes dropped EXE
PID:1588 -
\??\c:\btbthn.exec:\btbthn.exe39⤵
- Executes dropped EXE
PID:3948 -
\??\c:\3ddvj.exec:\3ddvj.exe40⤵
- Executes dropped EXE
PID:2628 -
\??\c:\xlrfrrl.exec:\xlrfrrl.exe41⤵
- Executes dropped EXE
PID:2040 -
\??\c:\5bttnb.exec:\5bttnb.exe42⤵
- Executes dropped EXE
PID:4820 -
\??\c:\hbhbnt.exec:\hbhbnt.exe43⤵
- Executes dropped EXE
PID:3616 -
\??\c:\vjvjd.exec:\vjvjd.exe44⤵
- Executes dropped EXE
PID:3368 -
\??\c:\xrllfxx.exec:\xrllfxx.exe45⤵
- Executes dropped EXE
PID:4512 -
\??\c:\xxxrrrr.exec:\xxxrrrr.exe46⤵
- Executes dropped EXE
PID:1600 -
\??\c:\bntnbb.exec:\bntnbb.exe47⤵
- Executes dropped EXE
PID:4084 -
\??\c:\pvvjv.exec:\pvvjv.exe48⤵
- Executes dropped EXE
PID:1016 -
\??\c:\lffxllf.exec:\lffxllf.exe49⤵
- Executes dropped EXE
PID:3868 -
\??\c:\tthtnh.exec:\tthtnh.exe50⤵
- Executes dropped EXE
PID:3340 -
\??\c:\nhnnhb.exec:\nhnnhb.exe51⤵
- Executes dropped EXE
PID:2320 -
\??\c:\jddjv.exec:\jddjv.exe52⤵
- Executes dropped EXE
PID:2540 -
\??\c:\lxlfxrr.exec:\lxlfxrr.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1840 -
\??\c:\bttnbb.exec:\bttnbb.exe54⤵
- Executes dropped EXE
PID:4608 -
\??\c:\tnbnhh.exec:\tnbnhh.exe55⤵
- Executes dropped EXE
PID:452 -
\??\c:\djdvj.exec:\djdvj.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4900 -
\??\c:\frrfrlx.exec:\frrfrlx.exe57⤵
- Executes dropped EXE
PID:3660 -
\??\c:\hntnhb.exec:\hntnhb.exe58⤵
- Executes dropped EXE
PID:1500 -
\??\c:\bbhthh.exec:\bbhthh.exe59⤵
- Executes dropped EXE
PID:4832 -
\??\c:\1djvd.exec:\1djvd.exe60⤵
- Executes dropped EXE
PID:3668 -
\??\c:\flxrlll.exec:\flxrlll.exe61⤵
- Executes dropped EXE
PID:3928 -
\??\c:\bbnhbb.exec:\bbnhbb.exe62⤵
- Executes dropped EXE
PID:1484 -
\??\c:\nhbtnh.exec:\nhbtnh.exe63⤵
- Executes dropped EXE
PID:4996 -
\??\c:\pjpjj.exec:\pjpjj.exe64⤵
- Executes dropped EXE
PID:1612 -
\??\c:\lffxrrr.exec:\lffxrrr.exe65⤵
- Executes dropped EXE
PID:1192 -
\??\c:\3hbnbt.exec:\3hbnbt.exe66⤵PID:1088
-
\??\c:\5jdvv.exec:\5jdvv.exe67⤵PID:1792
-
\??\c:\rlllllr.exec:\rlllllr.exe68⤵PID:3024
-
\??\c:\frxlxrr.exec:\frxlxrr.exe69⤵PID:468
-
\??\c:\hbbtbb.exec:\hbbtbb.exe70⤵PID:3000
-
\??\c:\7jjvd.exec:\7jjvd.exe71⤵PID:2416
-
\??\c:\rlrlxxf.exec:\rlrlxxf.exe72⤵PID:4700
-
\??\c:\nntnhb.exec:\nntnhb.exe73⤵PID:4188
-
\??\c:\9ppjv.exec:\9ppjv.exe74⤵PID:4272
-
\??\c:\frxlllx.exec:\frxlllx.exe75⤵PID:1824
-
\??\c:\ttnnbb.exec:\ttnnbb.exe76⤵PID:1196
-
\??\c:\1pjdp.exec:\1pjdp.exe77⤵PID:4896
-
\??\c:\vvjjp.exec:\vvjjp.exe78⤵PID:3108
-
\??\c:\rlflffr.exec:\rlflffr.exe79⤵
- System Location Discovery: System Language Discovery
PID:3924 -
\??\c:\7ttttt.exec:\7ttttt.exe80⤵PID:928
-
\??\c:\btbbbb.exec:\btbbbb.exe81⤵PID:2068
-
\??\c:\7ppvv.exec:\7ppvv.exe82⤵PID:3012
-
\??\c:\ffxrlff.exec:\ffxrlff.exe83⤵PID:832
-
\??\c:\lxlfffx.exec:\lxlfffx.exe84⤵PID:4572
-
\??\c:\bhtbbb.exec:\bhtbbb.exe85⤵PID:3044
-
\??\c:\djvvp.exec:\djvvp.exe86⤵PID:1924
-
\??\c:\xxxrfrl.exec:\xxxrfrl.exe87⤵PID:836
-
\??\c:\fxxrlrl.exec:\fxxrlrl.exe88⤵PID:2640
-
\??\c:\nnnnhh.exec:\nnnnhh.exe89⤵PID:4684
-
\??\c:\ddjdd.exec:\ddjdd.exe90⤵PID:3196
-
\??\c:\lrxrxxr.exec:\lrxrxxr.exe91⤵PID:3500
-
\??\c:\bbntbh.exec:\bbntbh.exe92⤵PID:4044
-
\??\c:\1jjdv.exec:\1jjdv.exe93⤵PID:4012
-
\??\c:\9llfllf.exec:\9llfllf.exe94⤵PID:2580
-
\??\c:\tbhbtt.exec:\tbhbtt.exe95⤵PID:4184
-
\??\c:\3bhbnn.exec:\3bhbnn.exe96⤵PID:2480
-
\??\c:\jdjdd.exec:\jdjdd.exe97⤵PID:2136
-
\??\c:\1rxfffl.exec:\1rxfffl.exe98⤵PID:3372
-
\??\c:\bttbnh.exec:\bttbnh.exe99⤵PID:1608
-
\??\c:\ttbhbn.exec:\ttbhbn.exe100⤵PID:2264
-
\??\c:\7vvdv.exec:\7vvdv.exe101⤵PID:3032
-
\??\c:\xxlrrxx.exec:\xxlrrxx.exe102⤵PID:1552
-
\??\c:\hntnbt.exec:\hntnbt.exe103⤵PID:1772
-
\??\c:\tbnntt.exec:\tbnntt.exe104⤵PID:2904
-
\??\c:\pppjj.exec:\pppjj.exe105⤵PID:2628
-
\??\c:\fxfrlxx.exec:\fxfrlxx.exe106⤵PID:2268
-
\??\c:\1hbthh.exec:\1hbthh.exe107⤵PID:4820
-
\??\c:\1bbttt.exec:\1bbttt.exe108⤵PID:4148
-
\??\c:\jdddp.exec:\jdddp.exe109⤵PID:4008
-
\??\c:\rrrrlrr.exec:\rrrrlrr.exe110⤵PID:4512
-
\??\c:\3nnhhh.exec:\3nnhhh.exe111⤵PID:2752
-
\??\c:\hbnhbh.exec:\hbnhbh.exe112⤵PID:3700
-
\??\c:\jjppp.exec:\jjppp.exe113⤵PID:1228
-
\??\c:\xffxfll.exec:\xffxfll.exe114⤵PID:4640
-
\??\c:\nnhbnt.exec:\nnhbnt.exe115⤵PID:3340
-
\??\c:\bbnhhh.exec:\bbnhhh.exe116⤵PID:4400
-
\??\c:\djppp.exec:\djppp.exe117⤵PID:1660
-
\??\c:\llxxxfx.exec:\llxxxfx.exe118⤵PID:3468
-
\??\c:\5nnbtn.exec:\5nnbtn.exe119⤵PID:4848
-
\??\c:\ddjjd.exec:\ddjjd.exe120⤵PID:4868
-
\??\c:\ppjjp.exec:\ppjjp.exe121⤵PID:3508
-
\??\c:\fxfffff.exec:\fxfffff.exe122⤵PID:2988